bpo-30622: Fix NPN for OpenSSL 1.1.1-pre1 (#5876)
Signed-off-by: Christian Heimes <christian@python.org>
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index ed6b7a8..52695fe 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -157,21 +157,26 @@
#endif
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
-# define HAVE_ALPN
+# define HAVE_ALPN 1
+#else
+# define HAVE_ALPN 0
#endif
/* We cannot rely on OPENSSL_NO_NEXTPROTONEG because LibreSSL 2.6.1 dropped
* NPN support but did not set OPENSSL_NO_NEXTPROTONEG for compatibility
* reasons. The check for TLSEXT_TYPE_next_proto_neg works with
* OpenSSL 1.0.1+ and LibreSSL.
+ * OpenSSL 1.1.1-pre1 dropped NPN but still has TLSEXT_TYPE_next_proto_neg.
*/
#ifdef OPENSSL_NO_NEXTPROTONEG
-# define HAVE_NPN 0
+# define HAVE_NPN 0
+#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
+# define HAVE_NPN 0
#elif defined(TLSEXT_TYPE_next_proto_neg)
-# define HAVE_NPN 1
+# define HAVE_NPN 1
#else
-# define HAVE_NPN 0
-# endif
+# define HAVE_NPN 0
+#endif
#ifndef INVALID_SOCKET /* MS defines this */
#define INVALID_SOCKET (-1)
@@ -341,11 +346,11 @@
typedef struct {
PyObject_HEAD
SSL_CTX *ctx;
-#ifdef HAVE_NPN
+#if HAVE_NPN
unsigned char *npn_protocols;
int npn_protocols_len;
#endif
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
unsigned char *alpn_protocols;
unsigned int alpn_protocols_len;
#endif
@@ -1922,7 +1927,7 @@
return PyUnicode_FromString(version);
}
-#ifdef HAVE_NPN
+#if HAVE_NPN
/*[clinic input]
_ssl._SSLSocket.selected_npn_protocol
[clinic start generated code]*/
@@ -1943,7 +1948,7 @@
}
#endif
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
/*[clinic input]
_ssl._SSLSocket.selected_alpn_protocol
[clinic start generated code]*/
@@ -2887,10 +2892,10 @@
self->ctx = ctx;
self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
self->protocol = proto_version;
-#ifdef HAVE_NPN
+#if HAVE_NPN
self->npn_protocols = NULL;
#endif
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
self->alpn_protocols = NULL;
#endif
#ifndef OPENSSL_NO_TLSEXT
@@ -3026,10 +3031,10 @@
PyObject_GC_UnTrack(self);
context_clear(self);
SSL_CTX_free(self->ctx);
-#ifdef HAVE_NPN
+#if HAVE_NPN
PyMem_FREE(self->npn_protocols);
#endif
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
PyMem_FREE(self->alpn_protocols);
#endif
Py_TYPE(self)->tp_free(self);
@@ -3104,7 +3109,7 @@
#endif
-#if defined(HAVE_NPN) || defined(HAVE_ALPN)
+#if HAVE_NPN || HAVE_ALPN
static int
do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
const unsigned char *server_protocols, unsigned int server_protocols_len,
@@ -3130,7 +3135,7 @@
}
#endif
-#ifdef HAVE_NPN
+#if HAVE_NPN
/* this callback gets passed to SSL_CTX_set_next_protos_advertise_cb */
static int
_advertiseNPN_cb(SSL *s,
@@ -3173,7 +3178,7 @@
Py_buffer *protos)
/*[clinic end generated code: output=72b002c3324390c6 input=319fcb66abf95bd7]*/
{
-#ifdef HAVE_NPN
+#if HAVE_NPN
PyMem_Free(self->npn_protocols);
self->npn_protocols = PyMem_Malloc(protos->len);
if (self->npn_protocols == NULL)
@@ -3198,7 +3203,7 @@
#endif
}
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
static int
_selectALPN_cb(SSL *s,
const unsigned char **out, unsigned char *outlen,
@@ -3223,7 +3228,7 @@
Py_buffer *protos)
/*[clinic end generated code: output=87599a7f76651a9b input=9bba964595d519be]*/
{
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
if ((size_t)protos->len > UINT_MAX) {
PyErr_Format(PyExc_OverflowError,
"protocols longer than %d bytes", UINT_MAX);
@@ -5718,7 +5723,7 @@
Py_INCREF(r);
PyModule_AddObject(m, "HAS_ECDH", r);
-#ifdef HAVE_NPN
+#if HAVE_NPN
r = Py_True;
#else
r = Py_False;
@@ -5726,7 +5731,7 @@
Py_INCREF(r);
PyModule_AddObject(m, "HAS_NPN", r);
-#ifdef HAVE_ALPN
+#if HAVE_ALPN
r = Py_True;
#else
r = Py_False;