[CVE-2024-5642] Switch off NPN support

Fixes: gh#python#121227 Fixes: bsc#1227233 (CVE-2024-5642) Fixes: https://security-tracker.debian.org/tracker/CVE-2024-5642 From-PR: gh#python#121227#issuecomment-2245302832 Patch: CVE-2024-5642-switch-off-NPN.patch
openSUSE-Python · Sep 18, 2024 · 1036c4b · 1036c4b
1 parent cdffb9f
commit 1036c4b
Showing 1 changed file with 2 additions and 8 deletions.
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
@@ -148,16 +148,10 @@ struct py_ssl_library_code {
  * reasons. The check for TLSEXT_TYPE_next_proto_neg works with
  * OpenSSL 1.0.1+ and LibreSSL.
  * OpenSSL 1.1.1-pre1 dropped NPN but still has TLSEXT_TYPE_next_proto_neg.
+ *
+ * Fix for CVE-2024-5642: we just switch NPN completely
  */
-#ifdef OPENSSL_NO_NEXTPROTONEG
 # define HAVE_NPN 0
-#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
-# define HAVE_NPN 0
-#elif defined(TLSEXT_TYPE_next_proto_neg)
-# define HAVE_NPN 1
-#else
-# define HAVE_NPN 0
-#endif
 
 #ifndef INVALID_SOCKET /* MS defines this */
 #define INVALID_SOCKET (-1)