--- a/Modules/clinic/_ssl.c.h
|
|
+++ b/Modules/clinic/_ssl.c.h
|
|
@@ -88,6 +88,7 @@
|
|
return return_value;
|
|
}
|
|
|
|
+#if OPENSSL_VERSION_1_1
|
|
PyDoc_STRVAR(_ssl__SSLSocket_get_verified_chain__doc__,
|
|
"get_verified_chain($self, /)\n"
|
|
"--\n"
|
|
@@ -121,6 +122,7 @@
|
|
{
|
|
return _ssl__SSLSocket_get_unverified_chain_impl(self);
|
|
}
|
|
+#endif
|
|
|
|
PyDoc_STRVAR(_ssl__SSLSocket_shared_ciphers__doc__,
|
|
"shared_ciphers($self, /)\n"
|
|
--- a/Modules/_hashopenssl.c
|
|
+++ b/Modules/_hashopenssl.c
|
|
@@ -43,12 +43,55 @@
|
|
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
|
|
#endif
|
|
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
|
+/* OpenSSL < 1.1.0 */
|
|
+#define EVP_MD_CTX_new EVP_MD_CTX_create
|
|
+#define EVP_MD_CTX_free EVP_MD_CTX_destroy
|
|
+HMAC_CTX *
|
|
+HMAC_CTX_new(void)
|
|
+{
|
|
+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
|
|
+ if (ctx != NULL) {
|
|
+ memset(ctx, 0, sizeof(HMAC_CTX));
|
|
+ HMAC_CTX_init(ctx);
|
|
+ }
|
|
+ return ctx;
|
|
+}
|
|
+
|
|
+void
|
|
+HMAC_CTX_free(HMAC_CTX *ctx)
|
|
+{
|
|
+ if (ctx != NULL) {
|
|
+ HMAC_CTX_cleanup(ctx);
|
|
+ OPENSSL_free(ctx);
|
|
+ }
|
|
+}
|
|
+
|
|
+const EVP_MD *
|
|
+HMAC_CTX_get_md(const HMAC_CTX *ctx)
|
|
+{
|
|
+ return ctx->md;
|
|
+}
|
|
+#endif
|
|
+
|
|
#define MUNCH_SIZE INT_MAX
|
|
|
|
+#if ! ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
|
|
+/* OpenSSL < 1.1.0 */
|
|
#define PY_OPENSSL_HAS_SCRYPT 1
|
|
+#endif
|
|
+#ifdef NID_sha512_224
|
|
+#define PY_OPENSSL_HAS_SHA2_TRUNCATED 1
|
|
+#endif
|
|
+#ifdef NID_sha3_224
|
|
#define PY_OPENSSL_HAS_SHA3 1
|
|
+#endif
|
|
+#ifdef NID_shake128
|
|
#define PY_OPENSSL_HAS_SHAKE 1
|
|
+#endif
|
|
+#ifdef NID_blake2s256
|
|
#define PY_OPENSSL_HAS_BLAKE2 1
|
|
+#endif
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
#define PY_EVP_MD EVP_MD
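Review bot: The comment `/* OpenSSL < 1.1.0 */` placed under `#if ! ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))` is inverted — the negation selects OpenSSL 1.1.0 and newer without LibreSSL, which is the range that gets `PY_OPENSSL_HAS_SCRYPT`; the same inverted comment is repeated under the two identical guards in the shared_ciphers hunks of `_ssl.c`. Suggest `/* OpenSSL >= 1.1.0, not LibreSSL */` in all three places. The `HMAC_CTX_new`, `HMAC_CTX_free` and `HMAC_CTX_get_md` shims are defined with external linkage; marking them `static` keeps these compatibility symbols out of the extension module's export table, where they could collide with a library that provides the real ones. A one-line comment on the block saying the shims mirror the 1.1.0 API surface that `_hashopenssl.c` relies on would also tell a maintainer when the block can be deleted.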
|
|
@@ -119,20 +162,28 @@
|
|
PY_HASH_ENTRY(Py_hash_sha256, "SHA256", SN_sha256, NID_sha256),
|
|
PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384),
|
|
PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512),
|
|
+#ifdef PY_OPENSSL_HAS_SHA2_TRUNCATED
|
|
/* truncated sha2 */
|
|
PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224, NID_sha512_224),
|
|
PY_HASH_ENTRY(Py_hash_sha512_256, "SHA512_256", SN_sha512_256, NID_sha512_256),
|
|
+#endif
|
|
+#ifdef PY_OPENSSL_HAS_SHA3
|
|
/* sha3 */
|
|
PY_HASH_ENTRY(Py_hash_sha3_224, NULL, SN_sha3_224, NID_sha3_224),
|
|
PY_HASH_ENTRY(Py_hash_sha3_256, NULL, SN_sha3_256, NID_sha3_256),
|
|
PY_HASH_ENTRY(Py_hash_sha3_384, NULL, SN_sha3_384, NID_sha3_384),
|
|
PY_HASH_ENTRY(Py_hash_sha3_512, NULL, SN_sha3_512, NID_sha3_512),
|
|
+#endif
|
|
+#ifdef PY_OPENSSL_HAS_SHAKE
|
|
/* sha3 shake */
|
|
PY_HASH_ENTRY(Py_hash_shake_128, NULL, SN_shake128, NID_shake128),
|
|
PY_HASH_ENTRY(Py_hash_shake_256, NULL, SN_shake256, NID_shake256),
|
|
+#endif
|
|
+#ifdef PY_OPENSSL_HAS_BLAKE
|
|
/* blake2 digest */
|
|
PY_HASH_ENTRY(Py_hash_blake2s, "blake2s256", SN_blake2s256, NID_blake2s256),
|
|
PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", SN_blake2b512, NID_blake2b512),
|
|
+#endif
|
|
PY_HASH_ENTRY(NULL, NULL, NULL, 0),
|
|
};
|
|
|
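Review bot: `#ifdef PY_OPENSSL_HAS_BLAKE` does not match the macro the first hunk defines, `PY_OPENSSL_HAS_BLAKE2`, so the two blake2 `PY_HASH_ENTRY` lines are compiled out on every OpenSSL build and the OpenSSL-backed table loses blake2s256/blake2b512 even where `NID_blake2s256` is available. Change the guard to `#ifdef PY_OPENSSL_HAS_BLAKE2`. The enclosing table starts outside this hunk.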
|
@@ -874,11 +925,15 @@
|
|
goto exit;
|
|
}
|
|
|
|
+#ifdef PY_OPENSSL_HAS_SHAKE
|
|
if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) {
|
|
type = get_hashlib_state(module)->EVPXOFtype;
|
|
} else {
|
|
type = get_hashlib_state(module)->EVPtype;
|
|
}
|
|
+#else
|
|
+ type = get_hashlib_state(module)->EVPtype;
|
|
+#endif
|
|
|
|
self = newEVPobject(type);
|
|
if (self == NULL) {
|
|
--- a/Modules/_ssl/cert.c
|
|
+++ b/Modules/_ssl/cert.c
|
|
@@ -6,6 +6,8 @@
|
|
#include "openssl/pem.h"
|
|
#include "openssl/x509.h"
|
|
|
|
+#if OPENSSL_VERSION_1_1
|
|
+
|
|
/*[clinic input]
|
|
module _ssl
|
|
class _ssl.Certificate "PySSLCertificate *" "PySSLCertificate_Type"
|
|
@@ -243,3 +245,5 @@
|
|
Py_TPFLAGS_DEFAULT | Py_TPFLAGS_DISALLOW_INSTANTIATION | Py_TPFLAGS_IMMUTABLETYPE,
|
|
PySSLCertificate_slots,
|
|
};
|
|
+
|
|
+#endif
|
|
--- a/Modules/_ssl/debughelpers.c
|
|
+++ b/Modules/_ssl/debughelpers.c
|
|
@@ -114,6 +114,8 @@
|
|
return 0;
|
|
}
|
|
|
|
+#ifdef HAVE_OPENSSL_KEYLOG
|
|
+
|
|
static void
|
|
_PySSL_keylog_callback(const SSL *ssl, const char *line)
|
|
{
|
|
@@ -217,3 +219,5 @@
|
|
SSL_CTX_set_keylog_callback(self->ctx, _PySSL_keylog_callback);
|
|
return 0;
|
|
}
|
|
+
|
|
+#endif
|
|
--- a/Modules/_ssl.c
|
|
+++ b/Modules/_ssl.c
|
|
@@ -115,6 +115,7 @@
|
|
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
|
|
#include "_ssl_data_300.h"
|
|
#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
|
|
+#define HAVE_OPENSSL_KEYLOG 1
|
|
#include "_ssl_data_111.h"
|
|
#else
|
|
#include "_ssl_data.h"
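Review bot: `#define HAVE_OPENSSL_KEYLOG 1` is added only in the `#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)` branch, so on the `OPENSSL_VERSION_NUMBER >= 0x30000000L` branch directly above it the macro stays undefined unless it is set somewhere outside this diff. Because `_PySSL_keylog_callback` in debughelpers.c and the `keylog_filename` getset entry are now wrapped in `#ifdef HAVE_OPENSSL_KEYLOG`, an OpenSSL 3.x build would silently lose `SSLContext.keylog_filename`. Define it in both branches, or hoist it into its own block after the include selection: `#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)` / `#define HAVE_OPENSSL_KEYLOG 1` / `#endif`.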
|
|
@@ -141,6 +142,76 @@
|
|
/* OpenSSL 1.1 does not have SSL 2.0 */
|
|
#define OPENSSL_NO_SSL2
|
|
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
|
|
+/* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */
|
|
+
|
|
+#define TLS_method SSLv23_method
|
|
+#define TLS_client_method SSLv23_client_method
|
|
+#define TLS_server_method SSLv23_server_method
|
|
+#define ASN1_STRING_get0_data ASN1_STRING_data
|
|
+#define X509_get0_notBefore X509_get_notBefore
|
|
+#define X509_get0_notAfter X509_get_notAfter
|
|
+#define OpenSSL_version_num SSLeay
|
|
+#define OpenSSL_version SSLeay_version
|
|
+#define OPENSSL_VERSION SSLEAY_VERSION
|
|
+static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne)
|
|
+{
|
|
+ return ne->set;
|
|
+}
|
|
+
|
|
+#ifndef OPENSSL_NO_COMP
|
|
+/* LCOV_EXCL_START */
|
|
+static int COMP_get_type(const COMP_METHOD *meth)
|
|
+{
|
|
+ return meth->type;
|
|
+}
|
|
+/* LCOV_EXCL_STOP */
|
|
+#endif
|
|
+
|
|
+static pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
|
|
+{
|
|
+ return ctx->default_passwd_callback;
|
|
+}
|
|
+
|
|
+static void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
|
|
+{
|
|
+ return ctx->default_passwd_callback_userdata;
|
|
+}
|
|
+
|
|
+static int X509_OBJECT_get_type(X509_OBJECT *x)
|
|
+{
|
|
+ return x->type;
|
|
+}
|
|
+
|
|
+static X509 *X509_OBJECT_get0_X509(X509_OBJECT *x)
|
|
+{
|
|
+ return x->data.x509;
|
|
+}
|
|
+
|
|
+static int BIO_up_ref(BIO *b)
|
|
+{
|
|
+ CRYPTO_add(&b->references, 1, CRYPTO_LOCK_BIO);
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+static STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *store) {
|
|
+ return store->objs;
|
|
+}
|
|
+
|
|
+static int
|
|
+SSL_SESSION_has_ticket(const SSL_SESSION *s)
|
|
+{
|
|
+ return (s->tlsext_ticklen > 0) ? 1 : 0;
|
|
+}
|
|
+
|
|
+static unsigned long
|
|
+SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
|
|
+{
|
|
+ return s->tlsext_tick_lifetime_hint;
|
|
+}
|
|
+
|
|
+#endif /* OpenSSL < 1.1.0 or LibreSSL < 2.7.0 */
|
|
+
|
|
/* Default cipher suites */
|
|
#ifndef PY_SSL_DEFAULT_CIPHERS
|
|
#define PY_SSL_DEFAULT_CIPHERS 1
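Review bot: The guard `#if (OPENSSL_VERSION_NUMBER < 0x10100000L)` does not match its own comment, which promises shims for `LibreSSL < 2.7.0` as well; LibreSSL reports `OPENSSL_VERSION_NUMBER` as 0x20000000L, so this block is never compiled for it, and the `_hashopenssl.c` hunk uses the different guard `(OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)` for the same purpose. Either extend the condition to the LibreSSL versions the comment names or trim the comment to `/* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 */`, and use one guard expression in both files. The shims dereference structure members directly (`ctx->default_passwd_callback`, `b->references`, `store->objs`); a short comment that they depend on the non-opaque 1.0.x structure layouts would explain to a later reader why they cannot be reused against newer headers.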
|
|
@@ -167,7 +238,11 @@
|
|
* Based on Hynek's excellent blog post (update 2021-02-11)
|
|
* https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
|
*/
|
|
+#ifdef OPENSSL_VERSION_1_1
|
|
#define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
|
|
+#else
|
|
+ #define PY_SSL_DEFAULT_CIPHER_STRING "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK"
|
|
+#endif
|
|
#ifndef PY_SSL_MIN_PROTOCOL
|
|
#define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION
|
|
#endif
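Review bot: `#ifdef OPENSSL_VERSION_1_1` here (and in the `PY_SSL_DEPRECATED` hunks and the `defined(OPENSSL_VERSION_1_1)` test in the min-protocol hunk) checks whether the macro is defined, while every other new guard in this diff uses `#if OPENSSL_VERSION_1_1`, which checks its value. The two forms agree only as long as `OPENSSL_VERSION_1_1` is never defined to 0; its definition is outside this diff, so pick one form — `#if OPENSSL_VERSION_1_1` matches the majority — and use it throughout. The fallback cipher string also drops the `@SECLEVEL=2` floor and the `!SHA1:!AESCCM` exclusions of the 1.1 string; a comment stating that `@SECLEVEL` is unavailable before 1.1 and that the remaining differences are intentional would document the weaker default rather than leave it to be rediscovered.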
|
|
@@ -1850,6 +1925,7 @@
|
|
return result;
|
|
}
|
|
|
|
+#if OPENSSL_VERSION_1_1
|
|
/*[clinic input]
|
|
_ssl._SSLSocket.get_verified_chain
|
|
|
|
@@ -1914,6 +1990,8 @@
|
|
return retval;
|
|
}
|
|
|
|
+#endif
|
|
+
|
|
static PyObject *
|
|
cipher_to_tuple(const SSL_CIPHER *cipher)
|
|
{
|
|
@@ -1978,6 +2056,7 @@
|
|
buf[len-1] = '\0';
|
|
strength_bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
|
|
|
|
+#if OPENSSL_VERSION_1_1
|
|
aead = SSL_CIPHER_is_aead(cipher);
|
|
nid = SSL_CIPHER_get_cipher_nid(cipher);
|
|
skcipher = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
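Review bot: Wrapping the `aead`/`skcipher`/`digest`/`kx`/`auth` assignments in `#if OPENSSL_VERSION_1_1` leaves their declarations — above this hunk and outside the diff — unconditional, so a pre-1.1 build would presumably get unused-variable warnings in `cipher_to_tuple`; the same applies to `client_ciphers` in the shared_ciphers hunks. Guard the declarations with the same `#if`, or comment why they are kept. The two `Py_BuildValue` hunks below use the same guard, so the returned dictionary has five fewer keys on older builds; a sentence in the function comment such as `/* aead, symmetric, digest, kea and auth are only present on OpenSSL 1.1+ */` would document that for Python callers. `cipher_to_tuple` starts and ends outside this hunk.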
|
|
@@ -1987,10 +2066,13 @@
|
|
kx = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
|
|
nid = SSL_CIPHER_get_auth_nid(cipher);
|
|
auth = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
|
|
+#endif
|
|
|
|
return Py_BuildValue(
|
|
"{sksssssssisi"
|
|
+#if OPENSSL_VERSION_1_1
|
|
"sOssssssss"
|
|
+#endif
|
|
"}",
|
|
"id", cipher_id,
|
|
"name", cipher_name,
|
|
@@ -1998,11 +2080,13 @@
|
|
"description", buf,
|
|
"strength_bits", strength_bits,
|
|
"alg_bits", alg_bits
|
|
+#if OPENSSL_VERSION_1_1
|
|
,"aead", aead ? Py_True : Py_False,
|
|
"symmetric", skcipher,
|
|
"digest", digest,
|
|
"kea", kx,
|
|
"auth", auth
|
|
+#endif
|
|
);
|
|
}
|
|
|
|
@@ -2031,9 +2115,12 @@
|
|
server_ciphers = SSL_get_ciphers(self->ssl);
|
|
if (!server_ciphers)
|
|
Py_RETURN_NONE;
|
|
+#if ! ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
|
|
+/* OpenSSL < 1.1.0 */
|
|
client_ciphers = SSL_get_client_ciphers(self->ssl);
|
|
if (!client_ciphers)
|
|
Py_RETURN_NONE;
|
|
+#endif
|
|
|
|
res = PyList_New(sk_SSL_CIPHER_num(server_ciphers));
|
|
if (!res)
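Review bot: With the `SSL_get_client_ciphers` call compiled out, `shared_ciphers()` on the pre-1.1 path returns every cipher in `server_ciphers` rather than the intersection with the client's list, which changes the method's meaning instead of degrading gracefully. Consider an `#else` branch that does `Py_RETURN_NONE;`, matching what the function already returns when either list is unavailable, and document the behaviour in the method docstring. The enclosing function starts and ends outside this hunk.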
|
|
@@ -2041,8 +2128,11 @@
|
|
len = 0;
|
|
for (i = 0; i < sk_SSL_CIPHER_num(server_ciphers); i++) {
|
|
cipher = sk_SSL_CIPHER_value(server_ciphers, i);
|
|
+#if ! ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
|
|
+/* OpenSSL < 1.1.0 */
|
|
if (sk_SSL_CIPHER_find(client_ciphers, cipher) < 0)
|
|
continue;
|
|
+#endif
|
|
|
|
PyObject *tup = cipher_to_tuple(cipher);
|
|
if (!tup) {
|
|
@@ -2339,6 +2429,9 @@
|
|
_ssl__SSLSocket_write_impl(PySSLSocket *self, Py_buffer *b)
|
|
/*[clinic end generated code: output=aa7a6be5527358d8 input=77262d994fe5100a]*/
|
|
{
|
|
+#ifndef SSL_write_ex
|
|
+ int len;
|
|
+#endif
|
|
size_t count = 0;
|
|
int retval;
|
|
int sockstate;
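Review bot: `#ifndef SSL_write_ex` tests for a preprocessor macro, but in the OpenSSL headers I know `SSL_write_ex` is an ordinary function prototype rather than a `#define`, so unless this build defines it somewhere outside the diff the `int len` / `SSL_write` branch is selected on every OpenSSL version, including 1.1.1 and 3.x, and the `size_t` path becomes dead code. A version test is the reliable form, e.g. `#if OPENSSL_VERSION_NUMBER >= 0x10101000L` with a matching `#else`, applied here, in the two later write hunks, and in the `SSL_read_ex` hunks of the read implementation (adjusted for whichever LibreSSL versions are meant to be supported). In the fallback branch `(size_t)b->len` is passed to `SSL_write`, whose length parameter is `int`; writing `(int)b->len` states the intent and makes the reliance on the added `INT_MAX` check visible. `_ssl__SSLSocket_write_impl` continues past this hunk.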
|
|
@@ -2358,6 +2451,14 @@
|
|
Py_INCREF(sock);
|
|
}
|
|
|
|
+#ifndef SSL_write_ex
|
|
+ if (b->len > INT_MAX) {
|
|
+ PyErr_Format(PyExc_OverflowError,
|
|
+ "string longer than %d bytes", INT_MAX);
|
|
+ goto error;
|
|
+ }
|
|
+#endif
|
|
+
|
|
if (sock != NULL) {
|
|
/* just in case the blocking state of the socket has been changed */
|
|
nonblocking = (sock->sock_timeout >= 0);
|
|
@@ -2388,8 +2489,13 @@
|
|
|
|
do {
|
|
PySSL_BEGIN_ALLOW_THREADS
|
|
+#ifdef SSL_write_ex
|
|
retval = SSL_write_ex(self->ssl, b->buf, (size_t)b->len, &count);
|
|
err = _PySSL_errno(retval == 0, self->ssl, retval);
|
|
+#else
|
|
+ len = SSL_write(self->ssl, b->buf, (size_t)b->len);
|
|
+ err = _PySSL_errno(len <= 0, self->ssl, len);
|
|
+#endif
|
|
PySSL_END_ALLOW_THREADS
|
|
self->err = err;
|
|
|
|
@@ -2423,11 +2529,20 @@
|
|
err.ssl == SSL_ERROR_WANT_WRITE);
|
|
|
|
Py_XDECREF(sock);
|
|
+#ifdef SSL_write_ex
|
|
if (retval == 0)
|
|
return PySSL_SetError(self, retval, __FILE__, __LINE__);
|
|
+#else
|
|
+ if (len <= 0)
|
|
+ return PySSL_SetError(self, len, __FILE__, __LINE__);
|
|
+#endif
|
|
if (PySSL_ChainExceptions(self) < 0)
|
|
return NULL;
|
|
+#ifdef SSL_write_ex
|
|
return PyLong_FromSize_t(count);
|
|
+#else
|
|
+ return PyLong_FromLong(len);
|
|
+#endif
|
|
error:
|
|
Py_XDECREF(sock);
|
|
PySSL_ChainExceptions(self);
|
|
@@ -2477,7 +2592,11 @@
|
|
{
|
|
PyObject *dest = NULL;
|
|
char *mem;
|
|
+#ifdef SSL_read_ex
|
|
size_t count = 0;
|
|
+#else
|
|
+ int count;
|
|
+#endif
|
|
int retval;
|
|
int sockstate;
|
|
_PySSLError err;
|
|
@@ -2541,8 +2660,13 @@
|
|
|
|
do {
|
|
PySSL_BEGIN_ALLOW_THREADS
|
|
+#ifdef SSL_read_ex
|
|
retval = SSL_read_ex(self->ssl, mem, (size_t)len, &count);
|
|
err = _PySSL_errno(retval == 0, self->ssl, retval);
|
|
+#else
|
|
+ count = SSL_read(self->ssl, mem, (size_t)len);
|
|
+ err = _PySSL_errno(count <= 0, self->ssl, count);
|
|
+#endif
|
|
PySSL_END_ALLOW_THREADS
|
|
self->err = err;
|
|
|
|
@@ -2576,8 +2700,13 @@
|
|
} while (err.ssl == SSL_ERROR_WANT_READ ||
|
|
err.ssl == SSL_ERROR_WANT_WRITE);
|
|
|
|
+#ifdef SSL_read_ex
|
|
if (retval == 0) {
|
|
PySSL_SetError(self, retval, __FILE__, __LINE__);
|
|
+#else
|
|
+ if (count <= 0) {
|
|
+ PySSL_SetError(self, count, __FILE__, __LINE__);
|
|
+#endif
|
|
goto error;
|
|
}
|
|
if (self->exc_type != NULL)
|
|
@@ -2590,7 +2719,11 @@
|
|
return dest;
|
|
}
|
|
else {
|
|
+#ifdef SSL_read_ex
|
|
return PyLong_FromSize_t(count);
|
|
+#else
|
|
+ return PyLong_FromLong(count);
|
|
+#endif
|
|
}
|
|
|
|
error:
|
|
@@ -2954,8 +3087,10 @@
|
|
_SSL__SSLSOCKET_COMPRESSION_METHODDEF
|
|
_SSL__SSLSOCKET_SHUTDOWN_METHODDEF
|
|
_SSL__SSLSOCKET_VERIFY_CLIENT_POST_HANDSHAKE_METHODDEF
|
|
+#if OPENSSL_VERSION_1_1
|
|
_SSL__SSLSOCKET_GET_UNVERIFIED_CHAIN_METHODDEF
|
|
_SSL__SSLSOCKET_GET_VERIFIED_CHAIN_METHODDEF
|
|
+#endif
|
|
{NULL, NULL}
|
|
};
|
|
|
|
@@ -3041,7 +3176,9 @@
|
|
switch(proto_version) {
|
|
#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
|
|
case PY_SSL_VERSION_SSL3:
|
|
+#ifdef OPENSSL_VERSION_1_1
|
|
PY_SSL_DEPRECATED("ssl.PROTOCOL_SSLv3 is deprecated", 2, NULL);
|
|
+#endif
|
|
method = SSLv3_method();
|
|
break;
|
|
#endif
|
|
@@ -3049,7 +3186,9 @@
|
|
!defined(OPENSSL_NO_TLS1) && \
|
|
!defined(OPENSSL_NO_TLS1_METHOD))
|
|
case PY_SSL_VERSION_TLS1:
|
|
+#ifdef OPENSSL_VERSION_1_1
|
|
PY_SSL_DEPRECATED("ssl.PROTOCOL_TLSv1 is deprecated", 2, NULL);
|
|
+#endif
|
|
method = TLSv1_method();
|
|
break;
|
|
#endif
|
|
@@ -3057,7 +3196,9 @@
|
|
!defined(OPENSSL_NO_TLS1_1) && \
|
|
!defined(OPENSSL_NO_TLS1_1_METHOD))
|
|
case PY_SSL_VERSION_TLS1_1:
|
|
+#ifdef OPENSSL_VERSION_1_1
|
|
PY_SSL_DEPRECATED("ssl.PROTOCOL_TLSv1_1 is deprecated", 2, NULL);
|
|
+#endif
|
|
method = TLSv1_1_method();
|
|
break;
|
|
#endif
|
|
@@ -3065,12 +3206,16 @@
|
|
!defined(OPENSSL_NO_TLS1_2) && \
|
|
!defined(OPENSSL_NO_TLS1_2_METHOD))
|
|
case PY_SSL_VERSION_TLS1_2:
|
|
+#ifdef OPENSSL_VERSION_1_1
|
|
PY_SSL_DEPRECATED("ssl.PROTOCOL_TLSv1_2 is deprecated", 2, NULL);
|
|
+#endif
|
|
method = TLSv1_2_method();
|
|
break;
|
|
#endif
|
|
case PY_SSL_VERSION_TLS:
|
|
+#ifdef OPENSSL_VERSION_1_1
|
|
PY_SSL_DEPRECATED("ssl.PROTOCOL_TLS is deprecated", 2, NULL);
|
|
+#endif
|
|
method = TLS_method();
|
|
break;
|
|
case PY_SSL_VERSION_TLS_CLIENT:
|
|
@@ -3170,7 +3315,7 @@
|
|
"No cipher can be selected.");
|
|
goto error;
|
|
}
|
|
-#ifdef PY_SSL_MIN_PROTOCOL
|
|
+#if defined(PY_SSL_MIN_PROTOCOL) && defined(OPENSSL_VERSION_1_1)
|
|
switch(proto_version) {
|
|
case PY_SSL_VERSION_TLS:
|
|
case PY_SSL_VERSION_TLS_CLIENT:
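Review bot: Changing the guard to `#if defined(PY_SSL_MIN_PROTOCOL) && defined(OPENSSL_VERSION_1_1)` removes the `PY_SSL_MIN_PROTOCOL` (`TLS1_2_VERSION`) floor entirely on pre-1.1 builds, and on those builds the new default cipher string has no `@SECLEVEL` either, so a `PROTOCOL_TLS`/`PROTOCOL_TLS_CLIENT`/`PROTOCOL_TLS_SERVER` context would again accept TLS 1.0 and 1.1 handshakes. The pre-1.1 API can still express the same floor through options: an `#else` branch for the `PY_SSL_VERSION_TLS*` cases that calls `SSL_CTX_set_options` on the new context with `SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` keeps the documented minimum consistent across builds. If the weaker behaviour is accepted instead, the release note and the `ssl` module docs should state that the TLS 1.2 minimum is not enforced on OpenSSL < 1.1.0. The enclosing context constructor starts and ends outside this hunk.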
|
|
@@ -3459,6 +3604,8 @@
|
|
}
|
|
|
|
/* Getter and setter for protocol version */
|
|
+#if defined(SSL_CTRL_GET_MAX_PROTO_VERSION)
|
|
+/* Getter and setter for protocol version */
|
|
static int
|
|
set_min_max_proto_version(PySSLContext *self, PyObject *arg, int what)
|
|
{
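Review bot: The added `/* Getter and setter for protocol version */` duplicates the identical context comment two lines above it, so the block now carries the same sentence twice around the new `#if defined(SSL_CTRL_GET_MAX_PROTO_VERSION)`. Drop the added copy, or make it explain the guard instead, e.g. `/* min/max protocol version API only exists on OpenSSL builds that define SSL_CTRL_GET_MAX_PROTO_VERSION */`. `set_min_max_proto_version` continues past this hunk.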
|
|
@@ -3576,6 +3723,7 @@
|
|
{
|
|
return set_min_max_proto_version(self, arg, 1);
|
|
}
|
|
+#endif
|
|
|
|
#ifdef TLS1_3_VERSION
|
|
static PyObject *
|
|
@@ -3610,12 +3758,14 @@
|
|
"Control the number of TLSv1.3 session tickets");
|
|
#endif /* TLS1_3_VERSION */
|
|
|
|
+#if OPENSSL_VERSION_1_1
|
|
static PyObject *
|
|
get_security_level(PySSLContext *self, void *c)
|
|
{
|
|
return PyLong_FromLong(SSL_CTX_get_security_level(self->ctx));
|
|
}
|
|
PyDoc_STRVAR(PySSLContext_security_level_doc, "The current security level");
|
|
+#endif
|
|
|
|
static PyObject *
|
|
get_options(PySSLContext *self, void *c)
|
|
@@ -3633,7 +3783,10 @@
|
|
uint64_t new_opts, opts, clear, set;
|
|
uint64_t opt_no = (
|
|
SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
|
|
- SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3
|
|
+ SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2
|
|
+#ifdef SSL_OP_NO_TLSv1_3
|
|
+ | SSL_OP_NO_TLSv1_3
|
|
+#endif
|
|
);
|
|
|
|
if (!PyArg_Parse(arg, "O!", &PyLong_Type, &new_opts_obj)) {
|
|
@@ -4541,7 +4694,7 @@
|
|
return 0;
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30300000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x30300000L
|
|
static X509_OBJECT *x509_object_dup(const X509_OBJECT *obj)
|
|
{
|
|
int ok;
|
|
@@ -4614,7 +4767,11 @@
|
|
int x509 = 0, crl = 0, ca = 0, i;
|
|
|
|
store = SSL_CTX_get_cert_store(self->ctx);
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
objs = X509_STORE_get1_objects(store);
|
|
+#else
|
|
+ objs = X509_STORE_get0_objects(store);
|
|
+#endif
|
|
if (objs == NULL) {
|
|
PyErr_SetString(PyExc_MemoryError, "failed to query cert store");
|
|
return NULL;
|
|
@@ -4637,7 +4794,9 @@
|
|
break;
|
|
}
|
|
}
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
|
|
+#endif
|
|
return Py_BuildValue("{sisisi}", "x509", x509, "crl", crl,
|
|
"x509_ca", ca);
|
|
}
|
|
@@ -4669,7 +4828,11 @@
|
|
}
|
|
|
|
store = SSL_CTX_get_cert_store(self->ctx);
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
objs = X509_STORE_get1_objects(store);
|
|
+#else
|
|
+ objs = X509_STORE_get0_objects(store);
|
|
+#endif
|
|
if (objs == NULL) {
|
|
PyErr_SetString(PyExc_MemoryError, "failed to query cert store");
|
|
goto error;
|
|
@@ -4702,11 +4865,15 @@
|
|
}
|
|
Py_CLEAR(ci);
|
|
}
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
|
|
+#endif
|
|
return rlist;
|
|
|
|
error:
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free);
|
|
+#endif
|
|
Py_XDECREF(ci);
|
|
Py_XDECREF(rlist);
|
|
return NULL;
|
|
@@ -4718,12 +4885,16 @@
|
|
(setter) set_check_hostname, NULL},
|
|
{"_host_flags", (getter) get_host_flags,
|
|
(setter) set_host_flags, NULL},
|
|
+#if defined(SSL_CTRL_GET_MAX_PROTO_VERSION)
|
|
{"minimum_version", (getter) get_minimum_version,
|
|
(setter) set_minimum_version, NULL},
|
|
{"maximum_version", (getter) get_maximum_version,
|
|
(setter) set_maximum_version, NULL},
|
|
+#endif
|
|
+#ifdef HAVE_OPENSSL_KEYLOG
|
|
{"keylog_filename", (getter) _PySSLContext_get_keylog_filename,
|
|
(setter) _PySSLContext_set_keylog_filename, NULL},
|
|
+#endif
|
|
{"_msg_callback", (getter) _PySSLContext_get_msg_callback,
|
|
(setter) _PySSLContext_set_msg_callback, NULL},
|
|
{"sni_callback", (getter) get_sni_callback,
|
|
@@ -4747,8 +4918,10 @@
|
|
(setter) set_verify_flags, NULL},
|
|
{"verify_mode", (getter) get_verify_mode,
|
|
(setter) set_verify_mode, NULL},
|
|
+#if OPENSSL_VERSION_1_1
|
|
{"security_level", (getter) get_security_level,
|
|
NULL, PySSLContext_security_level_doc},
|
|
+#endif
|
|
{NULL}, /* sentinel */
|
|
};
|
|
|
|
@@ -5839,6 +6012,14 @@
|
|
_sslmodulestate *state = get_ssl_state(module);
|
|
PySocketModule_APIObject *sockmod = PySocketModule_ImportModuleAndAPI();
|
|
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
|
|
+ /* Load all algorithms and initialize cpuid */
|
|
+ OPENSSL_add_all_algorithms_noconf();
|
|
+ /* Init OpenSSL */
|
|
+ SSL_load_error_strings();
|
|
+ SSL_library_init();
|
|
+#endif
|
|
+
|
|
if ((sockmod == NULL) || (sockmod->Sock_Type == NULL)) {
|
|
return -1;
|
|
}
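Review bot: The legacy `OPENSSL_add_all_algorithms_noconf()` / `SSL_load_error_strings()` / `SSL_library_init()` calls sit in the module exec function, so they run on every module initialisation (each interpreter or re-import) rather than once per process; as I recall the 1.0.x documentation describes `SSL_library_init()` as not reentrant, so concurrent sub-interpreter initialisation could presumably race here. Guard the block with a process-wide once flag, or add a comment explaining why repeated calls are acceptable for this code base. The enclosing exec function continues past this hunk.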
|
|
@@ -6266,11 +6447,13 @@
|
|
if (state->PySSLSession_Type == NULL)
|
|
return -1;
|
|
|
|
+#if OPENSSL_VERSION_1_1
|
|
state->PySSLCertificate_Type = (PyTypeObject *)PyType_FromModuleAndSpec(
|
|
module, &PySSLCertificate_spec, NULL
|
|
);
|
|
if (state->PySSLCertificate_Type == NULL)
|
|
return -1;
|
|
+#endif
|
|
|
|
if (PyModule_AddType(module, state->PySSLContext_Type))
|
|
return -1;
|
|
@@ -6280,8 +6463,10 @@
|
|
return -1;
|
|
if (PyModule_AddType(module, state->PySSLSession_Type))
|
|
return -1;
|
|
+#if OPENSSL_VERSION_1_1
|
|
if (PyModule_AddType(module, state->PySSLCertificate_Type))
|
|
return -1;
|
|
+#endif
|
|
return 0;
|
|
}
|
|
|
|
@@ -6328,7 +6513,9 @@
|
|
Py_VISIT(state->PySSLSocket_Type);
|
|
Py_VISIT(state->PySSLMemoryBIO_Type);
|
|
Py_VISIT(state->PySSLSession_Type);
|
|
+#if OPENSSL_VERSION_1_1
|
|
Py_VISIT(state->PySSLCertificate_Type);
|
|
+#endif
|
|
Py_VISIT(state->PySSLErrorObject);
|
|
Py_VISIT(state->PySSLCertVerificationErrorObject);
|
|
Py_VISIT(state->PySSLZeroReturnErrorObject);
|
|
@@ -6353,7 +6540,9 @@
|
|
Py_CLEAR(state->PySSLSocket_Type);
|
|
Py_CLEAR(state->PySSLMemoryBIO_Type);
|
|
Py_CLEAR(state->PySSLSession_Type);
|
|
+#if OPENSSL_VERSION_1_1
|
|
Py_CLEAR(state->PySSLCertificate_Type);
|
|
+#endif
|
|
Py_CLEAR(state->PySSLErrorObject);
|
|
Py_CLEAR(state->PySSLCertVerificationErrorObject);
|
|
Py_CLEAR(state->PySSLZeroReturnErrorObject);
|