diff --git a/00102-lib64.patch b/00102-lib64.patch index 35a442e..8e9ae4e 100644 --- a/00102-lib64.patch +++ b/00102-lib64.patch @@ -1,5 +1,5 @@ diff --git a/Lib/distutils/command/install.py b/Lib/distutils/command/install.py -index 67db007..b16fe0f 100644 +index 9474e9c..c0ce4c6 100644 --- a/Lib/distutils/command/install.py +++ b/Lib/distutils/command/install.py @@ -30,14 +30,14 @@ WINDOWS_SCHEME = { @@ -20,7 +20,7 @@ index 67db007..b16fe0f 100644 'scripts': '$base/bin', 'data' : '$base', diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py -index e5c493d..a4846eb 100644 +index 026cca7..6d3e077 100644 --- a/Lib/distutils/sysconfig.py +++ b/Lib/distutils/sysconfig.py @@ -132,8 +132,12 @@ def get_python_lib(plat_specific=0, standard_lib=0, prefix=None): @@ -38,7 +38,7 @@ index e5c493d..a4846eb 100644 return libpython else: diff --git a/Lib/site.py b/Lib/site.py -index 3f78ef5..ad1033e 100644 +index a84e3bb..ba0d3ea 100644 --- a/Lib/site.py +++ b/Lib/site.py @@ -303,11 +303,15 @@ def getsitepackages(prefixes=None): @@ -49,7 +49,7 @@ index 3f78ef5..ad1033e 100644 + "python" + sys.version[:3], + "site-packages")) sitepackages.append(os.path.join(prefix, "lib", - "python" + sys.version[:3], + "python%d.%d" % sys.version_info[:2], "site-packages")) else: sitepackages.append(prefix) @@ -58,7 +58,7 @@ index 3f78ef5..ad1033e 100644 if sys.platform == "darwin": # for framework builds *only* we add the standard Apple diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py -index 61451b2..b021cce 100644 +index b9bbfe5..2a5f29c 100644 --- a/Lib/sysconfig.py +++ b/Lib/sysconfig.py @@ -20,10 +20,10 @@ __all__ = [ @@ -90,7 +90,7 @@ index 61451b2..b021cce 100644 'scripts': '{userbase}/bin', 'data': '{userbase}', diff --git a/Lib/test/test_site.py b/Lib/test/test_site.py -index da20a3d..f38ce06 100644 +index f698927..bc977b5 100644 --- a/Lib/test/test_site.py +++ b/Lib/test/test_site.py @@ -248,8 +248,8 @@ class HelperFunctionsTests(unittest.TestCase): @@ -98,17 +98,17 @@ index da20a3d..f38ce06 100644 elif os.sep == '/': # OS X non-framwework builds, Linux, FreeBSD, etc - self.assertEqual(len(dirs), 1) -- wanted = os.path.join('xoxo', 'lib', 'python' + sys.version[:3], +- wanted = os.path.join('xoxo', 'lib', + self.assertEqual(len(dirs), 2) -+ wanted = os.path.join('xoxo', 'lib64', 'python' + sys.version[:3], ++ wanted = os.path.join('xoxo', 'lib64', + 'python%d.%d' % sys.version_info[:2], 'site-packages') self.assertEqual(dirs[0], wanted) - else: diff --git a/Makefile.pre.in b/Makefile.pre.in -index 58d4258..e8364f0 100644 +index 8fa7934..a693917 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -125,7 +125,7 @@ LIBDIR= @libdir@ +@@ -126,7 +126,7 @@ LIBDIR= @libdir@ MANDIR= @mandir@ INCLUDEDIR= @includedir@ CONFINCLUDEDIR= $(exec_prefix)/include @@ -118,7 +118,7 @@ index 58d4258..e8364f0 100644 # Detailed destination directories diff --git a/Modules/getpath.c b/Modules/getpath.c -index 18deb60..27ca814 100644 +index 65b47a3..eaa756c 100644 --- a/Modules/getpath.c +++ b/Modules/getpath.c @@ -494,7 +494,7 @@ calculate_path(void) @@ -149,7 +149,7 @@ index 18deb60..27ca814 100644 /* If we found EXEC_PREFIX do *not* reduce it! (Yet.) */ diff --git a/setup.py b/setup.py -index be33c46..f2779cc 100644 +index 0f2dfc4..da37896 100644 --- a/setup.py +++ b/setup.py @@ -492,7 +492,7 @@ class PyBuildExt(build_ext): diff --git a/00111-no-static-lib.patch b/00111-no-static-lib.patch index 006bb90..6929fda 100644 --- a/00111-no-static-lib.patch +++ b/00111-no-static-lib.patch @@ -1,19 +1,20 @@ -diff -up cpython-59223da36dec/Makefile.pre.in.no-static-lib cpython-59223da36dec/Makefile.pre.in ---- cpython-59223da36dec/Makefile.pre.in.no-static-lib 2012-08-07 16:43:43.296466422 -0400 -+++ cpython-59223da36dec/Makefile.pre.in 2012-08-07 16:44:13.299464371 -0400 -@@ -550,7 +550,7 @@ clinic: $(BUILDPYTHON) +diff --git a/Makefile.pre.in b/Makefile.pre.in +index 70e5927..04c8e3d 100644 +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -556,7 +556,7 @@ clinic: $(BUILDPYTHON) $(srcdir)/Modules/_blake2/blake2s_impl.c $(RUNSHARED) $(PYTHON_FOR_BUILD) ./Tools/clinic/clinic.py --make # Build the interpreter -$(BUILDPYTHON): Programs/python.o $(LIBRARY) $(LDLIBRARY) $(PY3LIBRARY) -+$(BUILDPYTHON): Programs/python.o $(LDLIBRARY) $(PY3LIBRARY) ++$(BUILDPYTHON): Programs/python.o $(LDLIBRARY) $(PY3LIBRARY) $(LINKCC) $(PY_LDFLAGS) $(LINKFORSHARED) -o $@ Programs/python.o $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) $(LDLAST) platform: $(BUILDPYTHON) pybuilddir.txt -@@ -480,18 +480,6 @@ sharedmods: $(BUILDPYTHON) $(SYSCONFIGDA - _TCLTK_INCLUDES='$(TCLTK_INCLUDES)' _TCLTK_LIBS='$(TCLTK_LIBS)' \ +@@ -601,18 +601,6 @@ sharedmods: $(BUILDPYTHON) pybuilddir.txt Modules/_math.o $(PYTHON_FOR_BUILD) $(srcdir)/setup.py $$quiet build + -# Build static library -# avoid long command lines, same as LIBRARY_OBJS -$(LIBRARY): $(LIBRARY_OBJS) @@ -22,14 +23,14 @@ diff -up cpython-59223da36dec/Makefile.pre.in.no-static-lib cpython-59223da36dec - $(AR) $(ARFLAGS) $@ $(PARSER_OBJS) - $(AR) $(ARFLAGS) $@ $(OBJECT_OBJS) - $(AR) $(ARFLAGS) $@ $(PYTHON_OBJS) Python/frozen.o -- $(AR) $(ARFLAGS) $@ $(MODULE_OBJS) $(SIGNAL_OBJS) +- $(AR) $(ARFLAGS) $@ $(MODULE_OBJS) - $(AR) $(ARFLAGS) $@ $(MODOBJS) - $(RANLIB) $@ - libpython$(LDVERSION).so: $(LIBRARY_OBJS) if test $(INSTSONAME) != $(LDLIBRARY); then \ $(BLDSHARED) -Wl,-h$(INSTSONAME) -o $(INSTSONAME) $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM) $(LDLAST); \ -@@ -674,7 +674,7 @@ Modules/Setup: $(srcdir)/Modules/Setup.d +@@ -702,7 +690,7 @@ Modules/Setup: $(srcdir)/Modules/Setup.dist echo "-----------------------------------------------"; \ fi @@ -38,7 +39,7 @@ diff -up cpython-59223da36dec/Makefile.pre.in.no-static-lib cpython-59223da36dec $(LINKCC) $(PY_LDFLAGS) $(LINKFORSHARED) -o $@ Programs/_testembed.o $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) $(LDLAST) ############################################################################ -@@ -1354,18 +1354,6 @@ libainstall: all python-config +@@ -1382,18 +1370,6 @@ libainstall: all python-config else true; \ fi; \ done diff --git a/00170-gc-assertions.patch b/00170-gc-assertions.patch index 9e34c21..f491733 100644 --- a/00170-gc-assertions.patch +++ b/00170-gc-assertions.patch @@ -1,8 +1,8 @@ -Index: Include/object.h -=================================================================== ---- Include/object.h (revision 87911) -+++ Include/object.h (working copy) -@@ -914,6 +914,49 @@ +diff --git a/Include/object.h b/Include/object.h +index 0c88603..e3413e8 100644 +--- a/Include/object.h ++++ b/Include/object.h +@@ -1059,6 +1059,49 @@ PyAPI_FUNC(void) _PyObject_DebugTypeStats(FILE *out); #endif /* ifndef Py_LIMITED_API */ @@ -52,63 +52,38 @@ Index: Include/object.h #ifdef __cplusplus } #endif -Index: Objects/object.c -=================================================================== ---- Objects/object.c (revision 87911) -+++ Objects/object.c (working copy) -@@ -1899,6 +1899,35 @@ - } - } - -+PyAPI_FUNC(void) -+_PyObject_AssertFailed(PyObject *obj, const char *msg, const char *expr, -+ const char *file, int line, const char *function) -+{ -+ fprintf(stderr, -+ "%s:%d: %s: Assertion \"%s\" failed.\n", -+ file, line, function, expr); -+ if (msg) { -+ fprintf(stderr, "%s\n", msg); -+ } -+ -+ fflush(stderr); -+ -+ if (obj) { -+ /* This might succeed or fail, but we're about to abort, so at least -+ try to provide any extra info we can: */ -+ _PyObject_Dump(obj); -+ } -+ else { -+ fprintf(stderr, "NULL object\n"); -+ } -+ -+ fflush(stdout); -+ fflush(stderr); -+ -+ /* Terminate the process: */ -+ abort(); -+} -+ - #ifndef Py_TRACE_REFS - /* For Py_LIMITED_API, we need an out-of-line version of _Py_Dealloc. - Define this here, so we can undefine the macro. */ -Index: Lib/test/test_gc.py -=================================================================== ---- Lib/test/test_gc.py (revision 87911) -+++ Lib/test/test_gc.py (working copy) -@@ -1,7 +1,7 @@ +diff --git a/Lib/test/test_gc.py b/Lib/test/test_gc.py +index e727499..6efcafb 100644 +--- a/Lib/test/test_gc.py ++++ b/Lib/test/test_gc.py +@@ -1,10 +1,11 @@ import unittest from test.support import (verbose, refcount_test, run_unittest, - strip_python_stderr, cpython_only, start_threads, -- temp_dir) -+ temp_dir, import_module) + strip_python_stderr, cpython_only, start_threads, +- temp_dir, requires_type_collecting) ++ temp_dir, import_module, requires_type_collecting) from test.support.script_helper import assert_python_ok, make_script import sys -@@ -512,6 +512,48 @@ ++import sysconfig + import time + import gc + import weakref +@@ -50,6 +51,8 @@ class GC_Detector(object): + # gc collects it. + self.wr = weakref.ref(C1055820(666), it_happened) + ++BUILD_WITH_NDEBUG = ('-DNDEBUG' in sysconfig.get_config_vars()['PY_CFLAGS']) ++ + @with_tp_del + class Uncollectable(object): + """Create a reference cycle with multiple __del__ methods. +@@ -862,6 +865,50 @@ class GCCallbackTests(unittest.TestCase): self.assertEqual(len(gc.garbage), 0) ++ @unittest.skipIf(BUILD_WITH_NDEBUG, ++ 'built with -NDEBUG') + def test_refcount_errors(self): + self.preclean() + # Verify the "handling" of objects with broken refcounts @@ -154,9 +129,10 @@ Index: Lib/test/test_gc.py class GCTogglingTests(unittest.TestCase): def setUp(self): gc.enable() -diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c ---- Modules/gcmodule.c.orig2 2014-12-08 10:54:14.251742911 +0100 -+++ Modules/gcmodule.c 2014-12-08 10:52:45.674771917 +0100 +diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c +index 0c6f444..87edd5a 100644 +--- a/Modules/gcmodule.c ++++ b/Modules/gcmodule.c @@ -341,7 +341,8 @@ update_refs(PyGC_Head *containers) { PyGC_Head *gc = containers->gc.gc_next; @@ -188,7 +164,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c if (_PyGCHead_REFS(gc) > 0) _PyGCHead_DECREF(gc); } -@@ -436,9 +440,10 @@ visit_reachable(PyObject *op, PyGC_Head +@@ -436,9 +440,10 @@ visit_reachable(PyObject *op, PyGC_Head *reachable) * If gc_refs == GC_UNTRACKED, it must be ignored. */ else { @@ -202,7 +178,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c } } return 0; -@@ -480,7 +485,7 @@ move_unreachable(PyGC_Head *young, PyGC_ +@@ -480,7 +485,7 @@ move_unreachable(PyGC_Head *young, PyGC_Head *unreachable) */ PyObject *op = FROM_GC(gc); traverseproc traverse = Py_TYPE(op)->tp_traverse; @@ -211,7 +187,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c _PyGCHead_SET_REFS(gc, GC_REACHABLE); (void) traverse(op, (visitproc)visit_reachable, -@@ -543,7 +548,7 @@ move_legacy_finalizers(PyGC_Head *unreac +@@ -543,7 +548,7 @@ move_legacy_finalizers(PyGC_Head *unreachable, PyGC_Head *finalizers) for (gc = unreachable->gc.gc_next; gc != unreachable; gc = next) { PyObject *op = FROM_GC(gc); @@ -220,7 +196,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c next = gc->gc.gc_next; if (has_legacy_finalizer(op)) { -@@ -619,7 +624,7 @@ handle_weakrefs(PyGC_Head *unreachable, +@@ -619,7 +624,7 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) PyWeakReference **wrlist; op = FROM_GC(gc); @@ -229,7 +205,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c next = gc->gc.gc_next; if (! PyType_SUPPORTS_WEAKREFS(Py_TYPE(op))) -@@ -640,9 +645,9 @@ handle_weakrefs(PyGC_Head *unreachable, +@@ -640,9 +645,9 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) * the callback pointer intact. Obscure: it also * changes *wrlist. */ @@ -241,7 +217,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c if (wr->wr_callback == NULL) continue; /* no callback */ -@@ -676,7 +681,7 @@ handle_weakrefs(PyGC_Head *unreachable, +@@ -676,7 +681,7 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) */ if (IS_TENTATIVELY_UNREACHABLE(wr)) continue; @@ -250,7 +226,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c /* Create a new reference so that wr can't go away * before we can process it again. -@@ -685,7 +690,8 @@ handle_weakrefs(PyGC_Head *unreachable, +@@ -685,7 +690,8 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) /* Move wr to wrcb_to_call, for the next pass. */ wrasgc = AS_GC(wr); @@ -260,7 +236,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c next isn't, so they can't be the same */ gc_list_move(wrasgc, &wrcb_to_call); -@@ -701,11 +707,11 @@ handle_weakrefs(PyGC_Head *unreachable, +@@ -701,11 +707,11 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) gc = wrcb_to_call.gc.gc_next; op = FROM_GC(gc); @@ -292,35 +268,43 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c if (_PyGCHead_REFS(gc) != 0) return -1; } -diff -up Lib/test/test_gc.py.old Lib/test/test_gc.py ---- Lib/test/test_gc.py.old 2014-12-10 11:19:33.503982288 +0100 -+++ Lib/test/test_gc.py 2014-12-10 11:21:13.220021364 +0100 -@@ -49,6 +49,8 @@ class GC_Detector(object): - # gc collects it. - self.wr = weakref.ref(C1055820(666), it_happened) +diff --git a/Objects/object.c b/Objects/object.c +index 559794f..a47d47f 100644 +--- a/Objects/object.c ++++ b/Objects/object.c +@@ -2022,6 +2022,35 @@ _PyTrash_thread_destroy_chain(void) + } + } -+BUILD_WITH_NDEBUG = ('-DNDEBUG' in sysconfig.get_config_vars()['PY_CFLAGS']) ++PyAPI_FUNC(void) ++_PyObject_AssertFailed(PyObject *obj, const char *msg, const char *expr, ++ const char *file, int line, const char *function) ++{ ++ fprintf(stderr, ++ "%s:%d: %s: Assertion \"%s\" failed.\n", ++ file, line, function, expr); ++ if (msg) { ++ fprintf(stderr, "%s\n", msg); ++ } + - @with_tp_del - class Uncollectable(object): - """Create a reference cycle with multiple __del__ methods. -@@ -854,6 +856,8 @@ class GCCallbackTests(unittest.TestCase) - self.assertEqual(len(gc.garbage), 0) - - -+ @unittest.skipIf(BUILD_WITH_NDEBUG, -+ 'built with -NDEBUG') - def test_refcount_errors(self): - self.preclean() - # Verify the "handling" of objects with broken refcounts -diff -up Lib/test/test_gc.py.old Lib/test/test_gc.py ---- Lib/test/test_gc.py.old 2014-12-10 12:50:58.252121318 +0100 -+++ Lib/test/test_gc.py 2014-12-10 12:51:08.594266653 +0100 -@@ -4,6 +4,7 @@ from test.support import (verbose, refco - from test.support.script_helper import assert_python_ok, make_script - - import sys -+import sysconfig - import time - import gc - import weakref ++ fflush(stderr); ++ ++ if (obj) { ++ /* This might succeed or fail, but we're about to abort, so at least ++ try to provide any extra info we can: */ ++ _PyObject_Dump(obj); ++ } ++ else { ++ fprintf(stderr, "NULL object\n"); ++ } ++ ++ fflush(stdout); ++ fflush(stderr); ++ ++ /* Terminate the process: */ ++ abort(); ++} ++ + #ifndef Py_TRACE_REFS + /* For Py_LIMITED_API, we need an out-of-line version of _Py_Dealloc. + Define this here, so we can undefine the macro. */ diff --git a/00209-fix-test-pyexpat-failure.patch b/00209-fix-test-pyexpat-failure.patch deleted file mode 100644 index 7b40280..0000000 --- a/00209-fix-test-pyexpat-failure.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff -r 682a8e36dd18 Lib/test/test_pyexpat.py ---- a/Lib/test/test_pyexpat.py Tue Jul 05 17:08:52 2016 +0300 -+++ b/Lib/test/test_pyexpat.py Thu Jul 07 17:04:35 2016 +0800 -@@ -656,11 +656,9 @@ - # \xc2\x85 is UTF-8 encoded U+0085 (NEXT LINE) - xml = b"\r\n" - parser = expat.ParserCreate() -- try: -+ err_pattern = r'XML declaration not well-formed: line 1, column \d+' -+ with self.assertRaisesRegex(expat.ExpatError, err_pattern): - parser.Parse(xml, True) -- self.fail() -- except expat.ExpatError as e: -- self.assertEqual(str(e), 'XML declaration not well-formed: line 1, column 14') - - class ErrorMessageTest(unittest.TestCase): - def test_codes(self): diff --git a/00242-CVE-2016-1000110-httpoxy.patch b/00242-CVE-2016-1000110-httpoxy.patch deleted file mode 100644 index 244ebec..0000000 --- a/00242-CVE-2016-1000110-httpoxy.patch +++ /dev/null @@ -1,89 +0,0 @@ -diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst -index 24a4156..d2c7991 100644 ---- a/Doc/howto/urllib2.rst -+++ b/Doc/howto/urllib2.rst -@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ handler: :: - through a proxy. However, this can be enabled by extending urllib.request as - shown in the recipe [#]_. - -+.. note:: -+ -+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see -+ the documentation on :func:`~urllib.request.getproxies`. -+ - - Sockets and Layers - ================== -diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst -index 6c1bfb8..1291aeb 100644 ---- a/Doc/library/urllib.request.rst -+++ b/Doc/library/urllib.request.rst -@@ -173,6 +173,16 @@ The :mod:`urllib.request` module defines the following functions: - If both lowercase and uppercase environment variables exist (and disagree), - lowercase is preferred. - -+ .. note:: -+ -+ If the environment variable ``REQUEST_METHOD`` is set, which usually -+ indicates your script is running in a CGI environment, the environment -+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is -+ because that variable can be injected by a client using the "Proxy:" HTTP -+ header. If you need to use an HTTP proxy in a CGI environment, either use -+ ``ProxyHandler`` explicitly, or make sure the variable name is in -+ lowercase (or at least the ``_proxy`` suffix). -+ - - The following classes are provided: - -@@ -280,6 +290,11 @@ The following classes are provided: - list of hostname suffixes, optionally with ``:port`` appended, for example - ``cern.ch,ncsa.uiuc.edu,some.host:8080``. - -+ .. note:: -+ -+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; -+ see the documentation on :func:`~urllib.request.getproxies`. -+ - - .. class:: HTTPPasswordMgr() - -diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py -index 5d05f8d..c26c52a 100644 ---- a/Lib/test/test_urllib.py -+++ b/Lib/test/test_urllib.py -@@ -232,6 +232,18 @@ class ProxyTests(unittest.TestCase): - self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com:8888')) - self.assertTrue(urllib.request.proxy_bypass_environment('newdomain.com:1234')) - -+ def test_proxy_cgi_ignore(self): -+ try: -+ self.env.set('HTTP_PROXY', 'http://somewhere:3128') -+ proxies = urllib.request.getproxies_environment() -+ self.assertEqual('http://somewhere:3128', proxies['http']) -+ self.env.set('REQUEST_METHOD', 'GET') -+ proxies = urllib.request.getproxies_environment() -+ self.assertNotIn('http', proxies) -+ finally: -+ self.env.unset('REQUEST_METHOD') -+ self.env.unset('HTTP_PROXY') -+ - def test_proxy_bypass_environment_host_match(self): - bypass = urllib.request.proxy_bypass_environment - self.env.set('NO_PROXY', -diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py -index 1731fe3..3be327d 100644 ---- a/Lib/urllib/request.py -+++ b/Lib/urllib/request.py -@@ -2412,6 +2412,12 @@ def getproxies_environment(): - name = name.lower() - if value and name[-6:] == '_proxy': - proxies[name[:-6]] = value -+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY -+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:" -+ # header from the client -+ # If "proxy" is lowercase, it will still be used thanks to the next block -+ if 'REQUEST_METHOD' in os.environ: -+ proxies.pop('http', None) - for name, value in os.environ.items(): - if name[-6:] == '_proxy': - name = name.lower() diff --git a/00247-port-ssl-and-hashlib-to-OpenSSL-1.1.0.patch b/00247-port-ssl-and-hashlib-to-OpenSSL-1.1.0.patch deleted file mode 100644 index 5760d67..0000000 --- a/00247-port-ssl-and-hashlib-to-OpenSSL-1.1.0.patch +++ /dev/null @@ -1,1314 +0,0 @@ - -# HG changeset patch -# User Christian Heimes -# Date 1473110345 -7200 -# Node ID 5c75b315152b714f7c84258ea511b461e2c06154 -# Parent 82467d0dbaea31a7971d1429ca5f4a251a995f33 -Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. - -diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst ---- a/Doc/library/ssl.rst -+++ b/Doc/library/ssl.rst -@@ -178,7 +178,7 @@ instead. - use. Typically, the server chooses a particular protocol version, and the - client must adapt to the server's choice. Most of the versions are not - interoperable with the other versions. If not specified, the default is -- :data:`PROTOCOL_SSLv23`; it provides the most compatibility with other -+ :data:`PROTOCOL_TLS`; it provides the most compatibility with other - versions. - - Here's a table showing which versions in a client (down the side) can connect -@@ -187,11 +187,11 @@ instead. - .. table:: - - ======================== ========= ========= ========== ========= =========== =========== -- *client* / **server** **SSLv2** **SSLv3** **SSLv23** **TLSv1** **TLSv1.1** **TLSv1.2** -+ *client* / **server** **SSLv2** **SSLv3** **TLS** **TLSv1** **TLSv1.1** **TLSv1.2** - ------------------------ --------- --------- ---------- --------- ----------- ----------- - *SSLv2* yes no yes no no no - *SSLv3* no yes yes no no no -- *SSLv23* no yes yes yes yes yes -+ *TLS* (*SSLv23*) no yes yes yes yes yes - *TLSv1* no no yes yes no no - *TLSv1.1* no no yes no yes no - *TLSv1.2* no no yes no no yes -@@ -244,7 +244,7 @@ purposes. - :const:`None`, this function can choose to trust the system's default - CA certificates instead. - -- The settings are: :data:`PROTOCOL_SSLv23`, :data:`OP_NO_SSLv2`, and -+ The settings are: :data:`PROTOCOL_TLS`, :data:`OP_NO_SSLv2`, and - :data:`OP_NO_SSLv3` with high encryption cipher suites without RC4 and - without unauthenticated cipher suites. Passing :data:`~Purpose.SERVER_AUTH` - as *purpose* sets :data:`~SSLContext.verify_mode` to :data:`CERT_REQUIRED` -@@ -316,6 +316,11 @@ Random generation - - .. versionadded:: 3.3 - -+ .. deprecated:: 3.5.3 -+ -+ OpenSSL has deprecated :func:`ssl.RAND_pseudo_bytes`, use -+ :func:`ssl.RAND_bytes` instead. -+ - .. function:: RAND_status() - - Return ``True`` if the SSL pseudo-random number generator has been seeded -@@ -334,7 +339,7 @@ Random generation - See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources - of entropy-gathering daemons. - -- Availability: not available with LibreSSL. -+ Availability: not available with LibreSSL and OpenSSL > 1.1.0 - - .. function:: RAND_add(bytes, entropy) - -@@ -409,7 +414,7 @@ Certificate handling - previously. Return an integer (no fractions of a second in the - input format) - --.. function:: get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None) -+.. function:: get_server_certificate(addr, ssl_version=PROTOCOL_TLS, ca_certs=None) - - Given the address ``addr`` of an SSL-protected server, as a (*hostname*, - *port-number*) pair, fetches the server's certificate, and returns it as a -@@ -425,7 +430,7 @@ Certificate handling - - .. versionchanged:: 3.5 - The default *ssl_version* is changed from :data:`PROTOCOL_SSLv3` to -- :data:`PROTOCOL_SSLv23` for maximum compatibility with modern servers. -+ :data:`PROTOCOL_TLS` for maximum compatibility with modern servers. - - .. function:: DER_cert_to_PEM_cert(DER_cert_bytes) - -@@ -451,6 +456,9 @@ Certificate handling - * :attr:`openssl_capath_env` - OpenSSL's environment key that points to a capath, - * :attr:`openssl_capath` - hard coded path to a capath directory - -+ Availability: LibreSSL ignores the environment vars -+ :attr:`openssl_cafile_env` and :attr:`openssl_capath_env` -+ - .. versionadded:: 3.4 - - .. function:: enum_certificates(store_name) -@@ -568,11 +576,21 @@ Constants - - .. versionadded:: 3.4.4 - --.. data:: PROTOCOL_SSLv23 -+.. data:: PROTOCOL_TLS - - Selects the highest protocol version that both the client and server support. - Despite the name, this option can select "TLS" protocols as well as "SSL". - -+ .. versionadded:: 3.5.3 -+ -+.. data:: PROTOCOL_SSLv23 -+ -+ Alias for data:`PROTOCOL_TLS`. -+ -+ .. deprecated:: 3.5.3 -+ -+ Use data:`PROTOCOL_TLS` instead. -+ - .. data:: PROTOCOL_SSLv2 - - Selects SSL version 2 as the channel encryption protocol. -@@ -584,6 +602,10 @@ Constants - - SSL version 2 is insecure. Its use is highly discouraged. - -+ .. deprecated:: 3.5.3 -+ -+ OpenSSL has removed support for SSLv2. -+ - .. data:: PROTOCOL_SSLv3 - - Selects SSL version 3 as the channel encryption protocol. -@@ -595,10 +617,20 @@ Constants - - SSL version 3 is insecure. Its use is highly discouraged. - -+ .. deprecated:: 3.5.3 -+ -+ OpenSSL has deprecated all version specific protocols. Use the default -+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. -+ - .. data:: PROTOCOL_TLSv1 - - Selects TLS version 1.0 as the channel encryption protocol. - -+ .. deprecated:: 3.5.3 -+ -+ OpenSSL has deprecated all version specific protocols. Use the default -+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. -+ - .. data:: PROTOCOL_TLSv1_1 - - Selects TLS version 1.1 as the channel encryption protocol. -@@ -606,6 +638,11 @@ Constants - - .. versionadded:: 3.4 - -+ .. deprecated:: 3.5.3 -+ -+ OpenSSL has deprecated all version specific protocols. Use the default -+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. -+ - .. data:: PROTOCOL_TLSv1_2 - - Selects TLS version 1.2 as the channel encryption protocol. This is the -@@ -614,6 +651,11 @@ Constants - - .. versionadded:: 3.4 - -+ .. deprecated:: 3.5.3 -+ -+ OpenSSL has deprecated all version specific protocols. Use the default -+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. -+ - .. data:: OP_ALL - - Enables workarounds for various bugs present in other SSL implementations. -@@ -625,23 +667,32 @@ Constants - .. data:: OP_NO_SSLv2 - - Prevents an SSLv2 connection. This option is only applicable in -- conjunction with :const:`PROTOCOL_SSLv23`. It prevents the peers from -+ conjunction with :const:`PROTOCOL_TLS`. It prevents the peers from - choosing SSLv2 as the protocol version. - - .. versionadded:: 3.2 - -+ .. deprecated:: 3.5.3 -+ -+ SSLv2 is deprecated -+ -+ - .. data:: OP_NO_SSLv3 - - Prevents an SSLv3 connection. This option is only applicable in -- conjunction with :const:`PROTOCOL_SSLv23`. It prevents the peers from -+ conjunction with :const:`PROTOCOL_TLS`. It prevents the peers from - choosing SSLv3 as the protocol version. - - .. versionadded:: 3.2 - -+ .. deprecated:: 3.5.3 -+ -+ SSLv3 is deprecated -+ - .. data:: OP_NO_TLSv1 - - Prevents a TLSv1 connection. This option is only applicable in -- conjunction with :const:`PROTOCOL_SSLv23`. It prevents the peers from -+ conjunction with :const:`PROTOCOL_TLS`. It prevents the peers from - choosing TLSv1 as the protocol version. - - .. versionadded:: 3.2 -@@ -649,7 +700,7 @@ Constants - .. data:: OP_NO_TLSv1_1 - - Prevents a TLSv1.1 connection. This option is only applicable in conjunction -- with :const:`PROTOCOL_SSLv23`. It prevents the peers from choosing TLSv1.1 as -+ with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.1 as - the protocol version. Available only with openssl version 1.0.1+. - - .. versionadded:: 3.4 -@@ -657,7 +708,7 @@ Constants - .. data:: OP_NO_TLSv1_2 - - Prevents a TLSv1.2 connection. This option is only applicable in conjunction -- with :const:`PROTOCOL_SSLv23`. It prevents the peers from choosing TLSv1.2 as -+ with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.2 as - the protocol version. Available only with openssl version 1.0.1+. - - .. versionadded:: 3.4 -@@ -1081,17 +1132,21 @@ such as SSL configuration options, certi - It also manages a cache of SSL sessions for server-side sockets, in order - to speed up repeated connections from the same clients. - --.. class:: SSLContext(protocol) -- -- Create a new SSL context. You must pass *protocol* which must be one -+.. class:: SSLContext(protocol=PROTOCOL_TLS) -+ -+ Create a new SSL context. You may pass *protocol* which must be one - of the ``PROTOCOL_*`` constants defined in this module. -- :data:`PROTOCOL_SSLv23` is currently recommended for maximum -- interoperability. -+ :data:`PROTOCOL_TLS` is currently recommended for maximum -+ interoperability and default value. - - .. seealso:: - :func:`create_default_context` lets the :mod:`ssl` module choose - security settings for a given purpose. - -+ .. versionchanged:: 3.5.3 -+ -+ :data:`PROTOCOL_TLS` is the default value. -+ - - :class:`SSLContext` objects have the following methods and attributes: - -@@ -1232,6 +1287,9 @@ to speed up repeated connections from th - This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is - False. - -+ OpenSSL 1.1.0+ will abort the handshake and raise :exc:`SSLError` when -+ both sides support ALPN but cannot agree on a protocol. -+ - .. versionadded:: 3.5 - - .. method:: SSLContext.set_npn_protocols(protocols) -@@ -1598,7 +1656,7 @@ If you prefer to tune security settings - a context from scratch (but beware that you might not get the settings - right):: - -- >>> context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) -+ >>> context = ssl.SSLContext(ssl.PROTOCOL_TLS) - >>> context.verify_mode = ssl.CERT_REQUIRED - >>> context.check_hostname = True - >>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt") -@@ -1999,15 +2057,17 @@ Protocol versions - - SSL versions 2 and 3 are considered insecure and are therefore dangerous to - use. If you want maximum compatibility between clients and servers, it is --recommended to use :const:`PROTOCOL_SSLv23` as the protocol version and then -+recommended to use :const:`PROTOCOL_TLS` as the protocol version and then - disable SSLv2 and SSLv3 explicitly using the :data:`SSLContext.options` - attribute:: - -- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) -+ context = ssl.SSLContext(ssl.PROTOCOL_TLS) - context.options |= ssl.OP_NO_SSLv2 - context.options |= ssl.OP_NO_SSLv3 -- --The SSL context created above will only allow TLSv1 and later (if -+ context.options |= ssl.OP_NO_TLSv1 -+ context.options |= ssl.OP_NO_TLSv1_1 -+ -+The SSL context created above will only allow TLSv1.2 and later (if - supported by your system) connections. - - Cipher selection -diff --git a/Lib/ssl.py b/Lib/ssl.py ---- a/Lib/ssl.py -+++ b/Lib/ssl.py -@@ -51,6 +51,7 @@ The following constants identify various - PROTOCOL_SSLv2 - PROTOCOL_SSLv3 - PROTOCOL_SSLv23 -+PROTOCOL_TLS - PROTOCOL_TLSv1 - PROTOCOL_TLSv1_1 - PROTOCOL_TLSv1_2 -@@ -128,9 +129,10 @@ from _ssl import _OPENSSL_API_VERSION - - _IntEnum._convert( - '_SSLMethod', __name__, -- lambda name: name.startswith('PROTOCOL_'), -+ lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23', - source=_ssl) - -+PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_TLS - _PROTOCOL_NAMES = {value: name for name, value in _SSLMethod.__members__.items()} - - try: -@@ -357,13 +359,13 @@ class SSLContext(_SSLContext): - __slots__ = ('protocol', '__weakref__') - _windows_cert_stores = ("CA", "ROOT") - -- def __new__(cls, protocol, *args, **kwargs): -+ def __new__(cls, protocol=PROTOCOL_TLS, *args, **kwargs): - self = _SSLContext.__new__(cls, protocol) - if protocol != _SSLv2_IF_EXISTS: - self.set_ciphers(_DEFAULT_CIPHERS) - return self - -- def __init__(self, protocol): -+ def __init__(self, protocol=PROTOCOL_TLS): - self.protocol = protocol - - def wrap_socket(self, sock, server_side=False, -@@ -438,7 +440,7 @@ def create_default_context(purpose=Purpo - if not isinstance(purpose, _ASN1Object): - raise TypeError(purpose) - -- context = SSLContext(PROTOCOL_SSLv23) -+ context = SSLContext(PROTOCOL_TLS) - - # SSLv2 considered harmful. - context.options |= OP_NO_SSLv2 -@@ -475,7 +477,7 @@ def create_default_context(purpose=Purpo - context.load_default_certs(purpose) - return context - --def _create_unverified_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None, -+def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=None, - check_hostname=False, purpose=Purpose.SERVER_AUTH, - certfile=None, keyfile=None, - cafile=None, capath=None, cadata=None): -@@ -666,7 +668,7 @@ class SSLSocket(socket): - - def __init__(self, sock=None, keyfile=None, certfile=None, - server_side=False, cert_reqs=CERT_NONE, -- ssl_version=PROTOCOL_SSLv23, ca_certs=None, -+ ssl_version=PROTOCOL_TLS, ca_certs=None, - do_handshake_on_connect=True, - family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None, - suppress_ragged_eofs=True, npn_protocols=None, ciphers=None, -@@ -1056,7 +1058,7 @@ class SSLSocket(socket): - - def wrap_socket(sock, keyfile=None, certfile=None, - server_side=False, cert_reqs=CERT_NONE, -- ssl_version=PROTOCOL_SSLv23, ca_certs=None, -+ ssl_version=PROTOCOL_TLS, ca_certs=None, - do_handshake_on_connect=True, - suppress_ragged_eofs=True, - ciphers=None): -@@ -1125,7 +1127,7 @@ def PEM_cert_to_DER_cert(pem_cert_string - d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)] - return base64.decodebytes(d.encode('ASCII', 'strict')) - --def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None): -+def get_server_certificate(addr, ssl_version=PROTOCOL_TLS, ca_certs=None): - """Retrieve the certificate from the server at the specified address, - and return it as a PEM-encoded string. - If 'ca_certs' is specified, validate the server cert against it. -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py -@@ -23,6 +23,9 @@ ssl = support.import_module("ssl") - - PROTOCOLS = sorted(ssl._PROTOCOL_NAMES) - HOST = support.HOST -+IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL') -+IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0) -+ - - def data_file(*name): - return os.path.join(os.path.dirname(__file__), *name) -@@ -143,8 +146,8 @@ class BasicSocketTests(unittest.TestCase - def test_str_for_enums(self): - # Make sure that the PROTOCOL_* constants have enum-like string - # reprs. -- proto = ssl.PROTOCOL_SSLv23 -- self.assertEqual(str(proto), '_SSLMethod.PROTOCOL_SSLv23') -+ proto = ssl.PROTOCOL_TLS -+ self.assertEqual(str(proto), '_SSLMethod.PROTOCOL_TLS') - ctx = ssl.SSLContext(proto) - self.assertIs(ctx.protocol, proto) - -@@ -312,8 +315,8 @@ class BasicSocketTests(unittest.TestCase - self.assertGreaterEqual(status, 0) - self.assertLessEqual(status, 15) - # Version string as returned by {Open,Libre}SSL, the format might change -- if "LibreSSL" in s: -- self.assertTrue(s.startswith("LibreSSL {:d}.{:d}".format(major, minor)), -+ if IS_LIBRESSL: -+ self.assertTrue(s.startswith("LibreSSL {:d}".format(major)), - (s, t, hex(n))) - else: - self.assertTrue(s.startswith("OpenSSL {:d}.{:d}.{:d}".format(major, minor, fix)), -@@ -790,7 +793,8 @@ class ContextTests(unittest.TestCase): - def test_constructor(self): - for protocol in PROTOCOLS: - ssl.SSLContext(protocol) -- self.assertRaises(TypeError, ssl.SSLContext) -+ ctx = ssl.SSLContext() -+ self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS) - self.assertRaises(ValueError, ssl.SSLContext, -1) - self.assertRaises(ValueError, ssl.SSLContext, 42) - -@@ -811,15 +815,15 @@ class ContextTests(unittest.TestCase): - def test_options(self): - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) - # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value -- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3, -- ctx.options) -+ default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) -+ if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0): -+ default |= ssl.OP_NO_COMPRESSION -+ self.assertEqual(default, ctx.options) - ctx.options |= ssl.OP_NO_TLSv1 -- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1, -- ctx.options) -+ self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) - if can_clear_options(): -- ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1 -- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_TLSv1 | ssl.OP_NO_SSLv3, -- ctx.options) -+ ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1) -+ self.assertEqual(default, ctx.options) - ctx.options = 0 - # Ubuntu has OP_NO_SSLv3 forced on by default - self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3) -@@ -1155,6 +1159,7 @@ class ContextTests(unittest.TestCase): - self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH') - - @unittest.skipIf(sys.platform == "win32", "not-Windows specific") -+ @unittest.skipIf(IS_LIBRESSL, "LibreSSL doesn't support env vars") - def test_load_default_certs_env(self): - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) - with support.EnvironmentVarGuard() as env: -@@ -1750,13 +1755,13 @@ class NetworkedBIOTests(unittest.TestCas - sslobj = ctx.wrap_bio(incoming, outgoing, False, REMOTE_HOST) - self.assertIs(sslobj._sslobj.owner, sslobj) - self.assertIsNone(sslobj.cipher()) -- self.assertIsNone(sslobj.shared_ciphers()) -+ self.assertIsNotNone(sslobj.shared_ciphers()) - self.assertRaises(ValueError, sslobj.getpeercert) - if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES: - self.assertIsNone(sslobj.get_channel_binding('tls-unique')) - self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake) - self.assertTrue(sslobj.cipher()) -- self.assertIsNone(sslobj.shared_ciphers()) -+ self.assertIsNotNone(sslobj.shared_ciphers()) - self.assertTrue(sslobj.getpeercert()) - if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES: - self.assertTrue(sslobj.get_channel_binding('tls-unique')) -@@ -2993,7 +2998,7 @@ else: - with context.wrap_socket(socket.socket()) as s: - self.assertIs(s.version(), None) - s.connect((HOST, server.port)) -- self.assertEqual(s.version(), "TLSv1") -+ self.assertEqual(s.version(), 'TLSv1') - self.assertIs(s.version(), None) - - @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL") -@@ -3135,24 +3140,36 @@ else: - (['http/3.0', 'http/4.0'], None) - ] - for client_protocols, expected in protocol_tests: -- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) - server_context.load_cert_chain(CERTFILE) - server_context.set_alpn_protocols(server_protocols) -- client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) - client_context.load_cert_chain(CERTFILE) - client_context.set_alpn_protocols(client_protocols) -- stats = server_params_test(client_context, server_context, -- chatty=True, connectionchatty=True) -- -- msg = "failed trying %s (s) and %s (c).\n" \ -- "was expecting %s, but got %%s from the %%s" \ -- % (str(server_protocols), str(client_protocols), -- str(expected)) -- client_result = stats['client_alpn_protocol'] -- self.assertEqual(client_result, expected, msg % (client_result, "client")) -- server_result = stats['server_alpn_protocols'][-1] \ -- if len(stats['server_alpn_protocols']) else 'nothing' -- self.assertEqual(server_result, expected, msg % (server_result, "server")) -+ -+ try: -+ stats = server_params_test(client_context, -+ server_context, -+ chatty=True, -+ connectionchatty=True) -+ except ssl.SSLError as e: -+ stats = e -+ -+ if expected is None and IS_OPENSSL_1_1: -+ # OpenSSL 1.1.0 raises handshake error -+ self.assertIsInstance(stats, ssl.SSLError) -+ else: -+ msg = "failed trying %s (s) and %s (c).\n" \ -+ "was expecting %s, but got %%s from the %%s" \ -+ % (str(server_protocols), str(client_protocols), -+ str(expected)) -+ client_result = stats['client_alpn_protocol'] -+ self.assertEqual(client_result, expected, -+ msg % (client_result, "client")) -+ server_result = stats['server_alpn_protocols'][-1] \ -+ if len(stats['server_alpn_protocols']) else 'nothing' -+ self.assertEqual(server_result, expected, -+ msg % (server_result, "server")) - - def test_selected_npn_protocol(self): - # selected_npn_protocol() is None unless NPN is used -@@ -3300,13 +3317,23 @@ else: - client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) - client_context.verify_mode = ssl.CERT_REQUIRED - client_context.load_verify_locations(SIGNING_CA) -- client_context.set_ciphers("RC4") -- server_context.set_ciphers("AES:RC4") -+ if ssl.OPENSSL_VERSION_INFO >= (1, 0, 2): -+ client_context.set_ciphers("AES128:AES256") -+ server_context.set_ciphers("AES256") -+ alg1 = "AES256" -+ alg2 = "AES-256" -+ else: -+ client_context.set_ciphers("AES:3DES") -+ server_context.set_ciphers("3DES") -+ alg1 = "3DES" -+ alg2 = "DES-CBC3" -+ - stats = server_params_test(client_context, server_context) - ciphers = stats['server_shared_ciphers'][0] - self.assertGreater(len(ciphers), 0) - for name, tls_version, bits in ciphers: -- self.assertIn("RC4", name.split("-")) -+ if not alg1 in name.split("-") and alg2 not in name: -+ self.fail(name) - - def test_read_write_after_close_raises_valuerror(self): - context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) - -diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c ---- a/Modules/_hashopenssl.c -+++ b/Modules/_hashopenssl.c -@@ -21,7 +21,6 @@ - - /* EVP is the preferred interface to hashing in OpenSSL */ - #include --#include - /* We use the object interface to discover what hashes OpenSSL supports. */ - #include - #include "openssl/err.h" -@@ -32,11 +31,22 @@ - #define HASH_OBJ_CONSTRUCTOR 0 - #endif - -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) -+/* OpenSSL < 1.1.0 */ -+#define EVP_MD_CTX_new EVP_MD_CTX_create -+#define EVP_MD_CTX_free EVP_MD_CTX_destroy -+#define HAS_FAST_PKCS5_PBKDF2_HMAC 0 -+#include -+#else -+/* OpenSSL >= 1.1.0 */ -+#define HAS_FAST_PKCS5_PBKDF2_HMAC 1 -+#endif -+ - - typedef struct { - PyObject_HEAD - PyObject *name; /* name of this hash algorithm */ -- EVP_MD_CTX ctx; /* OpenSSL message digest context */ -+ EVP_MD_CTX *ctx; /* OpenSSL message digest context */ - #ifdef WITH_THREAD - PyThread_type_lock lock; /* OpenSSL context lock */ - #endif -@@ -48,7 +58,6 @@ static PyTypeObject EVPtype; - - #define DEFINE_CONSTS_FOR_NEW(Name) \ - static PyObject *CONST_ ## Name ## _name_obj = NULL; \ -- static EVP_MD_CTX CONST_new_ ## Name ## _ctx; \ - static EVP_MD_CTX *CONST_new_ ## Name ## _ctx_p = NULL; - - DEFINE_CONSTS_FOR_NEW(md5) -@@ -59,19 +68,57 @@ DEFINE_CONSTS_FOR_NEW(sha384) - DEFINE_CONSTS_FOR_NEW(sha512) - - -+/* LCOV_EXCL_START */ -+static PyObject * -+_setException(PyObject *exc) -+{ -+ unsigned long errcode; -+ const char *lib, *func, *reason; -+ -+ errcode = ERR_peek_last_error(); -+ if (!errcode) { -+ PyErr_SetString(exc, "unknown reasons"); -+ return NULL; -+ } -+ ERR_clear_error(); -+ -+ lib = ERR_lib_error_string(errcode); -+ func = ERR_func_error_string(errcode); -+ reason = ERR_reason_error_string(errcode); -+ -+ if (lib && func) { -+ PyErr_Format(exc, "[%s: %s] %s", lib, func, reason); -+ } -+ else if (lib) { -+ PyErr_Format(exc, "[%s] %s", lib, reason); -+ } -+ else { -+ PyErr_SetString(exc, reason); -+ } -+ return NULL; -+} -+/* LCOV_EXCL_STOP */ -+ - static EVPobject * - newEVPobject(PyObject *name) - { - EVPobject *retval = (EVPobject *)PyObject_New(EVPobject, &EVPtype); -+ if (retval == NULL) { -+ return NULL; -+ } -+ -+ retval->ctx = EVP_MD_CTX_new(); -+ if (retval->ctx == NULL) { -+ PyErr_NoMemory(); -+ return NULL; -+ } - - /* save the name for .name to return */ -- if (retval != NULL) { -- Py_INCREF(name); -- retval->name = name; -+ Py_INCREF(name); -+ retval->name = name; - #ifdef WITH_THREAD -- retval->lock = NULL; -+ retval->lock = NULL; - #endif -- } - - return retval; - } -@@ -86,7 +133,7 @@ EVP_hash(EVPobject *self, const void *vp - process = MUNCH_SIZE; - else - process = Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int); -- EVP_DigestUpdate(&self->ctx, (const void*)cp, process); -+ EVP_DigestUpdate(self->ctx, (const void*)cp, process); - len -= process; - cp += process; - } -@@ -101,16 +148,19 @@ EVP_dealloc(EVPobject *self) - if (self->lock != NULL) - PyThread_free_lock(self->lock); - #endif -- EVP_MD_CTX_cleanup(&self->ctx); -+ EVP_MD_CTX_free(self->ctx); - Py_XDECREF(self->name); - PyObject_Del(self); - } - --static void locked_EVP_MD_CTX_copy(EVP_MD_CTX *new_ctx_p, EVPobject *self) -+static int -+locked_EVP_MD_CTX_copy(EVP_MD_CTX *new_ctx_p, EVPobject *self) - { -+ int result; - ENTER_HASHLIB(self); -- EVP_MD_CTX_copy(new_ctx_p, &self->ctx); -+ result = EVP_MD_CTX_copy(new_ctx_p, self->ctx); - LEAVE_HASHLIB(self); -+ return result; - } - - /* External methods for a hash object */ -@@ -126,7 +176,9 @@ EVP_copy(EVPobject *self, PyObject *unus - if ( (newobj = newEVPobject(self->name))==NULL) - return NULL; - -- locked_EVP_MD_CTX_copy(&newobj->ctx, self); -+ if (!locked_EVP_MD_CTX_copy(newobj->ctx, self)) { -+ return _setException(PyExc_ValueError); -+ } - return (PyObject *)newobj; - } - -@@ -137,16 +189,24 @@ static PyObject * - EVP_digest(EVPobject *self, PyObject *unused) - { - unsigned char digest[EVP_MAX_MD_SIZE]; -- EVP_MD_CTX temp_ctx; -+ EVP_MD_CTX *temp_ctx; - PyObject *retval; - unsigned int digest_size; - -- locked_EVP_MD_CTX_copy(&temp_ctx, self); -- digest_size = EVP_MD_CTX_size(&temp_ctx); -- EVP_DigestFinal(&temp_ctx, digest, NULL); -+ temp_ctx = EVP_MD_CTX_new(); -+ if (temp_ctx == NULL) { -+ PyErr_NoMemory(); -+ return NULL; -+ } -+ -+ if (!locked_EVP_MD_CTX_copy(temp_ctx, self)) { -+ return _setException(PyExc_ValueError); -+ } -+ digest_size = EVP_MD_CTX_size(temp_ctx); -+ EVP_DigestFinal(temp_ctx, digest, NULL); - - retval = PyBytes_FromStringAndSize((const char *)digest, digest_size); -- EVP_MD_CTX_cleanup(&temp_ctx); -+ EVP_MD_CTX_free(temp_ctx); - return retval; - } - -@@ -157,15 +217,23 @@ static PyObject * - EVP_hexdigest(EVPobject *self, PyObject *unused) - { - unsigned char digest[EVP_MAX_MD_SIZE]; -- EVP_MD_CTX temp_ctx; -+ EVP_MD_CTX *temp_ctx; - unsigned int digest_size; - -+ temp_ctx = EVP_MD_CTX_new(); -+ if (temp_ctx == NULL) { -+ PyErr_NoMemory(); -+ return NULL; -+ } -+ - /* Get the raw (binary) digest value */ -- locked_EVP_MD_CTX_copy(&temp_ctx, self); -- digest_size = EVP_MD_CTX_size(&temp_ctx); -- EVP_DigestFinal(&temp_ctx, digest, NULL); -+ if (!locked_EVP_MD_CTX_copy(temp_ctx, self)) { -+ return _setException(PyExc_ValueError); -+ } -+ digest_size = EVP_MD_CTX_size(temp_ctx); -+ EVP_DigestFinal(temp_ctx, digest, NULL); - -- EVP_MD_CTX_cleanup(&temp_ctx); -+ EVP_MD_CTX_free(temp_ctx); - - return _Py_strhex((const char *)digest, digest_size); - } -@@ -219,7 +287,7 @@ static PyObject * - EVP_get_block_size(EVPobject *self, void *closure) - { - long block_size; -- block_size = EVP_MD_CTX_block_size(&self->ctx); -+ block_size = EVP_MD_CTX_block_size(self->ctx); - return PyLong_FromLong(block_size); - } - -@@ -227,7 +295,7 @@ static PyObject * - EVP_get_digest_size(EVPobject *self, void *closure) - { - long size; -- size = EVP_MD_CTX_size(&self->ctx); -+ size = EVP_MD_CTX_size(self->ctx); - return PyLong_FromLong(size); - } - -@@ -288,7 +356,7 @@ EVP_tp_init(EVPobject *self, PyObject *a - PyBuffer_Release(&view); - return -1; - } -- EVP_DigestInit(&self->ctx, digest); -+ EVP_DigestInit(self->ctx, digest); - - self->name = name_obj; - Py_INCREF(self->name); -@@ -385,9 +453,9 @@ EVPnew(PyObject *name_obj, - return NULL; - - if (initial_ctx) { -- EVP_MD_CTX_copy(&self->ctx, initial_ctx); -+ EVP_MD_CTX_copy(self->ctx, initial_ctx); - } else { -- EVP_DigestInit(&self->ctx, digest); -+ EVP_DigestInit(self->ctx, digest); - } - - if (cp && len) { -@@ -453,6 +521,7 @@ EVP_new(PyObject *self, PyObject *args, - - #define PY_PBKDF2_HMAC 1 - -+#if !HAS_FAST_PKCS5_PBKDF2_HMAC - /* Improved implementation of PKCS5_PBKDF2_HMAC() - * - * PKCS5_PBKDF2_HMAC_fast() hashes the password exactly one time instead of -@@ -534,37 +603,8 @@ PKCS5_PBKDF2_HMAC_fast(const char *pass, - HMAC_CTX_cleanup(&hctx_tpl); - return 1; - } -+#endif - --/* LCOV_EXCL_START */ --static PyObject * --_setException(PyObject *exc) --{ -- unsigned long errcode; -- const char *lib, *func, *reason; -- -- errcode = ERR_peek_last_error(); -- if (!errcode) { -- PyErr_SetString(exc, "unknown reasons"); -- return NULL; -- } -- ERR_clear_error(); -- -- lib = ERR_lib_error_string(errcode); -- func = ERR_func_error_string(errcode); -- reason = ERR_reason_error_string(errcode); -- -- if (lib && func) { -- PyErr_Format(exc, "[%s: %s] %s", lib, func, reason); -- } -- else if (lib) { -- PyErr_Format(exc, "[%s] %s", lib, reason); -- } -- else { -- PyErr_SetString(exc, reason); -- } -- return NULL; --} --/* LCOV_EXCL_STOP */ - - PyDoc_STRVAR(pbkdf2_hmac__doc__, - "pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) -> key\n\ -@@ -646,10 +686,17 @@ pbkdf2_hmac(PyObject *self, PyObject *ar - key = PyBytes_AS_STRING(key_obj); - - Py_BEGIN_ALLOW_THREADS -+#if HAS_FAST_PKCS5_PBKDF2_HMAC -+ retval = PKCS5_PBKDF2_HMAC((char*)password.buf, (int)password.len, -+ (unsigned char *)salt.buf, (int)salt.len, -+ iterations, digest, dklen, -+ (unsigned char *)key); -+#else - retval = PKCS5_PBKDF2_HMAC_fast((char*)password.buf, (int)password.len, - (unsigned char *)salt.buf, (int)salt.len, - iterations, digest, dklen, - (unsigned char *)key); -+#endif - Py_END_ALLOW_THREADS - - if (!retval) { -@@ -768,7 +815,7 @@ generate_hash_name_list(void) - if (CONST_ ## NAME ## _name_obj == NULL) { \ - CONST_ ## NAME ## _name_obj = PyUnicode_FromString(#NAME); \ - if (EVP_get_digestbyname(#NAME)) { \ -- CONST_new_ ## NAME ## _ctx_p = &CONST_new_ ## NAME ## _ctx; \ -+ CONST_new_ ## NAME ## _ctx_p = EVP_MD_CTX_new(); \ - EVP_DigestInit(CONST_new_ ## NAME ## _ctx_p, EVP_get_digestbyname(#NAME)); \ - } \ - } \ -diff --git a/Modules/_ssl.c b/Modules/_ssl.c ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -55,6 +55,14 @@ static PySocketModule_APIObject PySocket - #include - #endif - -+/* Don't warn about deprecated functions */ -+#ifdef __GNUC__ -+#pragma GCC diagnostic ignored "-Wdeprecated-declarations" -+#endif -+#ifdef __clang__ -+#pragma clang diagnostic ignored "-Wdeprecated-declarations" -+#endif -+ - /* Include OpenSSL header files */ - #include "openssl/rsa.h" - #include "openssl/crypto.h" -@@ -91,6 +99,10 @@ struct py_ssl_library_code { - /* Include generated data (error codes) */ - #include "_ssl_data.h" - -+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) -+# define OPENSSL_VERSION_1_1 1 -+#endif -+ - /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1 - http://www.openssl.org/news/changelog.html - */ -@@ -117,6 +129,72 @@ struct py_ssl_library_code { - # define HAVE_ALPN - #endif - -+#ifdef OPENSSL_VERSION_1_1 -+/* OpenSSL 1.1.0+ */ -+#ifndef OPENSSL_NO_SSL2 -+#define OPENSSL_NO_SSL2 -+#endif -+#else /* OpenSSL < 1.1.0 */ -+#if defined(WITH_THREAD) -+#define HAVE_OPENSSL_CRYPTO_LOCK -+#endif -+ -+#define TLS_method SSLv23_method -+ -+static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) -+{ -+ return ne->set; -+} -+ -+#ifndef OPENSSL_NO_COMP -+static int COMP_get_type(const COMP_METHOD *meth) -+{ -+ return meth->type; -+} -+ -+static const char *COMP_get_name(const COMP_METHOD *meth) -+{ -+ return meth->name; -+} -+#endif -+ -+static pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) -+{ -+ return ctx->default_passwd_callback; -+} -+ -+static void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) -+{ -+ return ctx->default_passwd_callback_userdata; -+} -+ -+static int X509_OBJECT_get_type(X509_OBJECT *x) -+{ -+ return x->type; -+} -+ -+static X509 *X509_OBJECT_get0_X509(X509_OBJECT *x) -+{ -+ return x->data.x509; -+} -+ -+static int BIO_up_ref(BIO *b) -+{ -+ CRYPTO_add(&b->references, 1, CRYPTO_LOCK_BIO); -+ return 1; -+} -+ -+static STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *store) { -+ return store->objs; -+} -+ -+static X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store) -+{ -+ return store->param; -+} -+#endif /* OpenSSL < 1.1.0 or LibreSSL */ -+ -+ - enum py_ssl_error { - /* these mirror ssl.h */ - PY_SSL_ERROR_NONE, -@@ -147,7 +225,7 @@ enum py_ssl_cert_requirements { - enum py_ssl_version { - PY_SSL_VERSION_SSL2, - PY_SSL_VERSION_SSL3=1, -- PY_SSL_VERSION_SSL23, -+ PY_SSL_VERSION_TLS, - #if HAVE_TLSv1_2 - PY_SSL_VERSION_TLS1, - PY_SSL_VERSION_TLS1_1, -@@ -527,8 +605,8 @@ newPySSLSocket(PySSLContext *sslctx, PyS - /* BIOs are reference counted and SSL_set_bio borrows our reference. - * To prevent a double free in memory_bio_dealloc() we need to take an - * extra reference here. */ -- CRYPTO_add(&inbio->bio->references, 1, CRYPTO_LOCK_BIO); -- CRYPTO_add(&outbio->bio->references, 1, CRYPTO_LOCK_BIO); -+ BIO_up_ref(inbio->bio); -+ BIO_up_ref(outbio->bio); - SSL_set_bio(self->ssl, inbio->bio, outbio->bio); - } - mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; -@@ -738,7 +816,7 @@ static PyObject * - - /* check to see if we've gotten to a new RDN */ - if (rdn_level >= 0) { -- if (rdn_level != entry->set) { -+ if (rdn_level != X509_NAME_ENTRY_set(entry)) { - /* yes, new RDN */ - /* add old RDN to DN */ - rdnt = PyList_AsTuple(rdn); -@@ -755,7 +833,7 @@ static PyObject * - goto fail0; - } - } -- rdn_level = entry->set; -+ rdn_level = X509_NAME_ENTRY_set(entry); - - /* now add this attribute to the current RDN */ - name = X509_NAME_ENTRY_get_object(entry); -@@ -853,18 +931,18 @@ static PyObject * - goto fail; - } - -- p = ext->value->data; -+ p = X509_EXTENSION_get_data(ext)->data; - if (method->it) - names = (GENERAL_NAMES*) - (ASN1_item_d2i(NULL, - &p, -- ext->value->length, -+ X509_EXTENSION_get_data(ext)->length, - ASN1_ITEM_ptr(method->it))); - else - names = (GENERAL_NAMES*) - (method->d2i(NULL, - &p, -- ext->value->length)); -+ X509_EXTENSION_get_data(ext)->length)); - - for(j = 0; j < sk_GENERAL_NAME_num(names); j++) { - /* get a rendering of each name in the set of names */ -@@ -1075,13 +1153,11 @@ static PyObject * - int i, j; - PyObject *lst, *res = NULL; - --#if OPENSSL_VERSION_NUMBER < 0x10001000L -- dps = X509_get_ext_d2i(certificate, NID_crl_distribution_points, NULL, NULL); --#else -+#if OPENSSL_VERSION_NUMBER >= 0x10001000L - /* Calls x509v3_cache_extensions and sets up crldp */ - X509_check_ca(certificate); -- dps = certificate->crldp; - #endif -+ dps = X509_get_ext_d2i(certificate, NID_crl_distribution_points, NULL, NULL); - - if (dps == NULL) - return Py_None; -@@ -1451,14 +1527,13 @@ static PyObject * - _ssl__SSLSocket_shared_ciphers_impl(PySSLSocket *self) - /*[clinic end generated code: output=3d174ead2e42c4fd input=0bfe149da8fe6306]*/ - { -- SSL_SESSION *sess = SSL_get_session(self->ssl); - STACK_OF(SSL_CIPHER) *ciphers; - int i; - PyObject *res; - -- if (!sess || !sess->ciphers) -+ ciphers = SSL_get_ciphers(self->ssl); -+ if (!ciphers) - Py_RETURN_NONE; -- ciphers = sess->ciphers; - res = PyList_New(sk_SSL_CIPHER_num(ciphers)); - if (!res) - return NULL; -@@ -1567,9 +1642,9 @@ static PyObject * - if (self->ssl == NULL) - Py_RETURN_NONE; - comp_method = SSL_get_current_compression(self->ssl); -- if (comp_method == NULL || comp_method->type == NID_undef) -+ if (comp_method == NULL || COMP_get_type(comp_method) == NID_undef) - Py_RETURN_NONE; -- short_name = OBJ_nid2sn(comp_method->type); -+ short_name = COMP_get_name(comp_method); - if (short_name == NULL) - Py_RETURN_NONE; - return PyUnicode_DecodeFSDefault(short_name); -@@ -2255,8 +2330,8 @@ static PyObject * - else if (proto_version == PY_SSL_VERSION_SSL2) - ctx = SSL_CTX_new(SSLv2_method()); - #endif -- else if (proto_version == PY_SSL_VERSION_SSL23) -- ctx = SSL_CTX_new(SSLv23_method()); -+ else if (proto_version == PY_SSL_VERSION_TLS) -+ ctx = SSL_CTX_new(TLS_method()); - else - proto_version = -1; - PySSL_END_ALLOW_THREADS -@@ -2318,8 +2393,9 @@ static PyObject * - #ifndef OPENSSL_NO_ECDH - /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use - prime256v1 by default. This is Apache mod_ssl's initialization -- policy, so we should be safe. */ --#if defined(SSL_CTX_set_ecdh_auto) -+ policy, so we should be safe. OpenSSL 1.1 has it enabled by default. -+ */ -+#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1) - SSL_CTX_set_ecdh_auto(self->ctx, 1); - #else - { -@@ -2586,10 +2662,12 @@ static PyObject * - get_verify_flags(PySSLContext *self, void *c) - { - X509_STORE *store; -+ X509_VERIFY_PARAM *param; - unsigned long flags; - - store = SSL_CTX_get_cert_store(self->ctx); -- flags = X509_VERIFY_PARAM_get_flags(store->param); -+ param = X509_STORE_get0_param(store); -+ flags = X509_VERIFY_PARAM_get_flags(param); - return PyLong_FromUnsignedLong(flags); - } - -@@ -2597,22 +2675,24 @@ static int - set_verify_flags(PySSLContext *self, PyObject *arg, void *c) - { - X509_STORE *store; -+ X509_VERIFY_PARAM *param; - unsigned long new_flags, flags, set, clear; - - if (!PyArg_Parse(arg, "k", &new_flags)) - return -1; - store = SSL_CTX_get_cert_store(self->ctx); -- flags = X509_VERIFY_PARAM_get_flags(store->param); -+ param = X509_STORE_get0_param(store); -+ flags = X509_VERIFY_PARAM_get_flags(param); - clear = flags & ~new_flags; - set = ~flags & new_flags; - if (clear) { -- if (!X509_VERIFY_PARAM_clear_flags(store->param, clear)) { -+ if (!X509_VERIFY_PARAM_clear_flags(param, clear)) { - _setSSLError(NULL, 0, __FILE__, __LINE__); - return -1; - } - } - if (set) { -- if (!X509_VERIFY_PARAM_set_flags(store->param, set)) { -+ if (!X509_VERIFY_PARAM_set_flags(param, set)) { - _setSSLError(NULL, 0, __FILE__, __LINE__); - return -1; - } -@@ -2789,8 +2869,8 @@ static PyObject * - /*[clinic end generated code: output=9480bc1c380e2095 input=7cf9ac673cbee6fc]*/ - { - PyObject *certfile_bytes = NULL, *keyfile_bytes = NULL; -- pem_password_cb *orig_passwd_cb = self->ctx->default_passwd_callback; -- void *orig_passwd_userdata = self->ctx->default_passwd_callback_userdata; -+ pem_password_cb *orig_passwd_cb = SSL_CTX_get_default_passwd_cb(self->ctx); -+ void *orig_passwd_userdata = SSL_CTX_get_default_passwd_cb_userdata(self->ctx); - _PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 }; - int r; - -@@ -2917,8 +2997,9 @@ static int - cert = d2i_X509_bio(biobuf, NULL); - } else { - cert = PEM_read_bio_X509(biobuf, NULL, -- self->ctx->default_passwd_callback, -- self->ctx->default_passwd_callback_userdata); -+ SSL_CTX_get_default_passwd_cb(self->ctx), -+ SSL_CTX_get_default_passwd_cb_userdata(self->ctx) -+ ); - } - if (cert == NULL) { - break; -@@ -3444,25 +3525,24 @@ static PyObject * - /*[clinic end generated code: output=5f356f4d9cca874d input=eb40dd0f6d0e40cf]*/ - { - X509_STORE *store; -+ STACK_OF(X509_OBJECT) *objs; - X509_OBJECT *obj; -- int x509 = 0, crl = 0, pkey = 0, ca = 0, i; -+ int x509 = 0, crl = 0, ca = 0, i; - - store = SSL_CTX_get_cert_store(self->ctx); -- for (i = 0; i < sk_X509_OBJECT_num(store->objs); i++) { -- obj = sk_X509_OBJECT_value(store->objs, i); -- switch (obj->type) { -+ objs = X509_STORE_get0_objects(store); -+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { -+ obj = sk_X509_OBJECT_value(objs, i); -+ switch (X509_OBJECT_get_type(obj)) { - case X509_LU_X509: - x509++; -- if (X509_check_ca(obj->data.x509)) { -+ if (X509_check_ca(X509_OBJECT_get0_X509(obj))) { - ca++; - } - break; - case X509_LU_CRL: - crl++; - break; -- case X509_LU_PKEY: -- pkey++; -- break; - default: - /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY. - * As far as I can tell they are internal states and never -@@ -3492,6 +3572,7 @@ static PyObject * - /*[clinic end generated code: output=0d58f148f37e2938 input=6887b5a09b7f9076]*/ - { - X509_STORE *store; -+ STACK_OF(X509_OBJECT) *objs; - PyObject *ci = NULL, *rlist = NULL; - int i; - -@@ -3500,17 +3581,18 @@ static PyObject * - } - - store = SSL_CTX_get_cert_store(self->ctx); -- for (i = 0; i < sk_X509_OBJECT_num(store->objs); i++) { -+ objs = X509_STORE_get0_objects(store); -+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { - X509_OBJECT *obj; - X509 *cert; - -- obj = sk_X509_OBJECT_value(store->objs, i); -- if (obj->type != X509_LU_X509) { -+ obj = sk_X509_OBJECT_value(objs, i); -+ if (X509_OBJECT_get_type(obj) != X509_LU_X509) { - /* not a x509 cert */ - continue; - } - /* CA for any purpose */ -- cert = obj->data.x509; -+ cert = X509_OBJECT_get0_X509(obj); - if (!X509_check_ca(cert)) { - continue; - } -@@ -4374,10 +4456,12 @@ static PyMethodDef PySSL_methods[] = { - }; - - --#ifdef WITH_THREAD -+#ifdef HAVE_OPENSSL_CRYPTO_LOCK - - /* an implementation of OpenSSL threading operations in terms -- of the Python C thread library */ -+ * of the Python C thread library -+ * Only used up to 1.0.2. OpenSSL 1.1.0+ has its own locking code. -+ */ - - static PyThread_type_lock *_ssl_locks = NULL; - -@@ -4458,7 +4542,7 @@ static int _setup_ssl_threads(void) { - return 1; - } - --#endif /* def HAVE_THREAD */ -+#endif /* HAVE_OPENSSL_CRYPTO_LOCK for WITH_THREAD && OpenSSL < 1.1.0 */ - - PyDoc_STRVAR(module_doc, - "Implementation module for SSL socket operations. See the socket module\n\ -@@ -4527,11 +4611,16 @@ PyInit__ssl(void) - SSL_load_error_strings(); - SSL_library_init(); - #ifdef WITH_THREAD -+#ifdef HAVE_OPENSSL_CRYPTO_LOCK - /* note that this will start threading if not already started */ - if (!_setup_ssl_threads()) { - return NULL; - } -+#elif OPENSSL_VERSION_1_1 && defined(OPENSSL_THREADS) -+ /* OpenSSL 1.1.0 builtin thread support is enabled */ -+ _ssl_locks_count++; - #endif -+#endif /* WITH_THREAD */ - OpenSSL_add_all_algorithms(); - - /* Add symbols to module dict */ -@@ -4678,7 +4767,9 @@ PyInit__ssl(void) - PY_SSL_VERSION_SSL3); - #endif - PyModule_AddIntConstant(m, "PROTOCOL_SSLv23", -- PY_SSL_VERSION_SSL23); -+ PY_SSL_VERSION_TLS); -+ PyModule_AddIntConstant(m, "PROTOCOL_TLS", -+ PY_SSL_VERSION_TLS); - PyModule_AddIntConstant(m, "PROTOCOL_TLSv1", - PY_SSL_VERSION_TLS1); - #if HAVE_TLSv1_2 - -diff --git a/Modules/_ssl.c b/Modules/_ssl.c ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -151,11 +151,6 @@ static int COMP_get_type(const COMP_METH - { - return meth->type; - } -- --static const char *COMP_get_name(const COMP_METHOD *meth) --{ -- return meth->name; --} - #endif - - static pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) -@@ -1644,7 +1639,7 @@ static PyObject * - comp_method = SSL_get_current_compression(self->ssl); - if (comp_method == NULL || COMP_get_type(comp_method) == NID_undef) - Py_RETURN_NONE; -- short_name = COMP_get_name(comp_method); -+ short_name = OBJ_nid2sn(COMP_get_type(comp_method)); - if (short_name == NULL) - Py_RETURN_NONE; - return PyUnicode_DecodeFSDefault(short_name); diff --git a/python3.spec b/python3.spec index 6f2a462..b0d8d7a 100644 --- a/python3.spec +++ b/python3.spec @@ -395,20 +395,6 @@ Patch205: 00205-make-libpl-respect-lib64.patch # by debian but fedora infra uses only eabi without hf Patch206: 00206-remove-hf-from-arm-triplet.patch -# 00209 # -# Fix test breakage with version 2.2.0 of Expat -# rhbz#1353918: https://bugzilla.redhat.com/show_bug.cgi?id=1353918 -# FIXED UPSTREAM: http://bugs.python.org/issue27369 -Patch209: 00209-fix-test-pyexpat-failure.patch - -# 00242 # -# HTTPoxy attack (CVE-2016-1000110) -# https://httpoxy.org/ -# FIXED UPSTREAM: http://bugs.python.org/issue27568 -# Based on a patch by RĂ©mi Rampin -# Resolves: rhbz#1359177 -Patch242: 00242-CVE-2016-1000110-httpoxy.patch - # 00243 # # Fix the triplet used on 64-bit MIPS # rhbz#1322526: https://bugzilla.redhat.com/show_bug.cgi?id=1322526 @@ -416,13 +402,6 @@ Patch242: 00242-CVE-2016-1000110-httpoxy.patch # Fedora needs the default mips64-linux-gnu Patch243: 00243-fix-mips64-triplet.patch -# 00247 # -# Port ssl and hashlib modules to OpenSSL 1.1.0. -# As of F26, OpenSSL is rebased to 1.1.0, so in order for python -# to not FTBFS we need to backport this patch from 3.5.3 -# FIXED UPSTREAM: https://bugs.python.org/issue26470 -Patch247: 00247-port-ssl-and-hashlib-to-OpenSSL-1.1.0.patch - # (New patches go here ^^^) # # When adding new patches to "python" and "python3" in Fedora, EL, etc., @@ -641,13 +620,13 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en %patch111 -p1 %patch132 -p1 %patch137 -p1 -%patch143 -p1 -b .tsc-on-ppc +#patch143 -p1 -b .tsc-on-ppc #patch146 -p1 %patch155 -p1 %patch157 -p1 %patch160 -p1 %patch163 -p1 -%patch170 -p0 +%patch170 -p1 %patch178 -p1 %patch180 -p1 %patch184 -p1 @@ -660,10 +639,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en %patch205 -p1 %patch206 -p1 -%patch209 -p1 -%patch242 -p1 %patch243 -p1 -%patch247 -p1 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there # are many differences between 2.6 and the Python 3 library.