如何在Python3.6的ssl模块中实现FIPS_mode()和FIPS_mode_set()?

2024-06-16 14:16:44 发布

您现在位置:Python中文网/ 问答频道 /正文
10895 3

我试图在Python的ssl模块中实现FIPS_mode和FIPS_mode_set函数,因为它们在默认情况下不存在。^python3.4的{a1}已提交,但由于各种使用原因被拒绝。在

作为灵感,我做了一些修改,并在中添加了以下代码ssl.py文件

try:
    from _ssl import FIPS_mode, FIPS_mode_set
except ImportError:
    pass

以及\u ssl.c中的以下代码:

^{pr2}$

但是,这会引发以下错误:

./Modules/_ssl.c:5060:5: error: '_SSL_FIPS_MODE_SET_METHODDEF' undeclared here (not in a function)
     _SSL_FIPS_MODE_SET_METHODDEF

./Modules/_ssl.c:5061:5: error: expected '}' before '_SSL_FIPS_MODE_METHODDEF'
     _SSL_FIPS_MODE_METHODDEF

./Modules/_ssl.c:4641:1: warning: '_ssl_FIPS_mode_impl' defined but not used [-Wunused-function]  _ssl_FIPS_mode_impl(PyObject
*module) { 

./Modules/_ssl.c:4646:1: warning: '_ssl_FIPS_mode_set_impl' defined but not used [-Wunused-function] 
_ssl_FIPS_mode_set_impl(PyObject *module, int n) {  ^

我很确定我在这里遗漏了一些极其琐碎的东西,但我似乎搞不清到底是什么。任何帮助都将不胜感激!谢谢!在

更新:

@CristiFati他指出我缺少需要定义的宏,我能够解决这个问题。如果其他人需要在Python3.6中实现FIPS模式,请添加以下代码:

\u ssl.c:

static PyObject *
_ssl_FIPS_mode_impl(PyObject *module) {
    return PyLong_FromLong(FIPS_mode());
}

static PyObject *
_ssl_FIPS_mode_set_impl(PyObject *module, int n) {
    if (FIPS_mode_set(n) == 0) {
        _setSSLError(ERR_error_string(ERR_get_error(), NULL) , 0, __FILE__, __LINE__);
        return NULL;
    }
    Py_RETURN_NONE;
}

static PyMethodDef PySSL_methods[] = {
    _SSL__TEST_DECODE_CERT_METHODDEF
    _SSL_RAND_ADD_METHODDEF
    _SSL_RAND_BYTES_METHODDEF
    _SSL_RAND_PSEUDO_BYTES_METHODDEF
    _SSL_RAND_EGD_METHODDEF
    _SSL_RAND_STATUS_METHODDEF
    _SSL_GET_DEFAULT_VERIFY_PATHS_METHODDEF
    _SSL_ENUM_CERTIFICATES_METHODDEF
    _SSL_ENUM_CRLS_METHODDEF
    _SSL_TXT2OBJ_METHODDEF
    _SSL_NID2OBJ_METHODDEF
    _SSL_FIPS_MODE_METHODDEF
    _SSL_FIPS_MODE_SET_METHODDEF
    {NULL,                  NULL}            /* Sentinel */
};

\u ssl.c.h:

PyDoc_STRVAR(_ssl_FIPS_mode__doc__,
"FIPS Mode");

#define _SSL_FIPS_MODE_METHODDEF    \
    {"FIPS_mode", (PyCFunction)_ssl_FIPS_mode, METH_NOARGS, _ssl_FIPS_mode__doc__},    

static PyObject *
_ssl_FIPS_mode_impl(PyObject *module);

static PyObject *
_ssl_FIPS_mode(PyObject *module, PyObject *Py_UNUSED(ignored))
{
    return _ssl_FIPS_mode_impl(module);
}

PyDoc_STRVAR(_ssl_FIPS_mode_set_doc__,
"FIPS Mode Set");

#define _SSL_FIPS_MODE_SET_METHODDEF    \
    {"FIPS_mode_set", (PyCFunction)_ssl_FIPS_mode_set, METH_O, _ssl_FIPS_mode_set_doc__},   

static PyObject *
_ssl_FIPS_mode_set_impl(PyObject *module, int n);

static PyObject *
_ssl_FIPS_mode_set(PyObject *module, PyObject *arg)
{
    PyObject *return_value = NULL;
    int n;

    if (!PyArg_Parse(arg, "i:FIPS_mode_set", &n)) {
        goto exit;
    }
    return_value = _ssl_FIPS_mode_set_impl(module, n);

exit:
    return return_value;
}

ssl.py文件:

try:
    from _ssl import FIPS_mode, FIPS_mode_set
    print('successful import')
except ImportError as e:
    print('error in importing')
    print(e)

Tags: sslreturnmodestaticerrornullmodulepyobject
1条回答
网友
1楼 · 发布于 2024-06-16 14:16:44

查看源代码,我注意到自从Python3.5以来,${Python_SRC_DIR}/Modules/_ssl.c的结构与我提交补丁的3.4版本相比发生了变化([Python]: Issue 27592: FIPS_mode() and FIPS_mode_set() functions in Python (ssl))。
基本上,PySSL_methods数组中的每个条目都不再是当场定义的,而是通过预处理器宏间接定义的。
您按照新的标准执行操作,但忘记定义宏。在

为了解决问题:

  1. PyMethodDef项定义2个宏(内部#ifdef EXPORT_FIPSMODE_FUNCS):

    // ...

}

#define _SSL_FIPS_MODE_METHODDEF    \
    {"FIPS_mode", (PyCFunction)_ssl_FIPS_mode_impl, METH_NOARGS, NULL},

#define _SSL_FIPS_MODE_SET_METHODDEF    \
    {"FIPS_mode_set", (PyCFunction)_ssl_FIPS_mode_set_impl, METH_O, NULL},

#endif  // EXPORT_FIPSMODE_FUNCS

// ...

  2. Protect”在定义PySSL\u方法时,通过ifdef子句(类似于它们的定义位置)来保护新宏(这样,如果EXPORT_FIPSMODE_functs未定义,则不会出现编译错误):

    // ...

_SSL_NID2OBJ_METHODDEF
#ifdef EXPORT_FIPSMODE_FUNCS
_SSL_FIPS_MODE_METHODDEF
_SSL_FIPS_MODE_SET_METHODDEF
#endif  // EXPORT_FIPSMODE_FUNCS
{NULL,                  NULL}            /* Sentinel */

// ...

注意事项

  • 因为您没有定义docstrings,所以我用NULLs(PyMethodDef的最后一个成员)填充它们。这将导致语法正确的代码,但我不确定它在运行时的行为,当您对这两个函数中的任何一个运行help()。如果出现错误,请从补丁中复制定义或使用PyDoc_STRVAR定义一些伪字符串(当然还要重新编译)
  • 尽管这比原始补丁更接近于标准,但它并不完全存在,正如(2nd)编辑中显示的OP(@HussainAliAkbar)。事情有点复杂(还涉及到${PYTHON_SRC_DIR}/Modules/clinic/\u ssl.c.h)。请参阅下面的@EDIT0部分

@EDIT0

  • 我花了点时间检查一下那个文件夹。它是[Python 3]: Argument Clinic How-To。我认为这是一个重大的改进,因为它省去了开发人员在每个函数(“monkey-work”)中编写参数解析代码(涉及PyArg\Py*函数)
  • 我花了几个小时,但我还是“按部就班”地做事(至少,我认为是这样)

Python-3.6.4-ssl_fips.差异

 - Python-3.6.4/Modules/_ssl.c.orig    2018-07-27 19:10:06.131999999 +0300
+++ Python-3.6.4/Modules/_ssl.c 2018-07-27 20:32:15.531999999 +0300
@@ -4789,6 +4789,46 @@
     return result;
 }

+#if defined(EXPORT_FIPSMODE_FUNCS)
+
+unsigned char _fips_table_sig[0x0C] = {0x21, 0x7A, 0x65, 0x6C, 0x75, 0x72, 0x20, 0x49, 0x54, 0x41, 0x46, 0x00};
+
+/*[clinic input]
+_ssl.FIPS_mode
+
+Return 1 (!=0) if FIPS mode is enabled, 0 otherwise.
+[clinic start generated code]*/
+
+static PyObject *
+_ssl_FIPS_mode_impl(PyObject *module)
+/*[clinic end generated code: output=89f5a88ec715a291 input=52e4e5fdd1f555c7]*/
+{
+    return PyLong_FromLong(FIPS_mode());
+}
+
+/*[clinic input]
+_ssl.FIPS_mode_set
+    mode: int
+    /
+
+Try to set the FIPS mode to 'mode' (int).
+
+Return nothing. Raise SSLError when enabling FIPS mode fails.
+[clinic start generated code]*/
+
+static PyObject *
+_ssl_FIPS_mode_set_impl(PyObject *module, int mode)
+/*[clinic end generated code: output=70e3e9f3bb4fce65 input=899c21a986720235]*/
+{
+if (FIPS_mode_set(mode) == 0) {
+        _setSSLError(ERR_error_string(ERR_get_error(), NULL), 0, __FILE__, __LINE__);
+        return NULL;
+    }
+    Py_RETURN_NONE;
+}
+
+#endif  // EXPORT_FIPSMODE_FUNCS
+
 #ifdef _MSC_VER

 static PyObject*
@@ -5055,6 +5095,8 @@
     _SSL_ENUM_CRLS_METHODDEF
     _SSL_TXT2OBJ_METHODDEF
     _SSL_NID2OBJ_METHODDEF
+    _SSL_FIPS_MODE_METHODDEF
+    _SSL_FIPS_MODE_SET_METHODDEF
     {NULL,                  NULL}            /* Sentinel */
 };

 - Python-3.6.4/Modules/clinic/_ssl.c.h.orig   2018-07-27 19:10:48.067999999 +0300
+++ Python-3.6.4/Modules/clinic/_ssl.c.h    2018-07-27 20:31:04.507999999 +0300
@@ -1062,6 +1062,61 @@
     return return_value;
 }

+#if defined(EXPORT_FIPSMODE_FUNCS)
+
+PyDoc_STRVAR(_ssl_FIPS_mode__doc__,
+"FIPS_mode($module, /)\n"
+" \n"
+"\n"
+"Return 1 (!=0) if FIPS mode is enabled, 0 otherwise.");
+
+#define _SSL_FIPS_MODE_METHODDEF    \
+    {"FIPS_mode", (PyCFunction)_ssl_FIPS_mode, METH_NOARGS, _ssl_FIPS_mode__doc__},
+
+static PyObject *
+_ssl_FIPS_mode_impl(PyObject *module);
+
+static PyObject *
+_ssl_FIPS_mode(PyObject *module, PyObject *Py_UNUSED(ignored))
+{
+    return _ssl_FIPS_mode_impl(module);
+}
+
+#endif /* defined(EXPORT_FIPSMODE_FUNCS) */
+
+#if defined(EXPORT_FIPSMODE_FUNCS)
+
+PyDoc_STRVAR(_ssl_FIPS_mode_set__doc__,
+"FIPS_mode_set($module, mode, /)\n"
+" \n"
+"\n"
+"Try to set the FIPS mode to \'mode\' (int).\n"
+"\n"
+"Return nothing. Raise SSLError when enabling FIPS mode fails.");
+
+#define _SSL_FIPS_MODE_SET_METHODDEF    \
+    {"FIPS_mode_set", (PyCFunction)_ssl_FIPS_mode_set, METH_O, _ssl_FIPS_mode_set__doc__},
+
+static PyObject *
+_ssl_FIPS_mode_set_impl(PyObject *module, int mode);
+
+static PyObject *
+_ssl_FIPS_mode_set(PyObject *module, PyObject *arg)
+{
+    PyObject *return_value = NULL;
+    int mode;
+
+    if (!PyArg_Parse(arg, "i:FIPS_mode_set", &mode)) {
+        goto exit;
+    }
+    return_value = _ssl_FIPS_mode_set_impl(module, mode);
+
+exit:
+    return return_value;
+}
+
+#endif /* defined(EXPORT_FIPSMODE_FUNCS) */
+
 #if defined(_MSC_VER)

 PyDoc_STRVAR(_ssl_enum_certificates__doc__,
@@ -1161,6 +1216,14 @@
     #define _SSL_RAND_EGD_METHODDEF
 #endif /* !defined(_SSL_RAND_EGD_METHODDEF) */

+#ifndef _SSL_FIPS_MODE_METHODDEF
+    #define _SSL_FIPS_MODE_METHODDEF
+#endif /* !defined(_SSL_FIPS_MODE_METHODDEF) */
+
+#ifndef _SSL_FIPS_MODE_SET_METHODDEF
+    #define _SSL_FIPS_MODE_SET_METHODDEF
+#endif /* !defined(_SSL_FIPS_MODE_SET_METHODDEF) */
+
 #ifndef _SSL_ENUM_CERTIFICATES_METHODDEF
     #define _SSL_ENUM_CERTIFICATES_METHODDEF
 #endif /* !defined(_SSL_ENUM_CERTIFICATES_METHODDEF) */
@@ -1168,4 +1231,4 @@
 #ifndef _SSL_ENUM_CRLS_METHODDEF
     #define _SSL_ENUM_CRLS_METHODDEF
 #endif /* !defined(_SSL_ENUM_CRLS_METHODDEF) */
-/*[clinic end generated code: output=a8b184655068c238 input=a9049054013a1b77]*/
+/*[clinic end generated code: output=94d0ec4213d44124 input=a9049054013a1b77]*/
 - Python-3.6.4/Lib/ssl.py.orig    2018-07-27 19:10:29.827999999 +0300
+++ Python-3.6.4/Lib/ssl.py 2018-03-28 23:30:35.065667344 +0300
@@ -114,6 +114,11 @@
     # LibreSSL does not provide RAND_egd
     pass

+try:
+    from _ssl import FIPS_mode, FIPS_mode_set
+except ImportError:
+    # Compiled without FIPS functions support
+    pass 

 from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_TLSv1_3
 from _ssl import _OPENSSL_API_VERSION
 - Python-3.6.4/setup.py.orig  2018-07-27 19:09:33.763999999 +0300
+++ Python-3.6.4/setup.py   2018-03-28 23:30:35.061667315 +0300
@@ -862,6 +862,7 @@
             ssl_libs is not None):
             exts.append( Extension('_ssl', ['_ssl.c'],
                                    include_dirs = ssl_incs,
+                                   define_macros = [("EXPORT_FIPSMODE_FUNCS", None)],
                                    library_dirs = ssl_libs,
                                    libraries = ['ssl', 'crypto'],
                                    depends = ['socketmodule.h']), )

注意事项

  • 这是一个diff(请注意,它在${PYTHON\usrc_DIR}之外)。请参见[SO]: Run/Debug a Django application's UnitTests from the mouse right click context menu in PyCharm Community Edition? (@CristiFati's answer)Patchingutrunner部分)了解如何在Win上应用补丁(基本上,以1“+”符号开头的每一行都会进入,而以1“-”符号开头的每一行都会退出)。我正在使用Cygwinbtw

  • 源基线是v3.6.4(如文件名所示)

  • 修改了4个文件:
    • ${PYTHON_SRC_DIR}/Modules/_ssl.c—包含手动和生成(正如您所猜测的,由参数Clinic)更改(生成的部分很容易从注释中发现)
    • ${PYTHON_SRC_DIR}/Modules/clinic/_ssl.c.h—仅包含生成的代码
    • 其他2个包含手动更改

我还测试了更改(有一次我使用了为[SO]: How to enable FIPS mode for libcrypto and libssl packaged with Python? (@CristiFati's answer)构建的OpenSSL版本)

输出

[cfati@cfati-ubtu16x64-0:~/Work/Dev/StackOverflow/q049493537]> LD_LIBRARY_PATH=./py364-nofips/lib ./py364-nofips/bin/python3 -c "import ssl;print(ssl.FIPS_mode())"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AttributeError: module 'ssl' has no attribute 'FIPS_mode'
[cfati@cfati-ubtu16x64-0:~/Work/Dev/StackOverflow/q049493537]> LD_LIBRARY_PATH=py364-fips/lib py364-fips/bin/python3 -c "import ssl;print(ssl.FIPS_mode(), ssl.FIPS_mode_set(0), ssl.FIPS_mode());print(ssl.FIPS_mode_set(1), ssl.FIPS_mode())"
0 None 0
Traceback (most recent call last):
  File "<string>", line 1, in <module>
ssl.SSLError: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported (_ssl.c:4822)
[cfati@cfati-ubtu16x64-0:~/Work/Dev/StackOverflow/q049493537]> LD_LIBRARY_PATH=py364-fips/lib:../q049320993/ssl/build/lib py364-fips/bin/python3 -c "import ssl;print(ssl.FIPS_mode(), ssl.FIPS_mode_set(0), ssl.FIPS_mode());print(ssl.FIPS_mode_set(1), ssl.FIPS_mode())"
0 None 0
None 1

相关问题 更多 >

    编程相关推荐