[packages/python] - final openssl 3.0.0 fixes, rel 5
baggins
baggins at pld-linux.org
Tue Sep 28 23:10:29 CEST 2021
commit 2eee8c61986b750591a6e44c63642b6e5256a9b5
Author: Jan Rękorajski <baggins at pld-linux.org>
Date: Tue Sep 28 23:09:35 2021 +0200
- final openssl 3.0.0 fixes, rel 5
openssl3.patch | 676 +++++++++++++++++++++++++++++++++++----------------------
python.spec | 2 +-
2 files changed, 413 insertions(+), 265 deletions(-)
---
diff --git a/python.spec b/python.spec
index baa4f97..f24a550 100644
--- a/python.spec
+++ b/python.spec
@@ -39,7 +39,7 @@ Summary(tr.UTF-8): X arayüzlü, yüksek düzeyli, kabuk yorumlayıcı dili
Summary(uk.UTF-8): Мова програмування дуже високого рівня з X-інтерфейсом
Name: python
Version: %{py_ver}.18
-Release: 4
+Release: 5
Epoch: 1
License: PSF
Group: Development/Languages/Python
diff --git a/openssl3.patch b/openssl3.patch
index 60c1dcc..ceebe3f 100644
--- a/openssl3.patch
+++ b/openssl3.patch
@@ -1,6 +1,6 @@
-diff -urN Python-2.7.18/Doc/library/ssl.rst Python-2.7.18.openssl3/Doc/library/ssl.rst
+diff -urN Python-2.7.18/Doc/library/ssl.rst Python-2.7.18.ssl3/Doc/library/ssl.rst
--- Python-2.7.18/Doc/library/ssl.rst 2020-04-19 23:13:39.000000000 +0200
-+++ Python-2.7.18.openssl3/Doc/library/ssl.rst 2021-09-26 17:48:18.378332556 +0200
++++ Python-2.7.18.ssl3/Doc/library/ssl.rst 2021-09-28 21:17:48.697403980 +0200
@@ -760,6 +760,12 @@
.. versionadded:: 2.7.9
@@ -14,10 +14,10 @@ diff -urN Python-2.7.18/Doc/library/ssl.rst Python-2.7.18.openssl3/Doc/library/s
.. data:: HAS_ALPN
Whether the OpenSSL library has built-in support for the *Application-Layer
-diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.openssl3/Lib/test/test_ssl.py
+diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.ssl3/Lib/test/test_ssl.py
--- Python-2.7.18/Lib/test/test_ssl.py 2020-04-19 23:13:39.000000000 +0200
-+++ Python-2.7.18.openssl3/Lib/test/test_ssl.py 2021-09-26 18:50:50.463997547 +0200
-@@ -84,6 +85,7 @@
++++ Python-2.7.18.ssl3/Lib/test/test_ssl.py 2021-09-28 22:32:24.245278731 +0200
+@@ -84,6 +84,7 @@
OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
@@ -25,7 +25,41 @@ diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.openssl3/Lib/test/tes
def handle_error(prefix):
-@@ -305,7 +307,7 @@
+@@ -170,23 +171,7 @@
+ """
+ @functools.wraps(func)
+ def f(*args, **kwargs):
+- openssl_cnf = os.environ.get("OPENSSL_CONF", "/etc/ssl/openssl.cnf")
+- try:
+- with open(openssl_cnf, "r") as config:
+- for line in config:
+- match = re.match(r"MinProtocol\s*=\s*(TLSv\d+\S*)", line)
+- if match:
+- tls_ver = match.group(1)
+- if tls_ver > "TLSv1":
+- raise unittest.SkipTest(
+- "%s has MinProtocol = %s which is > TLSv1." %
+- (openssl_cnf, tls_ver))
+- except (EnvironmentError, UnicodeDecodeError) as err:
+- # no config file found, etc.
+- if support.verbose:
+- sys.stdout.write("\n Could not scan %s for MinProtocol: %s\n"
+- % (openssl_cnf, err))
+- return func(*args, **kwargs)
++ raise unittest.SkipTest("OpenSSL 3 supports only protocols > TLSv1.")
+ return f
+
+
+@@ -214,6 +199,8 @@
+ if ssl.OPENSSL_VERSION_INFO >= (1, 0, 1):
+ ssl.OP_NO_TLSv1_1
+ ssl.OP_NO_TLSv1_2
++ if ssl.OPENSSL_VERSION_INFO >= (3, 0, 0):
++ ssl.OP_NO_TLSv1
+
+ def test_random(self):
+ v = ssl.RAND_status()
+@@ -305,7 +292,7 @@
('email', 'null at python.org\x00user at example.org'),
('URI', 'http://null.python.org\x00http://example.org'),
('IP Address', '192.0.2.1'),
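Review bot: The rewritten body of the `skip_if_openssl_cnf_minprotocol_gt_tls1` wrapper (the `+` line that replaces the openssl.cnf scan) raises `unittest.SkipTest` unconditionally, so every test that still carries this decorator is skipped on any OpenSSL build, not only 3.x, and `func` is never called. A later hunk in this same file gates on `ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)`, and the same guard would keep the skip honest here: `if ssl.OPENSSL_VERSION_INFO >= (3, 0, 0):` / `    raise unittest.SkipTest("OpenSSL 3 supports only protocols > TLSv1.")` / `return func(*args, **kwargs)`. If `test_protocol_tlsv1_1`, which this patch deletes further down, was the only remaining user, the decorator could be removed instead of rewritten; either way the name and the docstring above it no longer describe what it does, and the `os`/`re` imports it used may now be unused. The decorated tests are outside this hunk.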
@@ -34,7 +68,7 @@ diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.openssl3/Lib/test/tes
else:
# OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName
san = (('DNS', 'altnull.python.org\x00example.com'),
-@@ -332,7 +334,7 @@
+@@ -332,7 +319,7 @@
(('commonName', 'dirname example'),))),
('URI', 'https://www.python.org/'),
('IP Address', '127.0.0.1'),
@@ -43,7 +77,7 @@ diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.openssl3/Lib/test/tes
('Registered ID', '1.2.3.4.5')
)
)
-@@ -359,11 +361,11 @@
+@@ -359,11 +346,11 @@
# Some sanity checks follow
# >= 0.9
self.assertGreaterEqual(n, 0x900000)
@@ -59,7 +93,7 @@ diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.openssl3/Lib/test/tes
self.assertGreaterEqual(minor, 0)
self.assertLess(minor, 256)
self.assertGreaterEqual(fix, 0)
-@@ -833,7 +841,8 @@
+@@ -839,7 +826,8 @@
# SSLContext also enables these by default
default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
@@ -69,9 +103,318 @@ diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.openssl3/Lib/test/tes
self.assertEqual(default, ctx.options)
ctx.options |= ssl.OP_NO_TLSv1
self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
-diff -urN Python-2.7.18/Modules/_ssl.c Python-2.7.18.openssl3/Modules/_ssl.c
+@@ -1003,7 +991,7 @@
+ neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
+
+ # test PEM
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0)
+ ctx.load_verify_locations(cadata=cacert_pem)
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1)
+@@ -1014,20 +1002,20 @@
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
+
+ # combined
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ combined = "\n".join((cacert_pem, neuronio_pem))
+ ctx.load_verify_locations(cadata=combined)
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
+
+ # with junk around the certs
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ combined = ["head", cacert_pem, "other", neuronio_pem, "again",
+ neuronio_pem, "tail"]
+ ctx.load_verify_locations(cadata="\n".join(combined))
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
+
+ # test DER
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ ctx.load_verify_locations(cadata=cacert_der)
+ ctx.load_verify_locations(cadata=neuronio_der)
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
+@@ -1036,13 +1024,13 @@
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
+
+ # combined
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ combined = b"".join((cacert_der, neuronio_der))
+ ctx.load_verify_locations(cadata=combined)
+ self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
+
+ # error cases
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
+
+ with self.assertRaisesRegexp(ssl.SSLError, "no start line"):
+@@ -1111,7 +1099,7 @@
+
+ @needs_sni
+ def test_sni_callback(self):
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+
+ # set_servername_callback expects a callable, or None
+ self.assertRaises(TypeError, ctx.set_servername_callback)
+@@ -1128,7 +1116,7 @@
+ def test_sni_callback_refcycle(self):
+ # Reference cycles through the servername callback are detected
+ # and cleared.
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ def dummycallback(sock, servername, ctx, cycle=ctx):
+ pass
+ ctx.set_servername_callback(dummycallback)
+@@ -1332,7 +1320,7 @@
+ assert_python_ok("-c", https_is_verified, **extra_env)
+
+ def test_check_hostname(self):
+- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ self.assertFalse(ctx.check_hostname)
+
+ # Requires CERT_REQUIRED or CERT_OPTIONAL
+@@ -2160,6 +2148,8 @@
+ if support.verbose:
+ sys.stdout.write("\n")
+ for protocol in PROTOCOLS:
++ if (protocol == ssl.PROTOCOL_TLSv1 or protocol == ssl.PROTOCOL_TLSv1_1):
++ continue
+ context = ssl.SSLContext(protocol)
+ context.load_cert_chain(CERTFILE)
+ server_params_test(context, context,
+@@ -2209,10 +2199,10 @@
+ if support.verbose:
+ sys.stdout.write("\n")
+
+- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ server_context.load_cert_chain(SIGNED_CERTFILE)
+
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.load_verify_locations(SIGNING_CA)
+ tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
+@@ -2250,10 +2240,10 @@
+ if support.verbose:
+ sys.stdout.write("\n")
+
+- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ server_context.load_cert_chain(SIGNED_CERTFILE)
+
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.check_hostname = True
+ context.load_verify_locations(SIGNING_CA)
+@@ -2443,43 +2433,6 @@
+ False, client_options=ssl.OP_NO_SSLv2)
+
+ @skip_if_broken_ubuntu_ssl
+- def test_protocol_tlsv1(self):
+- """Connecting to a TLSv1 server with various client options"""
+- if support.verbose:
+- sys.stdout.write("\n")
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
+- if hasattr(ssl, 'PROTOCOL_SSLv2'):
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
+- if hasattr(ssl, 'PROTOCOL_SSLv3'):
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False,
+- client_options=ssl.OP_NO_TLSv1)
+-
+- @skip_if_broken_ubuntu_ssl
+- @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"),
+- "TLS version 1.1 not supported.")
+- @skip_if_openssl_cnf_minprotocol_gt_tls1
+- def test_protocol_tlsv1_1(self):
+- """Connecting to a TLSv1.1 server with various client options.
+- Testing against older TLS versions."""
+- if support.verbose:
+- sys.stdout.write("\n")
+- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
+- if hasattr(ssl, 'PROTOCOL_SSLv2'):
+- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
+- if hasattr(ssl, 'PROTOCOL_SSLv3'):
+- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
+- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,
+- client_options=ssl.OP_NO_TLSv1_1)
+-
+- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
+- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1, False)
+- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, False)
+-
+-
+- @skip_if_broken_ubuntu_ssl
+ @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"),
+ "TLS version 1.2 not supported.")
+ def test_protocol_tlsv1_2(self):
+@@ -2508,7 +2461,7 @@
+ msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
+
+ server = ThreadedEchoServer(CERTFILE,
+- ssl_version=ssl.PROTOCOL_TLSv1,
++ ssl_version=ssl.PROTOCOL_TLS,
+ starttls_server=True,
+ chatty=True,
+ connectionchatty=True)
+@@ -2536,7 +2489,7 @@
+ sys.stdout.write(
+ " client: read %r from server, starting TLS...\n"
+ % msg)
+- conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
++ conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLS)
+ wrapped = True
+ elif indata == b"ENDTLS" and msg.startswith(b"ok"):
+ # ENDTLS ok, switch back to clear text
+@@ -2623,7 +2576,7 @@
+
+ server = ThreadedEchoServer(CERTFILE,
+ certreqs=ssl.CERT_NONE,
+- ssl_version=ssl.PROTOCOL_TLSv1,
++ ssl_version=ssl.PROTOCOL_TLS,
+ cacerts=CERTFILE,
+ chatty=True,
+ connectionchatty=False)
+@@ -2633,7 +2586,7 @@
+ certfile=CERTFILE,
+ ca_certs=CERTFILE,
+ cert_reqs=ssl.CERT_NONE,
+- ssl_version=ssl.PROTOCOL_TLSv1)
++ ssl_version=ssl.PROTOCOL_TLS)
+ s.connect((HOST, server.port))
+ # helper methods for standardising recv* method signatures
+ def _recv_into():
+@@ -2882,14 +2835,14 @@
+ Basic tests for SSLSocket.version().
+ More tests are done in the test_protocol_*() methods.
+ """
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ with ThreadedEchoServer(CERTFILE,
+- ssl_version=ssl.PROTOCOL_TLSv1,
++ ssl_version=ssl.PROTOCOL_TLS,
+ chatty=False) as server:
+ with closing(context.wrap_socket(socket.socket())) as s:
+ self.assertIs(s.version(), None)
+ s.connect((HOST, server.port))
+- self.assertEqual(s.version(), 'TLSv1')
++ self.assertEqual(s.version(), 'TLSv1.3')
+ self.assertIs(s.version(), None)
+
+ @unittest.skipUnless(ssl.HAS_TLSv1_3,
+@@ -2940,7 +2893,7 @@
+
+ server = ThreadedEchoServer(CERTFILE,
+ certreqs=ssl.CERT_NONE,
+- ssl_version=ssl.PROTOCOL_TLSv1,
++ ssl_version=ssl.PROTOCOL_TLSv1_2,
+ cacerts=CERTFILE,
+ chatty=True,
+ connectionchatty=False)
+@@ -2950,7 +2903,7 @@
+ certfile=CERTFILE,
+ ca_certs=CERTFILE,
+ cert_reqs=ssl.CERT_NONE,
+- ssl_version=ssl.PROTOCOL_TLSv1)
++ ssl_version=ssl.PROTOCOL_TLSv1_2)
+ s.connect((HOST, server.port))
+ # get the data
+ cb_data = s.get_channel_binding("tls-unique")
+@@ -2975,7 +2928,7 @@
+ certfile=CERTFILE,
+ ca_certs=CERTFILE,
+ cert_reqs=ssl.CERT_NONE,
+- ssl_version=ssl.PROTOCOL_TLSv1)
++ ssl_version=ssl.PROTOCOL_TLSv1_2)
+ s.connect((HOST, server.port))
+ new_cb_data = s.get_channel_binding("tls-unique")
+ if support.verbose:
+@@ -2992,7 +2945,7 @@
+ s.close()
+
+ def test_compression(self):
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context.load_cert_chain(CERTFILE)
+ stats = server_params_test(context, context,
+ chatty=True, connectionchatty=True)
+@@ -3003,7 +2956,7 @@
+ @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
+ "ssl.OP_NO_COMPRESSION needed for this test")
+ def test_compression_disabled(self):
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context.load_cert_chain(CERTFILE)
+ context.options |= ssl.OP_NO_COMPRESSION
+ stats = server_params_test(context, context,
+@@ -3012,7 +2965,8 @@
+
+ def test_dh_params(self):
+ # Check we can get a connection with ephemeral Diffie-Hellman
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
++ context.options |= ssl.OP_NO_TLSv1_3
+ context.load_cert_chain(CERTFILE)
+ context.load_dh_params(DHFILE)
+ context.set_ciphers("kEDH")
+@@ -3025,7 +2979,7 @@
+
+ def test_selected_alpn_protocol(self):
+ # selected_alpn_protocol() is None unless ALPN is used.
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context.load_cert_chain(CERTFILE)
+ stats = server_params_test(context, context,
+ chatty=True, connectionchatty=True)
+@@ -3034,9 +2988,9 @@
+ @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support required")
+ def test_selected_alpn_protocol_if_server_uses_alpn(self):
+ # selected_alpn_protocol() is None unless ALPN is used by the client.
+- client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ client_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ client_context.load_verify_locations(CERTFILE)
+- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ server_context.load_cert_chain(CERTFILE)
+ server_context.set_alpn_protocols(['foo', 'bar'])
+ stats = server_params_test(client_context, server_context,
+@@ -3087,7 +3041,7 @@
+
+ def test_selected_npn_protocol(self):
+ # selected_npn_protocol() is None unless NPN is used
+- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ context.load_cert_chain(CERTFILE)
+ stats = server_params_test(context, context,
+ chatty=True, connectionchatty=True)
+@@ -3123,11 +3077,11 @@
+ self.assertEqual(server_result, expected, msg % (server_result, "server"))
+
+ def sni_contexts(self):
+- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ server_context.load_cert_chain(SIGNED_CERTFILE)
+- other_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ other_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ other_context.load_cert_chain(SIGNED_CERTFILE2)
+- client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
++ client_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
+ client_context.verify_mode = ssl.CERT_REQUIRED
+ client_context.load_verify_locations(SIGNING_CA)
+ return server_context, other_context, client_context
+diff -urN Python-2.7.18/Modules/_ssl.c Python-2.7.18.ssl3/Modules/_ssl.c
--- Python-2.7.18/Modules/_ssl.c 2020-04-19 23:13:39.000000000 +0200
-+++ Python-2.7.18.openssl3/Modules/_ssl.c 2021-09-26 17:48:18.378332556 +0200
++++ Python-2.7.18.ssl3/Modules/_ssl.c 2021-09-28 21:37:21.022223239 +0200
@@ -99,7 +99,13 @@
};
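Review bot: `self.assertEqual(s.version(), 'TLSv1.3')` in the rewritten `test_version` hard-codes the negotiated version, so the test fails on a build where TLS 1.3 is compiled out or disabled by the system openssl.cnf even though `PROTOCOL_TLS` negotiated correctly; the file already exposes `ssl.HAS_TLSv1_3` two lines below, so `self.assertEqual(s.version(), 'TLSv1.3' if ssl.HAS_TLSv1_3 else 'TLSv1.2')` keeps the assertion meaningful on both. Two other changes in this hunk deserve a why-comment because the reason is not visible from the code: the channel-binding tests move to `PROTOCOL_TLSv1_2`, presumably because the `tls-unique` binding is not defined for TLS 1.3 (`# tls-unique channel binding is not available under TLS 1.3`), and `test_dh_params` adds `OP_NO_TLSv1_3`, presumably because `load_dh_params`/`kEDH` only affect pre-1.3 key exchange (`# explicit DH params and kEDH only apply to TLS <= 1.2`) — confirm both before committing the comment. The new `PROTOCOLS` loop filter reads more naturally as `if protocol in (ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1):`.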
@@ -97,7 +440,44 @@ diff -urN Python-2.7.18/Modules/_ssl.c Python-2.7.18.openssl3/Modules/_ssl.c
SSL_CTX_set_options(self->ctx, options);
/* A bare minimum cipher list without completly broken cipher suites.
-@@ -4415,6 +4425,10 @@
+@@ -2920,7 +2930,16 @@
+ }
+
+ err = ERR_peek_last_error();
+- if ((filetype == SSL_FILETYPE_ASN1) &&
++ if (loaded == 0) {
++ const char *msg = NULL;
++ if (filetype == SSL_FILETYPE_PEM) {
++ msg = "no start line: cadata does not contain a certificate";
++ } else {
++ msg = "not enough data: cadata does not contain a certificate";
++ }
++ _setSSLError(msg, 0, __FILE__, __LINE__);
++ retval = -1;
++ } else if ((filetype == SSL_FILETYPE_ASN1) &&
+ (loaded > 0) &&
+ (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
+ (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
+@@ -2928,15 +2947,16 @@
+ ERR_clear_error();
+ retval = 0;
+ } else if ((filetype == SSL_FILETYPE_PEM) &&
+- (loaded > 0) &&
+ (ERR_GET_LIB(err) == ERR_LIB_PEM) &&
+ (ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
+ /* EOF PEM file, not an error */
+ ERR_clear_error();
+ retval = 0;
+- } else {
++ } else if (err != 0) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ retval = -1;
++ } else {
++ retval = 0;
+ }
+
+ BIO_free(biobuf);
+@@ -4415,6 +4435,10 @@
PyModule_AddIntConstant(m, "OP_ENABLE_MIDDLEBOX_COMPAT",
SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
#endif
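Review bot: The `(loaded > 0)` condition kept on the `SSL_FILETYPE_ASN1` branch is now dead, because the new `if (loaded == 0)` branch above it is taken first, while the same condition was dropped from the PEM branch; remove it from the ASN1 branch too so the two EOF branches read alike. The new trailing `else { retval = 0; }` is the actual OpenSSL 3 fix (end of input with an empty error queue is treated as success rather than falling into `_setSSLError`), but nothing in the code says so; a comment such as `/* err == 0: clean EOF after at least one cert, nothing queued to report */` would save the next reader from re-deriving it. The `loaded == 0` branch reports an error without calling `ERR_clear_error()`, which is only correct if `_setSSLError` drains the queue itself — it appears to, but that function is not in view. The enclosing function starts and ends outside this hunk.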
@@ -108,9 +488,9 @@ diff -urN Python-2.7.18/Modules/_ssl.c Python-2.7.18.openssl3/Modules/_ssl.c
#if HAVE_SNI
r = Py_True;
-diff -urN Python-2.7.18/Modules/_ssl_data_111.h Python-2.7.18.openssl3/Modules/_ssl_data_111.h
+diff -urN Python-2.7.18/Modules/_ssl_data_111.h Python-2.7.18.ssl3/Modules/_ssl_data_111.h
--- Python-2.7.18/Modules/_ssl_data_111.h 1970-01-01 01:00:00.000000000 +0100
-+++ Python-2.7.18.openssl3/Modules/_ssl_data_111.h 2021-09-26 17:39:37.004624441 +0200
++++ Python-2.7.18.ssl3/Modules/_ssl_data_111.h 2021-09-28 21:17:48.697403980 +0200
@@ -0,0 +1,6525 @@
+/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2021-04-09T09:36:21.493286 */
+static struct py_ssl_library_code library_codes[] = {
@@ -6637,9 +7017,9 @@ diff -urN Python-2.7.18/Modules/_ssl_data_111.h Python-2.7.18.openssl3/Modules/_
+ { NULL }
+};
+
-diff -urN Python-2.7.18/Modules/_ssl_data_300.h Python-2.7.18.openssl3/Modules/_ssl_data_300.h
+diff -urN Python-2.7.18/Modules/_ssl_data_300.h Python-2.7.18.ssl3/Modules/_ssl_data_300.h
--- Python-2.7.18/Modules/_ssl_data_300.h 1970-01-01 01:00:00.000000000 +0100
-+++ Python-2.7.18.openssl3/Modules/_ssl_data_300.h 2021-09-26 17:39:37.004624441 +0200
++++ Python-2.7.18.ssl3/Modules/_ssl_data_300.h 2021-09-28 21:17:48.700737298 +0200
@@ -0,0 +1,8435 @@
+/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2021-04-09T09:44:43.288448 */
+static struct py_ssl_library_code library_codes[] = {
@@ -15076,9 +15456,9 @@ diff -urN Python-2.7.18/Modules/_ssl_data_300.h Python-2.7.18.openssl3/Modules/_
+ { NULL }
+};
+
-diff -urN Python-2.7.18/setup.py Python-2.7.18.openssl3/setup.py
---- Python-2.7.18/setup.py 2021-09-26 19:00:24.336371243 +0200
-+++ Python-2.7.18.openssl3/setup.py 2021-09-26 17:39:37.827966394 +0200
+diff -urN Python-2.7.18/setup.py Python-2.7.18.ssl3/setup.py
+--- Python-2.7.18/setup.py 2021-09-28 22:33:44.718519973 +0200
++++ Python-2.7.18.ssl3/setup.py 2021-09-28 21:17:49.454067071 +0200
@@ -877,7 +877,12 @@
include_dirs = ssl_incs,
library_dirs = ssl_libs,
@@ -15093,9 +15473,19 @@ diff -urN Python-2.7.18/setup.py Python-2.7.18.openssl3/setup.py
else:
missing.append('_ssl')
-diff -urN Python-2.7.18/Tools/ssl/make_ssl_data.py Python-2.7.18.openssl3/Tools/ssl/make_ssl_data.py
---- Python-2.7.18/Tools/ssl/make_ssl_data.py 2021-09-26 19:00:24.349704777 +0200
-+++ Python-2.7.18.openssl3/Tools/ssl/make_ssl_data.py 2021-09-26 17:39:37.844633236 +0200
+@@ -910,8 +910,7 @@
+
+ min_openssl_ver = 0x00907000
+ have_any_openssl = ssl_incs is not None and ssl_libs is not None
+- have_usable_openssl = (have_any_openssl and
+- openssl_ver >= min_openssl_ver)
++ have_usable_openssl = True
+
+ if have_any_openssl:
+ if have_usable_openssl:
+diff -urN Python-2.7.18/Tools/ssl/make_ssl_data.py Python-2.7.18.ssl3/Tools/ssl/make_ssl_data.py
+--- Python-2.7.18/Tools/ssl/make_ssl_data.py 2021-09-28 22:33:44.731853312 +0200
++++ Python-2.7.18.ssl3/Tools/ssl/make_ssl_data.py 2021-09-28 21:17:49.467400341 +0200
@@ -2,86 +2,133 @@
"""
@@ -15298,245 +15688,3 @@ diff -urN Python-2.7.18/Tools/ssl/make_ssl_data.py Python-2.7.18.openssl3/Tools/
- if not use_stdout:
- f.close()
+ main()
-diff -ur Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.ssl3/Lib/test/test_ssl.py
---- Python-2.7.18/Lib/test/test_ssl.py 2021-09-27 23:43:12.111251846 +0200
-+++ Python-2.7.18.ssl3/Lib/test/test_ssl.py 2021-09-27 23:41:03.000000000 +0200
-@@ -1005,7 +1005,7 @@
- neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem)
-
- # test PEM
-- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
- self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0)
- ctx.load_verify_locations(cadata=cacert_pem)
- self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1)
-@@ -1016,20 +1016,20 @@
- self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
-
- # combined
-- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
- combined = "\n".join((cacert_pem, neuronio_pem))
- ctx.load_verify_locations(cadata=combined)
- self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
-
- # with junk around the certs
-- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
- combined = ["head", cacert_pem, "other", neuronio_pem, "again",
- neuronio_pem, "tail"]
- ctx.load_verify_locations(cadata="\n".join(combined))
- self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
-
- # test DER
-- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
- ctx.load_verify_locations(cadata=cacert_der)
- ctx.load_verify_locations(cadata=neuronio_der)
- self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
-@@ -1038,13 +1038,13 @@
- self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
-
- # combined
-- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
- combined = b"".join((cacert_der, neuronio_der))
- ctx.load_verify_locations(cadata=combined)
- self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2)
-
- # error cases
-- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
- self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
-
- with self.assertRaisesRegexp(ssl.SSLError, "no start line"):
-@@ -1334,7 +1334,7 @@
- assert_python_ok("-c", https_is_verified, **extra_env)
-
- def test_check_hostname(self):
-- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
- self.assertFalse(ctx.check_hostname)
-
- # Requires CERT_REQUIRED or CERT_OPTIONAL
-@@ -2211,10 +2211,10 @@
- if support.verbose:
- sys.stdout.write("\n")
-
-- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- server_context.load_cert_chain(SIGNED_CERTFILE)
-
-- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- context.verify_mode = ssl.CERT_REQUIRED
- context.load_verify_locations(SIGNING_CA)
- tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)
-@@ -2252,10 +2252,10 @@
- if support.verbose:
- sys.stdout.write("\n")
-
-- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- server_context.load_cert_chain(SIGNED_CERTFILE)
-
-- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- context.verify_mode = ssl.CERT_REQUIRED
- context.check_hostname = True
- context.load_verify_locations(SIGNING_CA)
-@@ -2445,43 +2445,6 @@
- False, client_options=ssl.OP_NO_SSLv2)
-
- @skip_if_broken_ubuntu_ssl
-- def test_protocol_tlsv1(self):
-- """Connecting to a TLSv1 server with various client options"""
-- if support.verbose:
-- sys.stdout.write("\n")
-- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1')
-- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL)
-- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED)
-- if hasattr(ssl, 'PROTOCOL_SSLv2'):
-- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False)
-- if hasattr(ssl, 'PROTOCOL_SSLv3'):
-- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False)
-- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False,
-- client_options=ssl.OP_NO_TLSv1)
--
-- @skip_if_broken_ubuntu_ssl
-- @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"),
-- "TLS version 1.1 not supported.")
-- @skip_if_openssl_cnf_minprotocol_gt_tls1
-- def test_protocol_tlsv1_1(self):
-- """Connecting to a TLSv1.1 server with various client options.
-- Testing against older TLS versions."""
-- if support.verbose:
-- sys.stdout.write("\n")
-- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
-- if hasattr(ssl, 'PROTOCOL_SSLv2'):
-- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False)
-- if hasattr(ssl, 'PROTOCOL_SSLv3'):
-- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False)
-- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False,
-- client_options=ssl.OP_NO_TLSv1_1)
--
-- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1')
-- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1, False)
-- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, False)
--
--
-- @skip_if_broken_ubuntu_ssl
- @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"),
- "TLS version 1.2 not supported.")
- def test_protocol_tlsv1_2(self):
-@@ -2510,7 +2473,7 @@
- msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6")
-
- server = ThreadedEchoServer(CERTFILE,
-- ssl_version=ssl.PROTOCOL_TLSv1,
-+ ssl_version=ssl.PROTOCOL_TLS,
- starttls_server=True,
- chatty=True,
- connectionchatty=True)
-@@ -2538,7 +2501,7 @@
- sys.stdout.write(
- " client: read %r from server, starting TLS...\n"
- % msg)
-- conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1)
-+ conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLS)
- wrapped = True
- elif indata == b"ENDTLS" and msg.startswith(b"ok"):
- # ENDTLS ok, switch back to clear text
-@@ -2625,7 +2588,7 @@
-
- server = ThreadedEchoServer(CERTFILE,
- certreqs=ssl.CERT_NONE,
-- ssl_version=ssl.PROTOCOL_TLSv1,
-+ ssl_version=ssl.PROTOCOL_TLS,
- cacerts=CERTFILE,
- chatty=True,
- connectionchatty=False)
-@@ -2635,7 +2598,7 @@
- certfile=CERTFILE,
- ca_certs=CERTFILE,
- cert_reqs=ssl.CERT_NONE,
-- ssl_version=ssl.PROTOCOL_TLSv1)
-+ ssl_version=ssl.PROTOCOL_TLS)
- s.connect((HOST, server.port))
- # helper methods for standardising recv* method signatures
- def _recv_into():
-@@ -2884,14 +2847,14 @@
- Basic tests for SSLSocket.version().
- More tests are done in the test_protocol_*() methods.
- """
-- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- with ThreadedEchoServer(CERTFILE,
-- ssl_version=ssl.PROTOCOL_TLSv1,
-+ ssl_version=ssl.PROTOCOL_TLS,
- chatty=False) as server:
- with closing(context.wrap_socket(socket.socket())) as s:
- self.assertIs(s.version(), None)
- s.connect((HOST, server.port))
-- self.assertEqual(s.version(), 'TLSv1')
-+ self.assertEqual(s.version(), 'TLSv1.3')
- self.assertIs(s.version(), None)
-
- @unittest.skipUnless(ssl.HAS_TLSv1_3,
-@@ -2994,7 +2957,7 @@
- s.close()
-
- def test_compression(self):
-- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- context.load_cert_chain(CERTFILE)
- stats = server_params_test(context, context,
- chatty=True, connectionchatty=True)
-@@ -3005,7 +2968,7 @@
- @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'),
- "ssl.OP_NO_COMPRESSION needed for this test")
- def test_compression_disabled(self):
-- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- context.load_cert_chain(CERTFILE)
- context.options |= ssl.OP_NO_COMPRESSION
- stats = server_params_test(context, context,
-@@ -3014,7 +2977,7 @@
-
- def test_dh_params(self):
- # Check we can get a connection with ephemeral Diffie-Hellman
-- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- context.load_cert_chain(CERTFILE)
- context.load_dh_params(DHFILE)
- context.set_ciphers("kEDH")
-@@ -3027,7 +2990,7 @@
-
- def test_selected_alpn_protocol(self):
- # selected_alpn_protocol() is None unless ALPN is used.
-- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- context.load_cert_chain(CERTFILE)
- stats = server_params_test(context, context,
- chatty=True, connectionchatty=True)
-@@ -3036,9 +2999,9 @@
- @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support required")
- def test_selected_alpn_protocol_if_server_uses_alpn(self):
- # selected_alpn_protocol() is None unless ALPN is used by the client.
-- client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ client_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- client_context.load_verify_locations(CERTFILE)
-- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- server_context.load_cert_chain(CERTFILE)
- server_context.set_alpn_protocols(['foo', 'bar'])
- stats = server_params_test(client_context, server_context,
-@@ -3089,7 +3052,7 @@
-
- def test_selected_npn_protocol(self):
- # selected_npn_protocol() is None unless NPN is used
-- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-+ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
- context.load_cert_chain(CERTFILE)
- stats = server_params_test(context, context,
- chatty=True, connectionchatty=True)
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/python.git/commitdiff/2eee8c61986b750591a6e44c63642b6e5256a9b5