Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 498600 Details for
Bug 592480
dev-lang/python fails to build with >=dev-libs/openssl-1.1.0
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
python-3.4.6-p1-Port-Python-s-SSL-module-to-OpenSSL-1.1.0.patch
python-3.4.6-p1-Port-Python-s-SSL-module-to-OpenSSL-1.1.0.patch (text/plain), 39.55 KB, created by
Mark Wright
on 2017-10-14 01:20:55 UTC
(
hide
)
Description:
python-3.4.6-p1-Port-Python-s-SSL-module-to-OpenSSL-1.1.0.patch
Filename:
MIME Type:
Creator:
Mark Wright
Created:
2017-10-14 01:20:55 UTC
Size:
39.55 KB
patch
obsolete
>--- Python-3.4.6-orig/Doc/library/ssl.rst 2017-01-17 18:57:38.000000000 +1100 >+++ Python-3.4.6/Doc/library/ssl.rst 2017-10-12 17:31:51.000000000 +1100 >@@ -50,6 +50,12 @@ > helps manage settings and certificates, which can then be inherited > by SSL sockets created through the :meth:`SSLContext.wrap_socket` method. > >+.. versionchanged:: 3.6 >+ >+ OpenSSL 0.9.8, 1.0.0 and 1.0.1 are deprecated and no longer supported. >+ In the future the ssl module will require at least OpenSSL 1.0.2 or >+ 1.1.0. >+ > > Functions, Constants, and Exceptions > ------------------------------------ >@@ -179,7 +185,7 @@ > use. Typically, the server chooses a particular protocol version, and the > client must adapt to the server's choice. Most of the versions are not > interoperable with the other versions. If not specified, the default is >- :data:`PROTOCOL_SSLv23`; it provides the most compatibility with other >+ :data:`PROTOCOL_TLS`; it provides the most compatibility with other > versions. > > Here's a table showing which versions in a client (down the side) can connect >@@ -188,11 +194,11 @@ > .. table:: > > ======================== ========= ========= ========== ========= =========== =========== >- *client* / **server** **SSLv2** **SSLv3** **SSLv23** **TLSv1** **TLSv1.1** **TLSv1.2** >+ *client* / **server** **SSLv2** **SSLv3** **TLS** **TLSv1** **TLSv1.1** **TLSv1.2** > ------------------------ --------- --------- ---------- --------- ----------- ----------- > *SSLv2* yes no yes no no no > *SSLv3* no yes yes no no no >- *SSLv23* no yes yes yes yes yes >+ *TLS* (*SSLv23*) no yes yes yes yes yes > *TLSv1* no no yes yes no no > *TLSv1.1* no no yes no yes no > *TLSv1.2* no no yes no no yes >@@ -245,7 +251,7 @@ > :const:`None`, this function can choose to trust the system's default > CA certificates instead. > >- The settings are: :data:`PROTOCOL_SSLv23`, :data:`OP_NO_SSLv2`, and >+ The settings are: :data:`PROTOCOL_TLS`, :data:`OP_NO_SSLv2`, and > :data:`OP_NO_SSLv3` with high encryption cipher suites without RC4 and > without unauthenticated cipher suites. Passing :data:`~Purpose.SERVER_AUTH` > as *purpose* sets :data:`~SSLContext.verify_mode` to :data:`CERT_REQUIRED` >@@ -317,6 +323,11 @@ > > .. versionadded:: 3.3 > >+ .. deprecated:: 3.6 >+ >+ OpenSSL has deprecated :func:`ssl.RAND_pseudo_bytes`, use >+ :func:`ssl.RAND_bytes` instead. >+ > .. function:: RAND_status() > > Return ``True`` if the SSL pseudo-random number generator has been seeded >@@ -335,6 +346,8 @@ > See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources > of entropy-gathering daemons. > >+ Availability: not available with LibreSSL and OpenSSL > 1.1.0 >+ > .. function:: RAND_add(bytes, entropy) > > Mix the given *bytes* into the SSL pseudo-random number generator. The >@@ -390,7 +403,7 @@ > >>> time.ctime(ssl.cert_time_to_seconds("May 9 00:00:00 2007 GMT")) > 'Wed May 9 00:00:00 2007' > >-.. function:: get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None) >+.. function:: get_server_certificate(addr, ssl_version=PROTOCOL_TLS, ca_certs=None) > > Given the address ``addr`` of an SSL-protected server, as a (*hostname*, > *port-number*) pair, fetches the server's certificate, and returns it as a >@@ -428,6 +441,9 @@ > * :attr:`openssl_capath_env` - OpenSSL's environment key that points to a capath, > * :attr:`openssl_capath` - hard coded path to a capath directory > >+ Availability: LibreSSL ignores the environment vars >+ :attr:`openssl_cafile_env` and :attr:`openssl_capath_env` >+ > .. versionadded:: 3.4 > > .. function:: enum_certificates(store_name) >@@ -545,11 +561,21 @@ > > .. versionadded:: 3.4.4 > >-.. data:: PROTOCOL_SSLv23 >+.. data:: PROTOCOL_TLS > > Selects the highest protocol version that both the client and server support. > Despite the name, this option can select "TLS" protocols as well as "SSL". > >+ .. versionadded:: 3.6 >+ >+.. data:: PROTOCOL_SSLv23 >+ >+ Alias for data:`PROTOCOL_TLS`. >+ >+ .. deprecated:: 3.6 >+ >+ Use data:`PROTOCOL_TLS` instead. >+ > .. data:: PROTOCOL_SSLv2 > > Selects SSL version 2 as the channel encryption protocol. >@@ -561,6 +587,10 @@ > > SSL version 2 is insecure. Its use is highly discouraged. > >+ .. deprecated:: 3.6 >+ >+ OpenSSL has removed support for SSLv2. >+ > .. data:: PROTOCOL_SSLv3 > > Selects SSL version 3 as the channel encryption protocol. >@@ -572,10 +602,20 @@ > > SSL version 3 is insecure. Its use is highly discouraged. > >+ .. deprecated:: 3.6 >+ >+ OpenSSL has deprecated all version specific protocols. Use the default >+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. >+ > .. data:: PROTOCOL_TLSv1 > > Selects TLS version 1.0 as the channel encryption protocol. > >+ .. deprecated:: 3.6 >+ >+ OpenSSL has deprecated all version specific protocols. Use the default >+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. >+ > .. data:: PROTOCOL_TLSv1_1 > > Selects TLS version 1.1 as the channel encryption protocol. >@@ -583,6 +623,11 @@ > > .. versionadded:: 3.4 > >+ .. deprecated:: 3.6 >+ >+ OpenSSL has deprecated all version specific protocols. Use the default >+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. >+ > .. data:: PROTOCOL_TLSv1_2 > > Selects TLS version 1.2 as the channel encryption protocol. This is the >@@ -591,6 +636,11 @@ > > .. versionadded:: 3.4 > >+ .. deprecated:: 3.6 >+ >+ OpenSSL has deprecated all version specific protocols. Use the default >+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. >+ > .. data:: OP_ALL > > Enables workarounds for various bugs present in other SSL implementations. >@@ -602,23 +652,32 @@ > .. data:: OP_NO_SSLv2 > > Prevents an SSLv2 connection. This option is only applicable in >- conjunction with :const:`PROTOCOL_SSLv23`. It prevents the peers from >+ conjunction with :const:`PROTOCOL_TLS`. It prevents the peers from > choosing SSLv2 as the protocol version. > > .. versionadded:: 3.2 > >+ .. deprecated:: 3.6 >+ >+ SSLv2 is deprecated >+ >+ > .. data:: OP_NO_SSLv3 > > Prevents an SSLv3 connection. This option is only applicable in >- conjunction with :const:`PROTOCOL_SSLv23`. It prevents the peers from >+ conjunction with :const:`PROTOCOL_TLS`. It prevents the peers from > choosing SSLv3 as the protocol version. > > .. versionadded:: 3.2 > >+ .. deprecated:: 3.6 >+ >+ SSLv3 is deprecated >+ > .. data:: OP_NO_TLSv1 > > Prevents a TLSv1 connection. This option is only applicable in >- conjunction with :const:`PROTOCOL_SSLv23`. It prevents the peers from >+ conjunction with :const:`PROTOCOL_TLS`. It prevents the peers from > choosing TLSv1 as the protocol version. > > .. versionadded:: 3.2 >@@ -626,7 +685,7 @@ > .. data:: OP_NO_TLSv1_1 > > Prevents a TLSv1.1 connection. This option is only applicable in conjunction >- with :const:`PROTOCOL_SSLv23`. It prevents the peers from choosing TLSv1.1 as >+ with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.1 as > the protocol version. Available only with openssl version 1.0.1+. > > .. versionadded:: 3.4 >@@ -634,7 +693,7 @@ > .. data:: OP_NO_TLSv1_2 > > Prevents a TLSv1.2 connection. This option is only applicable in conjunction >- with :const:`PROTOCOL_SSLv23`. It prevents the peers from choosing TLSv1.2 as >+ with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.2 as > the protocol version. Available only with openssl version 1.0.1+. > > .. versionadded:: 3.4 >@@ -996,17 +1055,21 @@ > It also manages a cache of SSL sessions for server-side sockets, in order > to speed up repeated connections from the same clients. > >-.. class:: SSLContext(protocol) >+.. class:: SSLContext(protocol=PROTOCOL_TLS) > >- Create a new SSL context. You must pass *protocol* which must be one >+ Create a new SSL context. You may pass *protocol* which must be one > of the ``PROTOCOL_*`` constants defined in this module. >- :data:`PROTOCOL_SSLv23` is currently recommended for maximum >- interoperability. >+ :data:`PROTOCOL_TLS` is currently recommended for maximum >+ interoperability and default value. > > .. seealso:: > :func:`create_default_context` lets the :mod:`ssl` module choose > security settings for a given purpose. > >+ .. versionchanged:: 3.6 >+ >+ :data:`PROTOCOL_TLS` is the default value. >+ > > :class:`SSLContext` objects have the following methods and attributes: > >@@ -1489,7 +1552,7 @@ > a context from scratch (but beware that you might not get the settings > right):: > >- >>> context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) >+ >>> context = ssl.SSLContext(ssl.PROTOCOL_TLS) > >>> context.verify_mode = ssl.CERT_REQUIRED > >>> context.check_hostname = True > >>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt") >@@ -1754,15 +1817,17 @@ > > SSL versions 2 and 3 are considered insecure and are therefore dangerous to > use. If you want maximum compatibility between clients and servers, it is >-recommended to use :const:`PROTOCOL_SSLv23` as the protocol version and then >+recommended to use :const:`PROTOCOL_TLS` as the protocol version and then > disable SSLv2 and SSLv3 explicitly using the :data:`SSLContext.options` > attribute:: > >- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) >+ context = ssl.SSLContext(ssl.PROTOCOL_TLS) > context.options |= ssl.OP_NO_SSLv2 > context.options |= ssl.OP_NO_SSLv3 >+ context.options |= ssl.OP_NO_TLSv1 >+ context.options |= ssl.OP_NO_TLSv1_1 > >-The SSL context created above will only allow TLSv1 and later (if >+The SSL context created above will only allow TLSv1.2 and later (if > supported by your system) connections. > > Cipher selection >--- Python-3.4.6-orig/Lib/ssl.py 2017-01-17 18:57:41.000000000 +1100 >+++ Python-3.4.6/Lib/ssl.py 2017-10-13 17:02:12.137397897 +1100 >@@ -51,6 +51,7 @@ > PROTOCOL_SSLv2 > PROTOCOL_SSLv3 > PROTOCOL_SSLv23 >+PROTOCOL_TLS > PROTOCOL_TLSv1 > PROTOCOL_TLSv1_1 > PROTOCOL_TLSv1_2 >@@ -92,7 +93,7 @@ > import sys > import os > from collections import namedtuple >-from enum import Enum as _Enum >+from enum import Enum as _Enum, IntEnum as _IntEnum > > import _ssl # if we can't import it, let the error propagate > >@@ -126,7 +127,12 @@ > > from _ssl import _OPENSSL_API_VERSION > >+_IntEnum._convert( >+ '_SSLMethod', __name__, >+ lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23', >+ source=_ssl) > >+PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_TLS > _PROTOCOL_NAMES = {value: name for name, value in globals().items() if name.startswith('PROTOCOL_')} > try: > from _ssl import PROTOCOL_SSLv2 >@@ -342,13 +348,13 @@ > __slots__ = ('protocol', '__weakref__') > _windows_cert_stores = ("CA", "ROOT") > >- def __new__(cls, protocol, *args, **kwargs): >+ def __new__(cls, protocol=PROTOCOL_TLS, *args, **kwargs): > self = _SSLContext.__new__(cls, protocol) > if protocol != _SSLv2_IF_EXISTS: > self.set_ciphers(_DEFAULT_CIPHERS) > return self > >- def __init__(self, protocol): >+ def __init__(self, protocol=PROTOCOL_TLS): > self.protocol = protocol > > def wrap_socket(self, sock, server_side=False, >@@ -402,7 +408,7 @@ > if not isinstance(purpose, _ASN1Object): > raise TypeError(purpose) > >- context = SSLContext(PROTOCOL_SSLv23) >+ context = SSLContext(PROTOCOL_TLS) > > # SSLv2 considered harmful. > context.options |= OP_NO_SSLv2 >@@ -439,7 +445,7 @@ > context.load_default_certs(purpose) > return context > >-def _create_unverified_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None, >+def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=None, > check_hostname=False, purpose=Purpose.SERVER_AUTH, > certfile=None, keyfile=None, > cafile=None, capath=None, cadata=None): >@@ -495,7 +501,7 @@ > > def __init__(self, sock=None, keyfile=None, certfile=None, > server_side=False, cert_reqs=CERT_NONE, >- ssl_version=PROTOCOL_SSLv23, ca_certs=None, >+ ssl_version=PROTOCOL_TLS, ca_certs=None, > do_handshake_on_connect=True, > family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None, > suppress_ragged_eofs=True, npn_protocols=None, ciphers=None, >@@ -877,7 +883,7 @@ > > def wrap_socket(sock, keyfile=None, certfile=None, > server_side=False, cert_reqs=CERT_NONE, >- ssl_version=PROTOCOL_SSLv23, ca_certs=None, >+ ssl_version=PROTOCOL_TLS, ca_certs=None, > do_handshake_on_connect=True, > suppress_ragged_eofs=True, > ciphers=None): >@@ -924,7 +930,7 @@ > d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)] > return base64.decodebytes(d.encode('ASCII', 'strict')) > >-def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None): >+def get_server_certificate(addr, ssl_version=PROTOCOL_TLS, ca_certs=None): > """Retrieve the certificate from the server at the specified address, > and return it as a PEM-encoded string. > If 'ca_certs' is specified, validate the server cert against it. >--- Python-3.4.6-orig/Lib/test/test_ssl.py 2017-01-17 18:57:43.000000000 +1100 >+++ Python-3.4.6/Lib/test/test_ssl.py 2017-10-12 17:45:01.000000000 +1100 >@@ -23,6 +23,9 @@ > > PROTOCOLS = sorted(ssl._PROTOCOL_NAMES) > HOST = support.HOST >+IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL') >+IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0) >+ > > def data_file(*name): > return os.path.join(os.path.dirname(__file__), *name) >@@ -655,7 +658,8 @@ > def test_constructor(self): > for protocol in PROTOCOLS: > ssl.SSLContext(protocol) >- self.assertRaises(TypeError, ssl.SSLContext) >+ ctx = ssl.SSLContext() >+ self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS) > self.assertRaises(ValueError, ssl.SSLContext, -1) > self.assertRaises(ValueError, ssl.SSLContext, 42) > >@@ -676,15 +680,15 @@ > def test_options(self): > ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) > # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value >- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3, >- ctx.options) >+ default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) >+ if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0): >+ default |= ssl.OP_NO_COMPRESSION >+ self.assertEqual(default, ctx.options) > ctx.options |= ssl.OP_NO_TLSv1 >- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1, >- ctx.options) >+ self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) > if can_clear_options(): >- ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1 >- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_TLSv1 | ssl.OP_NO_SSLv3, >- ctx.options) >+ ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1) >+ self.assertEqual(default, ctx.options) > ctx.options = 0 > # Ubuntu has OP_NO_SSLv3 forced on by default > self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3) >@@ -1020,6 +1024,7 @@ > self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH') > > @unittest.skipIf(sys.platform == "win32", "not-Windows specific") >+ @unittest.skipIf(IS_LIBRESSL, "LibreSSL doesn't support env vars") > def test_load_default_certs_env(self): > ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) > with support.EnvironmentVarGuard() as env: >@@ -2756,24 +2761,38 @@ > (['abc', 'def'], 'abc') > ] > for client_protocols, expected in protocol_tests: >- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) >+ server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) > server_context.load_cert_chain(CERTFILE) > server_context.set_npn_protocols(server_protocols) >- client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) >+ client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) > client_context.load_cert_chain(CERTFILE) > client_context.set_npn_protocols(client_protocols) > stats = server_params_test(client_context, server_context, > chatty=True, connectionchatty=True) > >- msg = "failed trying %s (s) and %s (c).\n" \ >- "was expecting %s, but got %%s from the %%s" \ >- % (str(server_protocols), str(client_protocols), >- str(expected)) >- client_result = stats['client_npn_protocol'] >- self.assertEqual(client_result, expected, msg % (client_result, "client")) >- server_result = stats['server_npn_protocols'][-1] \ >- if len(stats['server_npn_protocols']) else 'nothing' >- self.assertEqual(server_result, expected, msg % (server_result, "server")) >+ try: >+ stats = server_params_test(client_context, >+ server_context, >+ chatty=True, >+ connectionchatty=True) >+ except ssl.SSLError as e: >+ stats = e >+ >+ if expected is None and IS_OPENSSL_1_1: >+ # OpenSSL 1.1.0 raises handshake error >+ self.assertIsInstance(stats, ssl.SSLError) >+ else: >+ msg = "failed trying %s (s) and %s (c).\n" \ >+ "was expecting %s, but got %%s from the %%s" \ >+ % (str(server_protocols), str(client_protocols), >+ str(expected)) >+ client_result = stats['client_alpn_protocol'] >+ self.assertEqual(client_result, expected, >+ msg % (client_result, "client")) >+ server_result = stats['server_alpn_protocols'][-1] \ >+ if len(stats['server_alpn_protocols']) else 'nothing' >+ self.assertEqual(server_result, expected, >+ msg % (server_result, "server")) > > def sni_contexts(self): > server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) >--- Python-3.4.6-orig/Modules/_hashopenssl.c 2017-01-17 18:57:45.000000000 +1100 >+++ Python-3.4.6/Modules/_hashopenssl.c 2017-10-12 17:51:13.000000000 +1100 >@@ -20,7 +20,6 @@ > > /* EVP is the preferred interface to hashing in OpenSSL */ > #include <openssl/evp.h> >-#include <openssl/hmac.h> > /* We use the object interface to discover what hashes OpenSSL supports. */ > #include <openssl/objects.h> > #include "openssl/err.h" >@@ -31,6 +30,18 @@ > #define HASH_OBJ_CONSTRUCTOR 0 > #endif > >+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) >+/* OpenSSL < 1.1.0 */ >+#define EVP_MD_CTX_new EVP_MD_CTX_create >+#define EVP_MD_CTX_free EVP_MD_CTX_destroy >+#define HAS_FAST_PKCS5_PBKDF2_HMAC 0 >+#include <openssl/hmac.h> >+#else >+/* OpenSSL >= 1.1.0 */ >+#define HAS_FAST_PKCS5_PBKDF2_HMAC 1 >+#endif >+ >+ > /* Minimum OpenSSL version needed to support sha224 and higher. */ > #if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x00908000) > #define _OPENSSL_SUPPORTS_SHA2 >@@ -39,7 +50,7 @@ > typedef struct { > PyObject_HEAD > PyObject *name; /* name of this hash algorithm */ >- EVP_MD_CTX ctx; /* OpenSSL message digest context */ >+ EVP_MD_CTX *ctx; /* OpenSSL message digest context */ > #ifdef WITH_THREAD > PyThread_type_lock lock; /* OpenSSL context lock */ > #endif >@@ -51,7 +62,6 @@ > > #define DEFINE_CONSTS_FOR_NEW(Name) \ > static PyObject *CONST_ ## Name ## _name_obj = NULL; \ >- static EVP_MD_CTX CONST_new_ ## Name ## _ctx; \ > static EVP_MD_CTX *CONST_new_ ## Name ## _ctx_p = NULL; > > DEFINE_CONSTS_FOR_NEW(md5) >@@ -64,19 +74,57 @@ > #endif > > >+/* LCOV_EXCL_START */ >+static PyObject * >+_setException(PyObject *exc) >+{ >+ unsigned long errcode; >+ const char *lib, *func, *reason; >+ >+ errcode = ERR_peek_last_error(); >+ if (!errcode) { >+ PyErr_SetString(exc, "unknown reasons"); >+ return NULL; >+ } >+ ERR_clear_error(); >+ >+ lib = ERR_lib_error_string(errcode); >+ func = ERR_func_error_string(errcode); >+ reason = ERR_reason_error_string(errcode); >+ >+ if (lib && func) { >+ PyErr_Format(exc, "[%s: %s] %s", lib, func, reason); >+ } >+ else if (lib) { >+ PyErr_Format(exc, "[%s] %s", lib, reason); >+ } >+ else { >+ PyErr_SetString(exc, reason); >+ } >+ return NULL; >+} >+/* LCOV_EXCL_STOP */ >+ > static EVPobject * > newEVPobject(PyObject *name) > { > EVPobject *retval = (EVPobject *)PyObject_New(EVPobject, &EVPtype); >+ if (retval == NULL) { >+ return NULL; >+ } >+ >+ retval->ctx = EVP_MD_CTX_new(); >+ if (retval->ctx == NULL) { >+ PyErr_NoMemory(); >+ return NULL; >+ } > > /* save the name for .name to return */ >- if (retval != NULL) { >- Py_INCREF(name); >- retval->name = name; >+ Py_INCREF(name); >+ retval->name = name; > #ifdef WITH_THREAD >- retval->lock = NULL; >+ retval->lock = NULL; > #endif >- } > > return retval; > } >@@ -91,7 +139,7 @@ > process = MUNCH_SIZE; > else > process = Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int); >- EVP_DigestUpdate(&self->ctx, (const void*)cp, process); >+ EVP_DigestUpdate(self->ctx, (const void*)cp, process); > len -= process; > cp += process; > } >@@ -106,16 +154,19 @@ > if (self->lock != NULL) > PyThread_free_lock(self->lock); > #endif >- EVP_MD_CTX_cleanup(&self->ctx); >+ EVP_MD_CTX_free(self->ctx); > Py_XDECREF(self->name); > PyObject_Del(self); > } > >-static void locked_EVP_MD_CTX_copy(EVP_MD_CTX *new_ctx_p, EVPobject *self) >+static int >+locked_EVP_MD_CTX_copy(EVP_MD_CTX *new_ctx_p, EVPobject *self) > { >+ int result; > ENTER_HASHLIB(self); >- EVP_MD_CTX_copy(new_ctx_p, &self->ctx); >+ result = EVP_MD_CTX_copy(new_ctx_p, self->ctx); > LEAVE_HASHLIB(self); >+ return result; > } > > /* External methods for a hash object */ >@@ -131,7 +182,9 @@ > if ( (newobj = newEVPobject(self->name))==NULL) > return NULL; > >- locked_EVP_MD_CTX_copy(&newobj->ctx, self); >+ if (!locked_EVP_MD_CTX_copy(newobj->ctx, self)) { >+ return _setException(PyExc_ValueError); >+ } > return (PyObject *)newobj; > } > >@@ -142,16 +195,24 @@ > EVP_digest(EVPobject *self, PyObject *unused) > { > unsigned char digest[EVP_MAX_MD_SIZE]; >- EVP_MD_CTX temp_ctx; >+ EVP_MD_CTX *temp_ctx; > PyObject *retval; > unsigned int digest_size; > >- locked_EVP_MD_CTX_copy(&temp_ctx, self); >- digest_size = EVP_MD_CTX_size(&temp_ctx); >- EVP_DigestFinal(&temp_ctx, digest, NULL); >+ temp_ctx = EVP_MD_CTX_new(); >+ if (temp_ctx == NULL) { >+ PyErr_NoMemory(); >+ return NULL; >+ } >+ >+ if (!locked_EVP_MD_CTX_copy(temp_ctx, self)) { >+ return _setException(PyExc_ValueError); >+ } >+ digest_size = EVP_MD_CTX_size(temp_ctx); >+ EVP_DigestFinal(temp_ctx, digest, NULL); > > retval = PyBytes_FromStringAndSize((const char *)digest, digest_size); >- EVP_MD_CTX_cleanup(&temp_ctx); >+ EVP_MD_CTX_free(temp_ctx); > return retval; > } > >@@ -162,17 +223,25 @@ > EVP_hexdigest(EVPobject *self, PyObject *unused) > { > unsigned char digest[EVP_MAX_MD_SIZE]; >- EVP_MD_CTX temp_ctx; >+ EVP_MD_CTX *temp_ctx; > PyObject *retval; > char *hex_digest; > unsigned int i, j, digest_size; > >+ temp_ctx = EVP_MD_CTX_new(); >+ if (temp_ctx == NULL) { >+ PyErr_NoMemory(); >+ return NULL; >+ } >+ > /* Get the raw (binary) digest value */ >- locked_EVP_MD_CTX_copy(&temp_ctx, self); >- digest_size = EVP_MD_CTX_size(&temp_ctx); >- EVP_DigestFinal(&temp_ctx, digest, NULL); >+ if (!locked_EVP_MD_CTX_copy(temp_ctx, self)) { >+ return _setException(PyExc_ValueError); >+ } >+ digest_size = EVP_MD_CTX_size(temp_ctx); >+ EVP_DigestFinal(temp_ctx, digest, NULL); > >- EVP_MD_CTX_cleanup(&temp_ctx); >+ EVP_MD_CTX_free(temp_ctx); > > /* Allocate a new buffer */ > hex_digest = PyMem_Malloc(digest_size * 2 + 1); >@@ -241,7 +310,7 @@ > EVP_get_block_size(EVPobject *self, void *closure) > { > long block_size; >- block_size = EVP_MD_CTX_block_size(&self->ctx); >+ block_size = EVP_MD_CTX_block_size(self->ctx); > return PyLong_FromLong(block_size); > } > >@@ -249,7 +318,7 @@ > EVP_get_digest_size(EVPobject *self, void *closure) > { > long size; >- size = EVP_MD_CTX_size(&self->ctx); >+ size = EVP_MD_CTX_size(self->ctx); > return PyLong_FromLong(size); > } > >@@ -310,7 +379,7 @@ > PyBuffer_Release(&view); > return -1; > } >- EVP_DigestInit(&self->ctx, digest); >+ EVP_DigestInit(self->ctx, digest); > > self->name = name_obj; > Py_INCREF(self->name); >@@ -407,9 +476,9 @@ > return NULL; > > if (initial_ctx) { >- EVP_MD_CTX_copy(&self->ctx, initial_ctx); >+ EVP_MD_CTX_copy(self->ctx, initial_ctx); > } else { >- EVP_DigestInit(&self->ctx, digest); >+ EVP_DigestInit(self->ctx, digest); > } > > if (cp && len) { >@@ -475,6 +544,7 @@ > > #define PY_PBKDF2_HMAC 1 > >+#if !HAS_FAST_PKCS5_PBKDF2_HMAC > /* Improved implementation of PKCS5_PBKDF2_HMAC() > * > * PKCS5_PBKDF2_HMAC_fast() hashes the password exactly one time instead of >@@ -556,37 +626,8 @@ > HMAC_CTX_cleanup(&hctx_tpl); > return 1; > } >+#endif > >-/* LCOV_EXCL_START */ >-static PyObject * >-_setException(PyObject *exc) >-{ >- unsigned long errcode; >- const char *lib, *func, *reason; >- >- errcode = ERR_peek_last_error(); >- if (!errcode) { >- PyErr_SetString(exc, "unknown reasons"); >- return NULL; >- } >- ERR_clear_error(); >- >- lib = ERR_lib_error_string(errcode); >- func = ERR_func_error_string(errcode); >- reason = ERR_reason_error_string(errcode); >- >- if (lib && func) { >- PyErr_Format(exc, "[%s: %s] %s", lib, func, reason); >- } >- else if (lib) { >- PyErr_Format(exc, "[%s] %s", lib, reason); >- } >- else { >- PyErr_SetString(exc, reason); >- } >- return NULL; >-} >-/* LCOV_EXCL_STOP */ > > PyDoc_STRVAR(pbkdf2_hmac__doc__, > "pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) -> key\n\ >@@ -668,10 +709,17 @@ > key = PyBytes_AS_STRING(key_obj); > > Py_BEGIN_ALLOW_THREADS >+#if HAS_FAST_PKCS5_PBKDF2_HMAC >+ retval = PKCS5_PBKDF2_HMAC((char*)password.buf, (int)password.len, >+ (unsigned char *)salt.buf, (int)salt.len, >+ iterations, digest, dklen, >+ (unsigned char *)key); >+#else > retval = PKCS5_PBKDF2_HMAC_fast((char*)password.buf, (int)password.len, > (unsigned char *)salt.buf, (int)salt.len, > iterations, digest, dklen, > (unsigned char *)key); >+#endif > Py_END_ALLOW_THREADS > > if (!retval) { >@@ -790,7 +838,7 @@ > if (CONST_ ## NAME ## _name_obj == NULL) { \ > CONST_ ## NAME ## _name_obj = PyUnicode_FromString(#NAME); \ > if (EVP_get_digestbyname(#NAME)) { \ >- CONST_new_ ## NAME ## _ctx_p = &CONST_new_ ## NAME ## _ctx; \ >+ CONST_new_ ## NAME ## _ctx_p = EVP_MD_CTX_new(); \ > EVP_DigestInit(CONST_new_ ## NAME ## _ctx_p, EVP_get_digestbyname(#NAME)); \ > } \ > } \ >--- Python-3.4.6-orig/Modules/_ssl.c 2017-01-17 18:57:45.000000000 +1100 >+++ Python-3.4.6/Modules/_ssl.c 2017-10-12 16:32:53.000000000 +1100 >@@ -55,6 +55,14 @@ > #include <sys/poll.h> > #endif > >+/* Don't warn about deprecated functions */ >+#ifdef __GNUC__ >+#pragma GCC diagnostic ignored "-Wdeprecated-declarations" >+#endif >+#ifdef __clang__ >+#pragma clang diagnostic ignored "-Wdeprecated-declarations" >+#endif >+ > /* Include OpenSSL header files */ > #include "openssl/rsa.h" > #include "openssl/crypto.h" >@@ -90,6 +98,10 @@ > /* Include generated data (error codes) */ > #include "_ssl_data.h" > >+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) >+# define OPENSSL_VERSION_1_1 1 >+#endif >+ > /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1 > http://www.openssl.org/news/changelog.html > */ >@@ -108,6 +120,72 @@ > # define HAVE_SNI 0 > #endif > >+#ifdef OPENSSL_VERSION_1_1 >+/* OpenSSL 1.1.0+ */ >+#ifndef OPENSSL_NO_SSL2 >+#define OPENSSL_NO_SSL2 >+#endif >+#else /* OpenSSL < 1.1.0 */ >+#if defined(WITH_THREAD) >+#define HAVE_OPENSSL_CRYPTO_LOCK >+#endif >+ >+#define TLS_method SSLv23_method >+ >+static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) >+{ >+ return ne->set; >+} >+ >+#ifndef OPENSSL_NO_COMP >+static int COMP_get_type(const COMP_METHOD *meth) >+{ >+ return meth->type; >+} >+ >+static const char *COMP_get_name(const COMP_METHOD *meth) >+{ >+ return meth->name; >+} >+#endif >+ >+static pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) >+{ >+ return ctx->default_passwd_callback; >+} >+ >+static void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) >+{ >+ return ctx->default_passwd_callback_userdata; >+} >+ >+static int X509_OBJECT_get_type(X509_OBJECT *x) >+{ >+ return x->type; >+} >+ >+static X509 *X509_OBJECT_get0_X509(X509_OBJECT *x) >+{ >+ return x->data.x509; >+} >+ >+static int BIO_up_ref(BIO *b) >+{ >+ CRYPTO_add(&b->references, 1, CRYPTO_LOCK_BIO); >+ return 1; >+} >+ >+static STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *store) { >+ return store->objs; >+} >+ >+static X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store) >+{ >+ return store->param; >+} >+#endif /* OpenSSL < 1.1.0 or LibreSSL */ >+ >+ > enum py_ssl_error { > /* these mirror ssl.h */ > PY_SSL_ERROR_NONE, >@@ -138,7 +216,7 @@ > enum py_ssl_version { > PY_SSL_VERSION_SSL2, > PY_SSL_VERSION_SSL3=1, >- PY_SSL_VERSION_SSL23, >+ PY_SSL_VERSION_TLS, > #if HAVE_TLSv1_2 > PY_SSL_VERSION_TLS1, > PY_SSL_VERSION_TLS1_1, >@@ -691,7 +769,7 @@ > > /* check to see if we've gotten to a new RDN */ > if (rdn_level >= 0) { >- if (rdn_level != entry->set) { >+ if (rdn_level != X509_NAME_ENTRY_set(entry)) { > /* yes, new RDN */ > /* add old RDN to DN */ > rdnt = PyList_AsTuple(rdn); >@@ -708,7 +786,7 @@ > goto fail0; > } > } >- rdn_level = entry->set; >+ rdn_level = X509_NAME_ENTRY_set(entry); > > /* now add this attribute to the current RDN */ > name = X509_NAME_ENTRY_get_object(entry); >@@ -811,18 +889,18 @@ > goto fail; > } > >- p = ext->value->data; >+ p = X509_EXTENSION_get_data(ext)->data; > if (method->it) > names = (GENERAL_NAMES*) > (ASN1_item_d2i(NULL, > &p, >- ext->value->length, >+ X509_EXTENSION_get_data(ext)->length, > ASN1_ITEM_ptr(method->it))); > else > names = (GENERAL_NAMES*) > (method->d2i(NULL, > &p, >- ext->value->length)); >+ X509_EXTENSION_get_data(ext)->length)); > > for(j = 0; j < sk_GENERAL_NAME_num(names); j++) { > /* get a rendering of each name in the set of names */ >@@ -1033,13 +1111,11 @@ > int i, j; > PyObject *lst, *res = NULL; > >-#if OPENSSL_VERSION_NUMBER < 0x10001000L >- dps = X509_get_ext_d2i(certificate, NID_crl_distribution_points, NULL, NULL); >-#else >+#if OPENSSL_VERSION_NUMBER >= 0x10001000L > /* Calls x509v3_cache_extensions and sets up crldp */ > X509_check_ca(certificate); >- dps = certificate->crldp; > #endif >+ dps = X509_get_ext_d2i(certificate, NID_crl_distribution_points, NULL, NULL); > > if (dps == NULL) > return Py_None; >@@ -1427,9 +1503,9 @@ > if (self->ssl == NULL) > Py_RETURN_NONE; > comp_method = SSL_get_current_compression(self->ssl); >- if (comp_method == NULL || comp_method->type == NID_undef) >+ if (comp_method == NULL || COMP_get_type(comp_method) == NID_undef) > Py_RETURN_NONE; >- short_name = OBJ_nid2sn(comp_method->type); >+ short_name = COMP_get_name(comp_method); > if (short_name == NULL) > Py_RETURN_NONE; > return PyUnicode_DecodeFSDefault(short_name); >@@ -2003,8 +2079,8 @@ > else if (proto_version == PY_SSL_VERSION_SSL2) > ctx = SSL_CTX_new(SSLv2_method()); > #endif >- else if (proto_version == PY_SSL_VERSION_SSL23) >- ctx = SSL_CTX_new(SSLv23_method()); >+ else if (proto_version == PY_SSL_VERSION_TLS) >+ ctx = SSL_CTX_new(TLS_method()); > else > proto_version = -1; > PySSL_END_ALLOW_THREADS >@@ -2047,8 +2123,9 @@ > #ifndef OPENSSL_NO_ECDH > /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use > prime256v1 by default. This is Apache mod_ssl's initialization >- policy, so we should be safe. */ >-#if defined(SSL_CTX_set_ecdh_auto) >+ policy, so we should be safe. OpenSSL 1.1 has it enabled by default. >+ */ >+#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1) > SSL_CTX_set_ecdh_auto(self->ctx, 1); > #else > { >@@ -2259,10 +2336,12 @@ > get_verify_flags(PySSLContext *self, void *c) > { > X509_STORE *store; >+ X509_VERIFY_PARAM *param; > unsigned long flags; > > store = SSL_CTX_get_cert_store(self->ctx); >- flags = X509_VERIFY_PARAM_get_flags(store->param); >+ param = X509_STORE_get0_param(store); >+ flags = X509_VERIFY_PARAM_get_flags(param); > return PyLong_FromUnsignedLong(flags); > } > >@@ -2270,22 +2349,24 @@ > set_verify_flags(PySSLContext *self, PyObject *arg, void *c) > { > X509_STORE *store; >+ X509_VERIFY_PARAM *param; > unsigned long new_flags, flags, set, clear; > > if (!PyArg_Parse(arg, "k", &new_flags)) > return -1; > store = SSL_CTX_get_cert_store(self->ctx); >- flags = X509_VERIFY_PARAM_get_flags(store->param); >+ param = X509_STORE_get0_param(store); >+ flags = X509_VERIFY_PARAM_get_flags(param); > clear = flags & ~new_flags; > set = ~flags & new_flags; > if (clear) { >- if (!X509_VERIFY_PARAM_clear_flags(store->param, clear)) { >+ if (!X509_VERIFY_PARAM_clear_flags(param, clear)) { > _setSSLError(NULL, 0, __FILE__, __LINE__); > return -1; > } > } > if (set) { >- if (!X509_VERIFY_PARAM_set_flags(store->param, set)) { >+ if (!X509_VERIFY_PARAM_set_flags(param, set)) { > _setSSLError(NULL, 0, __FILE__, __LINE__); > return -1; > } >@@ -2455,8 +2536,8 @@ > char *kwlist[] = {"certfile", "keyfile", "password", NULL}; > PyObject *certfile, *keyfile = NULL, *password = NULL; > PyObject *certfile_bytes = NULL, *keyfile_bytes = NULL; >- pem_password_cb *orig_passwd_cb = self->ctx->default_passwd_callback; >- void *orig_passwd_userdata = self->ctx->default_passwd_callback_userdata; >+ pem_password_cb *orig_passwd_cb = SSL_CTX_get_default_passwd_cb(self->ctx); >+ void *orig_passwd_userdata = SSL_CTX_get_default_passwd_cb_userdata(self->ctx); > _PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 }; > int r; > >@@ -2587,8 +2668,9 @@ > cert = d2i_X509_bio(biobuf, NULL); > } else { > cert = PEM_read_bio_X509(biobuf, NULL, >- self->ctx->default_passwd_callback, >- self->ctx->default_passwd_callback_userdata); >+ SSL_CTX_get_default_passwd_cb(self->ctx), >+ SSL_CTX_get_default_passwd_cb_userdata(self->ctx) >+ ); > } > if (cert == NULL) { > break; >@@ -3036,25 +3118,24 @@ > cert_store_stats(PySSLContext *self) > { > X509_STORE *store; >+ STACK_OF(X509_OBJECT) *objs; > X509_OBJECT *obj; >- int x509 = 0, crl = 0, pkey = 0, ca = 0, i; >+ int x509 = 0, crl = 0, ca = 0, i; > > store = SSL_CTX_get_cert_store(self->ctx); >- for (i = 0; i < sk_X509_OBJECT_num(store->objs); i++) { >- obj = sk_X509_OBJECT_value(store->objs, i); >- switch (obj->type) { >+ objs = X509_STORE_get0_objects(store); >+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { >+ obj = sk_X509_OBJECT_value(objs, i); >+ switch (X509_OBJECT_get_type(obj)) { > case X509_LU_X509: > x509++; >- if (X509_check_ca(obj->data.x509)) { >+ if (X509_check_ca(X509_OBJECT_get0_X509(obj))) { > ca++; > } > break; > case X509_LU_CRL: > crl++; > break; >- case X509_LU_PKEY: >- pkey++; >- break; > default: > /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY. > * As far as I can tell they are internal states and never >@@ -3079,6 +3160,7 @@ > { > char *kwlist[] = {"binary_form", NULL}; > X509_STORE *store; >+ STACK_OF(X509_OBJECT) *objs; > PyObject *ci = NULL, *rlist = NULL; > int i; > int binary_mode = 0; >@@ -3093,17 +3175,18 @@ > } > > store = SSL_CTX_get_cert_store(self->ctx); >- for (i = 0; i < sk_X509_OBJECT_num(store->objs); i++) { >+ objs = X509_STORE_get0_objects(store); >+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { > X509_OBJECT *obj; > X509 *cert; > >- obj = sk_X509_OBJECT_value(store->objs, i); >- if (obj->type != X509_LU_X509) { >+ obj = sk_X509_OBJECT_value(objs, i); >+ if (X509_OBJECT_get_type(obj) != X509_LU_X509) { > /* not a x509 cert */ > continue; > } > /* CA for any purpose */ >- cert = obj->data.x509; >+ cert = X509_OBJECT_get0_X509(obj); > if (!X509_check_ca(cert)) { > continue; > } >@@ -3776,10 +3859,12 @@ > }; > > >-#ifdef WITH_THREAD >+#ifdef HAVE_OPENSSL_CRYPTO_LOCK > > /* an implementation of OpenSSL threading operations in terms >- of the Python C thread library */ >+ * of the Python C thread library >+ * Only used up to 1.0.2. OpenSSL 1.1.0+ has its own locking code. >+ */ > > static PyThread_type_lock *_ssl_locks = NULL; > >@@ -3860,7 +3945,7 @@ > return 1; > } > >-#endif /* def HAVE_THREAD */ >+#endif /* HAVE_OPENSSL_CRYPTO_LOCK for WITH_THREAD && OpenSSL < 1.1.0 */ > > PyDoc_STRVAR(module_doc, > "Implementation module for SSL socket operations. See the socket module\n\ >@@ -3927,11 +4012,16 @@ > SSL_load_error_strings(); > SSL_library_init(); > #ifdef WITH_THREAD >+#ifdef HAVE_OPENSSL_CRYPTO_LOCK > /* note that this will start threading if not already started */ > if (!_setup_ssl_threads()) { > return NULL; > } >+#elif OPENSSL_VERSION_1_1 && defined(OPENSSL_THREADS) >+ /* OpenSSL 1.1.0 builtin thread support is enabled */ >+ _ssl_locks_count++; > #endif >+#endif /* WITH_THREAD */ > OpenSSL_add_all_algorithms(); > > /* Add symbols to module dict */ >@@ -4075,7 +4165,9 @@ > PY_SSL_VERSION_SSL3); > #endif > PyModule_AddIntConstant(m, "PROTOCOL_SSLv23", >- PY_SSL_VERSION_SSL23); >+ PY_SSL_VERSION_TLS); >+ PyModule_AddIntConstant(m, "PROTOCOL_TLS", >+ PY_SSL_VERSION_TLS); > PyModule_AddIntConstant(m, "PROTOCOL_TLSv1", > PY_SSL_VERSION_TLS1); > #if HAVE_TLSv1_2
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 592480
:
444486
|
498216
|
498218
|
498220
|
498224
|
498594
|
498596
| 498600 |
498602
|
498604
|
498606
|
498608
|
498610
|
498612
|
562840