--- Python-3.5.4-orig/Modules/_ssl.c 2017-08-07 17:59:11.000000000 +1000 +++ Python-3.5.4/Modules/_ssl.c 2017-10-10 00:03:04.820943867 +1100 @@ -139,7 +139,17 @@ #define HAVE_OPENSSL_CRYPTO_LOCK #endif +#ifndef OPENSSL_VERSION_1_1 #define TLS_method SSLv23_method +#define TLS_client_method SSLv23_client_method +#define TLS_server_method SSLv23_server_method +#define X509_get0_notBefore X509_get_notBefore +#define X509_get0_notAfter X509_get_notAfter +#define ASN1_STRING_get0_data ASN1_STRING_data +#define OpenSSL_version_num SSLeay +#define OpenSSL_version SSLeay_version +#define OPENSSL_VERSION SSLEAY_VERSION +#endif static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) { @@ -997,7 +1007,7 @@ goto fail; } PyTuple_SET_ITEM(t, 0, v); - v = PyUnicode_FromStringAndSize((char *)ASN1_STRING_data(as), + v = PyUnicode_FromStringAndSize((char *)ASN1_STRING_get0_data(as), ASN1_STRING_length(as)); if (v == NULL) { Py_DECREF(t); @@ -1300,7 +1310,7 @@ Py_DECREF(sn_obj); (void) BIO_reset(biobuf); - notBefore = X509_get_notBefore(certificate); + notBefore = X509_get0_notBefore(certificate); ASN1_TIME_print(biobuf, notBefore); len = BIO_gets(biobuf, buf, sizeof(buf)-1); if (len < 0) { @@ -1317,7 +1327,7 @@ Py_DECREF(pnotBefore); (void) BIO_reset(biobuf); - notAfter = X509_get_notAfter(certificate); + notAfter = X509_get0_notAfter(certificate); ASN1_TIME_print(biobuf, notAfter); len = BIO_gets(biobuf, buf, sizeof(buf)-1); if (len < 0) { 
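Review bot: The `#ifndef OPENSSL_VERSION_1_1` guard introduced here, and every `#ifdef OPENSSL_VERSION_1_1` branch later in the patch, hinge on a macro that nothing in this diff defines; unless 3.5.4's _ssl.c already defines it above this hunk (not visible here), all of the 1.1-specific code is dead and these 1.0-style aliases are applied to a 1.1 build as well. It should be derived from the library version the way the _hashopenssl.c hunk does, excluding LibreSSL, which reports a 2.x `OPENSSL_VERSION_NUMBER` but at the time of this patch did not provide the 1.1 API: `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)` / `#define OPENSSL_VERSION_1_1 1` / `#endif`, placed before this block. A one-line comment on the block, `/* OpenSSL < 1.1.0 and LibreSSL: map the 1.1 names onto the legacy API */`, would also tell a later reader that `X509_get0_notBefore` and friends are aliases here rather than the real 1.1 accessors.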
@@ -2335,22 +2345,52 @@ #endif PySSL_BEGIN_ALLOW_THREADS - if (proto_version == PY_SSL_VERSION_TLS1) + if (proto_version == PY_SSL_VERSION_TLS1) { +#ifdef OPENSSL_VERSION_1_1 + ctx = SSL_CTX_new(TLS_method()); + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); +#else ctx = SSL_CTX_new(TLSv1_method()); +#endif + } #if HAVE_TLSv1_2 - else if (proto_version == PY_SSL_VERSION_TLS1_1) + else if (proto_version == PY_SSL_VERSION_TLS1_1) { +#ifdef OPENSSL_VERSION_1_1 + ctx = SSL_CTX_new(TLS_method()); + SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); +#else ctx = SSL_CTX_new(TLSv1_1_method()); - else if (proto_version == PY_SSL_VERSION_TLS1_2) +#endif + } + else if (proto_version == PY_SSL_VERSION_TLS1_2) { +#ifdef OPENSSL_VERSION_1_1 + ctx = SSL_CTX_new(TLS_method()); + SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); +#else ctx = SSL_CTX_new(TLSv1_2_method()); #endif + } +#endif #ifndef OPENSSL_NO_SSL3 - else if (proto_version == PY_SSL_VERSION_SSL3) + else if (proto_version == PY_SSL_VERSION_SSL3) { +#ifdef OPENSSL_VERSION_1_1 + ctx = SSL_CTX_new(TLS_method()); + SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); +#else ctx = SSL_CTX_new(SSLv3_method()); #endif + } +#endif #ifndef OPENSSL_NO_SSL2 - else if (proto_version == PY_SSL_VERSION_SSL2) + else if (proto_version == PY_SSL_VERSION_SSL2) { +#ifdef OPENSSL_VERSION_1_1 + ctx = SSL_CTX_new(TLS_method()); + SSL_CTX_set_min_proto_version(ctx, SSL2_VERSION); +#else ctx = SSL_CTX_new(SSLv2_method()); #endif + } +#endif else if (proto_version == PY_SSL_VERSION_TLS) ctx = SSL_CTX_new(TLS_method()); else @@ -2403,7 +2443,7 @@ conservative and assume it wasn't fixed until release. We do this check at runtime to avoid problems from the dynamic linker. See #25672 for more on this. */ - libver = SSLeay(); + libver = OpenSSL_version_num(); if (!(libver >= 0x10001000UL && libver < 0x1000108fUL) && !(libver >= 0x10000000UL && libver < 0x100000dfUL)) { SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS); 
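Review bot: In each new 1.1 arm `SSL_CTX_set_min_proto_version(ctx, ...)` runs before `ctx` is checked for NULL, so an `SSL_CTX_new` failure dereferences a null context instead of reaching the error report that presumably follows the chain, and only the lower bound is set, so `PROTOCOL_TLSv1` now negotiates TLS 1.0 through 1.2 (and `PROTOCOL_TLSv1_1` 1.1 through 1.2) where `TLSv1_method()` pinned exactly one version. The return values of the bound setters are also discarded, although they are 0 on failure. OpenSSL 1.1 builds define `OPENSSL_NO_SSL2`, so the `SSL2_VERSION` arm is unreachable there, but the other four arms are live. I would move the construction into one helper that sets both bounds and frees the context on failure, so that the NULL check after the chain reports all of these the same way; the enclosing constructor starts and ends outside the hunk.
```c
#ifdef OPENSSL_VERSION_1_1
/* Build a context that negotiates exactly `version`, the behaviour the
 * version-specific TLSv1_method()/TLSv1_1_method()/... constructors had
 * before 1.1.  Returns NULL on failure. */
static SSL_CTX *
new_pinned_ctx(int version)
{
    SSL_CTX *ctx = SSL_CTX_new(TLS_method());
    if (ctx == NULL)
        return NULL;
    if (!SSL_CTX_set_min_proto_version(ctx, version) ||
        !SSL_CTX_set_max_proto_version(ctx, version)) {
        SSL_CTX_free(ctx);
        return NULL;
    }
    return ctx;
}
#endif

/* … unchanged: constructor body up to PySSL_BEGIN_ALLOW_THREADS … */
    if (proto_version == PY_SSL_VERSION_TLS1) {
#ifdef OPENSSL_VERSION_1_1
        ctx = new_pinned_ctx(TLS1_VERSION);
#else
        ctx = SSL_CTX_new(TLSv1_method());
#endif
    }
    /* … the TLS1_1, TLS1_2 and SSL3 arms change the same way, with
       TLS1_1_VERSION, TLS1_2_VERSION and SSL3_VERSION … */
```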
@@ -3981,7 +4021,11 @@ if (bytes == NULL) return NULL; if (pseudo) { +#ifdef OPENSSL_VERSION_1_1 + ok = RAND_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len); +#else ok = RAND_pseudo_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len); +#endif if (ok == 0 || ok == 1) return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False); } @@ -4629,8 +4673,12 @@ PySocketModule = *socket_api; /* Init OpenSSL */ +#ifdef OPENSSL_VERSION_1_1 + OPENSSL_init_ssl(0, NULL); +#else SSL_load_error_strings(); SSL_library_init(); +#endif #ifdef WITH_THREAD #ifdef HAVE_OPENSSL_CRYPTO_LOCK /* note that this will start threading if not already started */ @@ -4642,8 +4690,9 @@ _ssl_locks_count++; #endif #endif /* WITH_THREAD */ +#ifndef OPENSSL_VERSION_1_1 OpenSSL_add_all_algorithms(); - +#endif /* Add symbols to module dict */ sslerror_type_slots[0].pfunc = PyExc_OSError; PySSLErrorObject = PyType_FromSpec(&sslerror_type_spec); @@ -4902,10 +4951,10 @@ return NULL; /* OpenSSL version */ - /* SSLeay() gives us the version of the library linked against, + /* OpenSSL_version_num() gives us the version of the library linked against, which could be different from the headers version. */ - libver = SSLeay(); + libver = OpenSSL_version_num(); r = PyLong_FromUnsignedLong(libver); if (r == NULL) return NULL; @@ -4915,7 +4964,7 @@ r = Py_BuildValue("IIIII", major, minor, fix, patch, status); if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r)) return NULL; - r = PyUnicode_FromString(SSLeay_version(SSLEAY_VERSION)); + r = PyUnicode_FromString(OpenSSL_version(OPENSSL_VERSION)); if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r)) return NULL; --- Python-3.5.4-orig/Modules/_hashopenssl.c 2017-08-07 17:59:11.000000000 +1000 +++ Python-3.5.4/Modules/_hashopenssl.c 2017-10-09 23:54:37.292929711 +1100 
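Review bot: With `RAND_bytes` substituted for `RAND_pseudo_bytes` on 1.1, the unchanged `if (ok == 0 || ok == 1)` test just below the `#endif` now returns the buffer for `ok == 0`, but for `RAND_bytes` 0 means failure and the buffer has not been filled, whereas for `RAND_pseudo_bytes` it meant "filled, but not cryptographically strong". The effect is that the pseudo-random entry point on OpenSSL 1.1 can hand back unrandomised bytes tagged `is_cryptographic=False` instead of raising. Keep the two-valued test in the `#else` arm and use `if (ok == 1) return Py_BuildValue("NO", bytes, Py_True);` in the 1.1 arm, so that `ok == 0` falls through to the error path that presumably follows the hunk. The enclosing function starts before the hunk.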
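Review bot: The return value of `OPENSSL_init_ssl(0, NULL)` in the module-init hunk is discarded; it returns 0 when initialisation fails, and the function then continues into `PyType_FromSpec` and the rest of the module setup with an uninitialised library. Either check it — `if (!OPENSSL_init_ssl(0, NULL)) { PyErr_SetString(PyExc_RuntimeError, "OPENSSL_init_ssl failed"); return NULL; }` — or drop the call, since OpenSSL 1.1 documents automatic initialisation on first use and `SSL_load_error_strings()`/`SSL_library_init()` were the only work being replaced. If the call stays, a one-line comment, `/* 1.1: also loads the SSL error strings by default; crypto strings load on first use */`, would explain why `SSL_load_error_strings()` has no explicit 1.1 counterpart. The enclosing module-init function starts and ends outside the hunk.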
@@ -866,8 +866,10 @@ { PyObject *m, *openssl_md_meth_names; +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) OpenSSL_add_all_digests(); ERR_load_crypto_strings(); +#endif /* TODO build EVP_functions openssl_* entries dynamically based * on what hashes are supported rather than listing many
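Review bot: This guard spells out "pre-1.1 OpenSSL or LibreSSL" directly from the version macros, while the _ssl.c hunks rely on an `OPENSSL_VERSION_1_1` macro whose definition is not in this diff; the two modules need to agree on the LibreSSL case, since LibreSSL reports a 2.x `OPENSSL_VERSION_NUMBER` but still needs the explicit `OpenSSL_add_all_digests()`/`ERR_load_crypto_strings()` calls. A short comment would make the intent checkable later: `/* OpenSSL >= 1.1.0 initialises itself on first use; LibreSSL reports a 2.x version but keeps the 1.0 API and still needs explicit init. */`. Note that on 1.1 both calls remain available as compatibility macros onto `OPENSSL_init_crypto` unless `OPENSSL_API_COMPAT` disables them, so the guard is hygiene rather than a build fix. The enclosing init function's signature is above the hunk.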