File no-strict-openssl111-dep.patch of Package saltbundlepy
--- a/Modules/clinic/_ssl.c.h
+++ b/Modules/clinic/_ssl.c.h
@@ -88,6 +88,7 @@
return return_value;
}
+#if OPENSSL_VERSION_1_1
PyDoc_STRVAR(_ssl__SSLSocket_get_verified_chain__doc__,
"get_verified_chain($self, /)\n"
"--\n"
@@ -121,6 +122,7 @@
{
return _ssl__SSLSocket_get_unverified_chain_impl(self);
}
+#endif
PyDoc_STRVAR(_ssl__SSLSocket_shared_ciphers__doc__,
"shared_ciphers($self, /)\n"
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -43,12 +43,55 @@
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
#endif
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+/* OpenSSL < 1.1.0 */
+#define EVP_MD_CTX_new EVP_MD_CTX_create
+#define EVP_MD_CTX_free EVP_MD_CTX_destroy
+HMAC_CTX *
+HMAC_CTX_new(void)
+{
+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
+ if (ctx != NULL) {
+ memset(ctx, 0, sizeof(HMAC_CTX));
+ HMAC_CTX_init(ctx);
+ }
+ return ctx;
+}
+
+void
+HMAC_CTX_free(HMAC_CTX *ctx)
+{
+ if (ctx != NULL) {
+ HMAC_CTX_cleanup(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+const EVP_MD *
+HMAC_CTX_get_md(const HMAC_CTX *ctx)
+{
+ return ctx->md;
+}
+#endif
+
#define MUNCH_SIZE INT_MAX
+#if ! ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
+/* OpenSSL < 1.1.0 */
#define PY_OPENSSL_HAS_SCRYPT 1
+#endif
+#ifdef NID_sha512_224
+#define PY_OPENSSL_HAS_SHA2_TRUNCATED 1
+#endif
+#ifdef NID_sha3_224
#define PY_OPENSSL_HAS_SHA3 1
+#endif
+#ifdef NID_shake128
#define PY_OPENSSL_HAS_SHAKE 1
+#endif
+#ifdef NID_blake2s256
#define PY_OPENSSL_HAS_BLAKE2 1
+#endif
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#define PY_EVP_MD EVP_MD
@@ -119,20 +162,28 @@
PY_HASH_ENTRY(Py_hash_sha256, "SHA256", SN_sha256, NID_sha256),
PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384),
PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512),
+#ifdef PY_OPENSSL_HAS_SHA2_TRUNCATED
/* truncated sha2 */
PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224, NID_sha512_224),
PY_HASH_ENTRY(Py_hash_sha512_256, "SHA512_256", SN_sha512_256, NID_sha512_256),
+#endif
+#ifdef PY_OPENSSL_HAS_SHA3
/* sha3 */
PY_HASH_ENTRY(Py_hash_sha3_224, NULL, SN_sha3_224, NID_sha3_224),
PY_HASH_ENTRY(Py_hash_sha3_256, NULL, SN_sha3_256, NID_sha3_256),
PY_HASH_ENTRY(Py_hash_sha3_384, NULL, SN_sha3_384, NID_sha3_384),
PY_HASH_ENTRY(Py_hash_sha3_512, NULL, SN_sha3_512, NID_sha3_512),
+#endif
+#ifdef PY_OPENSSL_HAS_SHAKE
/* sha3 shake */
PY_HASH_ENTRY(Py_hash_shake_128, NULL, SN_shake128, NID_shake128),
PY_HASH_ENTRY(Py_hash_shake_256, NULL, SN_shake256, NID_shake256),
+#endif
+#ifdef PY_OPENSSL_HAS_BLAKE
/* blake2 digest */
PY_HASH_ENTRY(Py_hash_blake2s, "blake2s256", SN_blake2s256, NID_blake2s256),
PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", SN_blake2b512, NID_blake2b512),
+#endif
PY_HASH_ENTRY(NULL, NULL, NULL, 0),
};
@@ -872,11 +923,15 @@
goto exit;
}
+#ifdef PY_OPENSSL_HAS_SHAKE
if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) {
type = get_hashlib_state(module)->EVPXOFtype;
} else {
type = get_hashlib_state(module)->EVPtype;
}
+#else
+ type = get_hashlib_state(module)->EVPtype;
+#endif
self = newEVPobject(type);
if (self == NULL) {
--- a/Modules/_ssl/cert.c
+++ b/Modules/_ssl/cert.c
@@ -6,6 +6,8 @@
#include "openssl/pem.h"
#include "openssl/x509.h"
+#if OPENSSL_VERSION_1_1
+
/*[clinic input]
module _ssl
class _ssl.Certificate "PySSLCertificate *" "PySSLCertificate_Type"
@@ -243,3 +245,5 @@
Py_TPFLAGS_DEFAULT | Py_TPFLAGS_DISALLOW_INSTANTIATION | Py_TPFLAGS_IMMUTABLETYPE,
PySSLCertificate_slots,
};
+
+#endif
--- a/Modules/_ssl/debughelpers.c
+++ b/Modules/_ssl/debughelpers.c
@@ -114,6 +114,8 @@
return 0;
}
+#ifdef HAVE_OPENSSL_KEYLOG
+
static void
_PySSL_keylog_callback(const SSL *ssl, const char *line)
{
@@ -217,3 +219,5 @@
SSL_CTX_set_keylog_callback(self->ctx, _PySSL_keylog_callback);
return 0;
}
+
+#endif
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -117,6 +117,7 @@
#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
#include "_ssl_data_300.h"
#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
+#define HAVE_OPENSSL_KEYLOG 1
#include "_ssl_data_111.h"
#else
#include "_ssl_data.h"
@@ -143,6 +144,76 @@
/* OpenSSL 1.1 does not have SSL 2.0 */
#define OPENSSL_NO_SSL2
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+/* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */
+
+#define TLS_method SSLv23_method
+#define TLS_client_method SSLv23_client_method
+#define TLS_server_method SSLv23_server_method
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#define X509_get0_notBefore X509_get_notBefore
+#define X509_get0_notAfter X509_get_notAfter
+#define OpenSSL_version_num SSLeay
+#define OpenSSL_version SSLeay_version
+#define OPENSSL_VERSION SSLEAY_VERSION
+static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne)
+{
+ return ne->set;
+}
+
+#ifndef OPENSSL_NO_COMP
+/* LCOV_EXCL_START */
+static int COMP_get_type(const COMP_METHOD *meth)
+{
+ return meth->type;
+}
+/* LCOV_EXCL_STOP */
+#endif
+
+static pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
+{
+ return ctx->default_passwd_callback;
+}
+
+static void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
+{
+ return ctx->default_passwd_callback_userdata;
+}
+
+static int X509_OBJECT_get_type(X509_OBJECT *x)
+{
+ return x->type;
+}
+
+static X509 *X509_OBJECT_get0_X509(X509_OBJECT *x)
+{
+ return x->data.x509;
+}
+
+static int BIO_up_ref(BIO *b)
+{
+ CRYPTO_add(&b->references, 1, CRYPTO_LOCK_BIO);
+ return 1;
+}
+
+static STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *store) {
+ return store->objs;
+}
+
+static int
+SSL_SESSION_has_ticket(const SSL_SESSION *s)
+{
+ return (s->tlsext_ticklen > 0) ? 1 : 0;
+}
+
+static unsigned long
+SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
+{
+ return s->tlsext_tick_lifetime_hint;
+}
+
+#endif /* OpenSSL < 1.1.0 or LibreSSL < 2.7.0 */
+
/* Default cipher suites */
#ifndef PY_SSL_DEFAULT_CIPHERS
#define PY_SSL_DEFAULT_CIPHERS 1
@@ -169,7 +240,11 @@
* Based on Hynek's excellent blog post (update 2021-02-11)
* https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
*/
+#ifdef OPENSSL_VERSION_1_1
#define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
+#else
+ #define PY_SSL_DEFAULT_CIPHER_STRING "DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK"
+#endif
#ifndef PY_SSL_MIN_PROTOCOL
#define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION
#endif
@@ -1829,6 +1904,7 @@
return result;
}
+#if OPENSSL_VERSION_1_1
/*[clinic input]
_ssl._SSLSocket.get_verified_chain
@@ -1893,6 +1969,8 @@
return retval;
}
+#endif
+
static PyObject *
cipher_to_tuple(const SSL_CIPHER *cipher)
{
@@ -1957,6 +2035,7 @@
buf[len-1] = '\0';
strength_bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
+#if OPENSSL_VERSION_1_1
aead = SSL_CIPHER_is_aead(cipher);
nid = SSL_CIPHER_get_cipher_nid(cipher);
skcipher = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
@@ -1966,10 +2045,13 @@
kx = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
nid = SSL_CIPHER_get_auth_nid(cipher);
auth = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
+#endif
return Py_BuildValue(
"{sksssssssisi"
+#if OPENSSL_VERSION_1_1
"sOssssssss"
+#endif
"}",
"id", cipher_id,
"name", cipher_name,
@@ -1977,11 +2059,13 @@
"description", buf,
"strength_bits", strength_bits,
"alg_bits", alg_bits
+#if OPENSSL_VERSION_1_1
,"aead", aead ? Py_True : Py_False,
"symmetric", skcipher,
"digest", digest,
"kea", kx,
"auth", auth
+#endif
);
}
@@ -2298,6 +2382,9 @@
_ssl__SSLSocket_write_impl(PySSLSocket *self, Py_buffer *b)
/*[clinic end generated code: output=aa7a6be5527358d8 input=77262d994fe5100a]*/
{
+#ifndef SSL_write_ex
+ int len;
+#endif
size_t count = 0;
int retval;
int sockstate;
@@ -2317,6 +2404,14 @@
Py_INCREF(sock);
}
+#ifndef SSL_write_ex
+ if (b->len > INT_MAX) {
+ PyErr_Format(PyExc_OverflowError,
+ "string longer than %d bytes", INT_MAX);
+ goto error;
+ }
+#endif
+
if (sock != NULL) {
/* just in case the blocking state of the socket has been changed */
nonblocking = (sock->sock_timeout >= 0);
@@ -2346,8 +2441,13 @@
do {
PySSL_BEGIN_ALLOW_THREADS
+#ifdef SSL_write_ex
retval = SSL_write_ex(self->ssl, b->buf, (size_t)b->len, &count);
err = _PySSL_errno(retval == 0, self->ssl, retval);
+#else
+ len = SSL_write(self->ssl, b->buf, (size_t)b->len);
+ err = _PySSL_errno(len <= 0, self->ssl, len);
+#endif
PySSL_END_ALLOW_THREADS
self->err = err;
@@ -2380,11 +2480,20 @@
err.ssl == SSL_ERROR_WANT_WRITE);
Py_XDECREF(sock);
+#ifdef SSL_write_ex
if (retval == 0)
return PySSL_SetError(self, retval, __FILE__, __LINE__);
+#else
+ if (len <= 0)
+ return PySSL_SetError(self, len, __FILE__, __LINE__);
+#endif
if (PySSL_ChainExceptions(self) < 0)
return NULL;
+#ifdef SSL_write_ex
return PyLong_FromSize_t(count);
+#else
+ return PyLong_FromLong(len);
+#endif
error:
Py_XDECREF(sock);
PySSL_ChainExceptions(self);
@@ -2434,7 +2543,11 @@
{
PyObject *dest = NULL;
char *mem;
+#ifdef SSL_read_ex
size_t count = 0;
+#else
+ int count;
+#endif
int retval;
int sockstate;
_PySSLError err;
@@ -2498,8 +2611,13 @@
do {
PySSL_BEGIN_ALLOW_THREADS
+#ifdef SSL_read_ex
retval = SSL_read_ex(self->ssl, mem, (size_t)len, &count);
err = _PySSL_errno(retval == 0, self->ssl, retval);
+#else
+ count = SSL_read(self->ssl, mem, (size_t)len);
+ err = _PySSL_errno(count <= 0, self->ssl, count);
+#endif
PySSL_END_ALLOW_THREADS
self->err = err;
@@ -2532,8 +2650,13 @@
} while (err.ssl == SSL_ERROR_WANT_READ ||
err.ssl == SSL_ERROR_WANT_WRITE);
+#ifdef SSL_read_ex
if (retval == 0) {
PySSL_SetError(self, retval, __FILE__, __LINE__);
+#else
+ if (count <= 0) {
+ PySSL_SetError(self, count, __FILE__, __LINE__);
+#endif
goto error;
}
if (self->exc_type != NULL)
@@ -2546,7 +2669,11 @@
return dest;
}
else {
+#ifdef SSL_read_ex
return PyLong_FromSize_t(count);
+#else
+ return PyLong_FromLong(count);
+#endif
}
error:
@@ -2907,8 +3034,10 @@
_SSL__SSLSOCKET_COMPRESSION_METHODDEF
_SSL__SSLSOCKET_SHUTDOWN_METHODDEF
_SSL__SSLSOCKET_VERIFY_CLIENT_POST_HANDSHAKE_METHODDEF
+#if OPENSSL_VERSION_1_1
_SSL__SSLSOCKET_GET_UNVERIFIED_CHAIN_METHODDEF
_SSL__SSLSOCKET_GET_VERIFIED_CHAIN_METHODDEF
+#endif
{NULL, NULL}
};
@@ -2994,7 +3123,9 @@
switch(proto_version) {
#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
case PY_SSL_VERSION_SSL3:
+#ifdef OPENSSL_VERSION_1_1
PY_SSL_DEPRECATED("ssl.PROTOCOL_SSLv3 is deprecated", 2, NULL);
+#endif
method = SSLv3_method();
break;
#endif
@@ -3002,7 +3133,9 @@
!defined(OPENSSL_NO_TLS1) && \
!defined(OPENSSL_NO_TLS1_METHOD))
case PY_SSL_VERSION_TLS1:
+#ifdef OPENSSL_VERSION_1_1
PY_SSL_DEPRECATED("ssl.PROTOCOL_TLSv1 is deprecated", 2, NULL);
+#endif
method = TLSv1_method();
break;
#endif
@@ -3010,7 +3143,9 @@
!defined(OPENSSL_NO_TLS1_1) && \
!defined(OPENSSL_NO_TLS1_1_METHOD))
case PY_SSL_VERSION_TLS1_1:
+#ifdef OPENSSL_VERSION_1_1
PY_SSL_DEPRECATED("ssl.PROTOCOL_TLSv1_1 is deprecated", 2, NULL);
+#endif
method = TLSv1_1_method();
break;
#endif
@@ -3018,12 +3153,16 @@
!defined(OPENSSL_NO_TLS1_2) && \
!defined(OPENSSL_NO_TLS1_2_METHOD))
case PY_SSL_VERSION_TLS1_2:
+#ifdef OPENSSL_VERSION_1_1
PY_SSL_DEPRECATED("ssl.PROTOCOL_TLSv1_2 is deprecated", 2, NULL);
+#endif
method = TLSv1_2_method();
break;
#endif
case PY_SSL_VERSION_TLS:
+#ifdef OPENSSL_VERSION_1_1
PY_SSL_DEPRECATED("ssl.PROTOCOL_TLS is deprecated", 2, NULL);
+#endif
method = TLS_method();
break;
case PY_SSL_VERSION_TLS_CLIENT:
@@ -3128,7 +3267,7 @@
"No cipher can be selected.");
goto error;
}
-#ifdef PY_SSL_MIN_PROTOCOL
+#if defined(PY_SSL_MIN_PROTOCOL) && defined(OPENSSL_VERSION_1_1)
switch(proto_version) {
case PY_SSL_VERSION_TLS:
case PY_SSL_VERSION_TLS_CLIENT:
@@ -3417,6 +3556,8 @@
}
/* Getter and setter for protocol version */
+#if defined(SSL_CTRL_GET_MAX_PROTO_VERSION)
+/* Getter and setter for protocol version */
static int
set_min_max_proto_version(PySSLContext *self, PyObject *arg, int what)
{
@@ -3534,6 +3675,7 @@
{
return set_min_max_proto_version(self, arg, 1);
}
+#endif
#ifdef TLS1_3_VERSION
static PyObject *
@@ -3568,12 +3710,14 @@
"Control the number of TLSv1.3 session tickets");
#endif /* TLS1_3_VERSION */
+#if OPENSSL_VERSION_1_1
static PyObject *
get_security_level(PySSLContext *self, void *c)
{
return PyLong_FromLong(SSL_CTX_get_security_level(self->ctx));
}
PyDoc_STRVAR(PySSLContext_security_level_doc, "The current security level");
+#endif
static PyObject *
get_options(PySSLContext *self, void *c)
@@ -3587,7 +3731,10 @@
long new_opts, opts, set, clear;
long opt_no = (
SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
- SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_3
+ SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2
+#ifdef SSL_OP_NO_TLSv1_3
+ | SSL_OP_NO_TLSv1_3
+#endif
);
if (!PyArg_Parse(arg, "l", &new_opts))
@@ -4599,12 +4746,16 @@
(setter) set_check_hostname, NULL},
{"_host_flags", (getter) get_host_flags,
(setter) set_host_flags, NULL},
+#if defined(SSL_CTRL_GET_MAX_PROTO_VERSION)
{"minimum_version", (getter) get_minimum_version,
(setter) set_minimum_version, NULL},
{"maximum_version", (getter) get_maximum_version,
(setter) set_maximum_version, NULL},
+#endif
+#ifdef HAVE_OPENSSL_KEYLOG
{"keylog_filename", (getter) _PySSLContext_get_keylog_filename,
(setter) _PySSLContext_set_keylog_filename, NULL},
+#endif
{"_msg_callback", (getter) _PySSLContext_get_msg_callback,
(setter) _PySSLContext_set_msg_callback, NULL},
{"sni_callback", (getter) get_sni_callback,
@@ -4628,8 +4779,10 @@
(setter) set_verify_flags, NULL},
{"verify_mode", (getter) get_verify_mode,
(setter) set_verify_mode, NULL},
+#if OPENSSL_VERSION_1_1
{"security_level", (getter) get_security_level,
NULL, PySSLContext_security_level_doc},
+#endif
{NULL}, /* sentinel */
};
@@ -5719,6 +5872,14 @@
_sslmodulestate *state = get_ssl_state(module);
PySocketModule_APIObject *sockmod = PySocketModule_ImportModuleAndAPI();
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ /* Load all algorithms and initialize cpuid */
+ OPENSSL_add_all_algorithms_noconf();
+ /* Init OpenSSL */
+ SSL_load_error_strings();
+ SSL_library_init();
+#endif
+
if ((sockmod == NULL) || (sockmod->Sock_Type == NULL)) {
return -1;
}
@@ -6122,11 +6283,13 @@
if (state->PySSLSession_Type == NULL)
return -1;
+#if OPENSSL_VERSION_1_1
state->PySSLCertificate_Type = (PyTypeObject *)PyType_FromModuleAndSpec(
module, &PySSLCertificate_spec, NULL
);
if (state->PySSLCertificate_Type == NULL)
return -1;
+#endif
if (PyModule_AddType(module, state->PySSLContext_Type))
return -1;
@@ -6136,8 +6299,10 @@
return -1;
if (PyModule_AddType(module, state->PySSLSession_Type))
return -1;
+#if OPENSSL_VERSION_1_1
if (PyModule_AddType(module, state->PySSLCertificate_Type))
return -1;
+#endif
return 0;
}
@@ -6160,7 +6325,9 @@
Py_VISIT(state->PySSLSocket_Type);
Py_VISIT(state->PySSLMemoryBIO_Type);
Py_VISIT(state->PySSLSession_Type);
+#if OPENSSL_VERSION_1_1
Py_VISIT(state->PySSLCertificate_Type);
+#endif
Py_VISIT(state->PySSLErrorObject);
Py_VISIT(state->PySSLCertVerificationErrorObject);
Py_VISIT(state->PySSLZeroReturnErrorObject);
@@ -6185,7 +6352,9 @@
Py_CLEAR(state->PySSLSocket_Type);
Py_CLEAR(state->PySSLMemoryBIO_Type);
Py_CLEAR(state->PySSLSession_Type);
+#if OPENSSL_VERSION_1_1
Py_CLEAR(state->PySSLCertificate_Type);
+#endif
Py_CLEAR(state->PySSLErrorObject);
Py_CLEAR(state->PySSLCertVerificationErrorObject);
Py_CLEAR(state->PySSLZeroReturnErrorObject);
