Port ssl and hashlib modules to OpenSSL 1.1.0 and drop hashlib patch

Charalampos Stratakis 2016-10-12 16:52:17 +02:00
parent 55d65adde0
commit f7bd058f3c
2 changed files with 189 additions and 158 deletions

@ -1,20 +1,15 @@
diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl.rst
--- Python-3.5.2/Doc/library/ssl.rst.openssl11 2016-06-25 23:38:35.000000000 +0200
+++ Python-3.5.2/Doc/library/ssl.rst 2016-10-10 16:34:37.695049119 +0200
@@ -49,6 +49,12 @@ For more sophisticated applications, the
helps manage settings and certificates, which can then be inherited
by SSL sockets created through the :meth:`SSLContext.wrap_socket` method.
+.. versionchanged:: 3.6 # HG changeset patch
+ # User Christian Heimes <christian@python.org>
+ OpenSSL 0.9.8, 1.0.0 and 1.0.1 are deprecated and no longer supported. # Date 1473110345 -7200
+ In the future the ssl module will require at least OpenSSL 1.0.2 or # Node ID 5c75b315152b714f7c84258ea511b461e2c06154
+ 1.1.0. # Parent 82467d0dbaea31a7971d1429ca5f4a251a995f33
+ Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.
Functions, Constants, and Exceptions diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
------------------------------------ --- a/Doc/library/ssl.rst
@@ -178,7 +184,7 @@ instead. +++ b/Doc/library/ssl.rst
@@ -178,7 +178,7 @@ instead.
use. Typically, the server chooses a particular protocol version, and the use. Typically, the server chooses a particular protocol version, and the
client must adapt to the server's choice. Most of the versions are not client must adapt to the server's choice. Most of the versions are not
interoperable with the other versions. If not specified, the default is interoperable with the other versions. If not specified, the default is
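Review bot: The new version of the patch drops the `.. versionchanged:: 3.6` block (the `@@ -49,6 +49,12 @@` hunk stating that OpenSSL 0.9.8, 1.0.0 and 1.0.1 are deprecated and that a future ssl module will require 1.0.2 or 1.1.0) and starts instead with the HG changeset header and the `Issue #26470` line; the later hunk offsets shifting from `+184` to `+178` confirm the six-line removal. If leaving that note out is intended for the 3.5.x backport, say so in the commit message, since the remaining `deprecated:: 3.5.3` directives no longer tell readers which OpenSSL versions are still supported.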
@ -23,7 +18,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
versions. versions.
Here's a table showing which versions in a client (down the side) can connect Here's a table showing which versions in a client (down the side) can connect
@@ -187,11 +193,11 @@ instead. @@ -187,11 +187,11 @@ instead.
.. table:: .. table::
======================== ========= ========= ========== ========= =========== =========== ======================== ========= ========= ========== ========= =========== ===========
@ -37,7 +32,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
*TLSv1* no no yes yes no no *TLSv1* no no yes yes no no
*TLSv1.1* no no yes no yes no *TLSv1.1* no no yes no yes no
*TLSv1.2* no no yes no no yes *TLSv1.2* no no yes no no yes
@@ -244,7 +250,7 @@ purposes. @@ -244,7 +244,7 @@ purposes.
:const:`None`, this function can choose to trust the system's default :const:`None`, this function can choose to trust the system's default
CA certificates instead. CA certificates instead.
@ -46,11 +41,11 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
:data:`OP_NO_SSLv3` with high encryption cipher suites without RC4 and :data:`OP_NO_SSLv3` with high encryption cipher suites without RC4 and
without unauthenticated cipher suites. Passing :data:`~Purpose.SERVER_AUTH` without unauthenticated cipher suites. Passing :data:`~Purpose.SERVER_AUTH`
as *purpose* sets :data:`~SSLContext.verify_mode` to :data:`CERT_REQUIRED` as *purpose* sets :data:`~SSLContext.verify_mode` to :data:`CERT_REQUIRED`
@@ -316,6 +322,11 @@ Random generation @@ -316,6 +316,11 @@ Random generation
.. versionadded:: 3.3 .. versionadded:: 3.3
+ .. deprecated:: 3.6 + .. deprecated:: 3.5.3
+ +
+ OpenSSL has deprecated :func:`ssl.RAND_pseudo_bytes`, use + OpenSSL has deprecated :func:`ssl.RAND_pseudo_bytes`, use
+ :func:`ssl.RAND_bytes` instead. + :func:`ssl.RAND_bytes` instead.
@ -58,7 +53,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. function:: RAND_status() .. function:: RAND_status()
Return ``True`` if the SSL pseudo-random number generator has been seeded Return ``True`` if the SSL pseudo-random number generator has been seeded
@@ -334,7 +345,7 @@ Random generation @@ -334,7 +339,7 @@ Random generation
See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources
of entropy-gathering daemons. of entropy-gathering daemons.
@ -67,7 +62,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. function:: RAND_add(bytes, entropy) .. function:: RAND_add(bytes, entropy)
@@ -409,7 +420,7 @@ Certificate handling @@ -409,7 +414,7 @@ Certificate handling
previously. Return an integer (no fractions of a second in the previously. Return an integer (no fractions of a second in the
input format) input format)
@ -76,7 +71,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
Given the address ``addr`` of an SSL-protected server, as a (*hostname*, Given the address ``addr`` of an SSL-protected server, as a (*hostname*,
*port-number*) pair, fetches the server's certificate, and returns it as a *port-number*) pair, fetches the server's certificate, and returns it as a
@@ -425,7 +436,7 @@ Certificate handling @@ -425,7 +430,7 @@ Certificate handling
.. versionchanged:: 3.5 .. versionchanged:: 3.5
The default *ssl_version* is changed from :data:`PROTOCOL_SSLv3` to The default *ssl_version* is changed from :data:`PROTOCOL_SSLv3` to
@ -85,7 +80,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. function:: DER_cert_to_PEM_cert(DER_cert_bytes) .. function:: DER_cert_to_PEM_cert(DER_cert_bytes)
@@ -451,6 +462,9 @@ Certificate handling @@ -451,6 +456,9 @@ Certificate handling
* :attr:`openssl_capath_env` - OpenSSL's environment key that points to a capath, * :attr:`openssl_capath_env` - OpenSSL's environment key that points to a capath,
* :attr:`openssl_capath` - hard coded path to a capath directory * :attr:`openssl_capath` - hard coded path to a capath directory
@ -95,7 +90,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. versionadded:: 3.4 .. versionadded:: 3.4
.. function:: enum_certificates(store_name) .. function:: enum_certificates(store_name)
@@ -568,11 +582,21 @@ Constants @@ -568,11 +576,21 @@ Constants
.. versionadded:: 3.4.4 .. versionadded:: 3.4.4
@ -105,35 +100,35 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
Selects the highest protocol version that both the client and server support. Selects the highest protocol version that both the client and server support.
Despite the name, this option can select "TLS" protocols as well as "SSL". Despite the name, this option can select "TLS" protocols as well as "SSL".
+ .. versionadded:: 3.6 + .. versionadded:: 3.5.3
+ +
+.. data:: PROTOCOL_SSLv23 +.. data:: PROTOCOL_SSLv23
+ +
+ Alias for data:`PROTOCOL_TLS`. + Alias for data:`PROTOCOL_TLS`.
+ +
+ .. deprecated:: 3.6 + .. deprecated:: 3.5.3
+ +
+ Use data:`PROTOCOL_TLS` instead. + Use data:`PROTOCOL_TLS` instead.
+ +
.. data:: PROTOCOL_SSLv2 .. data:: PROTOCOL_SSLv2
Selects SSL version 2 as the channel encryption protocol. Selects SSL version 2 as the channel encryption protocol.
@@ -584,6 +608,10 @@ Constants @@ -584,6 +602,10 @@ Constants
SSL version 2 is insecure. Its use is highly discouraged. SSL version 2 is insecure. Its use is highly discouraged.
+ .. deprecated:: 3.6 + .. deprecated:: 3.5.3
+ +
+ OpenSSL has removed support for SSLv2. + OpenSSL has removed support for SSLv2.
+ +
.. data:: PROTOCOL_SSLv3 .. data:: PROTOCOL_SSLv3
Selects SSL version 3 as the channel encryption protocol. Selects SSL version 3 as the channel encryption protocol.
@@ -595,10 +623,20 @@ Constants @@ -595,10 +617,20 @@ Constants
SSL version 3 is insecure. Its use is highly discouraged. SSL version 3 is insecure. Its use is highly discouraged.
+ .. deprecated:: 3.6 + .. deprecated:: 3.5.3
+ +
+ OpenSSL has deprecated all version specific protocols. Use the default + OpenSSL has deprecated all version specific protocols. Use the default
+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. + protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead.
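Review bot: `Alias for data:`PROTOCOL_TLS`.`, `Use data:`PROTOCOL_TLS` instead.` and `protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3`` are missing the leading colon on the reST role, so Sphinx renders them as literal text instead of cross-references; the same spelling is carried into the deprecation notes of the following TLSv1, TLSv1_1 and TLSv1_2 hunks. Suggest `:data:`PROTOCOL_TLS`` and `:data:`OP_NO_SSLv3``, matching the `:data:` usage elsewhere in this file. The text is inherited unchanged from the upstream changeset, so it is worth fixing on both sides of this diff.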
@ -142,7 +137,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
Selects TLS version 1.0 as the channel encryption protocol. Selects TLS version 1.0 as the channel encryption protocol.
+ .. deprecated:: 3.6 + .. deprecated:: 3.5.3
+ +
+ OpenSSL has deprecated all version specific protocols. Use the default + OpenSSL has deprecated all version specific protocols. Use the default
+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. + protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead.
@ -150,11 +145,11 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. data:: PROTOCOL_TLSv1_1 .. data:: PROTOCOL_TLSv1_1
Selects TLS version 1.1 as the channel encryption protocol. Selects TLS version 1.1 as the channel encryption protocol.
@@ -606,6 +644,11 @@ Constants @@ -606,6 +638,11 @@ Constants
.. versionadded:: 3.4 .. versionadded:: 3.4
+ .. deprecated:: 3.6 + .. deprecated:: 3.5.3
+ +
+ OpenSSL has deprecated all version specific protocols. Use the default + OpenSSL has deprecated all version specific protocols. Use the default
+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. + protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead.
@ -162,11 +157,11 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. data:: PROTOCOL_TLSv1_2 .. data:: PROTOCOL_TLSv1_2
Selects TLS version 1.2 as the channel encryption protocol. This is the Selects TLS version 1.2 as the channel encryption protocol. This is the
@@ -614,6 +657,11 @@ Constants @@ -614,6 +651,11 @@ Constants
.. versionadded:: 3.4 .. versionadded:: 3.4
+ .. deprecated:: 3.6 + .. deprecated:: 3.5.3
+ +
+ OpenSSL has deprecated all version specific protocols. Use the default + OpenSSL has deprecated all version specific protocols. Use the default
+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. + protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead.
@ -174,7 +169,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. data:: OP_ALL .. data:: OP_ALL
Enables workarounds for various bugs present in other SSL implementations. Enables workarounds for various bugs present in other SSL implementations.
@@ -625,23 +673,32 @@ Constants @@ -625,23 +667,32 @@ Constants
.. data:: OP_NO_SSLv2 .. data:: OP_NO_SSLv2
Prevents an SSLv2 connection. This option is only applicable in Prevents an SSLv2 connection. This option is only applicable in
@ -184,7 +179,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. versionadded:: 3.2 .. versionadded:: 3.2
+ .. deprecated:: 3.6 + .. deprecated:: 3.5.3
+ +
+ SSLv2 is deprecated + SSLv2 is deprecated
+ +
@ -198,7 +193,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. versionadded:: 3.2 .. versionadded:: 3.2
+ .. deprecated:: 3.6 + .. deprecated:: 3.5.3
+ +
+ SSLv3 is deprecated + SSLv3 is deprecated
+ +
@ -210,7 +205,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
choosing TLSv1 as the protocol version. choosing TLSv1 as the protocol version.
.. versionadded:: 3.2 .. versionadded:: 3.2
@@ -649,7 +706,7 @@ Constants @@ -649,7 +700,7 @@ Constants
.. data:: OP_NO_TLSv1_1 .. data:: OP_NO_TLSv1_1
Prevents a TLSv1.1 connection. This option is only applicable in conjunction Prevents a TLSv1.1 connection. This option is only applicable in conjunction
@ -219,7 +214,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
the protocol version. Available only with openssl version 1.0.1+. the protocol version. Available only with openssl version 1.0.1+.
.. versionadded:: 3.4 .. versionadded:: 3.4
@@ -657,7 +714,7 @@ Constants @@ -657,7 +708,7 @@ Constants
.. data:: OP_NO_TLSv1_2 .. data:: OP_NO_TLSv1_2
Prevents a TLSv1.2 connection. This option is only applicable in conjunction Prevents a TLSv1.2 connection. This option is only applicable in conjunction
@ -228,14 +223,15 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
the protocol version. Available only with openssl version 1.0.1+. the protocol version. Available only with openssl version 1.0.1+.
.. versionadded:: 3.4 .. versionadded:: 3.4
@@ -1081,17 +1138,21 @@ such as SSL configuration options, certi @@ -1081,17 +1132,21 @@ such as SSL configuration options, certi
It also manages a cache of SSL sessions for server-side sockets, in order It also manages a cache of SSL sessions for server-side sockets, in order
to speed up repeated connections from the same clients. to speed up repeated connections from the same clients.
-.. class:: SSLContext(protocol) -.. class:: SSLContext(protocol)
+.. class:: SSLContext(protocol=PROTOCOL_TLS) -
- Create a new SSL context. You must pass *protocol* which must be one - Create a new SSL context. You must pass *protocol* which must be one
+.. class:: SSLContext(protocol=PROTOCOL_TLS)
+
+ Create a new SSL context. You may pass *protocol* which must be one + Create a new SSL context. You may pass *protocol* which must be one
of the ``PROTOCOL_*`` constants defined in this module. of the ``PROTOCOL_*`` constants defined in this module.
- :data:`PROTOCOL_SSLv23` is currently recommended for maximum - :data:`PROTOCOL_SSLv23` is currently recommended for maximum
@ -247,14 +243,14 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
:func:`create_default_context` lets the :mod:`ssl` module choose :func:`create_default_context` lets the :mod:`ssl` module choose
security settings for a given purpose. security settings for a given purpose.
+ .. versionchanged:: 3.6 + .. versionchanged:: 3.5.3
+ +
+ :data:`PROTOCOL_TLS` is the default value. + :data:`PROTOCOL_TLS` is the default value.
+ +
:class:`SSLContext` objects have the following methods and attributes: :class:`SSLContext` objects have the following methods and attributes:
@@ -1232,6 +1293,9 @@ to speed up repeated connections from th @@ -1232,6 +1287,9 @@ to speed up repeated connections from th
This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is
False. False.
@ -264,7 +260,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
.. versionadded:: 3.5 .. versionadded:: 3.5
.. method:: SSLContext.set_npn_protocols(protocols) .. method:: SSLContext.set_npn_protocols(protocols)
@@ -1598,7 +1662,7 @@ If you prefer to tune security settings @@ -1598,7 +1656,7 @@ If you prefer to tune security settings
a context from scratch (but beware that you might not get the settings a context from scratch (but beware that you might not get the settings
right):: right)::
@ -273,7 +269,7 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
>>> context.verify_mode = ssl.CERT_REQUIRED >>> context.verify_mode = ssl.CERT_REQUIRED
>>> context.check_hostname = True >>> context.check_hostname = True
>>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt") >>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt")
@@ -1999,15 +2063,17 @@ Protocol versions @@ -1999,15 +2057,17 @@ Protocol versions
SSL versions 2 and 3 are considered insecure and are therefore dangerous to SSL versions 2 and 3 are considered insecure and are therefore dangerous to
use. If you want maximum compatibility between clients and servers, it is use. If you want maximum compatibility between clients and servers, it is
@ -286,17 +282,18 @@ diff -up Python-3.5.2/Doc/library/ssl.rst.openssl11 Python-3.5.2/Doc/library/ssl
+ context = ssl.SSLContext(ssl.PROTOCOL_TLS) + context = ssl.SSLContext(ssl.PROTOCOL_TLS)
context.options |= ssl.OP_NO_SSLv2 context.options |= ssl.OP_NO_SSLv2
context.options |= ssl.OP_NO_SSLv3 context.options |= ssl.OP_NO_SSLv3
-
-The SSL context created above will only allow TLSv1 and later (if
+ context.options |= ssl.OP_NO_TLSv1 + context.options |= ssl.OP_NO_TLSv1
+ context.options |= ssl.OP_NO_TLSv1_1 + context.options |= ssl.OP_NO_TLSv1_1
+
-The SSL context created above will only allow TLSv1 and later (if
+The SSL context created above will only allow TLSv1.2 and later (if +The SSL context created above will only allow TLSv1.2 and later (if
supported by your system) connections. supported by your system) connections.
Cipher selection Cipher selection
diff -up Python-3.5.2/Lib/ssl.py.openssl11 Python-3.5.2/Lib/ssl.py diff --git a/Lib/ssl.py b/Lib/ssl.py
--- Python-3.5.2/Lib/ssl.py.openssl11 2016-06-25 23:38:36.000000000 +0200 --- a/Lib/ssl.py
+++ Python-3.5.2/Lib/ssl.py 2016-10-10 16:34:37.695049119 +0200 +++ b/Lib/ssl.py
@@ -51,6 +51,7 @@ The following constants identify various @@ -51,6 +51,7 @@ The following constants identify various
PROTOCOL_SSLv2 PROTOCOL_SSLv2
PROTOCOL_SSLv3 PROTOCOL_SSLv3
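Review bot: `context.options |= ssl.OP_NO_SSLv2` is kept in the "Protocol versions" example even though this patch's own constants hunk documents `OP_NO_SSLv2` as deprecated because OpenSSL has removed SSLv2. Setting it is harmless, but since the example now also adds `OP_NO_TLSv1` and `OP_NO_TLSv1_1` and the sentence is updated to "TLSv1.2 and later", the prose could say that the SSLv2/SSLv3 flags are retained only for older OpenSSL builds, so readers do not take the flag as still doing work on 1.1.0.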
@ -378,9 +375,9 @@ diff -up Python-3.5.2/Lib/ssl.py.openssl11 Python-3.5.2/Lib/ssl.py
"""Retrieve the certificate from the server at the specified address, """Retrieve the certificate from the server at the specified address,
and return it as a PEM-encoded string. and return it as a PEM-encoded string.
If 'ca_certs' is specified, validate the server cert against it. If 'ca_certs' is specified, validate the server cert against it.
diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_ssl.py diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- Python-3.5.2/Lib/test/test_ssl.py.openssl11 2016-06-25 23:38:37.000000000 +0200 --- a/Lib/test/test_ssl.py
+++ Python-3.5.2/Lib/test/test_ssl.py 2016-10-10 16:37:52.812573136 +0200 +++ b/Lib/test/test_ssl.py
@@ -23,6 +23,9 @@ ssl = support.import_module("ssl") @@ -23,6 +23,9 @@ ssl = support.import_module("ssl")
PROTOCOLS = sorted(ssl._PROTOCOL_NAMES) PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
@ -470,7 +467,7 @@ diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_
self.assertTrue(sslobj.getpeercert()) self.assertTrue(sslobj.getpeercert())
if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES: if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
self.assertTrue(sslobj.get_channel_binding('tls-unique')) self.assertTrue(sslobj.get_channel_binding('tls-unique'))
@@ -2980,7 +2985,7 @@ else: @@ -2993,7 +2998,7 @@ else:
with context.wrap_socket(socket.socket()) as s: with context.wrap_socket(socket.socket()) as s:
self.assertIs(s.version(), None) self.assertIs(s.version(), None)
s.connect((HOST, server.port)) s.connect((HOST, server.port))
@ -479,7 +476,7 @@ diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_
self.assertIs(s.version(), None) self.assertIs(s.version(), None)
@unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL") @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
@@ -3122,24 +3127,36 @@ else: @@ -3135,24 +3140,36 @@ else:
(['http/3.0', 'http/4.0'], None) (['http/3.0', 'http/4.0'], None)
] ]
for client_protocols, expected in protocol_tests: for client_protocols, expected in protocol_tests:
@ -493,7 +490,7 @@ diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_
client_context.set_alpn_protocols(client_protocols) client_context.set_alpn_protocols(client_protocols)
- stats = server_params_test(client_context, server_context, - stats = server_params_test(client_context, server_context,
- chatty=True, connectionchatty=True) - chatty=True, connectionchatty=True)
-
- msg = "failed trying %s (s) and %s (c).\n" \ - msg = "failed trying %s (s) and %s (c).\n" \
- "was expecting %s, but got %%s from the %%s" \ - "was expecting %s, but got %%s from the %%s" \
- % (str(server_protocols), str(client_protocols), - % (str(server_protocols), str(client_protocols),
@ -503,6 +500,7 @@ diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_
- server_result = stats['server_alpn_protocols'][-1] \ - server_result = stats['server_alpn_protocols'][-1] \
- if len(stats['server_alpn_protocols']) else 'nothing' - if len(stats['server_alpn_protocols']) else 'nothing'
- self.assertEqual(server_result, expected, msg % (server_result, "server")) - self.assertEqual(server_result, expected, msg % (server_result, "server"))
+
+ try: + try:
+ stats = server_params_test(client_context, + stats = server_params_test(client_context,
+ server_context, + server_context,
@ -529,7 +527,7 @@ diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_
def test_selected_npn_protocol(self): def test_selected_npn_protocol(self):
# selected_npn_protocol() is None unless NPN is used # selected_npn_protocol() is None unless NPN is used
@@ -3287,13 +3304,23 @@ else: @@ -3300,13 +3317,23 @@ else:
client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
client_context.verify_mode = ssl.CERT_REQUIRED client_context.verify_mode = ssl.CERT_REQUIRED
client_context.load_verify_locations(SIGNING_CA) client_context.load_verify_locations(SIGNING_CA)
@ -556,18 +554,19 @@ diff -up Python-3.5.2/Lib/test/test_ssl.py.openssl11 Python-3.5.2/Lib/test/test_
def test_read_write_after_close_raises_valuerror(self): def test_read_write_after_close_raises_valuerror(self):
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_hashopenssl.c
--- Python-3.5.2/Modules/_hashopenssl.c.openssl11 2016-10-10 16:34:15.460533587 +0200 diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
+++ Python-3.5.2/Modules/_hashopenssl.c 2016-10-10 17:07:28.883123976 +0200 --- a/Modules/_hashopenssl.c
@@ -23,7 +23,6 @@ +++ b/Modules/_hashopenssl.c
#include <openssl/ssl.h> @@ -21,7 +21,6 @@
#include <openssl/err.h>
/* EVP is the preferred interface to hashing in OpenSSL */
#include <openssl/evp.h> #include <openssl/evp.h>
-#include <openssl/hmac.h> -#include <openssl/hmac.h>
/* We use the object interface to discover what hashes OpenSSL supports. */ /* We use the object interface to discover what hashes OpenSSL supports. */
#include <openssl/objects.h> #include <openssl/objects.h>
#include "openssl/err.h" #include "openssl/err.h"
@@ -34,11 +33,22 @@ @@ -32,11 +31,22 @@
#define HASH_OBJ_CONSTRUCTOR 0 #define HASH_OBJ_CONSTRUCTOR 0
#endif #endif
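Review bot: `-#include <openssl/hmac.h>` is removed here, yet `HMAC_CTX_cleanup(&hctx_tpl);` still appears as unchanged context in the `PKCS5_PBKDF2_HMAC_fast` hunk further down. Confirm that the remaining HMAC call sites are compiled out under an OpenSSL version check for 1.1.0, or that `hmac.h` is still reached through `openssl/evp.h`; otherwise the module will fail to compile against 1.1.0 and nothing in this patch shows the guard.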
@ -591,17 +590,15 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
#ifdef WITH_THREAD #ifdef WITH_THREAD
PyThread_type_lock lock; /* OpenSSL context lock */ PyThread_type_lock lock; /* OpenSSL context lock */
#endif #endif
@@ -51,9 +61,6 @@ static PyTypeObject EVPtype; @@ -48,7 +58,6 @@ static PyTypeObject EVPtype;
We have one of these per algorithm */
typedef struct { #define DEFINE_CONSTS_FOR_NEW(Name) \
PyObject *name_obj; static PyObject *CONST_ ## Name ## _name_obj = NULL; \
- EVP_MD_CTX ctxs[2]; - static EVP_MD_CTX CONST_new_ ## Name ## _ctx; \
- /* ctx_ptrs will point to ctxs unless an error occurred, when it will static EVP_MD_CTX *CONST_new_ ## Name ## _ctx_p = NULL;
- be NULL: */
EVP_MD_CTX *ctx_ptrs[2]; DEFINE_CONSTS_FOR_NEW(md5)
PyObject *error_msgs[2]; @@ -59,19 +68,57 @@ DEFINE_CONSTS_FOR_NEW(sha384)
} EVPCachedInfo;
@@ -69,19 +76,57 @@ DEFINE_CONSTS_FOR_NEW(sha384)
DEFINE_CONSTS_FOR_NEW(sha512) DEFINE_CONSTS_FOR_NEW(sha512)
@ -664,7 +661,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
return retval; return retval;
} }
@@ -96,7 +141,7 @@ EVP_hash(EVPobject *self, const void *vp @@ -86,7 +133,7 @@ EVP_hash(EVPobject *self, const void *vp
process = MUNCH_SIZE; process = MUNCH_SIZE;
else else
process = Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int); process = Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int);
@ -673,7 +670,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
len -= process; len -= process;
cp += process; cp += process;
} }
@@ -153,16 +198,19 @@ EVP_dealloc(EVPobject *self) @@ -101,16 +148,19 @@ EVP_dealloc(EVPobject *self)
if (self->lock != NULL) if (self->lock != NULL)
PyThread_free_lock(self->lock); PyThread_free_lock(self->lock);
#endif #endif
@ -696,7 +693,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
} }
/* External methods for a hash object */ /* External methods for a hash object */
@@ -178,7 +226,9 @@ EVP_copy(EVPobject *self, PyObject *unus @@ -126,7 +176,9 @@ EVP_copy(EVPobject *self, PyObject *unus
if ( (newobj = newEVPobject(self->name))==NULL) if ( (newobj = newEVPobject(self->name))==NULL)
return NULL; return NULL;
@ -707,7 +704,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
return (PyObject *)newobj; return (PyObject *)newobj;
} }
@@ -189,16 +239,24 @@ static PyObject * @@ -137,16 +189,24 @@ static PyObject *
EVP_digest(EVPobject *self, PyObject *unused) EVP_digest(EVPobject *self, PyObject *unused)
{ {
unsigned char digest[EVP_MAX_MD_SIZE]; unsigned char digest[EVP_MAX_MD_SIZE];
@ -737,7 +734,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
return retval; return retval;
} }
@@ -209,15 +267,23 @@ static PyObject * @@ -157,15 +217,23 @@ static PyObject *
EVP_hexdigest(EVPobject *self, PyObject *unused) EVP_hexdigest(EVPobject *self, PyObject *unused)
{ {
unsigned char digest[EVP_MAX_MD_SIZE]; unsigned char digest[EVP_MAX_MD_SIZE];
@ -766,7 +763,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
return _Py_strhex((const char *)digest, digest_size); return _Py_strhex((const char *)digest, digest_size);
} }
@@ -271,7 +337,7 @@ static PyObject * @@ -219,7 +287,7 @@ static PyObject *
EVP_get_block_size(EVPobject *self, void *closure) EVP_get_block_size(EVPobject *self, void *closure)
{ {
long block_size; long block_size;
@ -775,7 +772,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
return PyLong_FromLong(block_size); return PyLong_FromLong(block_size);
} }
@@ -279,7 +345,7 @@ static PyObject * @@ -227,7 +295,7 @@ static PyObject *
EVP_get_digest_size(EVPobject *self, void *closure) EVP_get_digest_size(EVPobject *self, void *closure)
{ {
long size; long size;
@ -784,32 +781,28 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
return PyLong_FromLong(size); return PyLong_FromLong(size);
} }
@@ -341,8 +407,8 @@ EVP_tp_init(EVPobject *self, PyObject *a @@ -288,7 +356,7 @@ EVP_tp_init(EVPobject *self, PyObject *a
PyBuffer_Release(&view); PyBuffer_Release(&view);
return -1; return -1;
} }
- mc_ctx_init(&self->ctx, usedforsecurity); - EVP_DigestInit(&self->ctx, digest);
- if (!EVP_DigestInit_ex(&self->ctx, digest, NULL)) { + EVP_DigestInit(self->ctx, digest);
+ mc_ctx_init(self->ctx, usedforsecurity);
+ if (!EVP_DigestInit_ex(self->ctx, digest, NULL)) { self->name = name_obj;
set_evp_exception(); Py_INCREF(self->name);
PyBuffer_Release(&view); @@ -385,9 +453,9 @@ EVPnew(PyObject *name_obj,
return -1;
@@ -444,10 +510,10 @@ EVPnew(PyObject *name_obj,
return NULL; return NULL;
if (initial_ctx) { if (initial_ctx) {
- EVP_MD_CTX_copy(&self->ctx, initial_ctx); - EVP_MD_CTX_copy(&self->ctx, initial_ctx);
+ EVP_MD_CTX_copy(self->ctx, initial_ctx); + EVP_MD_CTX_copy(self->ctx, initial_ctx);
} else { } else {
- mc_ctx_init(&self->ctx, usedforsecurity); - EVP_DigestInit(&self->ctx, digest);
- if (!EVP_DigestInit_ex(&self->ctx, digest, NULL)) { + EVP_DigestInit(self->ctx, digest);
+ mc_ctx_init(self->ctx, usedforsecurity); }
+ if (!EVP_DigestInit_ex(self->ctx, digest, NULL)) {
set_evp_exception(); if (cp && len) {
Py_DECREF(self); @@ -453,6 +521,7 @@ EVP_new(PyObject *self, PyObject *args,
return NULL;
@@ -526,6 +592,7 @@ EVP_new(PyObject *self, PyObject *args,
#define PY_PBKDF2_HMAC 1 #define PY_PBKDF2_HMAC 1
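Review bot: The replacement lines `+ EVP_DigestInit(self->ctx, digest);` in both `EVP_tp_init` and `EVPnew` discard the return value, whereas the lines they replace (`if (!EVP_DigestInit_ex(self->ctx, digest, NULL)) { set_evp_exception(); ... return -1; }`) raised on failure. This restores the unchecked upstream call, so a digest that fails to initialise silently yields a context with no digest set and the error only surfaces later. Suggest keeping `EVP_DigestInit_ex` with its error path and changing only `&self->ctx` to `self->ctx`.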
@ -817,7 +810,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
/* Improved implementation of PKCS5_PBKDF2_HMAC() /* Improved implementation of PKCS5_PBKDF2_HMAC()
* *
* PKCS5_PBKDF2_HMAC_fast() hashes the password exactly one time instead of * PKCS5_PBKDF2_HMAC_fast() hashes the password exactly one time instead of
@@ -607,37 +674,8 @@ PKCS5_PBKDF2_HMAC_fast(const char *pass, @@ -534,37 +603,8 @@ PKCS5_PBKDF2_HMAC_fast(const char *pass,
HMAC_CTX_cleanup(&hctx_tpl); HMAC_CTX_cleanup(&hctx_tpl);
return 1; return 1;
} }
@ -856,7 +849,7 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
PyDoc_STRVAR(pbkdf2_hmac__doc__, PyDoc_STRVAR(pbkdf2_hmac__doc__,
"pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) -> key\n\ "pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) -> key\n\
@@ -719,10 +757,17 @@ pbkdf2_hmac(PyObject *self, PyObject *ar @@ -646,10 +686,17 @@ pbkdf2_hmac(PyObject *self, PyObject *ar
key = PyBytes_AS_STRING(key_obj); key = PyBytes_AS_STRING(key_obj);
Py_BEGIN_ALLOW_THREADS Py_BEGIN_ALLOW_THREADS
@ -874,29 +867,18 @@ diff -up Python-3.5.2/Modules/_hashopenssl.c.openssl11 Python-3.5.2/Modules/_has
Py_END_ALLOW_THREADS Py_END_ALLOW_THREADS
if (!retval) { if (!retval) {
@@ -890,13 +935,15 @@ init_constructor_constant(EVPCachedInfo @@ -768,7 +815,7 @@ generate_hash_name_list(void)
if (EVP_get_digestbyname(name)) { if (CONST_ ## NAME ## _name_obj == NULL) { \
int i; CONST_ ## NAME ## _name_obj = PyUnicode_FromString(#NAME); \
for (i=0; i<2; i++) { if (EVP_get_digestbyname(#NAME)) { \
- mc_ctx_init(&cached_info->ctxs[i], i); - CONST_new_ ## NAME ## _ctx_p = &CONST_new_ ## NAME ## _ctx; \
- if (EVP_DigestInit_ex(&cached_info->ctxs[i], + CONST_new_ ## NAME ## _ctx_p = EVP_MD_CTX_new(); \
+ cached_info->ctx_ptrs[i] = EVP_MD_CTX_new(); EVP_DigestInit(CONST_new_ ## NAME ## _ctx_p, EVP_get_digestbyname(#NAME)); \
+ if (cached_info->ctx_ptrs[i] == NULL) } \
+ break; } \
+ mc_ctx_init(cached_info->ctx_ptrs[i], i); diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+ if (EVP_DigestInit_ex(cached_info->ctx_ptrs[i], --- a/Modules/_ssl.c
EVP_get_digestbyname(name), NULL)) { +++ b/Modules/_ssl.c
- /* Success: */
- cached_info->ctx_ptrs[i] = &cached_info->ctxs[i];
} else {
/* Failure: */
+ EVP_MD_CTX_free(cached_info->ctx_ptrs[i]);
cached_info->ctx_ptrs[i] = NULL;
cached_info->error_msgs[i] = error_msg_for_last_error();
}
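Review bot: `+ CONST_new_ ## NAME ## _ctx_p = EVP_MD_CTX_new(); \` in the `DEFINE_CONSTS_FOR_NEW` macro is followed directly by `EVP_DigestInit(CONST_new_ ## NAME ## _ctx_p, EVP_get_digestbyname(#NAME));` with no NULL check, whereas the dropped version tested `cached_info->ctx_ptrs[i] == NULL`, broke out, and called `EVP_MD_CTX_free` on the failure path. `EVP_MD_CTX_new()` heap-allocates and can return NULL, so an allocation failure at import time becomes a NULL dereference; suggest adding the NULL test before the init call and freeing the context in the module's teardown.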
diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
--- Python-3.5.2/Modules/_ssl.c.openssl11 2016-06-25 23:38:38.000000000 +0200
+++ Python-3.5.2/Modules/_ssl.c 2016-10-10 16:34:37.699049212 +0200
@@ -55,6 +55,14 @@ static PySocketModule_APIObject PySocket @@ -55,6 +55,14 @@ static PySocketModule_APIObject PySocket
#include <sys/poll.h> #include <sys/poll.h>
#endif #endif
@ -923,7 +905,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
/* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1 /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
http://www.openssl.org/news/changelog.html http://www.openssl.org/news/changelog.html
*/ */
@@ -113,6 +125,72 @@ struct py_ssl_library_code { @@ -117,6 +129,72 @@ struct py_ssl_library_code {
# define HAVE_ALPN # define HAVE_ALPN
#endif #endif
@ -996,7 +978,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
enum py_ssl_error { enum py_ssl_error {
/* these mirror ssl.h */ /* these mirror ssl.h */
PY_SSL_ERROR_NONE, PY_SSL_ERROR_NONE,
@@ -143,7 +221,7 @@ enum py_ssl_cert_requirements { @@ -147,7 +225,7 @@ enum py_ssl_cert_requirements {
enum py_ssl_version { enum py_ssl_version {
PY_SSL_VERSION_SSL2, PY_SSL_VERSION_SSL2,
PY_SSL_VERSION_SSL3=1, PY_SSL_VERSION_SSL3=1,
@ -1005,7 +987,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
#if HAVE_TLSv1_2 #if HAVE_TLSv1_2
PY_SSL_VERSION_TLS1, PY_SSL_VERSION_TLS1,
PY_SSL_VERSION_TLS1_1, PY_SSL_VERSION_TLS1_1,
@@ -524,8 +602,8 @@ newPySSLSocket(PySSLContext *sslctx, PyS @@ -527,8 +605,8 @@ newPySSLSocket(PySSLContext *sslctx, PyS
/* BIOs are reference counted and SSL_set_bio borrows our reference. /* BIOs are reference counted and SSL_set_bio borrows our reference.
* To prevent a double free in memory_bio_dealloc() we need to take an * To prevent a double free in memory_bio_dealloc() we need to take an
* extra reference here. */ * extra reference here. */
@ -1016,7 +998,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
SSL_set_bio(self->ssl, inbio->bio, outbio->bio); SSL_set_bio(self->ssl, inbio->bio, outbio->bio);
} }
mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
@@ -736,7 +814,7 @@ _create_tuple_for_X509_NAME (X509_NAME * @@ -738,7 +816,7 @@ static PyObject *
/* check to see if we've gotten to a new RDN */ /* check to see if we've gotten to a new RDN */
if (rdn_level >= 0) { if (rdn_level >= 0) {
@ -1025,7 +1007,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
/* yes, new RDN */ /* yes, new RDN */
/* add old RDN to DN */ /* add old RDN to DN */
rdnt = PyList_AsTuple(rdn); rdnt = PyList_AsTuple(rdn);
@@ -753,7 +831,7 @@ _create_tuple_for_X509_NAME (X509_NAME * @@ -755,7 +833,7 @@ static PyObject *
goto fail0; goto fail0;
} }
} }
@ -1034,7 +1016,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
/* now add this attribute to the current RDN */ /* now add this attribute to the current RDN */
name = X509_NAME_ENTRY_get_object(entry); name = X509_NAME_ENTRY_get_object(entry);
@@ -851,18 +929,18 @@ _get_peer_alt_names (X509 *certificate) @@ -853,18 +931,18 @@ static PyObject *
goto fail; goto fail;
} }
@ -1056,7 +1038,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
for(j = 0; j < sk_GENERAL_NAME_num(names); j++) { for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
/* get a rendering of each name in the set of names */ /* get a rendering of each name in the set of names */
@@ -1073,13 +1151,11 @@ _get_crl_dp(X509 *certificate) { @@ -1075,13 +1153,11 @@ static PyObject *
int i, j; int i, j;
PyObject *lst, *res = NULL; PyObject *lst, *res = NULL;
@ -1072,7 +1054,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
if (dps == NULL) if (dps == NULL)
return Py_None; return Py_None;
@@ -1449,14 +1525,13 @@ static PyObject * @@ -1451,14 +1527,13 @@ static PyObject *
_ssl__SSLSocket_shared_ciphers_impl(PySSLSocket *self) _ssl__SSLSocket_shared_ciphers_impl(PySSLSocket *self)
/*[clinic end generated code: output=3d174ead2e42c4fd input=0bfe149da8fe6306]*/ /*[clinic end generated code: output=3d174ead2e42c4fd input=0bfe149da8fe6306]*/
{ {
@ -1089,7 +1071,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
res = PyList_New(sk_SSL_CIPHER_num(ciphers)); res = PyList_New(sk_SSL_CIPHER_num(ciphers));
if (!res) if (!res)
return NULL; return NULL;
@@ -1565,9 +1640,9 @@ _ssl__SSLSocket_compression_impl(PySSLSo @@ -1567,9 +1642,9 @@ static PyObject *
if (self->ssl == NULL) if (self->ssl == NULL)
Py_RETURN_NONE; Py_RETURN_NONE;
comp_method = SSL_get_current_compression(self->ssl); comp_method = SSL_get_current_compression(self->ssl);
@ -1101,7 +1083,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
if (short_name == NULL) if (short_name == NULL)
Py_RETURN_NONE; Py_RETURN_NONE;
return PyUnicode_DecodeFSDefault(short_name); return PyUnicode_DecodeFSDefault(short_name);
@@ -2245,8 +2320,8 @@ _ssl__SSLContext_impl(PyTypeObject *type @@ -2255,8 +2330,8 @@ static PyObject *
else if (proto_version == PY_SSL_VERSION_SSL2) else if (proto_version == PY_SSL_VERSION_SSL2)
ctx = SSL_CTX_new(SSLv2_method()); ctx = SSL_CTX_new(SSLv2_method());
#endif #endif
@ -1112,7 +1094,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
else else
proto_version = -1; proto_version = -1;
PySSL_END_ALLOW_THREADS PySSL_END_ALLOW_THREADS
@@ -2308,8 +2383,9 @@ _ssl__SSLContext_impl(PyTypeObject *type @@ -2318,8 +2393,9 @@ static PyObject *
#ifndef OPENSSL_NO_ECDH #ifndef OPENSSL_NO_ECDH
/* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
prime256v1 by default. This is Apache mod_ssl's initialization prime256v1 by default. This is Apache mod_ssl's initialization
@ -1124,7 +1106,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
SSL_CTX_set_ecdh_auto(self->ctx, 1); SSL_CTX_set_ecdh_auto(self->ctx, 1);
#else #else
{ {
@@ -2576,10 +2652,12 @@ static PyObject * @@ -2586,10 +2662,12 @@ static PyObject *
get_verify_flags(PySSLContext *self, void *c) get_verify_flags(PySSLContext *self, void *c)
{ {
X509_STORE *store; X509_STORE *store;
@ -1138,7 +1120,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
return PyLong_FromUnsignedLong(flags); return PyLong_FromUnsignedLong(flags);
} }
@@ -2587,22 +2665,24 @@ static int @@ -2597,22 +2675,24 @@ static int
set_verify_flags(PySSLContext *self, PyObject *arg, void *c) set_verify_flags(PySSLContext *self, PyObject *arg, void *c)
{ {
X509_STORE *store; X509_STORE *store;
@ -1166,7 +1148,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
_setSSLError(NULL, 0, __FILE__, __LINE__); _setSSLError(NULL, 0, __FILE__, __LINE__);
return -1; return -1;
} }
@@ -2779,8 +2859,8 @@ _ssl__SSLContext_load_cert_chain_impl(Py @@ -2789,8 +2869,8 @@ static PyObject *
/*[clinic end generated code: output=9480bc1c380e2095 input=7cf9ac673cbee6fc]*/ /*[clinic end generated code: output=9480bc1c380e2095 input=7cf9ac673cbee6fc]*/
{ {
PyObject *certfile_bytes = NULL, *keyfile_bytes = NULL; PyObject *certfile_bytes = NULL, *keyfile_bytes = NULL;
@ -1177,7 +1159,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
_PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 }; _PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 };
int r; int r;
@@ -2907,8 +2987,9 @@ _add_ca_certs(PySSLContext *self, void * @@ -2917,8 +2997,9 @@ static int
cert = d2i_X509_bio(biobuf, NULL); cert = d2i_X509_bio(biobuf, NULL);
} else { } else {
cert = PEM_read_bio_X509(biobuf, NULL, cert = PEM_read_bio_X509(biobuf, NULL,
@ -1189,7 +1171,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
} }
if (cert == NULL) { if (cert == NULL) {
break; break;
@@ -3434,25 +3515,24 @@ _ssl__SSLContext_cert_store_stats_impl(P @@ -3444,25 +3525,24 @@ static PyObject *
/*[clinic end generated code: output=5f356f4d9cca874d input=eb40dd0f6d0e40cf]*/ /*[clinic end generated code: output=5f356f4d9cca874d input=eb40dd0f6d0e40cf]*/
{ {
X509_STORE *store; X509_STORE *store;
@ -1222,7 +1204,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
default: default:
/* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY. /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY.
* As far as I can tell they are internal states and never * As far as I can tell they are internal states and never
@@ -3482,6 +3562,7 @@ _ssl__SSLContext_get_ca_certs_impl(PySSL @@ -3492,6 +3572,7 @@ static PyObject *
/*[clinic end generated code: output=0d58f148f37e2938 input=6887b5a09b7f9076]*/ /*[clinic end generated code: output=0d58f148f37e2938 input=6887b5a09b7f9076]*/
{ {
X509_STORE *store; X509_STORE *store;
@ -1230,7 +1212,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
PyObject *ci = NULL, *rlist = NULL; PyObject *ci = NULL, *rlist = NULL;
int i; int i;
@@ -3490,17 +3571,18 @@ _ssl__SSLContext_get_ca_certs_impl(PySSL @@ -3500,17 +3581,18 @@ static PyObject *
} }
store = SSL_CTX_get_cert_store(self->ctx); store = SSL_CTX_get_cert_store(self->ctx);
@ -1253,7 +1235,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
if (!X509_check_ca(cert)) { if (!X509_check_ca(cert)) {
continue; continue;
} }
@@ -4364,10 +4446,12 @@ static PyMethodDef PySSL_methods[] = { @@ -4374,10 +4456,12 @@ static PyMethodDef PySSL_methods[] = {
}; };
@ -1268,7 +1250,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
static PyThread_type_lock *_ssl_locks = NULL; static PyThread_type_lock *_ssl_locks = NULL;
@@ -4448,7 +4532,7 @@ static int _setup_ssl_threads(void) { @@ -4458,7 +4542,7 @@ static int _setup_ssl_threads(void) {
return 1; return 1;
} }
@ -1277,7 +1259,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
PyDoc_STRVAR(module_doc, PyDoc_STRVAR(module_doc,
"Implementation module for SSL socket operations. See the socket module\n\ "Implementation module for SSL socket operations. See the socket module\n\
@@ -4517,11 +4601,16 @@ PyInit__ssl(void) @@ -4527,11 +4611,16 @@ PyInit__ssl(void)
SSL_load_error_strings(); SSL_load_error_strings();
SSL_library_init(); SSL_library_init();
#ifdef WITH_THREAD #ifdef WITH_THREAD
@ -1294,7 +1276,7 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
OpenSSL_add_all_algorithms(); OpenSSL_add_all_algorithms();
/* Add symbols to module dict */ /* Add symbols to module dict */
@@ -4668,7 +4757,9 @@ PyInit__ssl(void) @@ -4678,7 +4767,9 @@ PyInit__ssl(void)
PY_SSL_VERSION_SSL3); PY_SSL_VERSION_SSL3);
#endif #endif
PyModule_AddIntConstant(m, "PROTOCOL_SSLv23", PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
@ -1305,3 +1287,28 @@ diff -up Python-3.5.2/Modules/_ssl.c.openssl11 Python-3.5.2/Modules/_ssl.c
PyModule_AddIntConstant(m, "PROTOCOL_TLSv1", PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
PY_SSL_VERSION_TLS1); PY_SSL_VERSION_TLS1);
#if HAVE_TLSv1_2 #if HAVE_TLSv1_2
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -151,11 +151,6 @@ static int COMP_get_type(const COMP_METH
{
return meth->type;
}
-
-static const char *COMP_get_name(const COMP_METHOD *meth)
-{
- return meth->name;
-}
#endif
static pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
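Review bot: dropping the `COMP_get_name` compatibility shim is only safe if every caller on the pre-1.1.0 path is updated; the one visible caller, in `_ssl__SSLSocket_compression_impl`, is switched to `OBJ_nid2sn(COMP_get_type(comp_method))` in the next hunk, so that is covered. `COMP_get_type` stays inside the same `#endif` block whose opening condition lies outside this hunk, so confirm it is still defined for the builds that need it. A one-line comment above `COMP_get_type` saying the name accessor was removed in favour of `OBJ_nid2sn` would help whoever rebases this patch next.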
@@ -1644,7 +1639,7 @@ static PyObject *
comp_method = SSL_get_current_compression(self->ssl);
if (comp_method == NULL || COMP_get_type(comp_method) == NID_undef)
Py_RETURN_NONE;
- short_name = COMP_get_name(comp_method);
+ short_name = OBJ_nid2sn(COMP_get_type(comp_method));
if (short_name == NULL)
Py_RETURN_NONE;
return PyUnicode_DecodeFSDefault(short_name);
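Review bot: `OBJ_nid2sn(COMP_get_type(comp_method))` changes what `compression()` returns: it is now the short name registered for the NID in OpenSSL's object table rather than the method's own `name` field, so the string callers see may differ from the old `meth->name` value and any test that asserts on the exact string should be re-checked. The `if (short_name == NULL) Py_RETURN_NONE;` that follows does cover `OBJ_nid2sn` returning NULL for an unregistered NID, which is the right failure handling here.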


@ -112,7 +112,7 @@
Summary: Version 3 of the Python programming language aka Python 3000 Summary: Version 3 of the Python programming language aka Python 3000
Name: python3 Name: python3
Version: %{pybasever}.2 Version: %{pybasever}.2
Release: 5%{?dist} Release: 6%{?dist}
License: Python License: Python
Group: Development/Languages Group: Development/Languages
@ -413,8 +413,12 @@ Patch242: 00242-CVE-2016-1000110-httpoxy.patch
# Fedora needs the default mips64-linux-gnu # Fedora needs the default mips64-linux-gnu
Patch243: 00243-fix-mips64-triplet.patch Patch243: 00243-fix-mips64-triplet.patch
# Make it build with OpenSSL-1.1.0 based on upstream patch # 00247 #
Patch244: Python-3.5.2-openssl11.patch # Port ssl and hashlib modules to OpenSSL 1.1.0.
# As of F26, OpenSSL is rebased to 1.1.0, so in order for python
# to not FTBFS we need to backport this patch from 3.5.3
# FIXED UPSTREAM: https://bugs.python.org/issue26470
Patch247: 00247-port-ssl-and-hashlib-to-OpenSSL-1.1.0.patch
# (New patches go here ^^^) # (New patches go here ^^^)
# #
@ -605,6 +609,8 @@ done
# Remove embedded copy of zlib: # Remove embedded copy of zlib:
rm -r Modules/zlib || exit 1 rm -r Modules/zlib || exit 1
## Disabling hashlib patch for now as it needs to be reimplemented
## for OpenSSL 1.1.0.
# Don't build upstream Python's implementation of these crypto algorithms; # Don't build upstream Python's implementation of these crypto algorithms;
# instead rely on _hashlib and OpenSSL. # instead rely on _hashlib and OpenSSL.
# #
@ -612,9 +618,9 @@ rm -r Modules/zlib || exit 1
# OpenSSL (and thus respects FIPS mode), and does not fall back to _md5 # OpenSSL (and thus respects FIPS mode), and does not fall back to _md5
# TODO: there seems to be no OpenSSL support in Python for sha3 so far # TODO: there seems to be no OpenSSL support in Python for sha3 so far
# when it is there, also remove _sha3/ dir # when it is there, also remove _sha3/ dir
for f in md5module.c sha1module.c sha256module.c sha512module.c; do #for f in md5module.c sha1module.c sha256module.c sha512module.c; do
rm Modules/$f # rm Modules/$f
done #done
%if 0%{with_rewheel} %if 0%{with_rewheel}
%global pip_version 8.1.2 %global pip_version 8.1.2
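Review bot: with the `for f in md5module.c sha1module.c sha256module.c sha512module.c; do rm Modules/$f; done` loop commented out, the built-in `_md5`, `_sha1`, `_sha256` and `_sha512` modules are built again, so the comment block that still precedes it ("Don't build upstream Python's implementation of these crypto algorithms; instead rely on _hashlib and OpenSSL ... respects FIPS mode, and does not fall back to _md5") now states the opposite of what the spec does. Suggest rewording it to say the fallbacks are temporarily re-enabled until the hashlib patch (`#patch146 -p1`, disabled further down) is reimplemented for OpenSSL 1.1.0, and spelling out the consequence: hashlib can again fall back to the non-OpenSSL implementations for algorithms `_hashlib` does not provide, which is exactly the FIPS-mode behaviour the dropped patch was meant to prevent.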
@ -638,7 +644,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
%patch132 -p1 %patch132 -p1
%patch137 -p1 %patch137 -p1
%patch143 -p1 -b .tsc-on-ppc %patch143 -p1 -b .tsc-on-ppc
%patch146 -p1 #patch146 -p1
%patch155 -p1 %patch155 -p1
%patch157 -p1 %patch157 -p1
%patch160 -p1 %patch160 -p1
@ -659,7 +665,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
%patch209 -p1 %patch209 -p1
%patch242 -p1 %patch242 -p1
%patch243 -p1 %patch243 -p1
%patch244 -p1 %patch247 -p1
# Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
# are many differences between 2.6 and the Python 3 library. # are many differences between 2.6 and the Python 3 library.
@ -1226,6 +1232,12 @@ rm -fr %{buildroot}
%doc LICENSE README %doc LICENSE README
%dir %{pylibdir} %dir %{pylibdir}
%dir %{dynload_dir} %dir %{dynload_dir}
%{dynload_dir}/_md5.%{SOABI_optimized}.so
%{dynload_dir}/_sha256.%{SOABI_optimized}.so
%{dynload_dir}/_sha512.%{SOABI_optimized}.so
%{dynload_dir}/_sha1.%{SOABI_optimized}.so
%{dynload_dir}/_bisect.%{SOABI_optimized}.so %{dynload_dir}/_bisect.%{SOABI_optimized}.so
%{dynload_dir}/_bz2.%{SOABI_optimized}.so %{dynload_dir}/_bz2.%{SOABI_optimized}.so
%{dynload_dir}/_codecs_cn.%{SOABI_optimized}.so %{dynload_dir}/_codecs_cn.%{SOABI_optimized}.so
@ -1448,6 +1460,12 @@ rm -fr %{buildroot}
# Analog of the -libs subpackage's files: # Analog of the -libs subpackage's files:
# ...with debug builds of the built-in "extension" modules: # ...with debug builds of the built-in "extension" modules:
%{dynload_dir}/_md5.%{SOABI_debug}.so
%{dynload_dir}/_sha256.%{SOABI_debug}.so
%{dynload_dir}/_sha512.%{SOABI_debug}.so
%{dynload_dir}/_sha1.%{SOABI_debug}.so
%{dynload_dir}/_bisect.%{SOABI_debug}.so %{dynload_dir}/_bisect.%{SOABI_debug}.so
%{dynload_dir}/_bz2.%{SOABI_debug}.so %{dynload_dir}/_bz2.%{SOABI_debug}.so
%{dynload_dir}/_codecs_cn.%{SOABI_debug}.so %{dynload_dir}/_codecs_cn.%{SOABI_debug}.so
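Review bot: the `_md5`, `_sha1`, `_sha256` and `_sha512` entries added to both the `%{SOABI_optimized}` and `%{SOABI_debug}` `%files` lists exist only because the `rm Modules/$f` loop was commented out earlier in the spec; when the hashlib patch is reinstated, those four lines must be removed from both lists again or the build will fail on the missing files. A comment beside them pointing at the disabled loop would make sure the two places are changed together.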
@ -1559,6 +1577,12 @@ rm -fr %{buildroot}
# ====================================================== # ======================================================
%changelog %changelog
* Wed Oct 12 2016 Charalampos Stratakis <cstratak@redhat.com> - 3.5.2-6
- Use proper patch numbering and base upstream branch for
porting ssl and hashlib modules to OpenSSL 1.1.0
- Drop hashlib patch for now
- Add riscv64 arch to 64bit and no-valgrind arches
* Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> - 3.5.2-5 * Tue Oct 11 2016 Tomáš Mráz <tmraz@redhat.com> - 3.5.2-5
- Make it build with OpenSSL-1.1.0 based on upstream patch - Make it build with OpenSSL-1.1.0 based on upstream patch
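Review bot: the changelog line `Add riscv64 arch to 64bit and no-valgrind arches` has no matching hunk in this diff (no arch `%global` or macro is touched), so either that change is missing from the commit or the entry belongs to another commit; a changelog entry should describe only what the commit actually changes. The other three entries do match the visible hunks (patch renumbered to `Patch247`, `#patch146 -p1` disabled, built-in hash modules re-added to `%files`).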