From e1abe5a026e4ae70e3a5bd249c89a3b33e6bb0c1 Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis
Date: Mar 13 2018 16:09:14 +0000
Subject: Do not send IP addresses in SNI TLS extension
---
diff --git a/00298-do-not-send-IP-in-SNI-TLS-extension.patch b/00298-do-not-send-IP-in-SNI-TLS-extension.patch
new file mode 100644
index 0000000..dc80f33
--- /dev/null
+++ b/00298-do-not-send-IP-in-SNI-TLS-extension.patch
@@ -0,0 +1,68 @@
+diff --git a/Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst b/Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst
+new file mode 100644
+index 000000000000..bfb2533b5dcf
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2017-12-20-09-25-10.bpo-32185.IL0cMt.rst
+@@ -0,0 +1,2 @@
++The SSL module no longer sends IP addresses in SNI TLS extension on
++platforms with OpenSSL 1.0.2+ or inet_pton.
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index f70af266731a..b191b3a8687a 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -52,6 +52,11 @@
+ #include
+ #endif
+ 
++#ifndef MS_WINDOWS
++/* inet_pton */
++#include
++#endif
++
+ /* Don't warn about deprecated functions */
+ #ifdef __GNUC__
+ #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+@@ -575,8 +580,41 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
+ SSL_set_mode(self->ssl, mode);
+ 
+ #if HAVE_SNI
+- if (server_hostname != NULL)
+- SSL_set_tlsext_host_name(self->ssl, server_hostname);
++ if (server_hostname != NULL) {
++/* Don't send SNI for IP addresses. We cannot simply use inet_aton() and
++ * inet_pton() here. inet_aton() may be linked weakly and inet_pton() isn't
++ * available on all platforms. Use OpenSSL's IP address parser. It's
++ * available since 1.0.2 and LibreSSL since at least 2.3.0. 
*/ ++ int send_sni = 1; ++#if OPENSSL_VERSION_NUMBER >= 0x10200000L ++ ASN1_OCTET_STRING *ip = a2i_IPADDRESS(server_hostname); ++ if (ip == NULL) { ++ send_sni = 1; ++ ERR_clear_error(); ++ } else { ++ send_sni = 0; ++ ASN1_OCTET_STRING_free(ip); ++ } ++#elif defined(HAVE_INET_PTON) ++#ifdef ENABLE_IPV6 ++ char packed[Py_MAX(sizeof(struct in_addr), sizeof(struct in6_addr))]; ++#else ++ char packed[sizeof(struct in_addr)]; ++#endif /* ENABLE_IPV6 */ ++ if (inet_pton(AF_INET, server_hostname, packed)) { ++ send_sni = 0; ++#ifdef ENABLE_IPV6 ++ } else if(inet_pton(AF_INET6, server_hostname, packed)) { ++ send_sni = 0; ++#endif /* ENABLE_IPV6 */ ++ } else { ++ send_sni = 1; ++ } ++#endif /* HAVE_INET_PTON */ ++ if (send_sni) { ++ SSL_set_tlsext_host_name(self->ssl, server_hostname); ++ } ++ } + #endif + + /* If the socket is in non-blocking mode or timeout mode, set the BIO diff --git a/python2.spec b/python2.spec index 37f5803..8cdbea3 100644 --- a/python2.spec +++ b/python2.spec @@ -112,7 +112,7 @@ Summary: An interpreted, interactive, object-oriented programming language Name: %{python} # Remember to also rebase python-docs when changing this: Version: 2.7.14 -Release: 13%{?dist} +Release: 14%{?dist} License: Python Group: Development/Languages Requires: %{python}-libs%{?_isa} = %{version}-%{release} @@ -780,6 +780,11 @@ Patch293: 00293-fix-gc-alignment.patch # Fixed upstream: https://github.com/python/cpython/pull/3581 Patch297: 00297-fix-int-in-bool-context-warnings.patch +# 00298 # +# The SSL module no longer sends IP addresses in SNI TLS extension on +# platforms with OpenSSL 1.0.2+ or inet_pton. +# Fixed upstream: https://bugs.python.org/issue32185 +Patch298: 00298-do-not-send-IP-in-SNI-TLS-extension.patch # (New patches go here ^^^) # @@ -1107,6 +1112,7 @@ mv Modules/cryptmodule.c Modules/_cryptmodule.c %patch289 -p1 %patch293 -p1 %patch297 -p1 +%patch298 -p1 %if 0%{?_module_build} 
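Review bot: The OpenSSL branch is guarded by `#if OPENSSL_VERSION_NUMBER >= 0x10200000L`, but in OpenSSL's MNNFFPPS encoding that value is release 1.2.0, not the 1.0.2 the comment directly above names; 1.0.2 is `0x10002000L`. As written, the a2i_IPADDRESS() path is never compiled against 1.0.2 or 1.1.x and the code silently falls through to the `#elif defined(HAVE_INET_PTON)` branch, so on a build without inet_pton an IP-address `server_hostname` would still be sent in the SNI extension, which is exactly what the patch sets out to prevent. The suggested guard is `#if OPENSSL_VERSION_NUMBER >= 0x10002000L`; LibreSSL reports a 0x2xxxxxxxL version number, so it appears to satisfy either form, which is presumably why the mismatch went unnoticed. The enclosing newPySSLSocket() starts and ends outside the hunk.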
@@ -1985,6 +1991,9 @@ CheckPython \ # ====================================================== %changelog +* Tue Mar 13 2018 Charalampos Stratakis - 2.7.14-14 +- Do not send IP addresses in SNI TLS extension + * Mon Feb 26 2018 Petr Viktorin - 2.7.14-13 - Fix -Wint-in-bool-context warnings Resolves: rhbz#1473425