From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Ismael Luceno Subject: Fix build against LibreSSL Date: Thu, 15 Sep 2022 22:10:54 +0200 Based on patches from OpenBSD. Origin: OpenBSD Upstream-Status: Inappropriate Signed-off-by: Ismael Luceno --- Modules/_hashopenssl.c | 9 ++++++++- Modules/_ssl.c | 10 +++++++++- 2 files changed, 17 insertions(+), 2 deletions(-) --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c @@ -45,11 +45,13 @@ #define MUNCH_SIZE INT_MAX +#if !defined(LIBRESSL_VERSION_NUMBER) #define PY_OPENSSL_HAS_SCRYPT 1 #define PY_OPENSSL_HAS_SHA3 1 #define PY_OPENSSL_HAS_SHAKE 1 #define PY_OPENSSL_HAS_BLAKE2 1 +#endif #if OPENSSL_VERSION_NUMBER >= 0x30000000L #define PY_EVP_MD EVP_MD #define PY_EVP_MD_fetch(algorithm, properties) EVP_MD_fetch(NULL, algorithm, properties) @@ -119,6 +114,7 @@ static const py_hashentry_t py_hashes[] = { PY_HASH_ENTRY(Py_hash_sha256, "SHA256", SN_sha256, NID_sha256), PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384), PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512), +#if !defined(LIBRESSL_VERSION_NUMBER) /* truncated sha2 */ PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224, NID_sha512_224), PY_HASH_ENTRY(Py_hash_sha512_256, "SHA512_256", SN_sha512_256, NID_sha512_256), @@ -133,6 +129,7 @@ static const py_hashentry_t py_hashes[] = { /* blake2 digest */ PY_HASH_ENTRY(Py_hash_blake2s, "blake2s256", SN_blake2s256, NID_blake2s256), PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", SN_blake2b512, NID_blake2b512), +#endif PY_HASH_ENTRY(NULL, NULL, NULL, 0), }; @@ -873,9 +870,12 @@ py_evp_fromname(PyObject *module, const char *digestna goto exit; } +#if !defined(LIBRESSL_VERSION_NUMBER) if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) { type = get_hashlib_state(module)->EVPXOFtype; - } else { + } else +#endif + { type = get_hashlib_state(module)->EVPtype; } --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -169,7 +169,11 @@ extern const SSL_METHOD *TLSv1_2_method(void); * Based on Hynek's excellent blog post (update 2021-02-11) * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ */ + #if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER <= 0x3050300fL) + #define PY_SSL_DEFAULT_CIPHER_STRING "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" + #else #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" + #endif #ifndef PY_SSL_MIN_PROTOCOL #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION #endif @@ -3579,6 +3579,10 @@ set_num_tickets(PySSLContext *self, PyObject *arg, voi PyDoc_STRVAR(PySSLContext_num_tickets_doc, "Control the number of TLSv1.3 session tickets"); #endif /* TLS1_3_VERSION */ + +#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER <= 0x3050300fL) +static inline int SSL_CTX_get_security_level(const SSL_CTX *ctx) { return 1; } +#endif static PyObject * get_security_level(PySSLContext *self, void *c) @@ -4541,7 +4541,7 @@ set_sni_callback(PySSLContext *self, PyObject *arg, vo return 0; } -#if OPENSSL_VERSION_NUMBER < 0x30300000L +#if OPENSSL_VERSION_NUMBER < 0x30300000L && !defined(LIBRESSL_VERSION_NUMBER) static X509_OBJECT *x509_object_dup(const X509_OBJECT *obj) { int ok;