Add OPENSSL_NO_SSL2 & OPENSSL_NO_SSL3 patch for 3.1.3

This commit is contained in:
Yamashita, Yuu 2015-12-20 07:35:10 +00:00
parent 3ddbb19663
commit 68e8945f74
2 changed files with 96 additions and 75 deletions

View file

@ -1,75 +0,0 @@
diff -r -u ./Lib/ssl.py ../Python-3.1.3/Lib/ssl.py
--- ./Lib/ssl.py 2010-09-14 23:47:08.000000000 +0900
+++ ../Python-3.1.3/Lib/ssl.py 2013-05-23 12:03:38.000000000 +0900
@@ -60,8 +60,20 @@
from _ssl import SSLError
from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
-from _ssl import (PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23,
+from _ssl import (PROTOCOL_SSLv3, PROTOCOL_SSLv23,
PROTOCOL_TLSv1)
+_PROTOCOL_NAMES = {
+ PROTOCOL_TLSv1: "TLSv1",
+ PROTOCOL_SSLv23: "SSLv23",
+ PROTOCOL_SSLv3: "SSLv3",
+}
+try:
+ from _ssl import PROTOCOL_SSLv2
+ _SSLv2_IF_EXISTS = PROTOCOL_SSLv2
+except ImportError:
+ _SSLv2_IF_EXISTS = None
+else:
+ _PROTOCOL_NAMES[PROTOCOL_SSLv2] = "SSLv2"
from _ssl import RAND_status, RAND_egd, RAND_add
from _ssl import (
SSL_ERROR_ZERO_RETURN,
@@ -427,13 +439,4 @@
return DER_cert_to_PEM_cert(dercert)
def get_protocol_name(protocol_code):
- if protocol_code == PROTOCOL_TLSv1:
- return "TLSv1"
- elif protocol_code == PROTOCOL_SSLv23:
- return "SSLv23"
- elif protocol_code == PROTOCOL_SSLv2:
- return "SSLv2"
- elif protocol_code == PROTOCOL_SSLv3:
- return "SSLv3"
- else:
- return "<unknown>"
+ return _PROTOCOL_NAMES.get(protocol_code, '<unknown>')
diff -r -u ./Modules/_ssl.c ../Python-3.1.3/Modules/_ssl.c
--- ./Modules/_ssl.c 2010-10-14 07:20:48.000000000 +0900
+++ ../Python-3.1.3/Modules/_ssl.c 2013-05-23 12:04:31.000000000 +0900
@@ -63,7 +63,9 @@
};
enum py_ssl_version {
+#ifndef OPENSSL_NO_SSL2
PY_SSL_VERSION_SSL2,
+#endif
PY_SSL_VERSION_SSL3,
PY_SSL_VERSION_SSL23,
PY_SSL_VERSION_TLS1
@@ -306,8 +308,10 @@
self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
else if (proto_version == PY_SSL_VERSION_SSL3)
self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
+#ifndef OPENSSL_NO_SSL2
else if (proto_version == PY_SSL_VERSION_SSL2)
self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
+#endif
else if (proto_version == PY_SSL_VERSION_SSL23)
self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
PySSL_END_ALLOW_THREADS
@@ -1785,8 +1789,10 @@
PY_SSL_CERT_REQUIRED);
/* protocol versions */
+#ifndef OPENSSL_NO_SSL2
PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
PY_SSL_VERSION_SSL2);
+#endif
PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
PY_SSL_VERSION_SSL3);
PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",

View file

@ -0,0 +1,96 @@
diff -r -u ../Python-3.1.3.orig/Lib/ssl.py ./Lib/ssl.py
--- ../Python-3.1.3.orig/Lib/ssl.py 2010-09-14 14:47:08.000000000 +0000
+++ ./Lib/ssl.py 2015-12-20 07:32:44.351880682 +0000
@@ -60,20 +60,23 @@
from _ssl import SSLError
from _ssl import CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED
-from _ssl import (PROTOCOL_SSLv2, PROTOCOL_SSLv3, PROTOCOL_SSLv23,
- PROTOCOL_TLSv1)
-from _ssl import RAND_status, RAND_egd, RAND_add
-from _ssl import (
- SSL_ERROR_ZERO_RETURN,
- SSL_ERROR_WANT_READ,
- SSL_ERROR_WANT_WRITE,
- SSL_ERROR_WANT_X509_LOOKUP,
- SSL_ERROR_SYSCALL,
- SSL_ERROR_SSL,
- SSL_ERROR_WANT_CONNECT,
- SSL_ERROR_EOF,
- SSL_ERROR_INVALID_ERROR_CODE,
- )
+from _ssl import RAND_status, RAND_add
+try:
+ from _ssl import RAND_egd
+except ImportError:
+ # LibreSSL does not provide RAND_egd
+ pass
+
+def _import_symbols(prefix):
+ for n in dir(_ssl):
+ if n.startswith(prefix):
+ globals()[n] = getattr(_ssl, n)
+
+_import_symbols('OP_')
+_import_symbols('SSL_ERROR_')
+_import_symbols('PROTOCOL_')
+
+_PROTOCOL_NAMES = {value: name for name, value in globals().items() if name.startswith('PROTOCOL_')}
from socket import getnameinfo as _getnameinfo
from socket import error as socket_error
@@ -408,7 +411,7 @@
d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
return base64.decodebytes(d.encode('ASCII', 'strict'))
-def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
+def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None):
"""Retrieve the certificate from the server at the specified address,
and return it as a PEM-encoded string.
If 'ca_certs' is specified, validate the server cert against it.
diff -r -u ../Python-3.1.3.orig/Modules/_ssl.c ./Modules/_ssl.c
--- ../Python-3.1.3.orig/Modules/_ssl.c 2010-10-13 22:20:48.000000000 +0000
+++ ./Modules/_ssl.c 2015-12-20 07:31:44.644359788 +0000
@@ -63,8 +63,12 @@
};
enum py_ssl_version {
+#ifndef OPENSSL_NO_SSL2
PY_SSL_VERSION_SSL2,
+#endif
+#ifndef OPENSSL_NO_SSL3
PY_SSL_VERSION_SSL3,
+#endif
PY_SSL_VERSION_SSL23,
PY_SSL_VERSION_TLS1
};
@@ -304,10 +308,14 @@
PySSL_BEGIN_ALLOW_THREADS
if (proto_version == PY_SSL_VERSION_TLS1)
self->ctx = SSL_CTX_new(TLSv1_method()); /* Set up context */
+#ifndef OPENSSL_NO_SSL3
else if (proto_version == PY_SSL_VERSION_SSL3)
self->ctx = SSL_CTX_new(SSLv3_method()); /* Set up context */
+#endif
+#ifndef OPENSSL_NO_SSL2
else if (proto_version == PY_SSL_VERSION_SSL2)
self->ctx = SSL_CTX_new(SSLv2_method()); /* Set up context */
+#endif
else if (proto_version == PY_SSL_VERSION_SSL23)
self->ctx = SSL_CTX_new(SSLv23_method()); /* Set up context */
PySSL_END_ALLOW_THREADS
@@ -1785,10 +1793,14 @@
PY_SSL_CERT_REQUIRED);
/* protocol versions */
+#ifndef OPENSSL_NO_SSL2
PyModule_AddIntConstant(m, "PROTOCOL_SSLv2",
PY_SSL_VERSION_SSL2);
+#endif
+#ifndef OPENSSL_NO_SSL3
PyModule_AddIntConstant(m, "PROTOCOL_SSLv3",
PY_SSL_VERSION_SSL3);
+#endif
PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
PY_SSL_VERSION_SSL23);
PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",