[Python-checkins] [3.8] bpo-38820: OpenSSL 3.0.0 compatibility. (GH-17190) (GH-17499)

Miss Islington (bot) webhook-mailer at python.org
Sat Dec 7 12:20:32 EST 2019


https://github.com/python/cpython/commit/9d3cacd5901f8fbbc4f8b78fc35abad01a0e6546
commit: 9d3cacd5901f8fbbc4f8b78fc35abad01a0e6546
branch: 3.8
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: GitHub <noreply at github.com>
date: 2019年12月07日T09:20:27-08:00
summary:
[3.8] bpo-38820: OpenSSL 3.0.0 compatibility. (GH-17190) (GH-17499)
test_openssl_version now accepts version 3.0.0.
getpeercert() no longer returns IPv6 addresses with a trailing new line.
Signed-off-by: Christian Heimes <christian at python.org>
https://bugs.python.org/issue38820
(cherry picked from commit 2b7de6696bf2f924cd2cd9ff0a539c8aa37c6244)
Co-authored-by: Christian Heimes <christian at python.org>
https://bugs.python.org/issue38820
Automerge-Triggered-By: @tiran
files:
A Misc/NEWS.d/next/Library/2019-11-16-16-09-07.bpo-38820.ivhUSV.rst
M Doc/library/ssl.rst
M Lib/test/test_ssl.py
M Modules/_ssl.c
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index f8fa25df6c241..bbb4c412d9303 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -1256,6 +1256,9 @@ SSL sockets also have the following additional methods and attributes:
 The returned dictionary includes additional X509v3 extension items
 such as ``crlDistributionPoints``, ``caIssuers`` and ``OCSP`` URIs.
 
+ .. versionchanged:: 3.8.1
+ IPv6 address strings no longer have a trailing new line.
+
 .. method:: SSLSocket.cipher()
 
 Returns a three-value tuple containing the name of the cipher being used, the
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 539cb7751db89..0bc0a8c4522d5 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -485,7 +485,7 @@ def test_parse_cert_CVE_2013_4238(self):
 ('email', 'null at python.org\x00user at example.org'),
 ('URI', 'http://null.python.org\x00http://example.org'),
 ('IP Address', '192.0.2.1'),
- ('IP Address', '2001:DB8:0:0:0:0:0:1\n'))
+ ('IP Address', '2001:DB8:0:0:0:0:0:1'))
 else:
 # OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName
 san = (('DNS', 'altnull.python.org\x00example.com'),
@@ -512,7 +512,7 @@ def test_parse_all_sans(self):
 (('commonName', 'dirname example'),))),
 ('URI', 'https://www.python.org/'),
 ('IP Address', '127.0.0.1'),
- ('IP Address', '0:0:0:0:0:0:0:1\n'),
+ ('IP Address', '0:0:0:0:0:0:0:1'),
 ('Registered ID', '1.2.3.4.5')
 )
 )
@@ -539,11 +539,11 @@ def test_openssl_version(self):
 # Some sanity checks follow
 # >= 0.9
 self.assertGreaterEqual(n, 0x900000)
- # < 3.0
- self.assertLess(n, 0x30000000)
+ # < 4.0
+ self.assertLess(n, 0x40000000)
 major, minor, fix, patch, status = t
- self.assertGreaterEqual(major, 0)
- self.assertLess(major, 3)
+ self.assertGreaterEqual(major, 1)
+ self.assertLess(major, 4)
 self.assertGreaterEqual(minor, 0)
 self.assertLess(minor, 256)
 self.assertGreaterEqual(fix, 0)
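Review bot: The lower bound on the packed version number still reads `# >= 0.9` with `self.assertGreaterEqual(n, 0x900000)`, while the new `self.assertGreaterEqual(major, 1)` a few lines below requires at least 1.x, so the two sanity checks now state different minimums. If 1.0 is the intended floor, the first check and its comment should say so: `# >= 1.0` and `self.assertGreaterEqual(n, 0x10000000)`. The test method starts and continues outside this hunk, so confirm that nothing else there relies on the 0.9 bound.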
diff --git a/Misc/NEWS.d/next/Library/2019-11-16-16-09-07.bpo-38820.ivhUSV.rst b/Misc/NEWS.d/next/Library/2019-11-16-16-09-07.bpo-38820.ivhUSV.rst
new file mode 100644
index 0000000000000..2c6a6e853c25f
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2019-11-16-16-09-07.bpo-38820.ivhUSV.rst
@@ -0,0 +1,2 @@
+Make Python compatible with OpenSSL 3.0.0. :func:`ssl.SSLSocket.getpeercert`
+no longer returns IPv6 addresses with a trailing new line.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 6f1f9c881530f..43b236c212120 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1410,6 +1410,54 @@ _get_peer_alt_names (X509 *certificate) {
 PyTuple_SET_ITEM(t, 1, v);
 break;
 
+ case GEN_IPADD:
+ /* OpenSSL < 3.0.0 adds a trailing \n to IPv6. 3.0.0 removed
+ * the trailing newline. Remove it in all versions
+ */
+ t = PyTuple_New(2);
+ if (t == NULL)
+ goto fail;
+
+ v = PyUnicode_FromString("IP Address");
+ if (v == NULL) {
+ Py_DECREF(t);
+ goto fail;
+ }
+ PyTuple_SET_ITEM(t, 0, v);
+
+ if (name->d.ip->length == 4) {
+ unsigned char *p = name->d.ip->data;
+ v = PyUnicode_FromFormat(
+ "%d.%d.%d.%d",
+ p[0], p[1], p[2], p[3]
+ );
+ } else if (name->d.ip->length == 16) {
+ /* PyUnicode_FromFormat() does not support %X */
+ unsigned char *p = name->d.ip->data;
+ len = sprintf(
+ buf,
+ "%X:%X:%X:%X:%X:%X:%X:%X",
+ p[0] << 8 | p[1],
+ p[2] << 8 | p[3],
+ p[4] << 8 | p[5],
+ p[6] << 8 | p[7],
+ p[8] << 8 | p[9],
+ p[10] << 8 | p[11],
+ p[12] << 8 | p[13],
+ p[14] << 8 | p[15]
+ );
+ v = PyUnicode_FromStringAndSize(buf, len);
+ } else {
+ v = PyUnicode_FromString("<invalid>");
+ }
+
+ if (v == NULL) {
+ Py_DECREF(t);
+ goto fail;
+ }
+ PyTuple_SET_ITEM(t, 1, v);
+ break;
+
 default:
 /* for everything else, we use the OpenSSL print form */
 switch (gntype) {
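Review bot: The 16-byte branch writes into `buf` with an unbounded `sprintf`. The fixed format limits the output to 39 characters plus the terminator, so the write is safe only while `buf`, which is declared outside this hunk, holds at least 40 bytes. Tying the write to the buffer size makes that explicit and survives later edits: `len = PyOS_snprintf(buf, sizeof(buf), "%X:%X:%X:%X:%X:%X:%X:%X", ...);`, assuming `buf` is a local array so that `sizeof` gives its size. The exact checks of `name->d.ip->length` against 4 and 16 before indexing `p` are the right guard for data taken from a peer certificate. A one-line comment at the `"<invalid>"` fallback, saying that a malformed iPAddress entry is reported as that literal rather than raising, would help callers that compare these values against a host address. The enclosing function `_get_peer_alt_names` starts and ends outside the hunk.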
@@ -1417,7 +1465,6 @@ _get_peer_alt_names (X509 *certificate) {
 case GEN_OTHERNAME:
 case GEN_X400:
 case GEN_EDIPARTY:
- case GEN_IPADD:
 case GEN_RID:
 break;
 default:

