bpo-33127: Compatibility patch for LibreSSL 2.7.0 (GH-6210)

LibreSSL 2.7 introduced OpenSSL 1.1.0 API. The ssl module now detects LibreSSL 2.7 and only provides API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7. Documentation updates and fixes for failing tests will be provided in another patch set. Signed-off-by: Christian Heimes <christian@python.org>

bpo-33127: Compatibility patch for LibreSSL 2.7.0 (GH-6210)
LibreSSL 2.7 introduced OpenSSL 1.1.0 API. The ssl module now detects LibreSSL 2.7 and only provides API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7. Documentation updates and fixes for failing tests will be provided in another patch set. Signed-off-by: Christian Heimes <christian@python.org>
4ca0739c · Christian Heimes · GitHub · e42ae915 · 4ca0739c · 4ca0739c
Commit 4ca0739c authored Mar 24, 2018 by Christian Heimes Committed by GitHub Mar 24, 2018
3 changed files
--- a/Misc/NEWS.d/next/Library/2018-03-24-15-08-24.bpo-33127.olJmHv.rst
+++ b/Misc/NEWS.d/next/Library/2018-03-24-15-08-24.bpo-33127.olJmHv.rst
+The ssl module now compiles with LibreSSL 2.7.1.
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -136,6 +136,12 @@ static void _PySSLFixErrno(void) {
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 #  define OPENSSL_VERSION_1_1 1
+#  define PY_OPENSSL_1_1_API 1
+#endif
+/* LibreSSL 2.7.0 provides necessary OpenSSL 1.1.0 APIs */
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL
+#  define PY_OPENSSL_1_1_API 1
 #endif
 /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
@@ -182,13 +188,17 @@ static void _PySSLFixErrno(void) {
 #define INVALID_SOCKET (-1)
 #endif
-#ifdef OPENSSL_VERSION_1_1
+/* OpenSSL 1.0.2 and LibreSSL needs extra code for locking */
-/* OpenSSL 1.1.0+ */
+#ifndef OPENSSL_VERSION_1_1
-#ifndef OPENSSL_NO_SSL2
+#define HAVE_OPENSSL_CRYPTO_LOCK
+#endif
+#if defined(OPENSSL_VERSION_1_1) && !defined(OPENSSL_NO_SSL2)
 #define OPENSSL_NO_SSL2
 #endif
-#else /* OpenSSL < 1.1.0 */
-#define HAVE_OPENSSL_CRYPTO_LOCK
+#ifndef PY_OPENSSL_1_1_API
+/* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */
 #define TLS_method SSLv23_method
 #define TLS_client_method SSLv23_client_method
@@ -250,7 +260,7 @@ SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
    return s->tlsext_tick_lifetime_hint;
 }
-#endif /* OpenSSL < 1.1.0 or LibreSSL */
+#endif /* OpenSSL < 1.1.0 or LibreSSL < 2.7.0 */
 /* Default cipher suites */
 #ifndef PY_SSL_DEFAULT_CIPHERS

--- a/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py
@@ -54,7 +54,7 @@ LIBRESSL_OLD_VERSIONS = [
 ]
 LIBRESSL_RECENT_VERSIONS = [
-    # "2.6.5",
+    "2.7.1",
 ]
 # store files in ../multissl