From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Ismael Luceno Subject: Fix build against LibreSSL Date: Thu, 15 Sep 2022 22:10:54 +0200 Based on patches from OpenBSD. Origin: OpenBSD Upstream-Status: Inappropriate Signed-off-by: Ismael Luceno --- Modules/_hashopenssl.c | 9 ++++++++- Modules/_ssl.c | 10 +++++++++- configure | 2 ++ 3 files changed, 19 insertions(+), 2 deletions(-) --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c @@ -44,6 +44,7 @@ #define MUNCH_SIZE INT_MAX +#if !defined(LIBRESSL_VERSION_NUMBER) #define PY_OPENSSL_HAS_SCRYPT 1 #if defined(NID_sha3_224) && defined(NID_sha3_256) && defined(NID_sha3_384) && defined(NID_sha3_512) #define PY_OPENSSL_HAS_SHA3 1 @@ -54,6 +55,7 @@ #if defined(NID_blake2s256) || defined(NID_blake2b512) #define PY_OPENSSL_HAS_BLAKE2 1 #endif +#endif #if OPENSSL_VERSION_NUMBER >= 0x30000000L #define PY_EVP_MD EVP_MD @@ -147,6 +149,7 @@ static const py_hashentry_t py_hashes[] = { PY_HASH_ENTRY(Py_hash_sha256, "SHA256", SN_sha256, NID_sha256), PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384), PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512), +#if !defined(LIBRESSL_VERSION_NUMBER) /* truncated sha2 */ #ifdef Py_hash_sha512_224 PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224, NID_sha512_224), @@ -180,6 +183,7 @@ static const py_hashentry_t py_hashes[] = { #endif #ifdef Py_hash_blake2b PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", SN_blake2b512, NID_blake2b512), +#endif #endif PY_HASH_ENTRY(NULL, NULL, NULL, 0), }; @@ -873,9 +870,12 @@ py_evp_fromname(PyObject *module, const char *digestna goto exit; } +#if !defined(LIBRESSL_VERSION_NUMBER) if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) { type = get_hashlib_state(module)->EVPXOFtype; - } else { + } else +#endif + { type = get_hashlib_state(module)->EVPtype; } --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -174,7 +174,11 @@ extern const SSL_METHOD *TLSv1_2_method(void); * Based on Hynek's excellent blog post (update 2021-02-11) * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ */ + #if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER <= 0x3050300fL) + #define PY_SSL_DEFAULT_CIPHER_STRING "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" + #else #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" + #endif #ifndef PY_SSL_MIN_PROTOCOL #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION #endif @@ -3708,6 +3712,11 @@ _ssl__SSLContext_num_tickets_set_impl(PySSLContext *self, PyObject *value) return 0; } + +#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER <= 0x3050300fL) +static inline int SSL_CTX_get_security_level(const SSL_CTX *ctx) { return 1; } +#endif + /*[clinic input] @critical_section @getter diff --git a/configure b/configure index b6f90bc..c71b68a 100755 --- a/configure +++ b/configure @@ -28265,8 +28265,10 @@ main (void) OBJ_nid2sn(NID_md5); OBJ_nid2sn(NID_sha1); OBJ_nid2sn(NID_sha3_512); +#if !defined(LIBRESSL_VERSION_NUMBER) OBJ_nid2sn(NID_blake2b512); EVP_PBE_scrypt(NULL, 0, NULL, 0, 2, 8, 1, 0, NULL, 0); +#endif ; return 0; .