Port ssl and hashlib modules to OpenSSL 1.1.0 and drop hashlib patch

This commit is contained in:
Charalampos Stratakis 2016-10-12 16:52:17 +02:00
parent 55d65adde0
commit f7bd058f3c
2 changed files with 189 additions and 158 deletions

View File

@ -1,20 +1,15 @@
diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl.rst
--- Python-3.5.2/Doc/library/ssl.rst.openssl11 2016-06-25 23:38:35.000000000 +0200
+++ Python-3.5.2/Doc/library/ssl.rst 2016-10-10 16:34:37.695049119 +0200
@@ -49,6 +49,12 @@ For more sophisticated applications, the
helps manage settings and certificates, which can then be inherited
by SSL sockets created through the :meth:`SSLContext.wrap_socket` method.
+.. versionchanged:: 3.6
+
+ OpenSSL 0.9.8, 1.0.0 and 1.0.1 are deprecated and no longer supported.
+ In the future the ssl module will require at least OpenSSL 1.0.2 or
+ 1.1.0.
+
# HG changeset patch
# User Christian Heimes <christian@python.org>
# Date 1473110345 -7200
# Node ID 5c75b315152b714f7c84258ea511b461e2c06154
# Parent 82467d0dbaea31a7971d1429ca5f4a251a995f33
Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.
Functions, Constants, and Exceptions
------------------------------------
@@ -178,7 +184,7 @@ instead.
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -178,7 +178,7 @@ instead.
use. Typically, the server chooses a particular protocol version, and the
client must adapt to the server's choice. Most of the versions are not
interoperable with the other versions. If not specified, the default is
@ -23,7 +18,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
versions.
Here's a table showing which versions in a client (down the side) can connect
@@ -187,11 +193,11 @@ instead.
@@ -187,11 +187,11 @@ instead.
.. table::
======================== ========= ========= ========== ========= =========== ===========
@ -37,7 +32,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
*TLSv1* no no yes yes no no
*TLSv1.1* no no yes no yes no
*TLSv1.2* no no yes no no yes
@@ -244,7 +250,7 @@ purposes.
@@ -244,7 +244,7 @@ purposes.
:const:`None`, this function can choose to trust the system's default
CA certificates instead.
@ -46,11 +41,11 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
:data:`OP_NO_SSLv3` with high encryption cipher suites without RC4 and
without unauthenticated cipher suites. Passing :data:`~Purpose.SERVER_AUTH`
as *purpose* sets :data:`~SSLContext.verify_mode` to :data:`CERT_REQUIRED`
@@ -316,6 +322,11 @@ Random generation
@@ -316,6 +316,11 @@ Random generation
.. versionadded:: 3.3
+ .. deprecated:: 3.6
+ .. deprecated:: 3.5.3
+
+ OpenSSL has deprecated :func:`ssl.RAND_pseudo_bytes`, use
+ :func:`ssl.RAND_bytes` instead.
@ -58,7 +53,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. function:: RAND_status()
Return ``True`` if the SSL pseudo-random number generator has been seeded
@@ -334,7 +345,7 @@ Random generation
@@ -334,7 +339,7 @@ Random generation
See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources
of entropy-gathering daemons.
@ -67,7 +62,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. function:: RAND_add(bytes, entropy)
@@ -409,7 +420,7 @@ Certificate handling
@@ -409,7 +414,7 @@ Certificate handling
previously. Return an integer (no fractions of a second in the
input format)
@ -76,7 +71,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
Given the address ``addr`` of an SSL-protected server, as a (*hostname*,
*port-number*) pair, fetches the server's certificate, and returns it as a
@@ -425,7 +436,7 @@ Certificate handling
@@ -425,7 +430,7 @@ Certificate handling
.. versionchanged:: 3.5
The default *ssl_version* is changed from :data:`PROTOCOL_SSLv3` to
@ -85,7 +80,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. function:: DER_cert_to_PEM_cert(DER_cert_bytes)
@@ -451,6 +462,9 @@ Certificate handling
@@ -451,6 +456,9 @@ Certificate handling
* :attr:`openssl_capath_env` - OpenSSL's environment key that points to a capath,
* :attr:`openssl_capath` - hard coded path to a capath directory
@ -95,7 +90,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. versionadded:: 3.4
.. function:: enum_certificates(store_name)
@@ -568,11 +582,21 @@ Constants
@@ -568,11 +576,21 @@ Constants
.. versionadded:: 3.4.4
@ -105,35 +100,35 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
Selects the highest protocol version that both the client and server support.
Despite the name, this option can select "TLS" protocols as well as "SSL".
+ .. versionadded:: 3.6
+ .. versionadded:: 3.5.3
+
+.. data:: PROTOCOL_SSLv23
+
+ Alias for data:`PROTOCOL_TLS`.
+
+ .. deprecated:: 3.6
+ .. deprecated:: 3.5.3
+
+ Use data:`PROTOCOL_TLS` instead.
+
.. data:: PROTOCOL_SSLv2
Selects SSL version 2 as the channel encryption protocol.
@@ -584,6 +608,10 @@ Constants
@@ -584,6 +602,10 @@ Constants
SSL version 2 is insecure. Its use is highly discouraged.
+ .. deprecated:: 3.6
+ .. deprecated:: 3.5.3
+
+ OpenSSL has removed support for SSLv2.
+
.. data:: PROTOCOL_SSLv3
Selects SSL version 3 as the channel encryption protocol.
@@ -595,10 +623,20 @@ Constants
@@ -595,10 +617,20 @@ Constants
SSL version 3 is insecure. Its use is highly discouraged.
+ .. deprecated:: 3.6
+ .. deprecated:: 3.5.3
+
+ OpenSSL has deprecated all version specific protocols. Use the default
+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead.
@ -142,7 +137,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
Selects TLS version 1.0 as the channel encryption protocol.
+ .. deprecated:: 3.6
+ .. deprecated:: 3.5.3
+
+ OpenSSL has deprecated all version specific protocols. Use the default
+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead.
@ -150,11 +145,11 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. data:: PROTOCOL_TLSv1_1
Selects TLS version 1.1 as the channel encryption protocol.
@@ -606,6 +644,11 @@ Constants
@@ -606,6 +638,11 @@ Constants
.. versionadded:: 3.4
+ .. deprecated:: 3.6
+ .. deprecated:: 3.5.3
+
+ OpenSSL has deprecated all version specific protocols. Use the default
+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead.
@ -162,11 +157,11 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. data:: PROTOCOL_TLSv1_2
Selects TLS version 1.2 as the channel encryption protocol. This is the
@@ -614,6 +657,11 @@ Constants
@@ -614,6 +651,11 @@ Constants
.. versionadded:: 3.4
+ .. deprecated:: 3.6
+ .. deprecated:: 3.5.3
+
+ OpenSSL has deprecated all version specific protocols. Use the default
+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead.
@ -174,7 +169,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. data:: OP_ALL
Enables workarounds for various bugs present in other SSL implementations.
@@ -625,23 +673,32 @@ Constants
@@ -625,23 +667,32 @@ Constants
.. data:: OP_NO_SSLv2
Prevents an SSLv2 connection. This option is only applicable in
@ -184,7 +179,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. versionadded:: 3.2
+ .. deprecated:: 3.6
+ .. deprecated:: 3.5.3
+
+ SSLv2 is deprecated
+
@ -198,7 +193,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. versionadded:: 3.2
+ .. deprecated:: 3.6
+ .. deprecated:: 3.5.3
+
+ SSLv3 is deprecated
+
@ -210,7 +205,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
choosing TLSv1 as the protocol version.
.. versionadded:: 3.2
@@ -649,7 +706,7 @@ Constants
@@ -649,7 +700,7 @@ Constants
.. data:: OP_NO_TLSv1_1
Prevents a TLSv1.1 connection. This option is only applicable in conjunction
@ -219,7 +214,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
the protocol version. Available only with openssl version 1.0.1+.
.. versionadded:: 3.4
@@ -657,7 +714,7 @@ Constants
@@ -657,7 +708,7 @@ Constants
.. data:: OP_NO_TLSv1_2
Prevents a TLSv1.2 connection. This option is only applicable in conjunction
@ -228,14 +223,15 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
the protocol version. Available only with openssl version 1.0.1+.
.. versionadded:: 3.4
@@ -1081,17 +1138,21 @@ such as SSL configuration options, certi
@@ -1081,17 +1132,21 @@ such as SSL configuration options, certi
It also manages a cache of SSL sessions for server-side sockets, in order
to speed up repeated connections from the same clients.
-.. class:: SSLContext(protocol)
+.. class:: SSLContext(protocol=PROTOCOL_TLS)
-
- Create a new SSL context. You must pass *protocol* which must be one
+.. class:: SSLContext(protocol=PROTOCOL_TLS)
+
+ Create a new SSL context. You may pass *protocol* which must be one
of the ``PROTOCOL_*`` constants defined in this module.
- :data:`PROTOCOL_SSLv23` is currently recommended for maximum
@ -247,14 +243,14 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
:func:`create_default_context` lets the :mod:`ssl` module choose
security settings for a given purpose.
+ .. versionchanged:: 3.6
+ .. versionchanged:: 3.5.3
+
+ :data:`PROTOCOL_TLS` is the default value.
+
:class:`SSLContext` objects have the following methods and attributes:
@@ -1232,6 +1293,9 @@ to speed up repeated connections from th
@@ -1232,6 +1287,9 @@ to speed up repeated connections from th
This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is
False.
@ -264,7 +260,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. versionadded:: 3.5
.. method:: SSLContext.set_npn_protocols(protocols)
@@ -1598,7 +1662,7 @@ If you prefer to tune security settings
@@ -1598,7 +1656,7 @@ If you prefer to tune security settings
a context from scratch (but beware that you might not get the settings
right)::
@ -273,7 +269,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
>>> context.verify_mode = ssl.CERT_REQUIRED
>>> context.check_hostname = True
>>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")
@@ -1999,15 +2063,17 @@ Protocol versions
@@ -1999,15 +2057,17 @@ Protocol versions
SSL versions 2 and 3 are considered insecure and are therefore dangerous to
use. If you want maximum compatibility between clients and servers, it is
@ -286,17 +282,18 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS)
context.options |= ssl.OP_NO_SSLv2
context.options |= ssl.OP_NO_SSLv3
-
-The SSL context created above will only allow TLSv1 and later (if
+ context.options |= ssl.OP_NO_TLSv1
+ context.options |= ssl.OP_NO_TLSv1_1
-The SSL context created above will only allow TLSv1 and later (if
+
+The SSL context created above will only allow TLSv1.2 and later (if
supported by your system) connections.
Cipher selection
diff -up Python-3.5.2/Lib/ssl.py.openssl11 Python-3.5.2/Lib/ssl.py
--- Python-3.5.2/Lib/ssl.py.openssl11 2016-06-25 23:38:36.000000000 +0200
+++ Python-3.5.2/Lib/ssl.py 2016-10-10 16:34:37.695049119 +0200
diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -51,6 +51,7 @@ The following constants identify various
PROTOCOL_SSLv2
PROTOCOL_SSLv3
@ -378,9 +375,9 @@ diff -up Python-3.5.2/Lib/ssl.py.openssl11 Python-3.5.2/Lib/ssl.py
"""Retrieve the certificate from the server at the specified address,
and return it as a PEM-encoded string.
If 'ca_certs' is specified, validate the server cert against it.
diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_ssl.py
--- Python-3.5.2/Lib/test/test_ssl.py.openssl11 2016-06-25 23:38:37.000000000 +0200
+++ Python-3.5.2/Lib/test/test_ssl.py 2016-10-10 16:37:52.812573136 +0200
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -23,6 +23,9 @@ ssl = support.import_module("ssl")
PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
@ -470,7 +467,7 @@ diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_
self.assertTrue(sslobj.getpeercert())
if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
self.assertTrue(sslobj.get_channel_binding('tls-unique'))
@@ -2980,7 +2985,7 @@ else:
@@ -2993,7 +2998,7 @@ else:
with context.wrap_socket(socket.socket()) as s:
self.assertIs(s.version(), None)
s.connect((HOST, server.port))
@ -479,7 +476,7 @@ diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_
self.assertIs(s.version(), None)
@unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
@@ -3122,24 +3127,36 @@ else:
@@ -3135,24 +3140,36 @@ else:
(['http/3.0', 'http/4.0'], None)
]
for client_protocols, expected in protocol_tests:
@ -493,7 +490,7 @@ diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_
client_context.set_alpn_protocols(client_protocols)
- stats = server_params_test(client_context, server_context,
- chatty=True, connectionchatty=True)
-
- msg = "failed trying %s (s) and %s (c).\n" \
- "was expecting %s, but got %%s from the %%s" \
- % (str(server_protocols), str(client_protocols),
@ -503,6 +500,7 @@ diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_
- server_result = stats['server_alpn_protocols'][-1] \
- if len(stats['server_alpn_protocols']) else 'nothing'
- self.assertEqual(server_result, expected, msg % (server_result, "server"))
+
+ try:
+ stats = server_params_test(client_context,
+ server_context,
@ -529,7 +527,7 @@ diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_
def test_selected_npn_protocol(self):
# selected_npn_protocol() is None unless NPN is used
@@ -3287,13 +3304,23 @@ else:
@@ -3300,13 +3317,23 @@ else:
client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
client_context.verify_mode = ssl.CERT_REQUIRED
client_context.load_verify_locations(SIGNING_CA)
@ -556,18 +554,19 @@ diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_
def test_read_write_after_close_raises_valuerror(self):
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_hashopenssl.c
--- Python-3.5.2/Modules/_hashopenssl.c.openssl11 2016-10-10 16:34:15.460533587 +0200
+++ Python-3.5.2/Modules/_hashopenssl.c 2016-10-10 17:07:28.883123976 +0200
@@ -23,7 +23,6 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -21,7 +21,6 @@
/* EVP is the preferred interface to hashing in OpenSSL */
#include <openssl/evp.h>
-#include <openssl/hmac.h>
/* We use the object interface to discover what hashes OpenSSL supports. */
#include <openssl/objects.h>
#include "openssl/err.h"
@@ -34,11 +33,22 @@
@@ -32,11 +31,22 @@
#define HASH_OBJ_CONSTRUCTOR 0
#endif
@ -591,17 +590,15 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
#ifdef WITH_THREAD
PyThread_type_lock lock; /* OpenSSL context lock */
#endif
@@ -51,9 +61,6 @@ static PyTypeObject EVPtype;
We have one of these per algorithm */
typedef struct {
PyObject *name_obj;
- EVP_MD_CTX ctxs[2];
- /* ctx_ptrs will point to ctxs unless an error occurred, when it will
- be NULL: */
EVP_MD_CTX *ctx_ptrs[2];
PyObject *error_msgs[2];
} EVPCachedInfo;
@@ -69,19 +76,57 @@ DEFINE_CONSTS_FOR_NEW(sha384)
@@ -48,7 +58,6 @@ static PyTypeObject EVPtype;
#define DEFINE_CONSTS_FOR_NEW(Name) \
static PyObject *CONST_ ## Name ## _name_obj = NULL; \
- static EVP_MD_CTX CONST_new_ ## Name ## _ctx; \
static EVP_MD_CTX *CONST_new_ ## Name ## _ctx_p = NULL;
DEFINE_CONSTS_FOR_NEW(md5)
@@ -59,19 +68,57 @@ DEFINE_CONSTS_FOR_NEW(sha384)
DEFINE_CONSTS_FOR_NEW(sha512)
@ -664,7 +661,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
return retval;
}
@@ -96,7 +141,7 @@ EVP_hash(EVPobject *self, const void *vp
@@ -86,7 +133,7 @@ EVP_hash(EVPobject *self, const void *vp
process = MUNCH_SIZE;
else
process = Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int);
@ -673,7 +670,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
len -= process;
cp += process;
}
@@ -153,16 +198,19 @@ EVP_dealloc(EVPobject *self)
@@ -101,16 +148,19 @@ EVP_dealloc(EVPobject *self)
if (self->lock != NULL)
PyThread_free_lock(self->lock);
#endif
@ -696,7 +693,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
}
/* External methods for a hash object */
@@ -178,7 +226,9 @@ EVP_copy(EVPobject *self, PyObject *unus
@@ -126,7 +176,9 @@ EVP_copy(EVPobject *self, PyObject *unus
if ( (newobj = newEVPobject(self->name))==NULL)
return NULL;
@ -707,7 +704,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
return (PyObject *)newobj;
}
@@ -189,16 +239,24 @@ static PyObject *
@@ -137,16 +189,24 @@ static PyObject *
EVP_digest(EVPobject *self, PyObject *unused)
{
unsigned char digest[EVP_MAX_MD_SIZE];
@ -737,7 +734,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
return retval;
}
@@ -209,15 +267,23 @@ static PyObject *
@@ -157,15 +217,23 @@ static PyObject *
EVP_hexdigest(EVPobject *self, PyObject *unused)
{
unsigned char digest[EVP_MAX_MD_SIZE];
@ -766,7 +763,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
return _Py_strhex((const char *)digest, digest_size);
}
@@ -271,7 +337,7 @@ static PyObject *
@@ -219,7 +287,7 @@ static PyObject *
EVP_get_block_size(EVPobject *self, void *closure)
{
long block_size;
@ -775,7 +772,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
return PyLong_FromLong(block_size);
}
@@ -279,7 +345,7 @@ static PyObject *
@@ -227,7 +295,7 @@ static PyObject *
EVP_get_digest_size(EVPobject *self, void *closure)
{
long size;
@ -784,32 +781,28 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
return PyLong_FromLong(size);
}
@@ -341,8 +407,8 @@ EVP_tp_init(EVPobject *self, PyObject *a
@@ -288,7 +356,7 @@ EVP_tp_init(EVPobject *self, PyObject *a
PyBuffer_Release(&view);
return -1;
}
- mc_ctx_init(&self->ctx, usedforsecurity);
- if (!EVP_DigestInit_ex(&self->ctx, digest, NULL)) {
+ mc_ctx_init(self->ctx, usedforsecurity);
+ if (!EVP_DigestInit_ex(self->ctx, digest, NULL)) {
set_evp_exception();
PyBuffer_Release(&view);
return -1;
@@ -444,10 +510,10 @@ EVPnew(PyObject *name_obj,
- EVP_DigestInit(&self->ctx, digest);
+ EVP_DigestInit(self->ctx, digest);
self->name = name_obj;
Py_INCREF(self->name);
@@ -385,9 +453,9 @@ EVPnew(PyObject *name_obj,
return NULL;
if (initial_ctx) {
- EVP_MD_CTX_copy(&self->ctx, initial_ctx);
+ EVP_MD_CTX_copy(self->ctx, initial_ctx);
} else {
- mc_ctx_init(&self->ctx, usedforsecurity);
- if (!EVP_DigestInit_ex(&self->ctx, digest, NULL)) {
+ mc_ctx_init(self->ctx, usedforsecurity);
+ if (!EVP_DigestInit_ex(self->ctx, digest, NULL)) {
set_evp_exception();
Py_DECREF(self);
return NULL;
@@ -526,6 +592,7 @@ EVP_new(PyObject *self, PyObject *args,
- EVP_DigestInit(&self->ctx, digest);
+ EVP_DigestInit(self->ctx, digest);
}
if (cp && len) {
@@ -453,6 +521,7 @@ EVP_new(PyObject *self, PyObject *args,
#define PY_PBKDF2_HMAC 1
@ -817,7 +810,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
/* Improved implementation of PKCS5_PBKDF2_HMAC()
*
* PKCS5_PBKDF2_HMAC_fast() hashes the password exactly one time instead of
@@ -607,37 +674,8 @@ PKCS5_PBKDF2_HMAC_fast(const char *pass,
@@ -534,37 +603,8 @@ PKCS5_PBKDF2_HMAC_fast(const char *pass,
HMAC_CTX_cleanup(&hctx_tpl);
return 1;
}
@ -856,7 +849,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
PyDoc_STRVAR(pbkdf2_hmac__doc__,
"pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) -> key\n\
@@ -719,10 +757,17 @@ pbkdf2_hmac(PyObject *self, PyObject *ar
@@ -646,10 +686,17 @@ pbkdf2_hmac(PyObject *self, PyObject *ar
key = PyBytes_AS_STRING(key_obj);
Py_BEGIN_ALLOW_THREADS
@ -874,29 +867,18 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
Py_END_ALLOW_THREADS
if (!retval) {
@@ -890,13 +935,15 @@ init_constructor_constant(EVPCachedInfo
if (EVP_get_digestbyname(name)) {
int i;
for (i=0; i<2; i++) {
- mc_ctx_init(&cached_info->ctxs[i], i);
- if (EVP_DigestInit_ex(&cached_info->ctxs[i],
+ cached_info->ctx_ptrs[i] = EVP_MD_CTX_new();
+ if (cached_info->ctx_ptrs[i] == NULL)
+ break;
+ mc_ctx_init(cached_info->ctx_ptrs[i], i);
+ if (EVP_DigestInit_ex(cached_info->ctx_ptrs[i],
EVP_get_digestbyname(name), NULL)) {
- /* Success: */
- cached_info->ctx_ptrs[i] = &cached_info->ctxs[i];
} else {
/* Failure: */
+ EVP_MD_CTX_free(cached_info->ctx_ptrs[i]);
cached_info->ctx_ptrs[i] = NULL;
cached_info->error_msgs[i] = error_msg_for_last_error();
}
diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
--- Python-3.5.2/Modules/_ssl.c.openssl11 2016-06-25 23:38:38.000000000 +0200
+++ Python-3.5.2/Modules/_ssl.c 2016-10-10 16:34:37.699049212 +0200
@@ -768,7 +815,7 @@ generate_hash_name_list(void)
if (CONST_ ## NAME ## _name_obj == NULL) { \
CONST_ ## NAME ## _name_obj = PyUnicode_FromString(#NAME); \
if (EVP_get_digestbyname(#NAME)) { \
- CONST_new_ ## NAME ## _ctx_p = &CONST_new_ ## NAME ## _ctx; \
+ CONST_new_ ## NAME ## _ctx_p = EVP_MD_CTX_new(); \
EVP_DigestInit(CONST_new_ ## NAME ## _ctx_p, EVP_get_digestbyname(#NAME)); \
} \
} \
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -55,6 +55,14 @@ static PySocketModule_APIObject PySocket
#include <sys/poll.h>
#endif
@ -923,7 +905,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
/* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
http://www.openssl.org/news/changelog.html
*/
@@ -113,6 +125,72 @@ struct py_ssl_library_code {
@@ -117,6 +129,72 @@ struct py_ssl_library_code {
# define HAVE_ALPN
#endif
@ -996,7 +978,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
enum py_ssl_error {
/* these mirror ssl.h */
PY_SSL_ERROR_NONE,
@@ -143,7 +221,7 @@ enum py_ssl_cert_requirements {
@@ -147,7 +225,7 @@ enum py_ssl_cert_requirements {
enum py_ssl_version {
PY_SSL_VERSION_SSL2,
PY_SSL_VERSION_SSL3=1,
@ -1005,7 +987,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
#if HAVE_TLSv1_2
PY_SSL_VERSION_TLS1,
PY_SSL_VERSION_TLS1_1,
@@ -524,8 +602,8 @@ newPySSLSocket(PySSLContext *sslctx, PyS
@@ -527,8 +605,8 @@ newPySSLSocket(PySSLContext *sslctx, PyS
/* BIOs are reference counted and SSL_set_bio borrows our reference.
* To prevent a double free in memory_bio_dealloc() we need to take an
* extra reference here. */
@ -1016,7 +998,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
SSL_set_bio(self->ssl, inbio->bio, outbio->bio);
}
mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
@@ -736,7 +814,7 @@ _create_tuple_for_X509_NAME (X509_NAME *
@@ -738,7 +816,7 @@ static PyObject *
/* check to see if we've gotten to a new RDN */
if (rdn_level >= 0) {
@ -1025,7 +1007,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
/* yes, new RDN */
/* add old RDN to DN */
rdnt = PyList_AsTuple(rdn);
@@ -753,7 +831,7 @@ _create_tuple_for_X509_NAME (X509_NAME *
@@ -755,7 +833,7 @@ static PyObject *
goto fail0;
}
}
@ -1034,7 +1016,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
/* now add this attribute to the current RDN */
name = X509_NAME_ENTRY_get_object(entry);
@@ -851,18 +929,18 @@ _get_peer_alt_names (X509 *certificate)
@@ -853,18 +931,18 @@ static PyObject *
goto fail;
}
@ -1056,7 +1038,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
/* get a rendering of each name in the set of names */
@@ -1073,13 +1151,11 @@ _get_crl_dp(X509 *certificate) {
@@ -1075,13 +1153,11 @@ static PyObject *
int i, j;
PyObject *lst, *res = NULL;
@ -1072,7 +1054,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
if (dps == NULL)
return Py_None;
@@ -1449,14 +1525,13 @@ static PyObject *
@@ -1451,14 +1527,13 @@ static PyObject *
_ssl__SSLSocket_shared_ciphers_impl(PySSLSocket *self)
/*[clinic end generated code: output=3d174ead2e42c4fd input=0bfe149da8fe6306]*/
{
@ -1089,7 +1071,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
res = PyList_New(sk_SSL_CIPHER_num(ciphers));
if (!res)
return NULL;
@@ -1565,9 +1640,9 @@ _ssl__SSLSocket_compression_impl(PySSLSo
@@ -1567,9 +1642,9 @@ static PyObject *
if (self->ssl == NULL)
Py_RETURN_NONE;
comp_method = SSL_get_current_compression(self->ssl);
@ -1101,7 +1083,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
if (short_name == NULL)
Py_RETURN_NONE;
return PyUnicode_DecodeFSDefault(short_name);
@@ -2245,8 +2320,8 @@ _ssl__SSLContext_impl(PyTypeObject *type
@@ -2255,8 +2330,8 @@ static PyObject *
else if (proto_version == PY_SSL_VERSION_SSL2)
ctx = SSL_CTX_new(SSLv2_method());
#endif
@ -1112,7 +1094,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
else
proto_version = -1;
PySSL_END_ALLOW_THREADS
@@ -2308,8 +2383,9 @@ _ssl__SSLContext_impl(PyTypeObject *type
@@ -2318,8 +2393,9 @@ static PyObject *
#ifndef OPENSSL_NO_ECDH
/* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
prime256v1 by default. This is Apache mod_ssl's initialization
@ -1124,7 +1106,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
SSL_CTX_set_ecdh_auto(self->ctx, 1);
#else
{
@@ -2576,10 +2652,12 @@ static PyObject *
@@ -2586,10 +2662,12 @@ static PyObject *
get_verify_flags(PySSLContext *self, void *c)
{
X509_STORE *store;
@ -1138,7 +1120,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
return PyLong_FromUnsignedLong(flags);
}
@@ -2587,22 +2665,24 @@ static int
@@ -2597,22 +2675,24 @@ static int
set_verify_flags(PySSLContext *self, PyObject *arg, void *c)
{
X509_STORE *store;
@ -1166,7 +1148,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
_setSSLError(NULL, 0, __FILE__, __LINE__);
return -1;
}
@@ -2779,8 +2859,8 @@ _ssl__SSLContext_load_cert_chain_impl(Py
@@ -2789,8 +2869,8 @@ static PyObject *
/*[clinic end generated code: output=9480bc1c380e2095 input=7cf9ac673cbee6fc]*/
{
PyObject *certfile_bytes = NULL, *keyfile_bytes = NULL;
@ -1177,7 +1159,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
_PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 };
int r;
@@ -2907,8 +2987,9 @@ _add_ca_certs(PySSLContext *self, void *
@@ -2917,8 +2997,9 @@ static int
cert = d2i_X509_bio(biobuf, NULL);
} else {
cert = PEM_read_bio_X509(biobuf, NULL,
@ -1189,7 +1171,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
}
if (cert == NULL) {
break;
@@ -3434,25 +3515,24 @@ _ssl__SSLContext_cert_store_stats_impl(P
@@ -3444,25 +3525,24 @@ static PyObject *
/*[clinic end generated code: output=5f356f4d9cca874d input=eb40dd0f6d0e40cf]*/
{
X509_STORE *store;
@ -1222,7 +1204,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
default:
/* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY.
* As far as I can tell they are internal states and never
@@ -3482,6 +3562,7 @@ _ssl__SSLContext_get_ca_certs_impl(PySSL
@@ -3492,6 +3572,7 @@ static PyObject *
/*[clinic end generated code: output=0d58f148f37e2938 input=6887b5a09b7f9076]*/
{
X509_STORE *store;
@ -1230,7 +1212,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
PyObject *ci = NULL, *rlist = NULL;
int i;
@@ -3490,17 +3571,18 @@ _ssl__SSLContext_get_ca_certs_impl(PySSL
@@ -3500,17 +3581,18 @@ static PyObject *
}
store = SSL_CTX_get_cert_store(self->ctx);
@ -1253,7 +1235,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
if (!X509_check_ca(cert)) {
continue;
}
@@ -4364,10 +4446,12 @@ static PyMethodDef PySSL_methods[] = {
@@ -4374,10 +4456,12 @@ static PyMethodDef PySSL_methods[] = {
};
@ -1268,7 +1250,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
static PyThread_type_lock *_ssl_locks = NULL;
@@ -4448,7 +4532,7 @@ static int _setup_ssl_threads(void) {
@@ -4458,7 +4542,7 @@ static int _setup_ssl_threads(void) {
return 1;
}
@ -1277,7 +1259,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
PyDoc_STRVAR(module_doc,
"Implementation module for SSL socket operations. See the socket module\n\
@@ -4517,11 +4601,16 @@ PyInit__ssl(void)
@@ -4527,11 +4611,16 @@ PyInit__ssl(void)
SSL_load_error_strings();
SSL_library_init();
#ifdef WITH_THREAD
@ -1294,7 +1276,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
OpenSSL_add_all_algorithms();
/* Add symbols to module dict */
@@ -4668,7 +4757,9 @@ PyInit__ssl(void)
@@ -4678,7 +4767,9 @@ PyInit__ssl(void)
PY_SSL_VERSION_SSL3);
#endif
PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
@ -1305,3 +1287,28 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
PY_SSL_VERSION_TLS1);
#if HAVE_TLSv1_2
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -151,11 +151,6 @@ static int COMP_get_type(const COMP_METH
{
return meth->type;
}
-
-static const char *COMP_get_name(const COMP_METHOD *meth)
-{
- return meth->name;
-}
#endif
static pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
@@ -1644,7 +1639,7 @@ static PyObject *
comp_method = SSL_get_current_compression(self->ssl);
if (comp_method == NULL || COMP_get_type(comp_method) == NID_undef)
Py_RETURN_NONE;
- short_name = COMP_get_name(comp_method);
+ short_name = OBJ_nid2sn(COMP_get_type(comp_method));
if (short_name == NULL)
Py_RETURN_NONE;
return PyUnicode_DecodeFSDefault(short_name);

View File

@ -112,7 +112,7 @@
Summary: Version 3 of the Python programming language aka Python 3000
Name: python3
Version: %{pybasever}.2
Release: 5%{?dist}
Release: 6%{?dist}
License: Python
Group: Development/Languages
@ -413,8 +413,12 @@ Patch242: 00242-CVE-2016-1000110-httpoxy.patch
# Fedora needs the default mips64-linux-gnu
Patch243: 00243-fix-mips64-triplet.patch
# Make it build with OpenSSL-1.1.0 based on upstream patch
Patch244: Python-3.5.2-openssl11.patch
# 00247 #
# Port ssl and hashlib modules to OpenSSL 1.1.0.
# As of F26, OpenSSL is rebased to 1.1.0, so in order for python
# to not FTBFS we need to backport this patch from 3.5.3
# FIXED UPSTREAM: https://bugs.python.org/issue26470
Patch247: 00247-port-ssl-and-hashlib-to-OpenSSL-1.1.0.patch
# (New patches go here ^^^)
#
@ -605,6 +609,8 @@ done
# Remove embedded copy of zlib:
rm -r Modules/zlib || exit 1
## Disabling hashlib patch for now as it needs to be reimplemented
## for OpenSSL 1.1.0.
# Don't build upstream Python's implementation of these crypto algorithms;
# instead rely on _hashlib and OpenSSL.
#
@ -612,9 +618,9 @@ rm -r Modules/zlib || exit 1
# OpenSSL (and thus respects FIPS mode), and does not fall back to _md5
# TODO: there seems to be no OpenSSL support in Python for sha3 so far
# when it is there, also remove _sha3/ dir
for f in md5module.c sha1module.c sha256module.c sha512module.c; do
rm Modules/$f
done
#for f in md5module.c sha1module.c sha256module.c sha512module.c; do
# rm Modules/$f
#done
%if 0%{with_rewheel}
%global pip_version 8.1.2
@ -638,7 +644,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
%patch132 -p1
%patch137 -p1
%patch143 -p1 -b .tsc-on-ppc
%patch146 -p1
#patch146 -p1
%patch155 -p1
%patch157 -p1
%patch160 -p1
@ -659,7 +665,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
%patch209 -p1
%patch242 -p1
%patch243 -p1
%patch244 -p1
%patch247 -p1
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
# are many differences between 2.6 and the Python 3 library.
@ -1226,6 +1232,12 @@ rm -fr %{buildroot}
%doc LICENSE README
%dir %{pylibdir}
%dir %{dynload_dir}
%{dynload_dir}/_md5.%{SOABI_optimized}.so
%{dynload_dir}/_sha256.%{SOABI_optimized}.so
%{dynload_dir}/_sha512.%{SOABI_optimized}.so
%{dynload_dir}/_sha1.%{SOABI_optimized}.so
%{dynload_dir}/_bisect.%{SOABI_optimized}.so
%{dynload_dir}/_bz2.%{SOABI_optimized}.so
%{dynload_dir}/_codecs_cn.%{SOABI_optimized}.so
@ -1448,6 +1460,12 @@ rm -fr %{buildroot}
# Analog of the -libs subpackage's files:
# ...with debug builds of the built-in "extension" modules:
%{dynload_dir}/_md5.%{SOABI_debug}.so
%{dynload_dir}/_sha256.%{SOABI_debug}.so
%{dynload_dir}/_sha512.%{SOABI_debug}.so
%{dynload_dir}/_sha1.%{SOABI_debug}.so
%{dynload_dir}/_bisect.%{SOABI_debug}.so
%{dynload_dir}/_bz2.%{SOABI_debug}.so
%{dynload_dir}/_codecs_cn.%{SOABI_debug}.so
@ -1559,6 +1577,12 @@ rm -fr %{buildroot}
# ======================================================
%changelog
* Wed Oct 12 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.5.2-6
- Use proper patch numbering and base upstream branch for
porting ssl and hashlib modules to OpenSSL 1.1.0
- Drop hashlib patch for now
- Add riscv64 arch to 64bit and no-valgrind arches
* Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> - 3.5.2-5
- Make it build with OpenSSL-1.1.0 based on upstream patch