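--- a/Python-3.5.4-orig/Modules/_ssl.c
+++ b/Python-3.5.4-orig/Modules/_ssl.c
@@ -2330,34 +2330,69 @@
     PySSLContext *self;
     long options;
     SSL_CTX *ctx = NULL;
+    int result = 0;
 #if defined(SSL_MODE_RELEASE_BUFFERS)
     unsigned long libver;
 #endif
 
     PySSL_BEGIN_ALLOW_THREADS
-    if (proto_version == PY_SSL_VERSION_TLS1)
+    switch (proto_version) {
+#ifndef OPENSSL_VERSION_1_1
+    /* OpenSSL < 1.1 */
+#ifndef OPENSSL_NO_SSL2
+    case PY_SSL_VERSION_SSL2:
+        ctx = SSL_CTX_new(SSLv2_method());
+        break;
+#endif
+#ifndef OPENSSL_NO_SSL3
+    case PY_SSL_VERSION_SSL3:
+        ctx = SSL_CTX_new(SSLv3_method());
+        break;
+#endif
+#ifndef OPENSSL_NO_TLS1
+    case PY_SSL_VERSION_TLS1:
         ctx = SSL_CTX_new(TLSv1_method());
-#if HAVE_TLSv1_2
-    else if (proto_version == PY_SSL_VERSION_TLS1_1)
+        break;
+#endif
+#if !defined(OPENSSL_NO_TLS1_1) && HAVE_TLSv1_2
+    case PY_SSL_VERSION_TLS1_1:
         ctx = SSL_CTX_new(TLSv1_1_method());
-    else if (proto_version == PY_SSL_VERSION_TLS1_2)
+        break;
+#endif
+#if !defined(OPENSSL_NO_TLS1_2) && HAVE_TLSv1_2
+    case PY_SSL_VERSION_TLS1_2:
         ctx = SSL_CTX_new(TLSv1_2_method());
+        break;
 #endif
+#else
+    /* OpenSSL >= 1.1
+     * create context with TLS_method for all protocols
+     * no SSLv2_method in OpenSSL 1.1.
+     */
 #ifndef OPENSSL_NO_SSL3
-    else if (proto_version == PY_SSL_VERSION_SSL3)
-        ctx = SSL_CTX_new(SSLv3_method());
+    case PY_SSL_VERSION_SSL3: /* fallthrough */
 #endif
-#ifndef OPENSSL_NO_SSL2
-    else if (proto_version == PY_SSL_VERSION_SSL2)
-        ctx = SSL_CTX_new(SSLv2_method());
+#ifndef OPENSSL_NO_TLS1
+    case PY_SSL_VERSION_TLS1: /* fallthrough */
+#endif
+#if !defined(OPENSSL_NO_TLS1_1) && HAVE_TLSv1_2
+    case PY_SSL_VERSION_TLS1_1: /* fallthrough */
+#endif
+#if !defined(OPENSSL_NO_TLS1_2) && HAVE_TLSv1_2
+    case PY_SSL_VERSION_TLS1_2: /* fallthrough */
 #endif
-    else if (proto_version == PY_SSL_VERSION_TLS)
+#endif /* OpenSSL >= 1.1 */
+    case PY_SSL_VERSION_TLS:
+        /* SSLv23 */
         ctx = SSL_CTX_new(TLS_method());
-    else
-        proto_version = -1;
+        break;
+    default:
+        result = -1;
+        break;
+    }
     PySSL_END_ALLOW_THREADS
 
-    if (proto_version == -1) {
+    if (result == -1) {
         PyErr_SetString(PyExc_ValueError,
                         "invalid protocol version");
         return NULL;
@@ -2368,6 +2403,45 @@
         return NULL;
     }
 
+#ifdef OPENSSL_VERSION_1_1
+    /* Emulate version specific methods with set min/max proto version */
+    switch (proto_version) {
+    case PY_SSL_VERSION_SSL3:
+        /* OpenSSL 1.1.0 sets SSL_OP_NO_SSLv3 for TLS_method by default */
+        SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
+        if (!SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION))
+            result = -1;
+        if (!SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION))
+            result = -1;
+        break;
+    case PY_SSL_VERSION_TLS1:
+        if (!SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION))
+            result = -1;
+        if (!SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION))
+            result = -1;
+        break;
+    case PY_SSL_VERSION_TLS1_1:
+        if (!SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION))
+            result = -1;
+        if (!SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION))
+            result = -1;
+        break;
+    case PY_SSL_VERSION_TLS1_2:
+        if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION))
+            result = -1;
+        if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION))
+            result = -1;
+        break;
+    default:
+        break;
+    }
+    if (result == -1) {
+        SSL_CTX_free(ctx);
+        _setSSLError(NULL, 0, __FILE__, __LINE__);
+        return NULL;
+    }
+#endif
+
     assert(type != NULL && type->tp_alloc != NULL);
     self = (PySSLContext *) type->tp_alloc(type, 0);
     if (self == NULL) {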
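Review bot: The `case PY_SSL_VERSION_SSL3:` arm of the second switch (the min/max emulation under `#ifdef OPENSSL_VERSION_1_1`) calls `SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3)` without the `#ifndef OPENSSL_NO_SSL3` guard that the same case label carries in the first switch. It is the one statement here that switches a library-default protocol restriction back off, and it is kept out of reach in a no-SSLv3 build only because the first switch has already rejected the value with "invalid protocol version". Wrapping that arm in `#ifndef OPENSSL_NO_SSL3` … `#endif` would keep the two switches in step and stop the safety of this path depending on code further up. The comment on it should also state that the override is deliberate, for example `/* Caller asked for SSLv3 by name: undo the TLS_method default and pin min == max == SSL3_VERSION */`. The function begins and ends outside both hunks, so whether later option handling re-applies `SSL_OP_NO_SSLv3` for the other protocol values cannot be confirmed from this page.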

Return to bug 592480