From 22a541745254401ec499ba8781f583c35cf5b7aa Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis
Date: Mar 13 2018 16:04:30 +0000
Subject: Do not send IP addresses in SNI TLS extension
---
diff --git a/00298-do-not-send-IP-in-SNI-TLS-extension.patch b/00298-do-not-send-IP-in-SNI-TLS-extension.patch
new file mode 100644
index 0000000..19b6b31
--- /dev/null
+++ b/00298-do-not-send-IP-in-SNI-TLS-extension.patch
@@ -0,0 +1,60 @@
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index df8c6a7d96d8..e8cffef14de0 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -55,6 +55,11 @@ static PySocketModule_APIObject PySocketModule;
+ #include
+ #endif
+ 
++#ifndef MS_WINDOWS
++/* inet_pton */
++#include
++#endif
++
+ /* Don't warn about deprecated functions */
+ #ifdef __GNUC__
+ #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+@@ -667,8 +672,41 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
+ SSL_set_mode(self->ssl, mode);
+ 
+ #if HAVE_SNI
+- if (server_hostname != NULL)
+- SSL_set_tlsext_host_name(self->ssl, server_hostname);
++ if (server_hostname != NULL) {
++/* Don't send SNI for IP addresses. We cannot simply use inet_aton() and
++ * inet_pton() here. inet_aton() may be linked weakly and inet_pton() isn't
++ * available on all platforms. Use OpenSSL's IP address parser. It's
++ * available since 1.0.2 and LibreSSL since at least 2.3.0. */
++ int send_sni = 1;
++#if OPENSSL_VERSION_NUMBER >= 0x10200000L
++ ASN1_OCTET_STRING *ip = a2i_IPADDRESS(server_hostname);
++ if (ip == NULL) {
++ send_sni = 1;
++ ERR_clear_error();
++ } else {
++ send_sni = 0;
++ ASN1_OCTET_STRING_free(ip);
++ }
++#elif defined(HAVE_INET_PTON)
++#ifdef ENABLE_IPV6
++ char packed[Py_MAX(sizeof(struct in_addr), sizeof(struct in6_addr))];
++#else
++ char packed[sizeof(struct in_addr)];
++#endif /* ENABLE_IPV6 */
++ if (inet_pton(AF_INET, server_hostname, packed)) {
++ send_sni = 0;
++#ifdef ENABLE_IPV6
++ } else if(inet_pton(AF_INET6, server_hostname, packed)) {
++ send_sni = 0;
++#endif /* ENABLE_IPV6 */
++ } else {
++ send_sni = 1;
++ }
++#endif /* HAVE_INET_PTON */
++ if (send_sni) {
++ SSL_set_tlsext_host_name(self->ssl, server_hostname);
++ }
++ }
+ #endif
+ 
+ /* If the socket is in non-blocking mode or timeout mode, set the BIO
diff --git a/python3.spec b/python3.spec
index def4379..26a5fdb 100644
--- a/python3.spec
+++ b/python3.spec
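Review bot: The return value of `SSL_set_tlsext_host_name()` in the new `if (send_sni)` block is still discarded, so a failure to attach the extension is silent and the handshake simply proceeds without SNI, which is what a name-based server uses to select the certificate that the later hostname check will be run against. The call returns 0 on failure (it wraps `SSL_ctrl`), so the guard can become `if (send_sni && !SSL_set_tlsext_host_name(self->ssl, server_hostname))` with the failure routed through the error path newPySSLSocket already uses; the two removed lines had the same gap, so this is pre-existing rather than a regression of this patch. In the `HAVE_INET_PTON` fallback, `inet_pton()` returns -1 for an unsupported family as well as 1 for success, and a truthy test would in that (unlikely) case suppress SNI for a string that is not an address at all; comparing the result `== 1` is the strict form. A one-line comment would also help at `int send_sni = 1;` noting that when neither the OpenSSL >= 1.0.2 branch nor `HAVE_INET_PTON` applies the value stays 1 and an IP literal is still sent, exactly as before this patch. newPySSLSocket begins before this hunk and continues after it.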
@@ -125,7 +125,7 @@ Name: python3
 # WARNING When rebasing to a new Python version,
 # remember to update the python3-docs package as well
 Version: %{pybasever}.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Python
 Group: Development/Languages
@@ -423,6 +423,12 @@ Patch264: 00264-skip-test-failing-on-aarch64.patch
 # Reported upstream: https://bugs.python.org/issue30697
 Patch292: 00292-restore-PyExc_RecursionErrorInst-symbol.patch
+# 00298 #
+# The SSL module no longer sends IP addresses in SNI TLS extension on
+# platforms with OpenSSL 1.0.2+ or inet_pton.
+# Fixed upstream: https://bugs.python.org/issue32185
+Patch298: 00298-do-not-send-IP-in-SNI-TLS-extension.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -700,6 +706,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
 %endif
 %patch292 -p1
+%patch298 -p1
 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@@ -1660,6 +1667,9 @@ fi
 # ======================================================
 %changelog
+* Tue Mar 13 2018 Charalampos Stratakis - 3.6.4-3
+- Do not send IP addresses in SNI TLS extension
+
 * Tue Jan 23 2018 Charalampos Stratakis - 3.6.4-2
 - Restore the PyExc_RecursionErrorInst public symbol