From c9bb114a1dc3fc2216af482d1cdbafe58db45afb Mon Sep 17 00:00:00 2001
From: Charalampos Stratakis
Date: Tue, 13 Mar 2018 16:58:18 +0100
Subject: [PATCH] Do not send IP addresses in SNI TLS extension

---
 ...-do-not-send-IP-in-SNI-TLS-extension.patch | 60 +++++++++++++++++++
 python3.spec | 12 +++-
 2 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 00298-do-not-send-IP-in-SNI-TLS-extension.patch

diff --git a/00298-do-not-send-IP-in-SNI-TLS-extension.patch b/00298-do-not-send-IP-in-SNI-TLS-extension.patch
new file mode 100644
index 0000000..19b6b31
--- /dev/null
+++ b/00298-do-not-send-IP-in-SNI-TLS-extension.patch
@@ -0,0 +1,60 @@
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index df8c6a7d96d8..e8cffef14de0 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -55,6 +55,11 @@ static PySocketModule_APIObject PySocketModule;
+ #include
+ #endif
+ 
++#ifndef MS_WINDOWS
++/* inet_pton */
++#include
++#endif
++
+ /* Don't warn about deprecated functions */
+ #ifdef __GNUC__
+ #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+@@ -667,8 +672,41 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
+ SSL_set_mode(self->ssl, mode);
+ 
+ #if HAVE_SNI
+- if (server_hostname != NULL)
+- SSL_set_tlsext_host_name(self->ssl, server_hostname);
++ if (server_hostname != NULL) {
++/* Don't send SNI for IP addresses. We cannot simply use inet_aton() and
++ * inet_pton() here. inet_aton() may be linked weakly and inet_pton() isn't
++ * available on all platforms. Use OpenSSL's IP address parser. It's
++ * available since 1.0.2 and LibreSSL since at least 2.3.0. */
++ int send_sni = 1;
++#if OPENSSL_VERSION_NUMBER >= 0x10200000L
++ ASN1_OCTET_STRING *ip = a2i_IPADDRESS(server_hostname);
++ if (ip == NULL) {
++ send_sni = 1;
++ ERR_clear_error();
++ } else {
++ send_sni = 0;
++ ASN1_OCTET_STRING_free(ip);
++ }
++#elif defined(HAVE_INET_PTON)
++#ifdef ENABLE_IPV6
++ char packed[Py_MAX(sizeof(struct in_addr), sizeof(struct in6_addr))];
++#else
++ char packed[sizeof(struct in_addr)];
++#endif /* ENABLE_IPV6 */
++ if (inet_pton(AF_INET, server_hostname, packed)) {
++ send_sni = 0;
++#ifdef ENABLE_IPV6
++ } else if(inet_pton(AF_INET6, server_hostname, packed)) {
++ send_sni = 0;
++#endif /* ENABLE_IPV6 */
++ } else {
++ send_sni = 1;
++ }
++#endif /* HAVE_INET_PTON */
++ if (send_sni) {
++ SSL_set_tlsext_host_name(self->ssl, server_hostname);
++ }
++ }
+ #endif
+ 
+ /* If the socket is in non-blocking mode or timeout mode, set the BIO
diff --git a/python3.spec b/python3.spec
index 3a6cf71..b649cd9 100644
--- a/python3.spec
+++ b/python3.spec
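Review bot: The OpenSSL version guard in the new hunk does not match the comment right above it: under OpenSSL's MNNFFPPS encoding `0x10200000L` means 1.2.0, whereas 1.0.2 is `0x1000200fL`, so as far as I can tell every OpenSSL 1.0.2/1.1.x build compiles the a2i_IPADDRESS() branch out and silently falls back to inet_pton() (or keeps sending SNI for IP literals where HAVE_INET_PTON is undefined). Change the guard to `#if OPENSSL_VERSION_NUMBER >= 0x10002000L`; LibreSSL reports 0x20000000L and takes the a2i path either way. In the inet_pton() fallback the calls are only tested for truthiness, but inet_pton() can return -1 for an unsupported address family, which would also clear send_sni for an ordinary hostname; compare against the success value instead, e.g. `if (inet_pton(AF_INET, server_hostname, packed) == 1) {` and likewise for AF_INET6. The enclosing function newPySSLSocket begins before and continues after this hunk.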
@@ -14,7 +14,7 @@ URL: https://www.python.org/
 # WARNING When rebasing to a new Python version,
 # remember to update the python3-docs package as well
 Version: %{pybasever}.4
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: Python
@@ -387,6 +387,12 @@ Patch292: 00292-restore-PyExc_RecursionErrorInst-symbol.patch
 # See also: https://bugzilla.redhat.com/show_bug.cgi?id=1489816
 Patch294: 00294-define-TLS-cipher-suite-on-build-time.patch
 
+# 00298 #
+# The SSL module no longer sends IP addresses in SNI TLS extension on
+# platforms with OpenSSL 1.0.2+ or inet_pton.
+# Fixed upstream: https://bugs.python.org/issue32185
+Patch298: 00298-do-not-send-IP-in-SNI-TLS-extension.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -686,6 +692,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
 %patch291 -p1
 %patch292 -p1
 %patch294 -p1
+%patch298 -p1
 
 # Remove files that should be generated by the build
@@ -1506,6 +1513,9 @@ CheckPython optimized
 # ======================================================
 %changelog
+* Tue Mar 13 2018 Charalampos Stratakis - 3.6.4-17
+- Do not send IP addresses in SNI TLS extension
+
 * Sat Feb 24 2018 Florian Weimer - 3.6.4-16
 - Rebuild with new LDFLAGS from redhat-rpm-config