--- Python-2.7.14-orig/Modules/_ssl.c 2017-09-17 03:38:35.000000000 +1000 +++ Python-2.7.14/Modules/_ssl.c 2017-10-10 00:13:18.564960987 +1100 @@ -136,7 +136,15 @@ #define HAVE_OPENSSL_CRYPTO_LOCK #endif +#ifndef OPENSSL_VERSION_1_1 #define TLS_method SSLv23_method +#define X509_get0_notBefore X509_get_notBefore +#define X509_get0_notAfter X509_get_notAfter +#define ASN1_STRING_get0_data ASN1_STRING_data +#define OpenSSL_version_num SSLeay +#define OpenSSL_version SSLeay_version +#define OPENSSL_VERSION SSLEAY_VERSION +#endif static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) { @@ -944,7 +952,7 @@ goto fail; } PyTuple_SET_ITEM(t, 0, v); - v = PyString_FromStringAndSize((char *)ASN1_STRING_data(as), + v = PyString_FromStringAndSize((char *)ASN1_STRING_get0_data(as), ASN1_STRING_length(as)); if (v == NULL) { Py_DECREF(t); @@ -1245,7 +1253,7 @@ Py_DECREF(sn_obj); (void) BIO_reset(biobuf); - notBefore = X509_get_notBefore(certificate); + notBefore = X509_get0_notBefore(certificate); ASN1_TIME_print(biobuf, notBefore); len = BIO_gets(biobuf, buf, sizeof(buf)-1); if (len < 0) { @@ -1262,7 +1270,7 @@ Py_DECREF(pnotBefore); (void) BIO_reset(biobuf); - notAfter = X509_get_notAfter(certificate); + notAfter = X509_get0_notAfter(certificate); ASN1_TIME_print(biobuf, notAfter); len = BIO_gets(biobuf, buf, sizeof(buf)-1); if (len < 0) { @@ -2100,22 +2108,52 @@ return NULL; PySSL_BEGIN_ALLOW_THREADS - if (proto_version == PY_SSL_VERSION_TLS1) + if (proto_version == PY_SSL_VERSION_TLS1) { +#ifdef OPENSSL_VERSION_1_1 + ctx = SSL_CTX_new(TLS_method()); + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); +#else ctx = SSL_CTX_new(TLSv1_method()); +#endif + } #if HAVE_TLSv1_2 - else if (proto_version == PY_SSL_VERSION_TLS1_1) + else if (proto_version == PY_SSL_VERSION_TLS1_1) { +#ifdef OPENSSL_VERSION_1_1 + ctx = SSL_CTX_new(TLS_method()); + SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); +#else ctx = SSL_CTX_new(TLSv1_1_method()); - else if (proto_version == PY_SSL_VERSION_TLS1_2) +#endif + } + else if (proto_version == PY_SSL_VERSION_TLS1_2) { +#ifdef OPENSSL_VERSION_1_1 + ctx = SSL_CTX_new(TLS_method()); + SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); +#else ctx = SSL_CTX_new(TLSv1_2_method()); #endif + } +#endif #ifndef OPENSSL_NO_SSL3 - else if (proto_version == PY_SSL_VERSION_SSL3) + else if (proto_version == PY_SSL_VERSION_SSL3) { +#ifdef OPENSSL_VERSION_1_1 + ctx = SSL_CTX_new(TLS_method()); + SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); +#else ctx = SSL_CTX_new(SSLv3_method()); #endif + } +#endif #ifndef OPENSSL_NO_SSL2 - else if (proto_version == PY_SSL_VERSION_SSL2) + else if (proto_version == PY_SSL_VERSION_SSL2) { +#ifdef OPENSSL_VERSION_1_1 + ctx = SSL_CTX_new(TLS_method()); + SSL_CTX_set_min_proto_version(ctx, SSL2_VERSION); +#else ctx = SSL_CTX_new(SSLv2_method()); #endif + } +#endif else if (proto_version == PY_SSL_VERSION_TLS) ctx = SSL_CTX_new(TLS_method()); else @@ -4081,8 +4119,12 @@ return; /* Init OpenSSL */ +#ifdef OPENSSL_VERSION_1_1 + OPENSSL_init_ssl(0, NULL); +#else SSL_load_error_strings(); SSL_library_init(); +#endif #ifdef WITH_THREAD #ifdef HAVE_OPENSSL_CRYPTO_LOCK /* note that this will start threading if not already started */ @@ -4094,8 +4136,9 @@ _ssl_locks_count++; #endif #endif /* WITH_THREAD */ +#ifndef OPENSSL_VERSION_1_1 OpenSSL_add_all_algorithms(); - +#endif /* Add symbols to module dict */ PySSLErrorObject = PyErr_NewExceptionWithDoc( "ssl.SSLError", SSLError_doc, @@ -4364,10 +4407,10 @@ return; /* OpenSSL version */ - /* SSLeay() gives us the version of the library linked against, + /* OpenSSL_version_num() gives us the version of the library linked against, which could be different from the headers version. */ - libver = SSLeay(); + libver = OpenSSL_version_num(); r = PyLong_FromUnsignedLong(libver); if (r == NULL) return; @@ -4377,7 +4420,7 @@ r = Py_BuildValue("IIIII", major, minor, fix, patch, status); if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r)) return; - r = PyString_FromString(SSLeay_version(SSLEAY_VERSION)); + r = PyString_FromString(OpenSSL_version(OPENSSL_VERSION)); if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r)) return; --- Python-2.7.14-orig/Modules/_hashopenssl.c 2017-09-17 03:38:35.000000000 +1000 +++ Python-2.7.14/Modules/_hashopenssl.c 2017-10-09 16:00:47.953136733 +1100 @@ -899,8 +899,10 @@ { PyObject *m, *openssl_md_meth_names; +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) OpenSSL_add_all_digests(); ERR_load_crypto_strings(); +#endif /* TODO build EVP_functions openssl_* entries dynamically based * on what hashes are supported rather than listing many