From: Jan Rękorajski Date: Tue, 28 Sep 2021 21:09:35 +0000 (+0200) Subject: - final openssl 3.0.0 fixes, rel 5 X-Git-Tag: auto/th/python-2.7.18-5 X-Git-Url: http://git.pld-linux.org/gitweb.cgi?a=commitdiff_plain;h=2eee8c61986b750591a6e44c63642b6e5256a9b5;p=packages%2Fpython.git - final openssl 3.0.0 fixes, rel 5 --- diff --git a/openssl3.patch b/openssl3.patch index 60c1dcc..ceebe3f 100644 --- a/openssl3.patch +++ b/openssl3.patch @@ -1,6 +1,6 @@ -diff -urN Python-2.7.18/Doc/library/ssl.rst Python-2.7.18.openssl3/Doc/library/ssl.rst +diff -urN Python-2.7.18/Doc/library/ssl.rst Python-2.7.18.ssl3/Doc/library/ssl.rst --- Python-2.7.18/Doc/library/ssl.rst 2020-04-19 23:13:39.000000000 +0200 -+++ Python-2.7.18.openssl3/Doc/library/ssl.rst 2021-09-26 17:48:18.378332556 +0200 ++++ Python-2.7.18.ssl3/Doc/library/ssl.rst 2021-09-28 21:17:48.697403980 +0200 @@ -760,6 +760,12 @@ .. versionadded:: 2.7.9 @@ -14,10 +14,10 @@ diff -urN Python-2.7.18/Doc/library/ssl.rst Python-2.7.18.openssl3/Doc/library/s .. data:: HAS_ALPN Whether the OpenSSL library has built-in support for the *Application-Layer -diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.openssl3/Lib/test/test_ssl.py +diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.ssl3/Lib/test/test_ssl.py --- Python-2.7.18/Lib/test/test_ssl.py 2020-04-19 23:13:39.000000000 +0200 -+++ Python-2.7.18.openssl3/Lib/test/test_ssl.py 2021-09-26 18:50:50.463997547 +0200 -@@ -84,6 +85,7 @@ ++++ Python-2.7.18.ssl3/Lib/test/test_ssl.py 2021-09-28 22:32:24.245278731 +0200 +@@ -84,6 +84,7 @@ OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0) OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0) OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0) 
@@ -25,7 +25,41 @@ diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.openssl3/Lib/test/tes def handle_error(prefix): -@@ -305,7 +307,7 @@ +@@ -170,23 +171,7 @@ + """ + @functools.wraps(func) + def f(*args, **kwargs): +- openssl_cnf = os.environ.get("OPENSSL_CONF", "/etc/ssl/openssl.cnf") +- try: +- with open(openssl_cnf, "r") as config: +- for line in config: +- match = re.match(r"MinProtocol\s*=\s*(TLSv\d+\S*)", line) +- if match: +- tls_ver = match.group(1) +- if tls_ver > "TLSv1": +- raise unittest.SkipTest( +- "%s has MinProtocol = %s which is > TLSv1." % +- (openssl_cnf, tls_ver)) +- except (EnvironmentError, UnicodeDecodeError) as err: +- # no config file found, etc. +- if support.verbose: +- sys.stdout.write("\n Could not scan %s for MinProtocol: %s\n" +- % (openssl_cnf, err)) +- return func(*args, **kwargs) ++ raise unittest.SkipTest("OpenSSL 3 supports only protocols > TLSv1.") + return f + + +@@ -214,6 +199,8 @@ + if ssl.OPENSSL_VERSION_INFO >= (1, 0, 1): + ssl.OP_NO_TLSv1_1 + ssl.OP_NO_TLSv1_2 ++ if ssl.OPENSSL_VERSION_INFO >= (3, 0, 0): ++ ssl.OP_NO_TLSv1 + + def test_random(self): + v = ssl.RAND_status() +@@ -305,7 +292,7 @@ ('email', 'null@python.org\x00user@example.org'), ('URI', 'http://null.python.org\x00http://example.org'), ('IP Address', '192.0.2.1'), @@ -34,7 +68,7 @@ diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.openssl3/Lib/test/tes else: # OpenSSL 0.9.7 doesn't support IPv6 addresses in subjectAltName san = (('DNS', 'altnull.python.org\x00example.com'), -@@ -332,7 +334,7 @@ +@@ -332,7 +319,7 @@ (('commonName', 'dirname example'),))), ('URI', 'https://www.python.org/'), ('IP Address', '127.0.0.1'), @@ -43,7 +77,7 @@ diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.openssl3/Lib/test/tes ('Registered ID', '1.2.3.4.5') ) ) -@@ -359,11 +361,11 @@ +@@ -359,11 +346,11 @@ # Some sanity checks follow # >= 0.9 self.assertGreaterEqual(n, 0x900000) 
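Review bot: The rewritten wrapper `f` inside `skip_if_openssl_cnf_minprotocol_gt_tls1` raises `unittest.SkipTest` unconditionally, so any test carrying the decorator is skipped on every OpenSSL version, not only on 3.0. Gating the skip keeps those tests running against older libraries: `if ssl.OPENSSL_VERSION_INFO >= (3, 0, 0): raise unittest.SkipTest(...)` followed by `return func(*args, **kwargs)`. The only use visible in this diff, on `test_protocol_tlsv1_1`, is deleted further down, so if nothing else uses the decorator it could be removed instead of hollowed out. The message also overstates the case as far as I know: OpenSSL 3.0 still implements TLS 1.0/1.1 but only negotiates them at security level 0, so wording like `"TLSv1/TLSv1.1 are disabled at the default OpenSSL 3 security level"` would be more accurate. The decorator's definition starts above the hunk.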
@@ -59,7 +93,7 @@ diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.openssl3/Lib/test/tes self.assertGreaterEqual(minor, 0) self.assertLess(minor, 256) self.assertGreaterEqual(fix, 0) -@@ -833,7 +841,8 @@ +@@ -839,7 +826,8 @@ # SSLContext also enables these by default default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE | OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE | 
@@ -69,9 +103,318 @@ diff -urN Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.openssl3/Lib/test/tes self.assertEqual(default, ctx.options) ctx.options |= ssl.OP_NO_TLSv1 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) -diff -urN Python-2.7.18/Modules/_ssl.c Python-2.7.18.openssl3/Modules/_ssl.c +@@ -1003,7 +991,7 @@ + neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem) + + # test PEM +- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) + self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0) + ctx.load_verify_locations(cadata=cacert_pem) + self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1) +@@ -1014,20 +1002,20 @@ + self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2) + + # combined +- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) + combined = "\n".join((cacert_pem, neuronio_pem)) + ctx.load_verify_locations(cadata=combined) + self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2) + + # with junk around the certs +- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) + combined = ["head", cacert_pem, "other", neuronio_pem, "again", + neuronio_pem, "tail"] + ctx.load_verify_locations(cadata="\n".join(combined)) + self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2) + + # test DER +- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) + ctx.load_verify_locations(cadata=cacert_der) + ctx.load_verify_locations(cadata=neuronio_der) + self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2) +@@ -1036,13 +1024,13 @@ + self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2) + + # combined +- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) + combined = b"".join((cacert_der, neuronio_der)) + ctx.load_verify_locations(cadata=combined) + self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2) + + # error cases +- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) + 
self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object) + + with self.assertRaisesRegexp(ssl.SSLError, "no start line"): +@@ -1111,7 +1099,7 @@ + + @needs_sni + def test_sni_callback(self): +- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) + + # set_servername_callback expects a callable, or None + self.assertRaises(TypeError, ctx.set_servername_callback) +@@ -1128,7 +1116,7 @@ + def test_sni_callback_refcycle(self): + # Reference cycles through the servername callback are detected + # and cleared. +- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) + def dummycallback(sock, servername, ctx, cycle=ctx): + pass + ctx.set_servername_callback(dummycallback) +@@ -1332,7 +1320,7 @@ + assert_python_ok("-c", https_is_verified, **extra_env) + + def test_check_hostname(self): +- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) + self.assertFalse(ctx.check_hostname) + + # Requires CERT_REQUIRED or CERT_OPTIONAL +@@ -2160,6 +2148,8 @@ + if support.verbose: + sys.stdout.write("\n") + for protocol in PROTOCOLS: ++ if (protocol == ssl.PROTOCOL_TLSv1 or protocol == ssl.PROTOCOL_TLSv1_1): ++ continue + context = ssl.SSLContext(protocol) + context.load_cert_chain(CERTFILE) + server_params_test(context, context, +@@ -2209,10 +2199,10 @@ + if support.verbose: + sys.stdout.write("\n") + +- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS) + server_context.load_cert_chain(SIGNED_CERTFILE) + +- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ context = ssl.SSLContext(ssl.PROTOCOL_TLS) + context.verify_mode = ssl.CERT_REQUIRED + context.load_verify_locations(SIGNING_CA) + tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0) +@@ -2250,10 +2240,10 @@ + if support.verbose: + sys.stdout.write("\n") + +- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS) + 
server_context.load_cert_chain(SIGNED_CERTFILE) + +- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ context = ssl.SSLContext(ssl.PROTOCOL_TLS) + context.verify_mode = ssl.CERT_REQUIRED + context.check_hostname = True + context.load_verify_locations(SIGNING_CA) +@@ -2443,43 +2433,6 @@ + False, client_options=ssl.OP_NO_SSLv2) + + @skip_if_broken_ubuntu_ssl +- def test_protocol_tlsv1(self): +- """Connecting to a TLSv1 server with various client options""" +- if support.verbose: +- sys.stdout.write("\n") +- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1') +- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL) +- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED) +- if hasattr(ssl, 'PROTOCOL_SSLv2'): +- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, False) +- if hasattr(ssl, 'PROTOCOL_SSLv3'): +- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False) +- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False, +- client_options=ssl.OP_NO_TLSv1) +- +- @skip_if_broken_ubuntu_ssl +- @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"), +- "TLS version 1.1 not supported.") +- @skip_if_openssl_cnf_minprotocol_gt_tls1 +- def test_protocol_tlsv1_1(self): +- """Connecting to a TLSv1.1 server with various client options. 
+- Testing against older TLS versions.""" +- if support.verbose: +- sys.stdout.write("\n") +- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1') +- if hasattr(ssl, 'PROTOCOL_SSLv2'): +- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False) +- if hasattr(ssl, 'PROTOCOL_SSLv3'): +- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False) +- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False, +- client_options=ssl.OP_NO_TLSv1_1) +- +- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1') +- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1, False) +- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, False) +- +- +- @skip_if_broken_ubuntu_ssl + @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"), + "TLS version 1.2 not supported.") + def test_protocol_tlsv1_2(self): +@@ -2508,7 +2461,7 @@ + msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6") + + server = ThreadedEchoServer(CERTFILE, +- ssl_version=ssl.PROTOCOL_TLSv1, ++ ssl_version=ssl.PROTOCOL_TLS, + starttls_server=True, + chatty=True, + connectionchatty=True) +@@ -2536,7 +2489,7 @@ + sys.stdout.write( + " client: read %r from server, starting TLS...\n" + % msg) +- conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1) ++ conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLS) + wrapped = True + elif indata == b"ENDTLS" and msg.startswith(b"ok"): + # ENDTLS ok, switch back to clear text +@@ -2623,7 +2576,7 @@ + + server = ThreadedEchoServer(CERTFILE, + certreqs=ssl.CERT_NONE, +- ssl_version=ssl.PROTOCOL_TLSv1, ++ ssl_version=ssl.PROTOCOL_TLS, + cacerts=CERTFILE, + chatty=True, + connectionchatty=False) +@@ -2633,7 +2586,7 @@ + certfile=CERTFILE, + ca_certs=CERTFILE, + cert_reqs=ssl.CERT_NONE, +- ssl_version=ssl.PROTOCOL_TLSv1) ++ ssl_version=ssl.PROTOCOL_TLS) + s.connect((HOST, server.port)) + # helper methods for standardising recv* method signatures + def 
_recv_into(): +@@ -2882,14 +2835,14 @@ + Basic tests for SSLSocket.version(). + More tests are done in the test_protocol_*() methods. + """ +- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ context = ssl.SSLContext(ssl.PROTOCOL_TLS) + with ThreadedEchoServer(CERTFILE, +- ssl_version=ssl.PROTOCOL_TLSv1, ++ ssl_version=ssl.PROTOCOL_TLS, + chatty=False) as server: + with closing(context.wrap_socket(socket.socket())) as s: + self.assertIs(s.version(), None) + s.connect((HOST, server.port)) +- self.assertEqual(s.version(), 'TLSv1') ++ self.assertEqual(s.version(), 'TLSv1.3') + self.assertIs(s.version(), None) + + @unittest.skipUnless(ssl.HAS_TLSv1_3, +@@ -2940,7 +2893,7 @@ + + server = ThreadedEchoServer(CERTFILE, + certreqs=ssl.CERT_NONE, +- ssl_version=ssl.PROTOCOL_TLSv1, ++ ssl_version=ssl.PROTOCOL_TLSv1_2, + cacerts=CERTFILE, + chatty=True, + connectionchatty=False) +@@ -2950,7 +2903,7 @@ + certfile=CERTFILE, + ca_certs=CERTFILE, + cert_reqs=ssl.CERT_NONE, +- ssl_version=ssl.PROTOCOL_TLSv1) ++ ssl_version=ssl.PROTOCOL_TLSv1_2) + s.connect((HOST, server.port)) + # get the data + cb_data = s.get_channel_binding("tls-unique") +@@ -2975,7 +2928,7 @@ + certfile=CERTFILE, + ca_certs=CERTFILE, + cert_reqs=ssl.CERT_NONE, +- ssl_version=ssl.PROTOCOL_TLSv1) ++ ssl_version=ssl.PROTOCOL_TLSv1_2) + s.connect((HOST, server.port)) + new_cb_data = s.get_channel_binding("tls-unique") + if support.verbose: +@@ -2992,7 +2945,7 @@ + s.close() + + def test_compression(self): +- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ context = ssl.SSLContext(ssl.PROTOCOL_TLS) + context.load_cert_chain(CERTFILE) + stats = server_params_test(context, context, + chatty=True, connectionchatty=True) +@@ -3003,7 +2956,7 @@ + @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'), + "ssl.OP_NO_COMPRESSION needed for this test") + def test_compression_disabled(self): +- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ context = ssl.SSLContext(ssl.PROTOCOL_TLS) + context.load_cert_chain(CERTFILE) + 
context.options |= ssl.OP_NO_COMPRESSION + stats = server_params_test(context, context, +@@ -3012,7 +2965,8 @@ + + def test_dh_params(self): + # Check we can get a connection with ephemeral Diffie-Hellman +- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ context = ssl.SSLContext(ssl.PROTOCOL_TLS) ++ context.options |= ssl.OP_NO_TLSv1_3 + context.load_cert_chain(CERTFILE) + context.load_dh_params(DHFILE) + context.set_ciphers("kEDH") +@@ -3025,7 +2979,7 @@ + + def test_selected_alpn_protocol(self): + # selected_alpn_protocol() is None unless ALPN is used. +- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ context = ssl.SSLContext(ssl.PROTOCOL_TLS) + context.load_cert_chain(CERTFILE) + stats = server_params_test(context, context, + chatty=True, connectionchatty=True) +@@ -3034,9 +2988,9 @@ + @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support required") + def test_selected_alpn_protocol_if_server_uses_alpn(self): + # selected_alpn_protocol() is None unless ALPN is used by the client. +- client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ client_context = ssl.SSLContext(ssl.PROTOCOL_TLS) + client_context.load_verify_locations(CERTFILE) +- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS) + server_context.load_cert_chain(CERTFILE) + server_context.set_alpn_protocols(['foo', 'bar']) + stats = server_params_test(client_context, server_context, +@@ -3087,7 +3041,7 @@ + + def test_selected_npn_protocol(self): + # selected_npn_protocol() is None unless NPN is used +- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ context = ssl.SSLContext(ssl.PROTOCOL_TLS) + context.load_cert_chain(CERTFILE) + stats = server_params_test(context, context, + chatty=True, connectionchatty=True) +@@ -3123,11 +3077,11 @@ + self.assertEqual(server_result, expected, msg % (server_result, "server")) + + def sni_contexts(self): +- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS) + 
server_context.load_cert_chain(SIGNED_CERTFILE) +- other_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ other_context = ssl.SSLContext(ssl.PROTOCOL_TLS) + other_context.load_cert_chain(SIGNED_CERTFILE2) +- client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) ++ client_context = ssl.SSLContext(ssl.PROTOCOL_TLS) + client_context.verify_mode = ssl.CERT_REQUIRED + client_context.load_verify_locations(SIGNING_CA) + return server_context, other_context, client_context +diff -urN Python-2.7.18/Modules/_ssl.c Python-2.7.18.ssl3/Modules/_ssl.c --- Python-2.7.18/Modules/_ssl.c 2020-04-19 23:13:39.000000000 +0200 -+++ Python-2.7.18.openssl3/Modules/_ssl.c 2021-09-26 17:48:18.378332556 +0200 ++++ Python-2.7.18.ssl3/Modules/_ssl.c 2021-09-28 21:37:21.022223239 +0200 @@ -99,7 +99,13 @@ }; 
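Review bot: In the `SSLSocket.version()` test, `self.assertEqual(s.version(), 'TLSv1.3')` hard-codes the negotiated protocol although both ends are now `PROTOCOL_TLS`, so the test fails on any build or configuration where TLS 1.3 is unavailable or capped; the test that follows it is already guarded with `ssl.HAS_TLSv1_3`. Either add the same guard or accept what auto-negotiation can yield, e.g. `self.assertIn(s.version(), ('TLSv1.2', 'TLSv1.3'))`. Separately, deleting `test_protocol_tlsv1` and `test_protocol_tlsv1_1` also removes the negative cases (`try_protocol_combo(..., False)`) that checked refusal of SSLv2/SSLv3 peers and of clients setting `OP_NO_TLSv1`/`OP_NO_TLSv1_1`. An equivalent refusal check built on `PROTOCOL_TLSv1_2` would keep downgrade behaviour covered, unless `test_protocol_tlsv1_2` (its body is outside this hunk) already does so.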
@@ -97,7 +440,44 @@ diff -urN Python-2.7.18/Modules/_ssl.c Python-2.7.18.openssl3/Modules/_ssl.c SSL_CTX_set_options(self->ctx, options); /* A bare minimum cipher list without completly broken cipher suites. -@@ -4415,6 +4425,10 @@ +@@ -2920,7 +2930,16 @@ + } + + err = ERR_peek_last_error(); +- if ((filetype == SSL_FILETYPE_ASN1) && ++ if (loaded == 0) { ++ const char *msg = NULL; ++ if (filetype == SSL_FILETYPE_PEM) { ++ msg = "no start line: cadata does not contain a certificate"; ++ } else { ++ msg = "not enough data: cadata does not contain a certificate"; ++ } ++ _setSSLError(msg, 0, __FILE__, __LINE__); ++ retval = -1; ++ } else if ((filetype == SSL_FILETYPE_ASN1) && + (loaded > 0) && + (ERR_GET_LIB(err) == ERR_LIB_ASN1) && + (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) { +@@ -2928,15 +2947,16 @@ + ERR_clear_error(); + retval = 0; + } else if ((filetype == SSL_FILETYPE_PEM) && +- (loaded > 0) && + (ERR_GET_LIB(err) == ERR_LIB_PEM) && + (ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) { + /* EOF PEM file, not an error */ + ERR_clear_error(); + retval = 0; +- } else { ++ } else if (err != 0) { + _setSSLError(NULL, 0, __FILE__, __LINE__); + retval = -1; ++ } else { ++ retval = 0; + } + + BIO_free(biobuf); +@@ -4415,6 +4435,10 @@ PyModule_AddIntConstant(m, "OP_ENABLE_MIDDLEBOX_COMPAT", SSL_OP_ENABLE_MIDDLEBOX_COMPAT); #endif @@ -108,9 +488,9 @@ diff -urN Python-2.7.18/Modules/_ssl.c Python-2.7.18.openssl3/Modules/_ssl.c #if HAVE_SNI r = Py_True; -diff -urN Python-2.7.18/Modules/_ssl_data_111.h Python-2.7.18.openssl3/Modules/_ssl_data_111.h +diff -urN Python-2.7.18/Modules/_ssl_data_111.h Python-2.7.18.ssl3/Modules/_ssl_data_111.h --- Python-2.7.18/Modules/_ssl_data_111.h 1970-01-01 01:00:00.000000000 +0100 -+++ Python-2.7.18.openssl3/Modules/_ssl_data_111.h 2021-09-26 17:39:37.004624441 +0200 ++++ Python-2.7.18.ssl3/Modules/_ssl_data_111.h 2021-09-28 21:17:48.697403980 +0200 
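Review bot: In the reworked error handling after the cadata loop, the new leading `if (loaded == 0)` branch makes the `(loaded > 0)` test that is kept in the `SSL_FILETYPE_ASN1` branch redundant, while the same test was removed from the PEM branch; dropping it there too keeps the two end-of-input branches parallel. The final `else { retval = 0; }` deserves a short comment such as `/* certificates were loaded and no error is queued */`, since it is the one success path that does not call `ERR_clear_error()`. `msg` is declared `const char *`; if `_setSSLError` in this tree takes a plain `char *` (its prototype is outside the hunk), the call will warn about a discarded qualifier. The enclosing function starts and ends outside the hunk.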
@@ -0,0 +1,6525 @@ +/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2021-04-09T09:36:21.493286 */ +static struct py_ssl_library_code library_codes[] = { @@ -6637,9 +7017,9 @@ diff -urN Python-2.7.18/Modules/_ssl_data_111.h Python-2.7.18.openssl3/Modules/_ + { NULL } +}; + -diff -urN Python-2.7.18/Modules/_ssl_data_300.h Python-2.7.18.openssl3/Modules/_ssl_data_300.h +diff -urN Python-2.7.18/Modules/_ssl_data_300.h Python-2.7.18.ssl3/Modules/_ssl_data_300.h --- Python-2.7.18/Modules/_ssl_data_300.h 1970-01-01 01:00:00.000000000 +0100 -+++ Python-2.7.18.openssl3/Modules/_ssl_data_300.h 2021-09-26 17:39:37.004624441 +0200 ++++ Python-2.7.18.ssl3/Modules/_ssl_data_300.h 2021-09-28 21:17:48.700737298 +0200 @@ -0,0 +1,8435 @@ +/* File generated by Tools/ssl/make_ssl_data.py *//* Generated on 2021-04-09T09:44:43.288448 */ +static struct py_ssl_library_code library_codes[] = { @@ -15076,9 +15456,9 @@ diff -urN Python-2.7.18/Modules/_ssl_data_300.h Python-2.7.18.openssl3/Modules/_ + { NULL } +}; + -diff -urN Python-2.7.18/setup.py Python-2.7.18.openssl3/setup.py ---- Python-2.7.18/setup.py 2021-09-26 19:00:24.336371243 +0200 -+++ Python-2.7.18.openssl3/setup.py 2021-09-26 17:39:37.827966394 +0200 +diff -urN Python-2.7.18/setup.py Python-2.7.18.ssl3/setup.py +--- Python-2.7.18/setup.py 2021-09-28 22:33:44.718519973 +0200 ++++ Python-2.7.18.ssl3/setup.py 2021-09-28 21:17:49.454067071 +0200 @@ -877,7 +877,12 @@ include_dirs = ssl_incs, library_dirs = ssl_libs, 
@@ -15093,9 +15473,19 @@ diff -urN Python-2.7.18/setup.py Python-2.7.18.openssl3/setup.py else: missing.append('_ssl') -diff -urN Python-2.7.18/Tools/ssl/make_ssl_data.py Python-2.7.18.openssl3/Tools/ssl/make_ssl_data.py ---- Python-2.7.18/Tools/ssl/make_ssl_data.py 2021-09-26 19:00:24.349704777 +0200 -+++ Python-2.7.18.openssl3/Tools/ssl/make_ssl_data.py 2021-09-26 17:39:37.844633236 +0200 +@@ -910,8 +910,7 @@ + + min_openssl_ver = 0x00907000 + have_any_openssl = ssl_incs is not None and ssl_libs is not None +- have_usable_openssl = (have_any_openssl and +- openssl_ver >= min_openssl_ver) ++ have_usable_openssl = True + + if have_any_openssl: + if have_usable_openssl: +diff -urN Python-2.7.18/Tools/ssl/make_ssl_data.py Python-2.7.18.ssl3/Tools/ssl/make_ssl_data.py +--- Python-2.7.18/Tools/ssl/make_ssl_data.py 2021-09-28 22:33:44.731853312 +0200 ++++ Python-2.7.18.ssl3/Tools/ssl/make_ssl_data.py 2021-09-28 21:17:49.467400341 +0200 @@ -2,86 +2,133 @@ """ 
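Review bot: `have_usable_openssl = True` removes the presence check together with the version check, so the flag is true even when `have_any_openssl` is false. In upstream setup.py the same flag also decides whether the built-in `_md5`/`_sha` fallback modules are compiled (that code is outside the hunk, so this is inferred), which would leave a build without OpenSSL headers with neither `_hashlib` nor the fallbacks. `have_usable_openssl = have_any_openssl` still skips the version comparison, presumably the part that breaks because `openssl_ver` is not parsed from OpenSSL 3 headers, while keeping that guard.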
@@ -15298,245 +15688,3 @@ diff -urN Python-2.7.18/Tools/ssl/make_ssl_data.py Python-2.7.18.openssl3/Tools/ - if not use_stdout: - f.close() + main() -diff -ur Python-2.7.18/Lib/test/test_ssl.py Python-2.7.18.ssl3/Lib/test/test_ssl.py ---- Python-2.7.18/Lib/test/test_ssl.py 2021-09-27 23:43:12.111251846 +0200 -+++ Python-2.7.18.ssl3/Lib/test/test_ssl.py 2021-09-27 23:41:03.000000000 +0200 -@@ -1005,7 +1005,7 @@ - neuronio_der = ssl.PEM_cert_to_DER_cert(neuronio_pem) - - # test PEM -- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) - self.assertEqual(ctx.cert_store_stats()["x509_ca"], 0) - ctx.load_verify_locations(cadata=cacert_pem) - self.assertEqual(ctx.cert_store_stats()["x509_ca"], 1) -@@ -1016,20 +1016,20 @@ - self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2) - - # combined -- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) - combined = "\n".join((cacert_pem, neuronio_pem)) - ctx.load_verify_locations(cadata=combined) - self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2) - - # with junk around the certs -- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) - combined = ["head", cacert_pem, "other", neuronio_pem, "again", - neuronio_pem, "tail"] - ctx.load_verify_locations(cadata="\n".join(combined)) - self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2) - - # test DER -- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) - ctx.load_verify_locations(cadata=cacert_der) - ctx.load_verify_locations(cadata=neuronio_der) - self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2) -@@ -1038,13 +1038,13 @@ - self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2) - - # combined -- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) - combined = b"".join((cacert_der, neuronio_der)) - ctx.load_verify_locations(cadata=combined) - self.assertEqual(ctx.cert_store_stats()["x509_ca"], 2) - - # error cases -- 
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) - self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object) - - with self.assertRaisesRegexp(ssl.SSLError, "no start line"): -@@ -1334,7 +1334,7 @@ - assert_python_ok("-c", https_is_verified, **extra_env) - - def test_check_hostname(self): -- ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) - self.assertFalse(ctx.check_hostname) - - # Requires CERT_REQUIRED or CERT_OPTIONAL -@@ -2211,10 +2211,10 @@ - if support.verbose: - sys.stdout.write("\n") - -- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS) - server_context.load_cert_chain(SIGNED_CERTFILE) - -- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ context = ssl.SSLContext(ssl.PROTOCOL_TLS) - context.verify_mode = ssl.CERT_REQUIRED - context.load_verify_locations(SIGNING_CA) - tf = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0) -@@ -2252,10 +2252,10 @@ - if support.verbose: - sys.stdout.write("\n") - -- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS) - server_context.load_cert_chain(SIGNED_CERTFILE) - -- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ context = ssl.SSLContext(ssl.PROTOCOL_TLS) - context.verify_mode = ssl.CERT_REQUIRED - context.check_hostname = True - context.load_verify_locations(SIGNING_CA) -@@ -2445,43 +2445,6 @@ - False, client_options=ssl.OP_NO_SSLv2) - - @skip_if_broken_ubuntu_ssl -- def test_protocol_tlsv1(self): -- """Connecting to a TLSv1 server with various client options""" -- if support.verbose: -- sys.stdout.write("\n") -- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1') -- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_OPTIONAL) -- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1, 'TLSv1', ssl.CERT_REQUIRED) -- if hasattr(ssl, 'PROTOCOL_SSLv2'): -- try_protocol_combo(ssl.PROTOCOL_TLSv1, 
ssl.PROTOCOL_SSLv2, False) -- if hasattr(ssl, 'PROTOCOL_SSLv3'): -- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv3, False) -- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv23, False, -- client_options=ssl.OP_NO_TLSv1) -- -- @skip_if_broken_ubuntu_ssl -- @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_1"), -- "TLS version 1.1 not supported.") -- @skip_if_openssl_cnf_minprotocol_gt_tls1 -- def test_protocol_tlsv1_1(self): -- """Connecting to a TLSv1.1 server with various client options. -- Testing against older TLS versions.""" -- if support.verbose: -- sys.stdout.write("\n") -- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1') -- if hasattr(ssl, 'PROTOCOL_SSLv2'): -- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv2, False) -- if hasattr(ssl, 'PROTOCOL_SSLv3'): -- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv3, False) -- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_SSLv23, False, -- client_options=ssl.OP_NO_TLSv1_1) -- -- try_protocol_combo(ssl.PROTOCOL_SSLv23, ssl.PROTOCOL_TLSv1_1, 'TLSv1.1') -- try_protocol_combo(ssl.PROTOCOL_TLSv1_1, ssl.PROTOCOL_TLSv1, False) -- try_protocol_combo(ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_TLSv1_1, False) -- -- -- @skip_if_broken_ubuntu_ssl - @unittest.skipUnless(hasattr(ssl, "PROTOCOL_TLSv1_2"), - "TLS version 1.2 not supported.") - def test_protocol_tlsv1_2(self): -@@ -2510,7 +2473,7 @@ - msgs = (b"msg 1", b"MSG 2", b"STARTTLS", b"MSG 3", b"msg 4", b"ENDTLS", b"msg 5", b"msg 6") - - server = ThreadedEchoServer(CERTFILE, -- ssl_version=ssl.PROTOCOL_TLSv1, -+ ssl_version=ssl.PROTOCOL_TLS, - starttls_server=True, - chatty=True, - connectionchatty=True) -@@ -2538,7 +2501,7 @@ - sys.stdout.write( - " client: read %r from server, starting TLS...\n" - % msg) -- conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLSv1) -+ conn = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_TLS) - wrapped = True - elif indata == b"ENDTLS" and msg.startswith(b"ok"): - # ENDTLS ok, 
switch back to clear text -@@ -2625,7 +2588,7 @@ - - server = ThreadedEchoServer(CERTFILE, - certreqs=ssl.CERT_NONE, -- ssl_version=ssl.PROTOCOL_TLSv1, -+ ssl_version=ssl.PROTOCOL_TLS, - cacerts=CERTFILE, - chatty=True, - connectionchatty=False) -@@ -2635,7 +2598,7 @@ - certfile=CERTFILE, - ca_certs=CERTFILE, - cert_reqs=ssl.CERT_NONE, -- ssl_version=ssl.PROTOCOL_TLSv1) -+ ssl_version=ssl.PROTOCOL_TLS) - s.connect((HOST, server.port)) - # helper methods for standardising recv* method signatures - def _recv_into(): -@@ -2884,14 +2847,14 @@ - Basic tests for SSLSocket.version(). - More tests are done in the test_protocol_*() methods. - """ -- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ context = ssl.SSLContext(ssl.PROTOCOL_TLS) - with ThreadedEchoServer(CERTFILE, -- ssl_version=ssl.PROTOCOL_TLSv1, -+ ssl_version=ssl.PROTOCOL_TLS, - chatty=False) as server: - with closing(context.wrap_socket(socket.socket())) as s: - self.assertIs(s.version(), None) - s.connect((HOST, server.port)) -- self.assertEqual(s.version(), 'TLSv1') -+ self.assertEqual(s.version(), 'TLSv1.3') - self.assertIs(s.version(), None) - - @unittest.skipUnless(ssl.HAS_TLSv1_3, -@@ -2994,7 +2957,7 @@ - s.close() - - def test_compression(self): -- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ context = ssl.SSLContext(ssl.PROTOCOL_TLS) - context.load_cert_chain(CERTFILE) - stats = server_params_test(context, context, - chatty=True, connectionchatty=True) -@@ -3005,7 +2968,7 @@ - @unittest.skipUnless(hasattr(ssl, 'OP_NO_COMPRESSION'), - "ssl.OP_NO_COMPRESSION needed for this test") - def test_compression_disabled(self): -- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ context = ssl.SSLContext(ssl.PROTOCOL_TLS) - context.load_cert_chain(CERTFILE) - context.options |= ssl.OP_NO_COMPRESSION - stats = server_params_test(context, context, -@@ -3014,7 +2977,7 @@ - - def test_dh_params(self): - # Check we can get a connection with ephemeral Diffie-Hellman -- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ 
context = ssl.SSLContext(ssl.PROTOCOL_TLS) - context.load_cert_chain(CERTFILE) - context.load_dh_params(DHFILE) - context.set_ciphers("kEDH") -@@ -3027,7 +2990,7 @@ - - def test_selected_alpn_protocol(self): - # selected_alpn_protocol() is None unless ALPN is used. -- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ context = ssl.SSLContext(ssl.PROTOCOL_TLS) - context.load_cert_chain(CERTFILE) - stats = server_params_test(context, context, - chatty=True, connectionchatty=True) -@@ -3036,9 +2999,9 @@ - @unittest.skipUnless(ssl.HAS_ALPN, "ALPN support required") - def test_selected_alpn_protocol_if_server_uses_alpn(self): - # selected_alpn_protocol() is None unless ALPN is used by the client. -- client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ client_context = ssl.SSLContext(ssl.PROTOCOL_TLS) - client_context.load_verify_locations(CERTFILE) -- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ server_context = ssl.SSLContext(ssl.PROTOCOL_TLS) - server_context.load_cert_chain(CERTFILE) - server_context.set_alpn_protocols(['foo', 'bar']) - stats = server_params_test(client_context, server_context, -@@ -3089,7 +3052,7 @@ - - def test_selected_npn_protocol(self): - # selected_npn_protocol() is None unless NPN is used -- context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ context = ssl.SSLContext(ssl.PROTOCOL_TLS) - context.load_cert_chain(CERTFILE) - stats = server_params_test(context, context, - chatty=True, connectionchatty=True) diff --git a/python.spec b/python.spec index baa4f97..f24a550 100644 --- a/python.spec +++ b/python.spec @@ -39,7 +39,7 @@ Summary(tr.UTF-8): X arayüzlü, yüksek düzeyli, kabuk yorumlayıcı dili Summary(uk.UTF-8): Мова програмування дуже високого рівня з X-інтерфейсом Name: python Version: %{py_ver}.18 -Release: 4 +Release: 5 Epoch: 1 License: PSF Group: Development/Languages/Python