[python] Check version of cryptography module

We have had multiple issues with Ubuntu 16.04 using an outdated version of the Python cryptography module that causes strange SSL behavior. Example for this is not being able to connect to SSL sites. This commit introduces a check on initialization of the interpreter to make sure that we use a compatible version. See also: pyca/pyopenssl#542 (comment) https://forum.kodi.tv/showthread.php?tid=335786
yol · Oct 3, 2018 · 557faa5 · 557faa5
1 parent a42e9d5
commit 557faa5
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/xbmc/interfaces/python/XBPython.cpp b/xbmc/interfaces/python/XBPython.cpp
@@ -553,6 +553,34 @@ void XBPython::Process()
   }
 }
 
+bool XBPython::CheckCryptographyVersion()
+{
+  PyObject* cryptoMod{PyImport_ImportModule("cryptography")};
+  if (!cryptoMod)
+  {
+    return true;
+  }
+
+  PyObject* cryptoModDict{PyModule_GetDict(cryptoMod)};
+  PyObject* versionPyString{PyDict_GetItemString(cryptoModDict, "__version__")};
+  std::string version {PyString_AsString(versionPyString)};
+
+  Py_DECREF(cryptoMod);
+
+  std::vector<std::string> versionParts{StringUtils::Split(version, '.')};
+
+  // Python cryptography < 1.7 has issues with pyOpenSSL integration, leading to all sorts
+  // of weird bugs - check here to save on some troubleshooting
+  // https://github.com/pyca/pyopenssl/issues/542
+  if (versionParts.size() < 2 || std::stoi(versionParts[0]) < 1 || (std::stoi(versionParts[0]) == 1 && std::stoi(versionParts[1]) < 7))
+  {
+    CLog::Log(LOGERROR, "Python cryptography module version {} is too old, at least version 1.7 needed", version);
+    return false;
+  }
+
+  return true;
+}
+
 bool XBPython::OnScriptInitialized(ILanguageInvoker *invoker)
 {
   if (invoker == NULL)
@@ -638,7 +666,14 @@ bool XBPython::OnScriptInitialized(ILanguageInvoker *invoker)
 
     if (!(m_mainThreadState = PyThreadState_Get()))
       CLog::Log(LOGERROR, "Python threadstate is NULL.");
+
+    bool cryptoOk = CheckCryptographyVersion();
     PyEval_ReleaseLock();
+    if (!cryptoOk)
+    {
+      Finalize();
+      return false;
+    }
 
     m_bInitialized = true;
   }

diff --git a/xbmc/interfaces/python/XBPython.h b/xbmc/interfaces/python/XBPython.h
@@ -102,6 +102,13 @@ class XBPython :
   void UnloadExtensionLibs();
 
 private:
+  /**
+   * Check minimum required version of Python cryptography module
+   *
+   * If version is below 1.7, there could be random OpenSSL errors, see
+   * https://github.com/pyca/pyopenssl/issues/542#issuecomment-312968275
+   */
+  bool CheckCryptographyVersion();
   void Finalize();
 
   CCriticalSection    m_critSection;