Do not send IP addresses in SNI TLS extension

2018-03-13 16:58:18 +01:00 · 2018-03-13 16:58:18 +01:00 · 22a5417452
parent ffd80345f3
commit 22a5417452
2 changed files with 71 additions and 1 deletions
--- a/00298-do-not-send-IP-in-SNI-TLS-extension.patch
+++ b/00298-do-not-send-IP-in-SNI-TLS-extension.patch
@ -0,0 +1,60 @@
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index df8c6a7d96d8..e8cffef14de0 100644
+--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
+@@ -55,6 +55,11 @@ static PySocketModule_APIObject PySocketModule;
+ #include <sys/poll.h>
+ #endif
+ 
+#ifndef MS_WINDOWS
+/* inet_pton */
+#include <arpa/inet.h>
+#endif
+
+ /* Don't warn about deprecated functions */
+ #ifdef __GNUC__
+ #pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+@@ -667,8 +672,41 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
+     SSL_set_mode(self->ssl, mode);
+ 
+ #if HAVE_SNI
+-    if (server_hostname != NULL)
+-        SSL_set_tlsext_host_name(self->ssl, server_hostname);
+    if (server_hostname != NULL) {
+/* Don't send SNI for IP addresses. We cannot simply use inet_aton() and
+ * inet_pton() here. inet_aton() may be linked weakly and inet_pton() isn't
+ * available on all platforms. Use OpenSSL's IP address parser. It's
+ * available since 1.0.2 and LibreSSL since at least 2.3.0. */
+        int send_sni = 1;
+#if OPENSSL_VERSION_NUMBER >= 0x10200000L
+        ASN1_OCTET_STRING *ip = a2i_IPADDRESS(server_hostname);
+        if (ip == NULL) {
+            send_sni = 1;
+            ERR_clear_error();
+        } else {
+            send_sni = 0;
+            ASN1_OCTET_STRING_free(ip);
+        }
+#elif defined(HAVE_INET_PTON)
+#ifdef ENABLE_IPV6
+        char packed[Py_MAX(sizeof(struct in_addr), sizeof(struct in6_addr))];
+#else
+        char packed[sizeof(struct in_addr)];
+#endif /* ENABLE_IPV6 */
+        if (inet_pton(AF_INET, server_hostname, packed)) {
+            send_sni = 0;
+#ifdef ENABLE_IPV6
+        } else if(inet_pton(AF_INET6, server_hostname, packed)) {
+            send_sni = 0;
+#endif /* ENABLE_IPV6 */
+        } else {
+            send_sni = 1;
+        }
+#endif /* HAVE_INET_PTON */
+        if (send_sni) {
+            SSL_set_tlsext_host_name(self->ssl, server_hostname);
+        }
+    }
+ #endif
+ 
+     /* If the socket is in non-blocking mode or timeout mode, set the BIO
--- a/python3.spec
+++ b/python3.spec
@ -125,7 +125,7 @@ Name: python3
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Python
 Group: Development/Languages

@ -423,6 +423,12 @@ Patch264: 00264-skip-test-failing-on-aarch64.patch
 # Reported upstream: https://bugs.python.org/issue30697
 Patch292: 00292-restore-PyExc_RecursionErrorInst-symbol.patch

+# 00298 #
+# The SSL module no longer sends IP addresses in SNI TLS extension on
+# platforms with OpenSSL 1.0.2+ or inet_pton.
+# Fixed upstream: https://bugs.python.org/issue32185
+Patch298: 00298-do-not-send-IP-in-SNI-TLS-extension.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@ -700,6 +706,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
 %endif

 %patch292 -p1
+%patch298 -p1

 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
@ -1660,6 +1667,9 @@ fi
 # ======================================================

 %changelog
+* Tue Mar 13 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.6.4-3
+- Do not send IP addresses in SNI TLS extension
+
 * Tue Jan 23 2018 Charalampos Stratakis <cstratak@redhat.com> - 3.6.4-2
 - Restore the PyExc_RecursionErrorInst public symbol