From 0424a4f70ec7ba21682b825e67ac5bca85813558 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Dec 09 2016 15:07:57 +0000 Subject: Rebased patches 102, 111, 170 in order to apply cleanly for the new sources. Dropped patches 209, 242, 247 as they are already upstream. Dropped patches 143 and 146 for now. --- diff --git a/00102-lib64.patch b/00102-lib64.patch index 35a442e..8e9ae4e 100644 --- a/00102-lib64.patch +++ b/00102-lib64.patch @@ -1,5 +1,5 @@ diff --git a/Lib/distutils/command/install.py b/Lib/distutils/command/install.py -index 67db007..b16fe0f 100644 +index 9474e9c..c0ce4c6 100644 --- a/Lib/distutils/command/install.py +++ b/Lib/distutils/command/install.py @@ -30,14 +30,14 @@ WINDOWS_SCHEME = { @@ -20,7 +20,7 @@ index 67db007..b16fe0f 100644 'scripts': '$base/bin', 'data' : '$base', diff --git a/Lib/distutils/sysconfig.py b/Lib/distutils/sysconfig.py -index e5c493d..a4846eb 100644 +index 026cca7..6d3e077 100644 --- a/Lib/distutils/sysconfig.py +++ b/Lib/distutils/sysconfig.py @@ -132,8 +132,12 @@ def get_python_lib(plat_specific=0, standard_lib=0, prefix=None): @@ -38,7 +38,7 @@ index e5c493d..a4846eb 100644 return libpython else: diff --git a/Lib/site.py b/Lib/site.py -index 3f78ef5..ad1033e 100644 +index a84e3bb..ba0d3ea 100644 --- a/Lib/site.py +++ b/Lib/site.py @@ -303,11 +303,15 @@ def getsitepackages(prefixes=None): @@ -49,7 +49,7 @@ index 3f78ef5..ad1033e 100644 + "python" + sys.version[:3], + "site-packages")) sitepackages.append(os.path.join(prefix, "lib", - "python" + sys.version[:3], + "python%d.%d" % sys.version_info[:2], "site-packages")) else: sitepackages.append(prefix) @@ -58,7 +58,7 @@ index 3f78ef5..ad1033e 100644 if sys.platform == "darwin": # for framework builds *only* we add the standard Apple diff --git a/Lib/sysconfig.py b/Lib/sysconfig.py -index 61451b2..b021cce 100644 +index b9bbfe5..2a5f29c 100644 --- a/Lib/sysconfig.py +++ b/Lib/sysconfig.py @@ -20,10 +20,10 @@ __all__ = [ 
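Review bot: In the Lib/site.py hunk `@@ -49,7 +49,7 @@` of 00102-lib64.patch, the downstream-added lib64 entry still spells the directory as `"python" + sys.version[:3],` while the upstream `lib` line directly below it is rebased in this commit to `"python%d.%d" % sys.version_info[:2],`. The two forms agree only while the minor version has a single digit (`sys.version[:3]` is `'3.1'` for 3.10), so the lib64 site-packages path would silently diverge from the lib one once the package moves past 3.9. Suggest changing the inner `+` line to `"python%d.%d" % sys.version_info[:2],` so both branches use the same expression, as the test_site.py hunk further down in this same file already does for its lib64 `wanted` path. Leading whitespace is lost in this rendering, so the replacement line must keep the patch's original indentation.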
@@ -90,7 +90,7 @@ index 61451b2..b021cce 100644 'scripts': '{userbase}/bin', 'data': '{userbase}', diff --git a/Lib/test/test_site.py b/Lib/test/test_site.py -index da20a3d..f38ce06 100644 +index f698927..bc977b5 100644 --- a/Lib/test/test_site.py +++ b/Lib/test/test_site.py @@ -248,8 +248,8 @@ class HelperFunctionsTests(unittest.TestCase): @@ -98,17 +98,17 @@ index da20a3d..f38ce06 100644 elif os.sep == '/': # OS X non-framwework builds, Linux, FreeBSD, etc - self.assertEqual(len(dirs), 1) -- wanted = os.path.join('xoxo', 'lib', 'python' + sys.version[:3], +- wanted = os.path.join('xoxo', 'lib', + self.assertEqual(len(dirs), 2) -+ wanted = os.path.join('xoxo', 'lib64', 'python' + sys.version[:3], ++ wanted = os.path.join('xoxo', 'lib64', + 'python%d.%d' % sys.version_info[:2], 'site-packages') self.assertEqual(dirs[0], wanted) - else: diff --git a/Makefile.pre.in b/Makefile.pre.in -index 58d4258..e8364f0 100644 +index 8fa7934..a693917 100644 --- a/Makefile.pre.in +++ b/Makefile.pre.in -@@ -125,7 +125,7 @@ LIBDIR= @libdir@ +@@ -126,7 +126,7 @@ LIBDIR= @libdir@ MANDIR= @mandir@ INCLUDEDIR= @includedir@ CONFINCLUDEDIR= $(exec_prefix)/include @@ -118,7 +118,7 @@ index 58d4258..e8364f0 100644 # Detailed destination directories diff --git a/Modules/getpath.c b/Modules/getpath.c -index 18deb60..27ca814 100644 +index 65b47a3..eaa756c 100644 --- a/Modules/getpath.c +++ b/Modules/getpath.c @@ -494,7 +494,7 @@ calculate_path(void) @@ -149,7 +149,7 @@ index 18deb60..27ca814 100644 /* If we found EXEC_PREFIX do *not* reduce it! (Yet.) */ diff --git a/setup.py b/setup.py -index be33c46..f2779cc 100644 +index 0f2dfc4..da37896 100644 --- a/setup.py +++ b/setup.py @@ -492,7 +492,7 @@ class PyBuildExt(build_ext): diff --git a/00111-no-static-lib.patch b/00111-no-static-lib.patch index 006bb90..6929fda 100644 --- a/00111-no-static-lib.patch +++ b/00111-no-static-lib.patch 
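Review bot: In the Lib/test/test_site.py hunk `@@ -98,17 +98,17 @@` of 00102-lib64.patch, the rebased test asserts `self.assertEqual(len(dirs), 2)` but only compares `dirs[0]` against the lib64 path; the second entry, which the site.py part of this patch appends for `lib`, is never verified, so a regression in that branch would pass unnoticed. Suggest following the existing assertion with `wanted = os.path.join('xoxo', 'lib', 'python%d.%d' % sys.version_info[:2], 'site-packages')` and `self.assertEqual(dirs[1], wanted)`, assuming the same prefix the first check uses. This gap is carried over from the previous version of the patch rather than introduced here, and the enclosing test method starts outside the hunk.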
@@ -1,19 +1,20 @@ -diff -up cpython-59223da36dec/Makefile.pre.in.no-static-lib cpython-59223da36dec/Makefile.pre.in ---- cpython-59223da36dec/Makefile.pre.in.no-static-lib 2012-08-07 16:43:43.296466422 -0400 -+++ cpython-59223da36dec/Makefile.pre.in 2012-08-07 16:44:13.299464371 -0400 -@@ -550,7 +550,7 @@ clinic: $(BUILDPYTHON) +diff --git a/Makefile.pre.in b/Makefile.pre.in +index 70e5927..04c8e3d 100644 +--- a/Makefile.pre.in ++++ b/Makefile.pre.in +@@ -556,7 +556,7 @@ clinic: $(BUILDPYTHON) $(srcdir)/Modules/_blake2/blake2s_impl.c $(RUNSHARED) $(PYTHON_FOR_BUILD) ./Tools/clinic/clinic.py --make # Build the interpreter -$(BUILDPYTHON): Programs/python.o $(LIBRARY) $(LDLIBRARY) $(PY3LIBRARY) -+$(BUILDPYTHON): Programs/python.o $(LDLIBRARY) $(PY3LIBRARY) ++$(BUILDPYTHON): Programs/python.o $(LDLIBRARY) $(PY3LIBRARY) $(LINKCC) $(PY_LDFLAGS) $(LINKFORSHARED) -o $@ Programs/python.o $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) $(LDLAST) platform: $(BUILDPYTHON) pybuilddir.txt -@@ -480,18 +480,6 @@ sharedmods: $(BUILDPYTHON) $(SYSCONFIGDA - _TCLTK_INCLUDES='$(TCLTK_INCLUDES)' _TCLTK_LIBS='$(TCLTK_LIBS)' \ +@@ -601,18 +601,6 @@ sharedmods: $(BUILDPYTHON) pybuilddir.txt Modules/_math.o $(PYTHON_FOR_BUILD) $(srcdir)/setup.py $$quiet build + -# Build static library -# avoid long command lines, same as LIBRARY_OBJS -$(LIBRARY): $(LIBRARY_OBJS) 
@@ -22,14 +23,14 @@ diff -up cpython-59223da36dec/Makefile.pre.in.no-static-lib cpython-59223da36dec - $(AR) $(ARFLAGS) $@ $(PARSER_OBJS) - $(AR) $(ARFLAGS) $@ $(OBJECT_OBJS) - $(AR) $(ARFLAGS) $@ $(PYTHON_OBJS) Python/frozen.o -- $(AR) $(ARFLAGS) $@ $(MODULE_OBJS) $(SIGNAL_OBJS) +- $(AR) $(ARFLAGS) $@ $(MODULE_OBJS) - $(AR) $(ARFLAGS) $@ $(MODOBJS) - $(RANLIB) $@ - libpython$(LDVERSION).so: $(LIBRARY_OBJS) if test $(INSTSONAME) != $(LDLIBRARY); then \ $(BLDSHARED) -Wl,-h$(INSTSONAME) -o $(INSTSONAME) $(LIBRARY_OBJS) $(MODLIBS) $(SHLIBS) $(LIBC) $(LIBM) $(LDLAST); \ -@@ -674,7 +674,7 @@ Modules/Setup: $(srcdir)/Modules/Setup.d +@@ -702,7 +690,7 @@ Modules/Setup: $(srcdir)/Modules/Setup.dist echo "-----------------------------------------------"; \ fi @@ -38,7 +39,7 @@ diff -up cpython-59223da36dec/Makefile.pre.in.no-static-lib cpython-59223da36dec $(LINKCC) $(PY_LDFLAGS) $(LINKFORSHARED) -o $@ Programs/_testembed.o $(BLDLIBRARY) $(LIBS) $(MODLIBS) $(SYSLIBS) $(LDLAST) ############################################################################ -@@ -1354,18 +1354,6 @@ libainstall: all python-config +@@ -1382,18 +1370,6 @@ libainstall: all python-config else true; \ fi; \ done diff --git a/00170-gc-assertions.patch b/00170-gc-assertions.patch index 9e34c21..f491733 100644 --- a/00170-gc-assertions.patch +++ b/00170-gc-assertions.patch @@ -1,8 +1,8 @@ -Index: Include/object.h -=================================================================== ---- Include/object.h (revision 87911) -+++ Include/object.h (working copy) -@@ -914,6 +914,49 @@ +diff --git a/Include/object.h b/Include/object.h +index 0c88603..e3413e8 100644 +--- a/Include/object.h ++++ b/Include/object.h +@@ -1059,6 +1059,49 @@ PyAPI_FUNC(void) _PyObject_DebugTypeStats(FILE *out); #endif /* ifndef Py_LIMITED_API */ 
@@ -52,63 +52,38 @@ Index: Include/object.h #ifdef __cplusplus } #endif -Index: Objects/object.c -=================================================================== ---- Objects/object.c (revision 87911) -+++ Objects/object.c (working copy) -@@ -1899,6 +1899,35 @@ - } - } - -+PyAPI_FUNC(void) -+_PyObject_AssertFailed(PyObject *obj, const char *msg, const char *expr, -+ const char *file, int line, const char *function) -+{ -+ fprintf(stderr, -+ "%s:%d: %s: Assertion \"%s\" failed.\n", -+ file, line, function, expr); -+ if (msg) { -+ fprintf(stderr, "%s\n", msg); -+ } -+ -+ fflush(stderr); -+ -+ if (obj) { -+ /* This might succeed or fail, but we're about to abort, so at least -+ try to provide any extra info we can: */ -+ _PyObject_Dump(obj); -+ } -+ else { -+ fprintf(stderr, "NULL object\n"); -+ } -+ -+ fflush(stdout); -+ fflush(stderr); -+ -+ /* Terminate the process: */ -+ abort(); -+} -+ - #ifndef Py_TRACE_REFS - /* For Py_LIMITED_API, we need an out-of-line version of _Py_Dealloc. - Define this here, so we can undefine the macro. */ -Index: Lib/test/test_gc.py -=================================================================== ---- Lib/test/test_gc.py (revision 87911) -+++ Lib/test/test_gc.py (working copy) -@@ -1,7 +1,7 @@ +diff --git a/Lib/test/test_gc.py b/Lib/test/test_gc.py +index e727499..6efcafb 100644 +--- a/Lib/test/test_gc.py ++++ b/Lib/test/test_gc.py +@@ -1,10 +1,11 @@ import unittest from test.support import (verbose, refcount_test, run_unittest, - strip_python_stderr, cpython_only, start_threads, -- temp_dir) -+ temp_dir, import_module) + strip_python_stderr, cpython_only, start_threads, +- temp_dir, requires_type_collecting) ++ temp_dir, import_module, requires_type_collecting) from test.support.script_helper import assert_python_ok, make_script import sys -@@ -512,6 +512,48 @@ ++import sysconfig + import time + import gc + import weakref +@@ -50,6 +51,8 @@ class GC_Detector(object): + # gc collects it. 
+ self.wr = weakref.ref(C1055820(666), it_happened) + ++BUILD_WITH_NDEBUG = ('-DNDEBUG' in sysconfig.get_config_vars()['PY_CFLAGS']) ++ + @with_tp_del + class Uncollectable(object): + """Create a reference cycle with multiple __del__ methods. +@@ -862,6 +865,50 @@ class GCCallbackTests(unittest.TestCase): self.assertEqual(len(gc.garbage), 0) ++ @unittest.skipIf(BUILD_WITH_NDEBUG, ++ 'built with -NDEBUG') + def test_refcount_errors(self): + self.preclean() + # Verify the "handling" of objects with broken refcounts @@ -154,9 +129,10 @@ Index: Lib/test/test_gc.py class GCTogglingTests(unittest.TestCase): def setUp(self): gc.enable() -diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c ---- Modules/gcmodule.c.orig2 2014-12-08 10:54:14.251742911 +0100 -+++ Modules/gcmodule.c 2014-12-08 10:52:45.674771917 +0100 +diff --git a/Modules/gcmodule.c b/Modules/gcmodule.c +index 0c6f444..87edd5a 100644 +--- a/Modules/gcmodule.c ++++ b/Modules/gcmodule.c @@ -341,7 +341,8 @@ update_refs(PyGC_Head *containers) { PyGC_Head *gc = containers->gc.gc_next; @@ -188,7 +164,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c if (_PyGCHead_REFS(gc) > 0) _PyGCHead_DECREF(gc); } -@@ -436,9 +440,10 @@ visit_reachable(PyObject *op, PyGC_Head +@@ -436,9 +440,10 @@ visit_reachable(PyObject *op, PyGC_Head *reachable) * If gc_refs == GC_UNTRACKED, it must be ignored. */ else { @@ -202,7 +178,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c } } return 0; -@@ -480,7 +485,7 @@ move_unreachable(PyGC_Head *young, PyGC_ +@@ -480,7 +485,7 @@ move_unreachable(PyGC_Head *young, PyGC_Head *unreachable) */ PyObject *op = FROM_GC(gc); traverseproc traverse = Py_TYPE(op)->tp_traverse; 
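Review bot: In the Lib/test/test_gc.py part of 00170-gc-assertions.patch, the skip reason on the new `@unittest.skipIf(BUILD_WITH_NDEBUG, 'built with -NDEBUG')` decorator misspells the flag it gates on; the module-level check above it looks for `-DNDEBUG`, so the reason should read `'built with -DNDEBUG'`. That module-level line also indexes `sysconfig.get_config_vars()['PY_CFLAGS']` directly, which raises KeyError at import time and takes the whole test module down if the config var is ever absent; `BUILD_WITH_NDEBUG = ('-DNDEBUG' in sysconfig.get_config_vars().get('PY_CFLAGS', '').split())` degrades to "not skipped" instead and no longer matches a longer `-DNDEBUG…` token by substring. The gate is presumably there because the refcount assertions the test expects are compiled out under NDEBUG; the Include/object.h side of the patch is not visible in this chunk, so that is inferred. Both lines were carried over from the previous version of the patch rather than introduced here.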
@@ -211,7 +187,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c _PyGCHead_SET_REFS(gc, GC_REACHABLE); (void) traverse(op, (visitproc)visit_reachable, -@@ -543,7 +548,7 @@ move_legacy_finalizers(PyGC_Head *unreac +@@ -543,7 +548,7 @@ move_legacy_finalizers(PyGC_Head *unreachable, PyGC_Head *finalizers) for (gc = unreachable->gc.gc_next; gc != unreachable; gc = next) { PyObject *op = FROM_GC(gc); @@ -220,7 +196,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c next = gc->gc.gc_next; if (has_legacy_finalizer(op)) { -@@ -619,7 +624,7 @@ handle_weakrefs(PyGC_Head *unreachable, +@@ -619,7 +624,7 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) PyWeakReference **wrlist; op = FROM_GC(gc); @@ -229,7 +205,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c next = gc->gc.gc_next; if (! PyType_SUPPORTS_WEAKREFS(Py_TYPE(op))) -@@ -640,9 +645,9 @@ handle_weakrefs(PyGC_Head *unreachable, +@@ -640,9 +645,9 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) * the callback pointer intact. Obscure: it also * changes *wrlist. */ @@ -241,7 +217,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c if (wr->wr_callback == NULL) continue; /* no callback */ -@@ -676,7 +681,7 @@ handle_weakrefs(PyGC_Head *unreachable, +@@ -676,7 +681,7 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) */ if (IS_TENTATIVELY_UNREACHABLE(wr)) continue; @@ -250,7 +226,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c /* Create a new reference so that wr can't go away * before we can process it again. -@@ -685,7 +690,8 @@ handle_weakrefs(PyGC_Head *unreachable, +@@ -685,7 +690,8 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) /* Move wr to wrcb_to_call, for the next pass. */ wrasgc = AS_GC(wr); 
@@ -260,7 +236,7 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c next isn't, so they can't be the same */ gc_list_move(wrasgc, &wrcb_to_call); -@@ -701,11 +707,11 @@ handle_weakrefs(PyGC_Head *unreachable, +@@ -701,11 +707,11 @@ handle_weakrefs(PyGC_Head *unreachable, PyGC_Head *old) gc = wrcb_to_call.gc.gc_next; op = FROM_GC(gc); 
@@ -292,35 +268,43 @@ diff -up Modules/gcmodule.c.orig2 Modules/gcmodule.c if (_PyGCHead_REFS(gc) != 0) return -1; } -diff -up Lib/test/test_gc.py.old Lib/test/test_gc.py ---- Lib/test/test_gc.py.old 2014-12-10 11:19:33.503982288 +0100 -+++ Lib/test/test_gc.py 2014-12-10 11:21:13.220021364 +0100 -@@ -49,6 +49,8 @@ class GC_Detector(object): - # gc collects it. - self.wr = weakref.ref(C1055820(666), it_happened) +diff --git a/Objects/object.c b/Objects/object.c +index 559794f..a47d47f 100644 +--- a/Objects/object.c ++++ b/Objects/object.c +@@ -2022,6 +2022,35 @@ _PyTrash_thread_destroy_chain(void) + } + } -+BUILD_WITH_NDEBUG = ('-DNDEBUG' in sysconfig.get_config_vars()['PY_CFLAGS']) ++PyAPI_FUNC(void) ++_PyObject_AssertFailed(PyObject *obj, const char *msg, const char *expr, ++ const char *file, int line, const char *function) ++{ ++ fprintf(stderr, ++ "%s:%d: %s: Assertion \"%s\" failed.\n", ++ file, line, function, expr); ++ if (msg) { ++ fprintf(stderr, "%s\n", msg); ++ } + - @with_tp_del - class Uncollectable(object): - """Create a reference cycle with multiple __del__ methods. 
-@@ -854,6 +856,8 @@ class GCCallbackTests(unittest.TestCase) - self.assertEqual(len(gc.garbage), 0) - - -+ @unittest.skipIf(BUILD_WITH_NDEBUG, -+ 'built with -NDEBUG') - def test_refcount_errors(self): - self.preclean() - # Verify the "handling" of objects with broken refcounts -diff -up Lib/test/test_gc.py.old Lib/test/test_gc.py ---- Lib/test/test_gc.py.old 2014-12-10 12:50:58.252121318 +0100 -+++ Lib/test/test_gc.py 2014-12-10 12:51:08.594266653 +0100 -@@ -4,6 +4,7 @@ from test.support import (verbose, refco - from test.support.script_helper import assert_python_ok, make_script - - import sys -+import sysconfig - import time - import gc - import weakref ++ fflush(stderr); ++ ++ if (obj) { ++ /* This might succeed or fail, but we're about to abort, so at least ++ try to provide any extra info we can: */ ++ _PyObject_Dump(obj); ++ } ++ else { ++ fprintf(stderr, "NULL object\n"); ++ } ++ ++ fflush(stdout); ++ fflush(stderr); ++ ++ /* Terminate the process: */ ++ abort(); ++} ++ + #ifndef Py_TRACE_REFS + /* For Py_LIMITED_API, we need an out-of-line version of _Py_Dealloc. + Define this here, so we can undefine the macro. */ diff --git a/00209-fix-test-pyexpat-failure.patch b/00209-fix-test-pyexpat-failure.patch deleted file mode 100644 index 7b40280..0000000 --- a/00209-fix-test-pyexpat-failure.patch +++ /dev/null 
@@ -1,17 +0,0 @@ -diff -r 682a8e36dd18 Lib/test/test_pyexpat.py ---- a/Lib/test/test_pyexpat.py Tue Jul 05 17:08:52 2016 +0300 -+++ b/Lib/test/test_pyexpat.py Thu Jul 07 17:04:35 2016 +0800 -@@ -656,11 +656,9 @@ - # \xc2\x85 is UTF-8 encoded U+0085 (NEXT LINE) - xml = b"\r\n" - parser = expat.ParserCreate() -- try: -+ err_pattern = r'XML declaration not well-formed: line 1, column \d+' -+ with self.assertRaisesRegex(expat.ExpatError, err_pattern): - parser.Parse(xml, True) -- self.fail() -- except expat.ExpatError as e: -- self.assertEqual(str(e), 'XML declaration not well-formed: line 1, column 14') - - class ErrorMessageTest(unittest.TestCase): - def test_codes(self): diff --git a/00242-CVE-2016-1000110-httpoxy.patch b/00242-CVE-2016-1000110-httpoxy.patch deleted file mode 100644 index 244ebec..0000000 --- a/00242-CVE-2016-1000110-httpoxy.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -diff --git a/Doc/howto/urllib2.rst b/Doc/howto/urllib2.rst -index 24a4156..d2c7991 100644 ---- a/Doc/howto/urllib2.rst -+++ b/Doc/howto/urllib2.rst -@@ -538,6 +538,11 @@ setting up a `Basic Authentication`_ handler: :: - through a proxy. However, this can be enabled by extending urllib.request as - shown in the recipe [#]_. - -+.. note:: -+ -+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; see -+ the documentation on :func:`~urllib.request.getproxies`. -+ - - Sockets and Layers - ================== -diff --git a/Doc/library/urllib.request.rst b/Doc/library/urllib.request.rst -index 6c1bfb8..1291aeb 100644 ---- a/Doc/library/urllib.request.rst -+++ b/Doc/library/urllib.request.rst -@@ -173,6 +173,16 @@ The :mod:`urllib.request` module defines the following functions: - If both lowercase and uppercase environment variables exist (and disagree), - lowercase is preferred. - -+ .. note:: -+ -+ If the environment variable ``REQUEST_METHOD`` is set, which usually -+ indicates your script is running in a CGI environment, the environment -+ variable ``HTTP_PROXY`` (uppercase ``_PROXY``) will be ignored. This is -+ because that variable can be injected by a client using the "Proxy:" HTTP -+ header. If you need to use an HTTP proxy in a CGI environment, either use -+ ``ProxyHandler`` explicitly, or make sure the variable name is in -+ lowercase (or at least the ``_proxy`` suffix). -+ - - The following classes are provided: - -@@ -280,6 +290,11 @@ The following classes are provided: - list of hostname suffixes, optionally with ``:port`` appended, for example - ``cern.ch,ncsa.uiuc.edu,some.host:8080``. - -+ .. note:: -+ -+ ``HTTP_PROXY`` will be ignored if a variable ``REQUEST_METHOD`` is set; -+ see the documentation on :func:`~urllib.request.getproxies`. -+ - - .. 
class:: HTTPPasswordMgr() - -diff --git a/Lib/test/test_urllib.py b/Lib/test/test_urllib.py -index 5d05f8d..c26c52a 100644 ---- a/Lib/test/test_urllib.py -+++ b/Lib/test/test_urllib.py -@@ -232,6 +232,18 @@ class ProxyTests(unittest.TestCase): - self.assertTrue(urllib.request.proxy_bypass_environment('anotherdomain.com:8888')) - self.assertTrue(urllib.request.proxy_bypass_environment('newdomain.com:1234')) - -+ def test_proxy_cgi_ignore(self): -+ try: -+ self.env.set('HTTP_PROXY', 'http://somewhere:3128') -+ proxies = urllib.request.getproxies_environment() -+ self.assertEqual('http://somewhere:3128', proxies['http']) -+ self.env.set('REQUEST_METHOD', 'GET') -+ proxies = urllib.request.getproxies_environment() -+ self.assertNotIn('http', proxies) -+ finally: -+ self.env.unset('REQUEST_METHOD') -+ self.env.unset('HTTP_PROXY') -+ - def test_proxy_bypass_environment_host_match(self): - bypass = urllib.request.proxy_bypass_environment - self.env.set('NO_PROXY', -diff --git a/Lib/urllib/request.py b/Lib/urllib/request.py -index 1731fe3..3be327d 100644 ---- a/Lib/urllib/request.py -+++ b/Lib/urllib/request.py -@@ -2412,6 +2412,12 @@ def getproxies_environment(): - name = name.lower() - if value and name[-6:] == '_proxy': - proxies[name[:-6]] = value -+ # CVE-2016-1000110 - If we are running as CGI script, forget HTTP_PROXY -+ # (non-all-lowercase) as it may be set from the web server by a "Proxy:" -+ # header from the client -+ # If "proxy" is lowercase, it will still be used thanks to the next block -+ if 'REQUEST_METHOD' in os.environ: -+ proxies.pop('http', None) - for name, value in os.environ.items(): - if name[-6:] == '_proxy': - name = name.lower() diff --git a/00247-port-ssl-and-hashlib-to-OpenSSL-1.1.0.patch b/00247-port-ssl-and-hashlib-to-OpenSSL-1.1.0.patch deleted file mode 100644 index 5760d67..0000000 --- a/00247-port-ssl-and-hashlib-to-OpenSSL-1.1.0.patch +++ /dev/null 
@@ -1,1314 +0,0 @@ - -# HG changeset patch -# User Christian Heimes -# Date 1473110345 -7200 -# Node ID 5c75b315152b714f7c84258ea511b461e2c06154 -# Parent 82467d0dbaea31a7971d1429ca5f4a251a995f33 -Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0. - -diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst ---- a/Doc/library/ssl.rst -+++ b/Doc/library/ssl.rst -@@ -178,7 +178,7 @@ instead. - use. Typically, the server chooses a particular protocol version, and the - client must adapt to the server's choice. Most of the versions are not - interoperable with the other versions. If not specified, the default is -- :data:`PROTOCOL_SSLv23`; it provides the most compatibility with other -+ :data:`PROTOCOL_TLS`; it provides the most compatibility with other - versions. - - Here's a table showing which versions in a client (down the side) can connect -@@ -187,11 +187,11 @@ instead. - .. table:: - - ======================== ========= ========= ========== ========= =========== =========== -- *client* / **server** **SSLv2** **SSLv3** **SSLv23** **TLSv1** **TLSv1.1** **TLSv1.2** -+ *client* / **server** **SSLv2** **SSLv3** **TLS** **TLSv1** **TLSv1.1** **TLSv1.2** - ------------------------ --------- --------- ---------- --------- ----------- ----------- - *SSLv2* yes no yes no no no - *SSLv3* no yes yes no no no -- *SSLv23* no yes yes yes yes yes -+ *TLS* (*SSLv23*) no yes yes yes yes yes - *TLSv1* no no yes yes no no - *TLSv1.1* no no yes no yes no - *TLSv1.2* no no yes no no yes -@@ -244,7 +244,7 @@ purposes. - :const:`None`, this function can choose to trust the system's default - CA certificates instead. - -- The settings are: :data:`PROTOCOL_SSLv23`, :data:`OP_NO_SSLv2`, and -+ The settings are: :data:`PROTOCOL_TLS`, :data:`OP_NO_SSLv2`, and - :data:`OP_NO_SSLv3` with high encryption cipher suites without RC4 and - without unauthenticated cipher suites. 
Passing :data:`~Purpose.SERVER_AUTH` - as *purpose* sets :data:`~SSLContext.verify_mode` to :data:`CERT_REQUIRED` -@@ -316,6 +316,11 @@ Random generation - - .. versionadded:: 3.3 - -+ .. deprecated:: 3.5.3 -+ -+ OpenSSL has deprecated :func:`ssl.RAND_pseudo_bytes`, use -+ :func:`ssl.RAND_bytes` instead. -+ - .. function:: RAND_status() - - Return ``True`` if the SSL pseudo-random number generator has been seeded -@@ -334,7 +339,7 @@ Random generation - See http://egd.sourceforge.net/ or http://prngd.sourceforge.net/ for sources - of entropy-gathering daemons. - -- Availability: not available with LibreSSL. -+ Availability: not available with LibreSSL and OpenSSL > 1.1.0 - - .. function:: RAND_add(bytes, entropy) - -@@ -409,7 +414,7 @@ Certificate handling - previously. Return an integer (no fractions of a second in the - input format) - --.. function:: get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None) -+.. function:: get_server_certificate(addr, ssl_version=PROTOCOL_TLS, ca_certs=None) - - Given the address ``addr`` of an SSL-protected server, as a (*hostname*, - *port-number*) pair, fetches the server's certificate, and returns it as a -@@ -425,7 +430,7 @@ Certificate handling - - .. versionchanged:: 3.5 - The default *ssl_version* is changed from :data:`PROTOCOL_SSLv3` to -- :data:`PROTOCOL_SSLv23` for maximum compatibility with modern servers. -+ :data:`PROTOCOL_TLS` for maximum compatibility with modern servers. - - .. function:: DER_cert_to_PEM_cert(DER_cert_bytes) - -@@ -451,6 +456,9 @@ Certificate handling - * :attr:`openssl_capath_env` - OpenSSL's environment key that points to a capath, - * :attr:`openssl_capath` - hard coded path to a capath directory - -+ Availability: LibreSSL ignores the environment vars -+ :attr:`openssl_cafile_env` and :attr:`openssl_capath_env` -+ - .. versionadded:: 3.4 - - .. function:: enum_certificates(store_name) -@@ -568,11 +576,21 @@ Constants - - .. versionadded:: 3.4.4 - --.. 
data:: PROTOCOL_SSLv23 -+.. data:: PROTOCOL_TLS - - Selects the highest protocol version that both the client and server support. - Despite the name, this option can select "TLS" protocols as well as "SSL". - -+ .. versionadded:: 3.5.3 -+ -+.. data:: PROTOCOL_SSLv23 -+ -+ Alias for data:`PROTOCOL_TLS`. -+ -+ .. deprecated:: 3.5.3 -+ -+ Use data:`PROTOCOL_TLS` instead. -+ - .. data:: PROTOCOL_SSLv2 - - Selects SSL version 2 as the channel encryption protocol. -@@ -584,6 +602,10 @@ Constants - - SSL version 2 is insecure. Its use is highly discouraged. - -+ .. deprecated:: 3.5.3 -+ -+ OpenSSL has removed support for SSLv2. -+ - .. data:: PROTOCOL_SSLv3 - - Selects SSL version 3 as the channel encryption protocol. -@@ -595,10 +617,20 @@ Constants - - SSL version 3 is insecure. Its use is highly discouraged. - -+ .. deprecated:: 3.5.3 -+ -+ OpenSSL has deprecated all version specific protocols. Use the default -+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. -+ - .. data:: PROTOCOL_TLSv1 - - Selects TLS version 1.0 as the channel encryption protocol. - -+ .. deprecated:: 3.5.3 -+ -+ OpenSSL has deprecated all version specific protocols. Use the default -+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. -+ - .. data:: PROTOCOL_TLSv1_1 - - Selects TLS version 1.1 as the channel encryption protocol. -@@ -606,6 +638,11 @@ Constants - - .. versionadded:: 3.4 - -+ .. deprecated:: 3.5.3 -+ -+ OpenSSL has deprecated all version specific protocols. Use the default -+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. -+ - .. data:: PROTOCOL_TLSv1_2 - - Selects TLS version 1.2 as the channel encryption protocol. This is the -@@ -614,6 +651,11 @@ Constants - - .. versionadded:: 3.4 - -+ .. deprecated:: 3.5.3 -+ -+ OpenSSL has deprecated all version specific protocols. Use the default -+ protocol data:`PROTOCOL_TLS` with flags like data:`OP_NO_SSLv3` instead. -+ - .. 
data:: OP_ALL - - Enables workarounds for various bugs present in other SSL implementations. -@@ -625,23 +667,32 @@ Constants - .. data:: OP_NO_SSLv2 - - Prevents an SSLv2 connection. This option is only applicable in -- conjunction with :const:`PROTOCOL_SSLv23`. It prevents the peers from -+ conjunction with :const:`PROTOCOL_TLS`. It prevents the peers from - choosing SSLv2 as the protocol version. - - .. versionadded:: 3.2 - -+ .. deprecated:: 3.5.3 -+ -+ SSLv2 is deprecated -+ -+ - .. data:: OP_NO_SSLv3 - - Prevents an SSLv3 connection. This option is only applicable in -- conjunction with :const:`PROTOCOL_SSLv23`. It prevents the peers from -+ conjunction with :const:`PROTOCOL_TLS`. It prevents the peers from - choosing SSLv3 as the protocol version. - - .. versionadded:: 3.2 - -+ .. deprecated:: 3.5.3 -+ -+ SSLv3 is deprecated -+ - .. data:: OP_NO_TLSv1 - - Prevents a TLSv1 connection. This option is only applicable in -- conjunction with :const:`PROTOCOL_SSLv23`. It prevents the peers from -+ conjunction with :const:`PROTOCOL_TLS`. It prevents the peers from - choosing TLSv1 as the protocol version. - - .. versionadded:: 3.2 -@@ -649,7 +700,7 @@ Constants - .. data:: OP_NO_TLSv1_1 - - Prevents a TLSv1.1 connection. This option is only applicable in conjunction -- with :const:`PROTOCOL_SSLv23`. It prevents the peers from choosing TLSv1.1 as -+ with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.1 as - the protocol version. Available only with openssl version 1.0.1+. - - .. versionadded:: 3.4 -@@ -657,7 +708,7 @@ Constants - .. data:: OP_NO_TLSv1_2 - - Prevents a TLSv1.2 connection. This option is only applicable in conjunction -- with :const:`PROTOCOL_SSLv23`. It prevents the peers from choosing TLSv1.2 as -+ with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.2 as - the protocol version. Available only with openssl version 1.0.1+. - - .. 
versionadded:: 3.4 -@@ -1081,17 +1132,21 @@ such as SSL configuration options, certi - It also manages a cache of SSL sessions for server-side sockets, in order - to speed up repeated connections from the same clients. - --.. class:: SSLContext(protocol) -- -- Create a new SSL context. You must pass *protocol* which must be one -+.. class:: SSLContext(protocol=PROTOCOL_TLS) -+ -+ Create a new SSL context. You may pass *protocol* which must be one - of the ``PROTOCOL_*`` constants defined in this module. -- :data:`PROTOCOL_SSLv23` is currently recommended for maximum -- interoperability. -+ :data:`PROTOCOL_TLS` is currently recommended for maximum -+ interoperability and default value. - - .. seealso:: - :func:`create_default_context` lets the :mod:`ssl` module choose - security settings for a given purpose. - -+ .. versionchanged:: 3.5.3 -+ -+ :data:`PROTOCOL_TLS` is the default value. -+ - - :class:`SSLContext` objects have the following methods and attributes: - -@@ -1232,6 +1287,9 @@ to speed up repeated connections from th - This method will raise :exc:`NotImplementedError` if :data:`HAS_ALPN` is - False. - -+ OpenSSL 1.1.0+ will abort the handshake and raise :exc:`SSLError` when -+ both sides support ALPN but cannot agree on a protocol. -+ - .. versionadded:: 3.5 - - .. method:: SSLContext.set_npn_protocols(protocols) -@@ -1598,7 +1656,7 @@ If you prefer to tune security settings - a context from scratch (but beware that you might not get the settings - right):: - -- >>> context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) -+ >>> context = ssl.SSLContext(ssl.PROTOCOL_TLS) - >>> context.verify_mode = ssl.CERT_REQUIRED - >>> context.check_hostname = True - >>> context.load_verify_locations("/etc/ssl/certs/ca-bundle.crt") -@@ -1999,15 +2057,17 @@ Protocol versions - - SSL versions 2 and 3 are considered insecure and are therefore dangerous to - use. 
If you want maximum compatibility between clients and servers, it is --recommended to use :const:`PROTOCOL_SSLv23` as the protocol version and then -+recommended to use :const:`PROTOCOL_TLS` as the protocol version and then - disable SSLv2 and SSLv3 explicitly using the :data:`SSLContext.options` - attribute:: - -- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) -+ context = ssl.SSLContext(ssl.PROTOCOL_TLS) - context.options |= ssl.OP_NO_SSLv2 - context.options |= ssl.OP_NO_SSLv3 -- --The SSL context created above will only allow TLSv1 and later (if -+ context.options |= ssl.OP_NO_TLSv1 -+ context.options |= ssl.OP_NO_TLSv1_1 -+ -+The SSL context created above will only allow TLSv1.2 and later (if - supported by your system) connections. - - Cipher selection -diff --git a/Lib/ssl.py b/Lib/ssl.py ---- a/Lib/ssl.py -+++ b/Lib/ssl.py -@@ -51,6 +51,7 @@ The following constants identify various - PROTOCOL_SSLv2 - PROTOCOL_SSLv3 - PROTOCOL_SSLv23 -+PROTOCOL_TLS - PROTOCOL_TLSv1 - PROTOCOL_TLSv1_1 - PROTOCOL_TLSv1_2 -@@ -128,9 +129,10 @@ from _ssl import _OPENSSL_API_VERSION - - _IntEnum._convert( - '_SSLMethod', __name__, -- lambda name: name.startswith('PROTOCOL_'), -+ lambda name: name.startswith('PROTOCOL_') and name != 'PROTOCOL_SSLv23', - source=_ssl) - -+PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_SSLv23 = _SSLMethod.PROTOCOL_TLS - _PROTOCOL_NAMES = {value: name for name, value in _SSLMethod.__members__.items()} - - try: -@@ -357,13 +359,13 @@ class SSLContext(_SSLContext): - __slots__ = ('protocol', '__weakref__') - _windows_cert_stores = ("CA", "ROOT") - -- def __new__(cls, protocol, *args, **kwargs): -+ def __new__(cls, protocol=PROTOCOL_TLS, *args, **kwargs): - self = _SSLContext.__new__(cls, protocol) - if protocol != _SSLv2_IF_EXISTS: - self.set_ciphers(_DEFAULT_CIPHERS) - return self - -- def __init__(self, protocol): -+ def __init__(self, protocol=PROTOCOL_TLS): - self.protocol = protocol - - def wrap_socket(self, sock, server_side=False, -@@ -438,7 +440,7 @@ def 
create_default_context(purpose=Purpo - if not isinstance(purpose, _ASN1Object): - raise TypeError(purpose) - -- context = SSLContext(PROTOCOL_SSLv23) -+ context = SSLContext(PROTOCOL_TLS) - - # SSLv2 considered harmful. - context.options |= OP_NO_SSLv2 -@@ -475,7 +477,7 @@ def create_default_context(purpose=Purpo - context.load_default_certs(purpose) - return context - --def _create_unverified_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None, -+def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=None, - check_hostname=False, purpose=Purpose.SERVER_AUTH, - certfile=None, keyfile=None, - cafile=None, capath=None, cadata=None): -@@ -666,7 +668,7 @@ class SSLSocket(socket): - - def __init__(self, sock=None, keyfile=None, certfile=None, - server_side=False, cert_reqs=CERT_NONE, -- ssl_version=PROTOCOL_SSLv23, ca_certs=None, -+ ssl_version=PROTOCOL_TLS, ca_certs=None, - do_handshake_on_connect=True, - family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None, - suppress_ragged_eofs=True, npn_protocols=None, ciphers=None, -@@ -1056,7 +1058,7 @@ class SSLSocket(socket): - - def wrap_socket(sock, keyfile=None, certfile=None, - server_side=False, cert_reqs=CERT_NONE, -- ssl_version=PROTOCOL_SSLv23, ca_certs=None, -+ ssl_version=PROTOCOL_TLS, ca_certs=None, - do_handshake_on_connect=True, - suppress_ragged_eofs=True, - ciphers=None): -@@ -1125,7 +1127,7 @@ def PEM_cert_to_DER_cert(pem_cert_string - d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)] - return base64.decodebytes(d.encode('ASCII', 'strict')) - --def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None): -+def get_server_certificate(addr, ssl_version=PROTOCOL_TLS, ca_certs=None): - """Retrieve the certificate from the server at the specified address, - and return it as a PEM-encoded string. - If 'ca_certs' is specified, validate the server cert against it. 
-diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py -@@ -23,6 +23,9 @@ ssl = support.import_module("ssl") - - PROTOCOLS = sorted(ssl._PROTOCOL_NAMES) - HOST = support.HOST -+IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL') -+IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0) -+ - - def data_file(*name): - return os.path.join(os.path.dirname(__file__), *name) -@@ -143,8 +146,8 @@ class BasicSocketTests(unittest.TestCase - def test_str_for_enums(self): - # Make sure that the PROTOCOL_* constants have enum-like string - # reprs. -- proto = ssl.PROTOCOL_SSLv23 -- self.assertEqual(str(proto), '_SSLMethod.PROTOCOL_SSLv23') -+ proto = ssl.PROTOCOL_TLS -+ self.assertEqual(str(proto), '_SSLMethod.PROTOCOL_TLS') - ctx = ssl.SSLContext(proto) - self.assertIs(ctx.protocol, proto) - -@@ -312,8 +315,8 @@ class BasicSocketTests(unittest.TestCase - self.assertGreaterEqual(status, 0) - self.assertLessEqual(status, 15) - # Version string as returned by {Open,Libre}SSL, the format might change -- if "LibreSSL" in s: -- self.assertTrue(s.startswith("LibreSSL {:d}.{:d}".format(major, minor)), -+ if IS_LIBRESSL: -+ self.assertTrue(s.startswith("LibreSSL {:d}".format(major)), - (s, t, hex(n))) - else: - self.assertTrue(s.startswith("OpenSSL {:d}.{:d}.{:d}".format(major, minor, fix)), -@@ -790,7 +793,8 @@ class ContextTests(unittest.TestCase): - def test_constructor(self): - for protocol in PROTOCOLS: - ssl.SSLContext(protocol) -- self.assertRaises(TypeError, ssl.SSLContext) -+ ctx = ssl.SSLContext() -+ self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS) - self.assertRaises(ValueError, ssl.SSLContext, -1) - self.assertRaises(ValueError, ssl.SSLContext, 42) - -@@ -811,15 +815,15 @@ class ContextTests(unittest.TestCase): - def test_options(self): - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) - # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value -- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | 
ssl.OP_NO_SSLv3, -- ctx.options) -+ default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3) -+ if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0): -+ default |= ssl.OP_NO_COMPRESSION -+ self.assertEqual(default, ctx.options) - ctx.options |= ssl.OP_NO_TLSv1 -- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1, -- ctx.options) -+ self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) - if can_clear_options(): -- ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1 -- self.assertEqual(ssl.OP_ALL | ssl.OP_NO_TLSv1 | ssl.OP_NO_SSLv3, -- ctx.options) -+ ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1) -+ self.assertEqual(default, ctx.options) - ctx.options = 0 - # Ubuntu has OP_NO_SSLv3 forced on by default - self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3) -@@ -1155,6 +1159,7 @@ class ContextTests(unittest.TestCase): - self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH') - - @unittest.skipIf(sys.platform == "win32", "not-Windows specific") -+ @unittest.skipIf(IS_LIBRESSL, "LibreSSL doesn't support env vars") - def test_load_default_certs_env(self): - ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) - with support.EnvironmentVarGuard() as env: -@@ -1750,13 +1755,13 @@ class NetworkedBIOTests(unittest.TestCas - sslobj = ctx.wrap_bio(incoming, outgoing, False, REMOTE_HOST) - self.assertIs(sslobj._sslobj.owner, sslobj) - self.assertIsNone(sslobj.cipher()) -- self.assertIsNone(sslobj.shared_ciphers()) -+ self.assertIsNotNone(sslobj.shared_ciphers()) - self.assertRaises(ValueError, sslobj.getpeercert) - if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES: - self.assertIsNone(sslobj.get_channel_binding('tls-unique')) - self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake) - self.assertTrue(sslobj.cipher()) -- self.assertIsNone(sslobj.shared_ciphers()) -+ self.assertIsNotNone(sslobj.shared_ciphers()) - self.assertTrue(sslobj.getpeercert()) - if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES: - 
self.assertTrue(sslobj.get_channel_binding('tls-unique')) -@@ -2993,7 +2998,7 @@ else: - with context.wrap_socket(socket.socket()) as s: - self.assertIs(s.version(), None) - s.connect((HOST, server.port)) -- self.assertEqual(s.version(), "TLSv1") -+ self.assertEqual(s.version(), 'TLSv1') - self.assertIs(s.version(), None) - - @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL") -@@ -3135,24 +3140,36 @@ else: - (['http/3.0', 'http/4.0'], None) - ] - for client_protocols, expected in protocol_tests: -- server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ server_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) - server_context.load_cert_chain(CERTFILE) - server_context.set_alpn_protocols(server_protocols) -- client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) -+ client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) - client_context.load_cert_chain(CERTFILE) - client_context.set_alpn_protocols(client_protocols) -- stats = server_params_test(client_context, server_context, -- chatty=True, connectionchatty=True) -- -- msg = "failed trying %s (s) and %s (c).\n" \ -- "was expecting %s, but got %%s from the %%s" \ -- % (str(server_protocols), str(client_protocols), -- str(expected)) -- client_result = stats['client_alpn_protocol'] -- self.assertEqual(client_result, expected, msg % (client_result, "client")) -- server_result = stats['server_alpn_protocols'][-1] \ -- if len(stats['server_alpn_protocols']) else 'nothing' -- self.assertEqual(server_result, expected, msg % (server_result, "server")) -+ -+ try: -+ stats = server_params_test(client_context, -+ server_context, -+ chatty=True, -+ connectionchatty=True) -+ except ssl.SSLError as e: -+ stats = e -+ -+ if expected is None and IS_OPENSSL_1_1: -+ # OpenSSL 1.1.0 raises handshake error -+ self.assertIsInstance(stats, ssl.SSLError) -+ else: -+ msg = "failed trying %s (s) and %s (c).\n" \ -+ "was expecting %s, but got %%s from the %%s" \ -+ % (str(server_protocols), str(client_protocols), -+ 
str(expected)) -+ client_result = stats['client_alpn_protocol'] -+ self.assertEqual(client_result, expected, -+ msg % (client_result, "client")) -+ server_result = stats['server_alpn_protocols'][-1] \ -+ if len(stats['server_alpn_protocols']) else 'nothing' -+ self.assertEqual(server_result, expected, -+ msg % (server_result, "server")) - - def test_selected_npn_protocol(self): - # selected_npn_protocol() is None unless NPN is used -@@ -3300,13 +3317,23 @@ else: - client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) - client_context.verify_mode = ssl.CERT_REQUIRED - client_context.load_verify_locations(SIGNING_CA) -- client_context.set_ciphers("RC4") -- server_context.set_ciphers("AES:RC4") -+ if ssl.OPENSSL_VERSION_INFO >= (1, 0, 2): -+ client_context.set_ciphers("AES128:AES256") -+ server_context.set_ciphers("AES256") -+ alg1 = "AES256" -+ alg2 = "AES-256" -+ else: -+ client_context.set_ciphers("AES:3DES") -+ server_context.set_ciphers("3DES") -+ alg1 = "3DES" -+ alg2 = "DES-CBC3" -+ - stats = server_params_test(client_context, server_context) - ciphers = stats['server_shared_ciphers'][0] - self.assertGreater(len(ciphers), 0) - for name, tls_version, bits in ciphers: -- self.assertIn("RC4", name.split("-")) -+ if not alg1 in name.split("-") and alg2 not in name: -+ self.fail(name) - - def test_read_write_after_close_raises_valuerror(self): - context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) - -diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c ---- a/Modules/_hashopenssl.c -+++ b/Modules/_hashopenssl.c -@@ -21,7 +21,6 @@ - - /* EVP is the preferred interface to hashing in OpenSSL */ - #include --#include - /* We use the object interface to discover what hashes OpenSSL supports. 
*/ - #include - #include "openssl/err.h" -@@ -32,11 +31,22 @@ - #define HASH_OBJ_CONSTRUCTOR 0 - #endif - -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) -+/* OpenSSL < 1.1.0 */ -+#define EVP_MD_CTX_new EVP_MD_CTX_create -+#define EVP_MD_CTX_free EVP_MD_CTX_destroy -+#define HAS_FAST_PKCS5_PBKDF2_HMAC 0 -+#include -+#else -+/* OpenSSL >= 1.1.0 */ -+#define HAS_FAST_PKCS5_PBKDF2_HMAC 1 -+#endif -+ - - typedef struct { - PyObject_HEAD - PyObject *name; /* name of this hash algorithm */ -- EVP_MD_CTX ctx; /* OpenSSL message digest context */ -+ EVP_MD_CTX *ctx; /* OpenSSL message digest context */ - #ifdef WITH_THREAD - PyThread_type_lock lock; /* OpenSSL context lock */ - #endif -@@ -48,7 +58,6 @@ static PyTypeObject EVPtype; - - #define DEFINE_CONSTS_FOR_NEW(Name) \ - static PyObject *CONST_ ## Name ## _name_obj = NULL; \ -- static EVP_MD_CTX CONST_new_ ## Name ## _ctx; \ - static EVP_MD_CTX *CONST_new_ ## Name ## _ctx_p = NULL; - - DEFINE_CONSTS_FOR_NEW(md5) -@@ -59,19 +68,57 @@ DEFINE_CONSTS_FOR_NEW(sha384) - DEFINE_CONSTS_FOR_NEW(sha512) - - -+/* LCOV_EXCL_START */ -+static PyObject * -+_setException(PyObject *exc) -+{ -+ unsigned long errcode; -+ const char *lib, *func, *reason; -+ -+ errcode = ERR_peek_last_error(); -+ if (!errcode) { -+ PyErr_SetString(exc, "unknown reasons"); -+ return NULL; -+ } -+ ERR_clear_error(); -+ -+ lib = ERR_lib_error_string(errcode); -+ func = ERR_func_error_string(errcode); -+ reason = ERR_reason_error_string(errcode); -+ -+ if (lib && func) { -+ PyErr_Format(exc, "[%s: %s] %s", lib, func, reason); -+ } -+ else if (lib) { -+ PyErr_Format(exc, "[%s] %s", lib, reason); -+ } -+ else { -+ PyErr_SetString(exc, reason); -+ } -+ return NULL; -+} -+/* LCOV_EXCL_STOP */ -+ - static EVPobject * - newEVPobject(PyObject *name) - { - EVPobject *retval = (EVPobject *)PyObject_New(EVPobject, &EVPtype); -+ if (retval == NULL) { -+ return NULL; -+ } -+ -+ retval->ctx = EVP_MD_CTX_new(); -+ if (retval->ctx == NULL) { 
-+ PyErr_NoMemory(); -+ return NULL; -+ } - - /* save the name for .name to return */ -- if (retval != NULL) { -- Py_INCREF(name); -- retval->name = name; -+ Py_INCREF(name); -+ retval->name = name; - #ifdef WITH_THREAD -- retval->lock = NULL; -+ retval->lock = NULL; - #endif -- } - - return retval; - } -@@ -86,7 +133,7 @@ EVP_hash(EVPobject *self, const void *vp - process = MUNCH_SIZE; - else - process = Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int); -- EVP_DigestUpdate(&self->ctx, (const void*)cp, process); -+ EVP_DigestUpdate(self->ctx, (const void*)cp, process); - len -= process; - cp += process; - } -@@ -101,16 +148,19 @@ EVP_dealloc(EVPobject *self) - if (self->lock != NULL) - PyThread_free_lock(self->lock); - #endif -- EVP_MD_CTX_cleanup(&self->ctx); -+ EVP_MD_CTX_free(self->ctx); - Py_XDECREF(self->name); - PyObject_Del(self); - } - --static void locked_EVP_MD_CTX_copy(EVP_MD_CTX *new_ctx_p, EVPobject *self) -+static int -+locked_EVP_MD_CTX_copy(EVP_MD_CTX *new_ctx_p, EVPobject *self) - { -+ int result; - ENTER_HASHLIB(self); -- EVP_MD_CTX_copy(new_ctx_p, &self->ctx); -+ result = EVP_MD_CTX_copy(new_ctx_p, self->ctx); - LEAVE_HASHLIB(self); -+ return result; - } - - /* External methods for a hash object */ -@@ -126,7 +176,9 @@ EVP_copy(EVPobject *self, PyObject *unus - if ( (newobj = newEVPobject(self->name))==NULL) - return NULL; - -- locked_EVP_MD_CTX_copy(&newobj->ctx, self); -+ if (!locked_EVP_MD_CTX_copy(newobj->ctx, self)) { -+ return _setException(PyExc_ValueError); -+ } - return (PyObject *)newobj; - } - -@@ -137,16 +189,24 @@ static PyObject * - EVP_digest(EVPobject *self, PyObject *unused) - { - unsigned char digest[EVP_MAX_MD_SIZE]; -- EVP_MD_CTX temp_ctx; -+ EVP_MD_CTX *temp_ctx; - PyObject *retval; - unsigned int digest_size; - -- locked_EVP_MD_CTX_copy(&temp_ctx, self); -- digest_size = EVP_MD_CTX_size(&temp_ctx); -- EVP_DigestFinal(&temp_ctx, digest, NULL); -+ temp_ctx = EVP_MD_CTX_new(); -+ if (temp_ctx == NULL) { -+ PyErr_NoMemory(); -+ 
return NULL; -+ } -+ -+ if (!locked_EVP_MD_CTX_copy(temp_ctx, self)) { -+ return _setException(PyExc_ValueError); -+ } -+ digest_size = EVP_MD_CTX_size(temp_ctx); -+ EVP_DigestFinal(temp_ctx, digest, NULL); - - retval = PyBytes_FromStringAndSize((const char *)digest, digest_size); -- EVP_MD_CTX_cleanup(&temp_ctx); -+ EVP_MD_CTX_free(temp_ctx); - return retval; - } - -@@ -157,15 +217,23 @@ static PyObject * - EVP_hexdigest(EVPobject *self, PyObject *unused) - { - unsigned char digest[EVP_MAX_MD_SIZE]; -- EVP_MD_CTX temp_ctx; -+ EVP_MD_CTX *temp_ctx; - unsigned int digest_size; - -+ temp_ctx = EVP_MD_CTX_new(); -+ if (temp_ctx == NULL) { -+ PyErr_NoMemory(); -+ return NULL; -+ } -+ - /* Get the raw (binary) digest value */ -- locked_EVP_MD_CTX_copy(&temp_ctx, self); -- digest_size = EVP_MD_CTX_size(&temp_ctx); -- EVP_DigestFinal(&temp_ctx, digest, NULL); -+ if (!locked_EVP_MD_CTX_copy(temp_ctx, self)) { -+ return _setException(PyExc_ValueError); -+ } -+ digest_size = EVP_MD_CTX_size(temp_ctx); -+ EVP_DigestFinal(temp_ctx, digest, NULL); - -- EVP_MD_CTX_cleanup(&temp_ctx); -+ EVP_MD_CTX_free(temp_ctx); - - return _Py_strhex((const char *)digest, digest_size); - } -@@ -219,7 +287,7 @@ static PyObject * - EVP_get_block_size(EVPobject *self, void *closure) - { - long block_size; -- block_size = EVP_MD_CTX_block_size(&self->ctx); -+ block_size = EVP_MD_CTX_block_size(self->ctx); - return PyLong_FromLong(block_size); - } - -@@ -227,7 +295,7 @@ static PyObject * - EVP_get_digest_size(EVPobject *self, void *closure) - { - long size; -- size = EVP_MD_CTX_size(&self->ctx); -+ size = EVP_MD_CTX_size(self->ctx); - return PyLong_FromLong(size); - } - -@@ -288,7 +356,7 @@ EVP_tp_init(EVPobject *self, PyObject *a - PyBuffer_Release(&view); - return -1; - } -- EVP_DigestInit(&self->ctx, digest); -+ EVP_DigestInit(self->ctx, digest); - - self->name = name_obj; - Py_INCREF(self->name); -@@ -385,9 +453,9 @@ EVPnew(PyObject *name_obj, - return NULL; - - if (initial_ctx) { -- 
EVP_MD_CTX_copy(&self->ctx, initial_ctx); -+ EVP_MD_CTX_copy(self->ctx, initial_ctx); - } else { -- EVP_DigestInit(&self->ctx, digest); -+ EVP_DigestInit(self->ctx, digest); - } - - if (cp && len) { -@@ -453,6 +521,7 @@ EVP_new(PyObject *self, PyObject *args, - - #define PY_PBKDF2_HMAC 1 - -+#if !HAS_FAST_PKCS5_PBKDF2_HMAC - /* Improved implementation of PKCS5_PBKDF2_HMAC() - * - * PKCS5_PBKDF2_HMAC_fast() hashes the password exactly one time instead of -@@ -534,37 +603,8 @@ PKCS5_PBKDF2_HMAC_fast(const char *pass, - HMAC_CTX_cleanup(&hctx_tpl); - return 1; - } -+#endif - --/* LCOV_EXCL_START */ --static PyObject * --_setException(PyObject *exc) --{ -- unsigned long errcode; -- const char *lib, *func, *reason; -- -- errcode = ERR_peek_last_error(); -- if (!errcode) { -- PyErr_SetString(exc, "unknown reasons"); -- return NULL; -- } -- ERR_clear_error(); -- -- lib = ERR_lib_error_string(errcode); -- func = ERR_func_error_string(errcode); -- reason = ERR_reason_error_string(errcode); -- -- if (lib && func) { -- PyErr_Format(exc, "[%s: %s] %s", lib, func, reason); -- } -- else if (lib) { -- PyErr_Format(exc, "[%s] %s", lib, reason); -- } -- else { -- PyErr_SetString(exc, reason); -- } -- return NULL; --} --/* LCOV_EXCL_STOP */ - - PyDoc_STRVAR(pbkdf2_hmac__doc__, - "pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) -> key\n\ -@@ -646,10 +686,17 @@ pbkdf2_hmac(PyObject *self, PyObject *ar - key = PyBytes_AS_STRING(key_obj); - - Py_BEGIN_ALLOW_THREADS -+#if HAS_FAST_PKCS5_PBKDF2_HMAC -+ retval = PKCS5_PBKDF2_HMAC((char*)password.buf, (int)password.len, -+ (unsigned char *)salt.buf, (int)salt.len, -+ iterations, digest, dklen, -+ (unsigned char *)key); -+#else - retval = PKCS5_PBKDF2_HMAC_fast((char*)password.buf, (int)password.len, - (unsigned char *)salt.buf, (int)salt.len, - iterations, digest, dklen, - (unsigned char *)key); -+#endif - Py_END_ALLOW_THREADS - - if (!retval) { -@@ -768,7 +815,7 @@ generate_hash_name_list(void) - if (CONST_ ## NAME ## 
_name_obj == NULL) { \ - CONST_ ## NAME ## _name_obj = PyUnicode_FromString(#NAME); \ - if (EVP_get_digestbyname(#NAME)) { \ -- CONST_new_ ## NAME ## _ctx_p = &CONST_new_ ## NAME ## _ctx; \ -+ CONST_new_ ## NAME ## _ctx_p = EVP_MD_CTX_new(); \ - EVP_DigestInit(CONST_new_ ## NAME ## _ctx_p, EVP_get_digestbyname(#NAME)); \ - } \ - } \ -diff --git a/Modules/_ssl.c b/Modules/_ssl.c ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -55,6 +55,14 @@ static PySocketModule_APIObject PySocket - #include - #endif - -+/* Don't warn about deprecated functions */ -+#ifdef __GNUC__ -+#pragma GCC diagnostic ignored "-Wdeprecated-declarations" -+#endif -+#ifdef __clang__ -+#pragma clang diagnostic ignored "-Wdeprecated-declarations" -+#endif -+ - /* Include OpenSSL header files */ - #include "openssl/rsa.h" - #include "openssl/crypto.h" -@@ -91,6 +99,10 @@ struct py_ssl_library_code { - /* Include generated data (error codes) */ - #include "_ssl_data.h" - -+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) -+# define OPENSSL_VERSION_1_1 1 -+#endif -+ - /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1 - http://www.openssl.org/news/changelog.html - */ -@@ -117,6 +129,72 @@ struct py_ssl_library_code { - # define HAVE_ALPN - #endif - -+#ifdef OPENSSL_VERSION_1_1 -+/* OpenSSL 1.1.0+ */ -+#ifndef OPENSSL_NO_SSL2 -+#define OPENSSL_NO_SSL2 -+#endif -+#else /* OpenSSL < 1.1.0 */ -+#if defined(WITH_THREAD) -+#define HAVE_OPENSSL_CRYPTO_LOCK -+#endif -+ -+#define TLS_method SSLv23_method -+ -+static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) -+{ -+ return ne->set; -+} -+ -+#ifndef OPENSSL_NO_COMP -+static int COMP_get_type(const COMP_METHOD *meth) -+{ -+ return meth->type; -+} -+ -+static const char *COMP_get_name(const COMP_METHOD *meth) -+{ -+ return meth->name; -+} -+#endif -+ -+static pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) -+{ -+ return ctx->default_passwd_callback; -+} -+ -+static void 
*SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) -+{ -+ return ctx->default_passwd_callback_userdata; -+} -+ -+static int X509_OBJECT_get_type(X509_OBJECT *x) -+{ -+ return x->type; -+} -+ -+static X509 *X509_OBJECT_get0_X509(X509_OBJECT *x) -+{ -+ return x->data.x509; -+} -+ -+static int BIO_up_ref(BIO *b) -+{ -+ CRYPTO_add(&b->references, 1, CRYPTO_LOCK_BIO); -+ return 1; -+} -+ -+static STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *store) { -+ return store->objs; -+} -+ -+static X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store) -+{ -+ return store->param; -+} -+#endif /* OpenSSL < 1.1.0 or LibreSSL */ -+ -+ - enum py_ssl_error { - /* these mirror ssl.h */ - PY_SSL_ERROR_NONE, -@@ -147,7 +225,7 @@ enum py_ssl_cert_requirements { - enum py_ssl_version { - PY_SSL_VERSION_SSL2, - PY_SSL_VERSION_SSL3=1, -- PY_SSL_VERSION_SSL23, -+ PY_SSL_VERSION_TLS, - #if HAVE_TLSv1_2 - PY_SSL_VERSION_TLS1, - PY_SSL_VERSION_TLS1_1, -@@ -527,8 +605,8 @@ newPySSLSocket(PySSLContext *sslctx, PyS - /* BIOs are reference counted and SSL_set_bio borrows our reference. - * To prevent a double free in memory_bio_dealloc() we need to take an - * extra reference here. 
*/ -- CRYPTO_add(&inbio->bio->references, 1, CRYPTO_LOCK_BIO); -- CRYPTO_add(&outbio->bio->references, 1, CRYPTO_LOCK_BIO); -+ BIO_up_ref(inbio->bio); -+ BIO_up_ref(outbio->bio); - SSL_set_bio(self->ssl, inbio->bio, outbio->bio); - } - mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER; -@@ -738,7 +816,7 @@ static PyObject * - - /* check to see if we've gotten to a new RDN */ - if (rdn_level >= 0) { -- if (rdn_level != entry->set) { -+ if (rdn_level != X509_NAME_ENTRY_set(entry)) { - /* yes, new RDN */ - /* add old RDN to DN */ - rdnt = PyList_AsTuple(rdn); -@@ -755,7 +833,7 @@ static PyObject * - goto fail0; - } - } -- rdn_level = entry->set; -+ rdn_level = X509_NAME_ENTRY_set(entry); - - /* now add this attribute to the current RDN */ - name = X509_NAME_ENTRY_get_object(entry); -@@ -853,18 +931,18 @@ static PyObject * - goto fail; - } - -- p = ext->value->data; -+ p = X509_EXTENSION_get_data(ext)->data; - if (method->it) - names = (GENERAL_NAMES*) - (ASN1_item_d2i(NULL, - &p, -- ext->value->length, -+ X509_EXTENSION_get_data(ext)->length, - ASN1_ITEM_ptr(method->it))); - else - names = (GENERAL_NAMES*) - (method->d2i(NULL, - &p, -- ext->value->length)); -+ X509_EXTENSION_get_data(ext)->length)); - - for(j = 0; j < sk_GENERAL_NAME_num(names); j++) { - /* get a rendering of each name in the set of names */ -@@ -1075,13 +1153,11 @@ static PyObject * - int i, j; - PyObject *lst, *res = NULL; - --#if OPENSSL_VERSION_NUMBER < 0x10001000L -- dps = X509_get_ext_d2i(certificate, NID_crl_distribution_points, NULL, NULL); --#else -+#if OPENSSL_VERSION_NUMBER >= 0x10001000L - /* Calls x509v3_cache_extensions and sets up crldp */ - X509_check_ca(certificate); -- dps = certificate->crldp; - #endif -+ dps = X509_get_ext_d2i(certificate, NID_crl_distribution_points, NULL, NULL); - - if (dps == NULL) - return Py_None; -@@ -1451,14 +1527,13 @@ static PyObject * - _ssl__SSLSocket_shared_ciphers_impl(PySSLSocket *self) - /*[clinic end generated code: output=3d174ead2e42c4fd 
input=0bfe149da8fe6306]*/ - { -- SSL_SESSION *sess = SSL_get_session(self->ssl); - STACK_OF(SSL_CIPHER) *ciphers; - int i; - PyObject *res; - -- if (!sess || !sess->ciphers) -+ ciphers = SSL_get_ciphers(self->ssl); -+ if (!ciphers) - Py_RETURN_NONE; -- ciphers = sess->ciphers; - res = PyList_New(sk_SSL_CIPHER_num(ciphers)); - if (!res) - return NULL; -@@ -1567,9 +1642,9 @@ static PyObject * - if (self->ssl == NULL) - Py_RETURN_NONE; - comp_method = SSL_get_current_compression(self->ssl); -- if (comp_method == NULL || comp_method->type == NID_undef) -+ if (comp_method == NULL || COMP_get_type(comp_method) == NID_undef) - Py_RETURN_NONE; -- short_name = OBJ_nid2sn(comp_method->type); -+ short_name = COMP_get_name(comp_method); - if (short_name == NULL) - Py_RETURN_NONE; - return PyUnicode_DecodeFSDefault(short_name); -@@ -2255,8 +2330,8 @@ static PyObject * - else if (proto_version == PY_SSL_VERSION_SSL2) - ctx = SSL_CTX_new(SSLv2_method()); - #endif -- else if (proto_version == PY_SSL_VERSION_SSL23) -- ctx = SSL_CTX_new(SSLv23_method()); -+ else if (proto_version == PY_SSL_VERSION_TLS) -+ ctx = SSL_CTX_new(TLS_method()); - else - proto_version = -1; - PySSL_END_ALLOW_THREADS -@@ -2318,8 +2393,9 @@ static PyObject * - #ifndef OPENSSL_NO_ECDH - /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use - prime256v1 by default. This is Apache mod_ssl's initialization -- policy, so we should be safe. */ --#if defined(SSL_CTX_set_ecdh_auto) -+ policy, so we should be safe. OpenSSL 1.1 has it enabled by default. 
-+ */ -+#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1) - SSL_CTX_set_ecdh_auto(self->ctx, 1); - #else - { -@@ -2586,10 +2662,12 @@ static PyObject * - get_verify_flags(PySSLContext *self, void *c) - { - X509_STORE *store; -+ X509_VERIFY_PARAM *param; - unsigned long flags; - - store = SSL_CTX_get_cert_store(self->ctx); -- flags = X509_VERIFY_PARAM_get_flags(store->param); -+ param = X509_STORE_get0_param(store); -+ flags = X509_VERIFY_PARAM_get_flags(param); - return PyLong_FromUnsignedLong(flags); - } - -@@ -2597,22 +2675,24 @@ static int - set_verify_flags(PySSLContext *self, PyObject *arg, void *c) - { - X509_STORE *store; -+ X509_VERIFY_PARAM *param; - unsigned long new_flags, flags, set, clear; - - if (!PyArg_Parse(arg, "k", &new_flags)) - return -1; - store = SSL_CTX_get_cert_store(self->ctx); -- flags = X509_VERIFY_PARAM_get_flags(store->param); -+ param = X509_STORE_get0_param(store); -+ flags = X509_VERIFY_PARAM_get_flags(param); - clear = flags & ~new_flags; - set = ~flags & new_flags; - if (clear) { -- if (!X509_VERIFY_PARAM_clear_flags(store->param, clear)) { -+ if (!X509_VERIFY_PARAM_clear_flags(param, clear)) { - _setSSLError(NULL, 0, __FILE__, __LINE__); - return -1; - } - } - if (set) { -- if (!X509_VERIFY_PARAM_set_flags(store->param, set)) { -+ if (!X509_VERIFY_PARAM_set_flags(param, set)) { - _setSSLError(NULL, 0, __FILE__, __LINE__); - return -1; - } -@@ -2789,8 +2869,8 @@ static PyObject * - /*[clinic end generated code: output=9480bc1c380e2095 input=7cf9ac673cbee6fc]*/ - { - PyObject *certfile_bytes = NULL, *keyfile_bytes = NULL; -- pem_password_cb *orig_passwd_cb = self->ctx->default_passwd_callback; -- void *orig_passwd_userdata = self->ctx->default_passwd_callback_userdata; -+ pem_password_cb *orig_passwd_cb = SSL_CTX_get_default_passwd_cb(self->ctx); -+ void *orig_passwd_userdata = SSL_CTX_get_default_passwd_cb_userdata(self->ctx); - _PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 }; - int r; - -@@ -2917,8 
+2997,9 @@ static int - cert = d2i_X509_bio(biobuf, NULL); - } else { - cert = PEM_read_bio_X509(biobuf, NULL, -- self->ctx->default_passwd_callback, -- self->ctx->default_passwd_callback_userdata); -+ SSL_CTX_get_default_passwd_cb(self->ctx), -+ SSL_CTX_get_default_passwd_cb_userdata(self->ctx) -+ ); - } - if (cert == NULL) { - break; -@@ -3444,25 +3525,24 @@ static PyObject * - /*[clinic end generated code: output=5f356f4d9cca874d input=eb40dd0f6d0e40cf]*/ - { - X509_STORE *store; -+ STACK_OF(X509_OBJECT) *objs; - X509_OBJECT *obj; -- int x509 = 0, crl = 0, pkey = 0, ca = 0, i; -+ int x509 = 0, crl = 0, ca = 0, i; - - store = SSL_CTX_get_cert_store(self->ctx); -- for (i = 0; i < sk_X509_OBJECT_num(store->objs); i++) { -- obj = sk_X509_OBJECT_value(store->objs, i); -- switch (obj->type) { -+ objs = X509_STORE_get0_objects(store); -+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { -+ obj = sk_X509_OBJECT_value(objs, i); -+ switch (X509_OBJECT_get_type(obj)) { - case X509_LU_X509: - x509++; -- if (X509_check_ca(obj->data.x509)) { -+ if (X509_check_ca(X509_OBJECT_get0_X509(obj))) { - ca++; - } - break; - case X509_LU_CRL: - crl++; - break; -- case X509_LU_PKEY: -- pkey++; -- break; - default: - /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY. 
- * As far as I can tell they are internal states and never -@@ -3492,6 +3572,7 @@ static PyObject * - /*[clinic end generated code: output=0d58f148f37e2938 input=6887b5a09b7f9076]*/ - { - X509_STORE *store; -+ STACK_OF(X509_OBJECT) *objs; - PyObject *ci = NULL, *rlist = NULL; - int i; - -@@ -3500,17 +3581,18 @@ static PyObject * - } - - store = SSL_CTX_get_cert_store(self->ctx); -- for (i = 0; i < sk_X509_OBJECT_num(store->objs); i++) { -+ objs = X509_STORE_get0_objects(store); -+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { - X509_OBJECT *obj; - X509 *cert; - -- obj = sk_X509_OBJECT_value(store->objs, i); -- if (obj->type != X509_LU_X509) { -+ obj = sk_X509_OBJECT_value(objs, i); -+ if (X509_OBJECT_get_type(obj) != X509_LU_X509) { - /* not a x509 cert */ - continue; - } - /* CA for any purpose */ -- cert = obj->data.x509; -+ cert = X509_OBJECT_get0_X509(obj); - if (!X509_check_ca(cert)) { - continue; - } -@@ -4374,10 +4456,12 @@ static PyMethodDef PySSL_methods[] = { - }; - - --#ifdef WITH_THREAD -+#ifdef HAVE_OPENSSL_CRYPTO_LOCK - - /* an implementation of OpenSSL threading operations in terms -- of the Python C thread library */ -+ * of the Python C thread library -+ * Only used up to 1.0.2. OpenSSL 1.1.0+ has its own locking code. -+ */ - - static PyThread_type_lock *_ssl_locks = NULL; - -@@ -4458,7 +4542,7 @@ static int _setup_ssl_threads(void) { - return 1; - } - --#endif /* def HAVE_THREAD */ -+#endif /* HAVE_OPENSSL_CRYPTO_LOCK for WITH_THREAD && OpenSSL < 1.1.0 */ - - PyDoc_STRVAR(module_doc, - "Implementation module for SSL socket operations. 
See the socket module\n\ -@@ -4527,11 +4611,16 @@ PyInit__ssl(void) - SSL_load_error_strings(); - SSL_library_init(); - #ifdef WITH_THREAD -+#ifdef HAVE_OPENSSL_CRYPTO_LOCK - /* note that this will start threading if not already started */ - if (!_setup_ssl_threads()) { - return NULL; - } -+#elif OPENSSL_VERSION_1_1 && defined(OPENSSL_THREADS) -+ /* OpenSSL 1.1.0 builtin thread support is enabled */ -+ _ssl_locks_count++; - #endif -+#endif /* WITH_THREAD */ - OpenSSL_add_all_algorithms(); - - /* Add symbols to module dict */ -@@ -4678,7 +4767,9 @@ PyInit__ssl(void) - PY_SSL_VERSION_SSL3); - #endif - PyModule_AddIntConstant(m, "PROTOCOL_SSLv23", -- PY_SSL_VERSION_SSL23); -+ PY_SSL_VERSION_TLS); -+ PyModule_AddIntConstant(m, "PROTOCOL_TLS", -+ PY_SSL_VERSION_TLS); - PyModule_AddIntConstant(m, "PROTOCOL_TLSv1", - PY_SSL_VERSION_TLS1); - #if HAVE_TLSv1_2 - -diff --git a/Modules/_ssl.c b/Modules/_ssl.c ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -151,11 +151,6 @@ static int COMP_get_type(const COMP_METH - { - return meth->type; - } -- --static const char *COMP_get_name(const COMP_METHOD *meth) --{ -- return meth->name; --} - #endif - - static pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) -@@ -1644,7 +1639,7 @@ static PyObject * - comp_method = SSL_get_current_compression(self->ssl); - if (comp_method == NULL || COMP_get_type(comp_method) == NID_undef) - Py_RETURN_NONE; -- short_name = COMP_get_name(comp_method); -+ short_name = OBJ_nid2sn(COMP_get_type(comp_method)); - if (short_name == NULL) - Py_RETURN_NONE; - return PyUnicode_DecodeFSDefault(short_name); diff --git a/python3.spec b/python3.spec index 6f2a462..b0d8d7a 100644 --- a/python3.spec +++ b/python3.spec 
@@ -395,20 +395,6 @@ Patch205: 00205-make-libpl-respect-lib64.patch
 # by debian but fedora infra uses only eabi without hf
 Patch206: 00206-remove-hf-from-arm-triplet.patch
 
-# 00209 #
-# Fix test breakage with version 2.2.0 of Expat
-# rhbz#1353918: https://bugzilla.redhat.com/show_bug.cgi?id=1353918
-# FIXED UPSTREAM: http://bugs.python.org/issue27369
-Patch209: 00209-fix-test-pyexpat-failure.patch
-
-# 00242 #
-# HTTPoxy attack (CVE-2016-1000110)
-# https://httpoxy.org/
-# FIXED UPSTREAM: http://bugs.python.org/issue27568
-# Based on a patch by RĂ©mi Rampin
-# Resolves: rhbz#1359177
-Patch242: 00242-CVE-2016-1000110-httpoxy.patch
-
 # 00243 #
 # Fix the triplet used on 64-bit MIPS
 # rhbz#1322526: https://bugzilla.redhat.com/show_bug.cgi?id=1322526
@@ -416,13 +402,6 @@ Patch242: 00242-CVE-2016-1000110-httpoxy.patch
 # Fedora needs the default mips64-linux-gnu
 Patch243: 00243-fix-mips64-triplet.patch
 
-# 00247 #
-# Port ssl and hashlib modules to OpenSSL 1.1.0.
-# As of F26, OpenSSL is rebased to 1.1.0, so in order for python
-# to not FTBFS we need to backport this patch from 3.5.3
-# FIXED UPSTREAM: https://bugs.python.org/issue26470
-Patch247: 00247-port-ssl-and-hashlib-to-OpenSSL-1.1.0.patch
-
 # (New patches go here ^^^)
 #
 # When adding new patches to "python" and "python3" in Fedora, EL, etc.,
@@ -641,13 +620,13 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
 %patch111 -p1
 %patch132 -p1
 %patch137 -p1
-%patch143 -p1 -b .tsc-on-ppc
+#patch143 -p1 -b .tsc-on-ppc
 #patch146 -p1
 %patch155 -p1
 %patch157 -p1
 %patch160 -p1
 %patch163 -p1
-%patch170 -p0
+%patch170 -p1
 %patch178 -p1
 %patch180 -p1
 %patch184 -p1
@@ -660,10 +639,7 @@ sed -r -i s/'_PIP_VERSION = "[0-9.]+"'/'_PIP_VERSION = "%{pip_version}"'/ Lib/en
 %patch205 -p1
 %patch206 -p1
 
-%patch209 -p1
-%patch242 -p1
 %patch243 -p1
-%patch247 -p1
 
 # Currently (2010-01-15), http://docs.python.org/library is for 2.6, and there
 # are many differences between 2.6 and the Python 3 library.
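Review bot: Removing `Patch242: 00242-CVE-2016-1000110-httpoxy.patch` in the first hunk (and `%patch242 -p1` in the last one) is only safe if the rebased source tarball already carries the upstream fix the dropped comment pointed at (http://bugs.python.org/issue27568), and nothing in these hunks records that this was checked. Because this was a security fix, I would leave a trace in the spec rather than rely on the commit message alone, for example a `%changelog` entry stating that 00209, 00242 (CVE-2016-1000110) and 00247 were dropped because the new upstream release contains them, so a later audit does not read the deletion as a regression. The same applies to `Patch247:` in the second hunk, whose dropped comment said it was backported from 3.5.3; that implies the new Version is at least that, which I cannot confirm from this hunk since the Version tag is outside it.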
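Review bot: `#patch143 -p1 -b .tsc-on-ppc` in the third hunk disables the patch by commenting out the `%patch` line, following the existing `#patch146 -p1`, but neither line says why it is off or when it should come back; the commit message only says "for now". I would add a comment above the pair, `# 143 and 146 are disabled until they are rebased onto the new sources`, so the next rebase does not overlook them. The `%patch170 -p0` to `%patch170 -p1` change matches the rebase of 00170 named in the commit message; presumably the `Patch143:` and `Patch146:` declarations, outside this hunk, are still present, which is fine as long as the gap is explained in place.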