From 4aa9ebcc0385f0475d3d8ad1593fb1d5806a9cea Mon Sep 17 00:00:00 2001
From: Miro Hrončok <miro@hroncok.cz>
Date: Aug 17 2018 13:40:30 +0000
Subject: Backport TLS 1.3 related fixes to fix FTBFS


Resolves https://bugzilla.redhat.com/show_bug.cgi?id=1609291

---

diff --git a/00308-tls-1.3.patch b/00308-tls-1.3.patch
new file mode 100644
index 0000000..7cd9e59
--- /dev/null
+++ b/00308-tls-1.3.patch
@@ -0,0 +1,182 @@
+diff --git a/Lib/test/dh1024.pem b/Lib/test/dh1024.pem
+deleted file mode 100644
+index a391176..0000000
+--- a/Lib/test/dh1024.pem
++++ /dev/null
+@@ -1,7 +0,0 @@
+------BEGIN DH PARAMETERS-----
+-MIGHAoGBAIbzw1s9CT8SV5yv6L7esdAdZYZjPi3qWFs61CYTFFQnf2s/d09NYaJt
+-rrvJhIzWavqnue71qXCf83/J3nz3FEwUU/L0mGyheVbsSHiI64wUo3u50wK5Igo0
+-RNs/LD0irs7m0icZ//hijafTU+JOBiuA8zMI+oZfU7BGuc9XrUprAgEC
+------END DH PARAMETERS-----
+-
+-Generated with: openssl dhparam -out dh1024.pem  1024
+diff --git a/Lib/test/ffdh3072.pem b/Lib/test/ffdh3072.pem
+new file mode 100644
+index 0000000..ad69bac
+--- /dev/null
++++ b/Lib/test/ffdh3072.pem
+@@ -0,0 +1,41 @@
++    DH Parameters: (3072 bit)
++        prime:
++            00:ff:ff:ff:ff:ff:ff:ff:ff:ad:f8:54:58:a2:bb:
++            4a:9a:af:dc:56:20:27:3d:3c:f1:d8:b9:c5:83:ce:
++            2d:36:95:a9:e1:36:41:14:64:33:fb:cc:93:9d:ce:
++            24:9b:3e:f9:7d:2f:e3:63:63:0c:75:d8:f6:81:b2:
++            02:ae:c4:61:7a:d3:df:1e:d5:d5:fd:65:61:24:33:
++            f5:1f:5f:06:6e:d0:85:63:65:55:3d:ed:1a:f3:b5:
++            57:13:5e:7f:57:c9:35:98:4f:0c:70:e0:e6:8b:77:
++            e2:a6:89:da:f3:ef:e8:72:1d:f1:58:a1:36:ad:e7:
++            35:30:ac:ca:4f:48:3a:79:7a:bc:0a:b1:82:b3:24:
++            fb:61:d1:08:a9:4b:b2:c8:e3:fb:b9:6a:da:b7:60:
++            d7:f4:68:1d:4f:42:a3:de:39:4d:f4:ae:56:ed:e7:
++            63:72:bb:19:0b:07:a7:c8:ee:0a:6d:70:9e:02:fc:
++            e1:cd:f7:e2:ec:c0:34:04:cd:28:34:2f:61:91:72:
++            fe:9c:e9:85:83:ff:8e:4f:12:32:ee:f2:81:83:c3:
++            fe:3b:1b:4c:6f:ad:73:3b:b5:fc:bc:2e:c2:20:05:
++            c5:8e:f1:83:7d:16:83:b2:c6:f3:4a:26:c1:b2:ef:
++            fa:88:6b:42:38:61:1f:cf:dc:de:35:5b:3b:65:19:
++            03:5b:bc:34:f4:de:f9:9c:02:38:61:b4:6f:c9:d6:
++            e6:c9:07:7a:d9:1d:26:91:f7:f7:ee:59:8c:b0:fa:
++            c1:86:d9:1c:ae:fe:13:09:85:13:92:70:b4:13:0c:
++            93:bc:43:79:44:f4:fd:44:52:e2:d7:4d:d3:64:f2:
++            e2:1e:71:f5:4b:ff:5c:ae:82:ab:9c:9d:f6:9e:e8:
++            6d:2b:c5:22:36:3a:0d:ab:c5:21:97:9b:0d:ea:da:
++            1d:bf:9a:42:d5:c4:48:4e:0a:bc:d0:6b:fa:53:dd:
++            ef:3c:1b:20:ee:3f:d5:9d:7c:25:e4:1d:2b:66:c6:
++            2e:37:ff:ff:ff:ff:ff:ff:ff:ff
++        generator: 2 (0x2)
++        recommended-private-length: 276 bits
++-----BEGIN DH PARAMETERS-----
++MIIBjAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
++87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
++YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
++7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
++ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
++7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
++nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu
++N///////////AgECAgIBFA==
++-----END DH PARAMETERS-----
+diff --git a/Lib/test/test_ftplib.py b/Lib/test/test_ftplib.py
+index f9488a9..da8ba32 100644
+--- a/Lib/test/test_ftplib.py
++++ b/Lib/test/test_ftplib.py
+@@ -880,18 +880,23 @@ class TestTLS_FTPClass(TestCase):
+         # clear text
+         with self.client.transfercmd('list') as sock:
+             self.assertNotIsInstance(sock, ssl.SSLSocket)
++            self.assertEqual(sock.recv(1024), LIST_DATA.encode('ascii'))
+         self.assertEqual(self.client.voidresp(), "226 transfer complete")
+ 
+         # secured, after PROT P
+         self.client.prot_p()
+         with self.client.transfercmd('list') as sock:
+             self.assertIsInstance(sock, ssl.SSLSocket)
++            # consume from SSL socket to finalize handshake and avoid
++            # "SSLError [SSL] shutdown while in init"
++            self.assertEqual(sock.recv(1024), LIST_DATA.encode('ascii'))
+         self.assertEqual(self.client.voidresp(), "226 transfer complete")
+ 
+         # PROT C is issued, the connection must be in cleartext again
+         self.client.prot_c()
+         with self.client.transfercmd('list') as sock:
+             self.assertNotIsInstance(sock, ssl.SSLSocket)
++            self.assertEqual(sock.recv(1024), LIST_DATA.encode('ascii'))
+         self.assertEqual(self.client.voidresp(), "226 transfer complete")
+ 
+     def test_login(self):
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index 7bbaa9f..ea528b5 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -55,7 +55,6 @@ CAPATH = data_file("capath")
+ BYTES_CAPATH = os.fsencode(CAPATH)
+ CAFILE_NEURONIO = data_file("capath", "4e1295a3.0")
+ CAFILE_CACERT = data_file("capath", "5ed36f99.0")
+-WRONG_CERT = data_file("wrongcert.pem")
+ 
+ CERTFILE_INFO = {
+     'issuer': ((('countryName', 'XY'),),
+@@ -118,7 +117,7 @@ BADKEY = data_file("badkey.pem")
+ NOKIACERT = data_file("nokia.pem")
+ NULLBYTECERT = data_file("nullbytecert.pem")
+ 
+-DHFILE = data_file("dh1024.pem")
++DHFILE = data_file("ffdh3072.pem")
+ BYTES_DHFILE = os.fsencode(DHFILE)
+ 
+ # Not defined in all versions of OpenSSL
+@@ -2846,8 +2845,8 @@ class ThreadedTests(unittest.TestCase):
+         connect to it with a wrong client certificate fails.
+         """
+         client_context, server_context, hostname = testing_context()
+-        # load client cert
+-        client_context.load_cert_chain(WRONG_CERT)
++        # load client cert that is not signed by trusted CA
++        client_context.load_cert_chain(CERTFILE)
+         # require TLS client authentication
+         server_context.verify_mode = ssl.CERT_REQUIRED
+         # TLS 1.3 has different handshake
+@@ -2879,7 +2878,8 @@ class ThreadedTests(unittest.TestCase):
+     @unittest.skipUnless(ssl.HAS_TLSv1_3, "Test needs TLS 1.3")
+     def test_wrong_cert_tls13(self):
+         client_context, server_context, hostname = testing_context()
+-        client_context.load_cert_chain(WRONG_CERT)
++        # load client cert that is not signed by trusted CA
++        client_context.load_cert_chain(CERTFILE)
+         server_context.verify_mode = ssl.CERT_REQUIRED
+         server_context.minimum_version = ssl.TLSVersion.TLSv1_3
+         client_context.minimum_version = ssl.TLSVersion.TLSv1_3
+diff --git a/Lib/test/wrongcert.pem b/Lib/test/wrongcert.pem
+deleted file mode 100644
+index 5f92f9b..0000000
+--- a/Lib/test/wrongcert.pem
++++ /dev/null
+@@ -1,32 +0,0 @@
+------BEGIN RSA PRIVATE KEY-----
+-MIICXAIBAAKBgQC89ZNxjTgWgq7Z1g0tJ65w+k7lNAj5IgjLb155UkUrz0XsHDnH
+-FlbsVUg2Xtk6+bo2UEYIzN7cIm5ImpmyW/2z0J1IDVDlvR2xJ659xrE0v5c2cB6T
+-f9lnNTwpSoeK24Nd7Jwq4j9vk95fLrdqsBq0/KVlsCXeixS/CaqqduXfvwIDAQAB
+-AoGAQFko4uyCgzfxr4Ezb4Mp5pN3Npqny5+Jey3r8EjSAX9Ogn+CNYgoBcdtFgbq
+-1yif/0sK7ohGBJU9FUCAwrqNBI9ZHB6rcy7dx+gULOmRBGckln1o5S1+smVdmOsW
+-7zUVLBVByKuNWqTYFlzfVd6s4iiXtAE2iHn3GCyYdlICwrECQQDhMQVxHd3EFbzg
+-SFmJBTARlZ2GKA3c1g/h9/XbkEPQ9/RwI3vnjJ2RaSnjlfoLl8TOcf0uOGbOEyFe
+-19RvCLXjAkEA1s+UE5ziF+YVkW3WolDCQ2kQ5WG9+ccfNebfh6b67B7Ln5iG0Sbg
+-ky9cjsO3jbMJQtlzAQnH1850oRD5Gi51dQJAIbHCDLDZU9Ok1TI+I2BhVuA6F666
+-lEZ7TeZaJSYq34OaUYUdrwG9OdqwZ9sy9LUav4ESzu2lhEQchCJrKMn23QJAReqs
+-ZLHUeTjfXkVk7dHhWPWSlUZ6AhmIlA/AQ7Payg2/8wM/JkZEJEPvGVykms9iPUrv
+-frADRr+hAGe43IewnQJBAJWKZllPgKuEBPwoEldHNS8nRu61D7HzxEzQ2xnfj+Nk
+-2fgf1MAzzTRsikfGENhVsVWeqOcijWb6g5gsyCmlRpc=
+------END RSA PRIVATE KEY-----
+------BEGIN CERTIFICATE-----
+-MIICsDCCAhmgAwIBAgIJAOqYOYFJfEEoMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
+-BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+-aWRnaXRzIFB0eSBMdGQwHhcNMDgwNjI2MTgxNTUyWhcNMDkwNjI2MTgxNTUyWjBF
+-MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
+-ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
+-gQC89ZNxjTgWgq7Z1g0tJ65w+k7lNAj5IgjLb155UkUrz0XsHDnHFlbsVUg2Xtk6
+-+bo2UEYIzN7cIm5ImpmyW/2z0J1IDVDlvR2xJ659xrE0v5c2cB6Tf9lnNTwpSoeK
+-24Nd7Jwq4j9vk95fLrdqsBq0/KVlsCXeixS/CaqqduXfvwIDAQABo4GnMIGkMB0G
+-A1UdDgQWBBTctMtI3EO9OjLI0x9Zo2ifkwIiNjB1BgNVHSMEbjBsgBTctMtI3EO9
+-OjLI0x9Zo2ifkwIiNqFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUt
+-U3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAOqYOYFJ
+-fEEoMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAQwa7jya/DfhaDn7E
+-usPkpgIX8WCL2B1SqnRTXEZfBPPVq/cUmFGyEVRVATySRuMwi8PXbVcOhXXuocA+
+-43W+iIsD9pXapCZhhOerCq18TC1dWK98vLUsoK8PMjB6e5H/O8bqojv0EeC+fyCw
+-eSHj5jpC8iZKjCHBn+mAi4cQ514=
+------END CERTIFICATE-----
+diff --git a/Lib/test/test_poplib.py b/Lib/test/test_poplib.py
+index 20d4eeac12..a0c683bbcf 100644
+--- a/Lib/test/test_poplib.py
++++ b/Lib/test/test_poplib.py
+@@ -178,7 +178,8 @@ class DummyPOP3Handler(asynchat.async_chat):
+                     return self.handle_close()
+                 # TODO: SSLError does not expose alert information
+                 elif ("SSLV3_ALERT_BAD_CERTIFICATE" in err.args[1] or
+-                      "SSLV3_ALERT_CERTIFICATE_UNKNOWN" in err.args[1]):
++                      "SSLV3_ALERT_CERTIFICATE_UNKNOWN" in err.args[1] or
++                      "bad record type" in err.args[1]):
+                     return self.handle_close()
+                 raise
+             except OSError as err:
diff --git a/python3.spec b/python3.spec
index 9caf494..91d0f34 100644
--- a/python3.spec
+++ b/python3.spec
@@ -14,7 +14,7 @@ URL: https://www.python.org/
 #  WARNING  When rebasing to a new Python version,
 #           remember to update the python3-docs package as well
 Version: %{pybasever}.0
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: Python
 
 
@@ -311,6 +311,15 @@ Patch291: 00291-setup-Link-ctypes-against-dl-explicitly.patch
 # and: https://bugs.python.org/issue34008
 Patch307: 00307-allow-to-call-Py_Main-after-Py_Initialize.patch
 
+# 00308 #
+# TLS 1.3 related fixes from upstream:
+# https://github.com/python/cpython/pull/8762
+# https://github.com/python/cpython/pull/8787
+# And a workaround before openssl is 1.1.1-pre9:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1609291#c12
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1609291
+Patch308: 00308-tls-1.3.patch
+
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -633,6 +642,7 @@ rm Lib/ensurepip/_bundled/*.whl
 %patch274 -p1
 %patch291 -p1
 %patch307 -p1
+%patch308 -p1
 
 
 # Remove files that should be generated by the build
@@ -1009,6 +1019,12 @@ CheckPython() {
   ConfName=$1
   ConfDir=$(pwd)/build/$ConfName
 
+  # Fedora sets TLSv1 as explicit minimum version.
+  # Python's test suite assumes that the minimum protocol version is set to
+  # a magic marker. We workaround the test problem by setting:
+  export OPENSSL_CONF=/non-existing-file
+  # https://bugzilla.redhat.com/show_bug.cgi?id=1618753
+
   echo STARTING: CHECKING OF PYTHON FOR CONFIGURATION: $ConfName
 
   # Note that we're running the tests using the version of the code in the
@@ -1512,6 +1528,10 @@ CheckPython optimized
 # ======================================================
 
 %changelog
+* Fri Aug 17 2018 Miro Hrončok <mhroncok@redhat.com> - 3.7.0-7
+- Backport TLS 1.3 related fixes to fix FTBFS
+Resolves: rhbz#1609291
+
 * Wed Aug 15 2018 Miro Hrončok <mhroncok@redhat.com> - 3.7.0-6
 - Use RPM built wheels of pip and setuptools in ensurepip instead of our rewheel patch