diff options
author | Alexander Kanavin <alex.kanavin@gmail.com> | 2019-02-06 17:26:34 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-02-08 10:57:19 +0000 |
commit | e2c3247c233876ab090c9ce3d5325a6d46ab350f (patch) | |
tree | cf38957a3510be612cde924f6184a5251b968a43 /meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch | |
parent | cd6c61a26177296e24b442e2eda1514b5f931c0a (diff) | |
download | poky-e2c3247c233876ab090c9ce3d5325a6d46ab350f.tar.gz |
python3: upgrade to 3.7.2
I took the same approach as the recent perl upgrade: write recipe from scratch,
taking the pieces from the old recipe only when they were proven to be necessary.
The pgo, manifest and ptest features are all preserved.
New features:
- native and target recipes are now unified into one recipe
- check_build_completeness.py runs right after do_compile() and verifies that
all optional modules have been built (a notorious source of regressions)
- a new approach to sysconfig.py and distutils/sysconfig.py returning values
appropriate for native or target builds: we copy the configuration file to a
separate folder, add that folder to sys.path (through environment variable
that differs between native and target builds), and point python to the file
through another environment variable.
There were a few other patches where it was difficult to decide if the patch
is still relevant, and how to test that it works correctly; please add those
as-needed by testing the new python.
(From OE-Core rev: 02714c105426b0d687620913c1a7401b386428b6)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch')
-rw-r--r-- | meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch | 227 |
1 files changed, 0 insertions, 227 deletions
diff --git a/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch b/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch deleted file mode 100644 index d48cad7586..0000000000 --- a/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch +++ /dev/null | |||
@@ -1,227 +0,0 @@ | |||
1 | From e950ea68dab006944af194c9910b8f2341d1437d Mon Sep 17 00:00:00 2001 | ||
2 | From: Christian Heimes <christian@python.org> | ||
3 | Date: Thu, 7 Sep 2017 20:23:52 -0700 | ||
4 | Subject: [PATCH] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 | ||
5 | (GH-1363) (#3444) | ||
6 | |||
7 | * bpo-29136: Add TLS 1.3 support | ||
8 | |||
9 | TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3 | ||
10 | cipher suites don't overlap with cipher suites from TLS 1.2 and earlier. | ||
11 | Since Python sets its own set of permitted ciphers, TLS 1.3 handshake | ||
12 | will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common | ||
13 | AES-GCM and ChaCha20 suites. | ||
14 | |||
15 | Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with | ||
16 | OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3 | ||
17 | now. | ||
18 | |||
19 | Signed-off-by: Christian Heimes <christian@python.org>. | ||
20 | (cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3) | ||
21 | |||
22 | Upstream-Status: Backport | ||
23 | [https://github.com/python/cpython/commit/cb5b68abdeb1b1d56c581d5b4d647018703d61e3] | ||
24 | |||
25 | Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> | ||
26 | --- | ||
27 | Doc/library/ssl.rst | 21 ++++++++++++++ | ||
28 | Lib/ssl.py | 7 +++++ | ||
29 | Lib/test/test_ssl.py | 29 ++++++++++++++++++- | ||
30 | .../2017-09-04-16-39-49.bpo-29136.vSn1oR.rst | 1 + | ||
31 | Modules/_ssl.c | 13 +++++++++ | ||
32 | 5 files changed, 70 insertions(+), 1 deletion(-) | ||
33 | create mode 100644 Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst | ||
34 | |||
35 | diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst | ||
36 | index 14f2d68217..29c5e94cf6 100644 | ||
37 | --- a/Doc/library/ssl.rst | ||
38 | +++ b/Doc/library/ssl.rst | ||
39 | @@ -285,6 +285,11 @@ purposes. | ||
40 | |||
41 | 3DES was dropped from the default cipher string. | ||
42 | |||
43 | + .. versionchanged:: 3.7 | ||
44 | + | ||
45 | + TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, | ||
46 | + and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string. | ||
47 | + | ||
48 | |||
49 | Random generation | ||
50 | ^^^^^^^^^^^^^^^^^ | ||
51 | @@ -719,6 +724,16 @@ Constants | ||
52 | |||
53 | .. versionadded:: 3.4 | ||
54 | |||
55 | +.. data:: OP_NO_TLSv1_3 | ||
56 | + | ||
57 | + Prevents a TLSv1.3 connection. This option is only applicable in conjunction | ||
58 | + with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.3 as | ||
59 | + the protocol version. TLS 1.3 is available with OpenSSL 1.1.1 or later. | ||
60 | + When Python has been compiled against an older version of OpenSSL, the | ||
61 | + flag defaults to *0*. | ||
62 | + | ||
63 | + .. versionadded:: 3.7 | ||
64 | + | ||
65 | .. data:: OP_CIPHER_SERVER_PREFERENCE | ||
66 | |||
67 | Use the server's cipher ordering preference, rather than the client's. | ||
68 | @@ -783,6 +798,12 @@ Constants | ||
69 | |||
70 | .. versionadded:: 3.3 | ||
71 | |||
72 | +.. data:: HAS_TLSv1_3 | ||
73 | + | ||
74 | + Whether the OpenSSL library has built-in support for the TLS 1.3 protocol. | ||
75 | + | ||
76 | + .. versionadded:: 3.7 | ||
77 | + | ||
78 | .. data:: CHANNEL_BINDING_TYPES | ||
79 | |||
80 | List of supported TLS channel binding types. Strings in this list | ||
81 | diff --git a/Lib/ssl.py b/Lib/ssl.py | ||
82 | index 4d302a78fa..f233e72e1f 100644 | ||
83 | --- a/Lib/ssl.py | ||
84 | +++ b/Lib/ssl.py | ||
85 | @@ -122,6 +122,7 @@ _import_symbols('OP_') | ||
86 | _import_symbols('ALERT_DESCRIPTION_') | ||
87 | _import_symbols('SSL_ERROR_') | ||
88 | _import_symbols('VERIFY_') | ||
89 | +from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_TLSv1_3 | ||
90 | |||
91 | from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN | ||
92 | |||
93 | @@ -162,6 +163,7 @@ else: | ||
94 | # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL') | ||
95 | # Enable a better set of ciphers by default | ||
96 | # This list has been explicitly chosen to: | ||
97 | +# * TLS 1.3 ChaCha20 and AES-GCM cipher suites | ||
98 | # * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE) | ||
99 | # * Prefer ECDHE over DHE for better performance | ||
100 | # * Prefer AEAD over CBC for better performance and security | ||
101 | @@ -173,6 +175,8 @@ else: | ||
102 | # * Disable NULL authentication, NULL encryption, 3DES and MD5 MACs | ||
103 | # for security reasons | ||
104 | _DEFAULT_CIPHERS = ( | ||
105 | + 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:' | ||
106 | + 'TLS13-AES-128-GCM-SHA256:' | ||
107 | 'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:' | ||
108 | 'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:' | ||
109 | '!aNULL:!eNULL:!MD5:!3DES' | ||
110 | @@ -180,6 +184,7 @@ _DEFAULT_CIPHERS = ( | ||
111 | |||
112 | # Restricted and more secure ciphers for the server side | ||
113 | # This list has been explicitly chosen to: | ||
114 | +# * TLS 1.3 ChaCha20 and AES-GCM cipher suites | ||
115 | # * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE) | ||
116 | # * Prefer ECDHE over DHE for better performance | ||
117 | # * Prefer AEAD over CBC for better performance and security | ||
118 | @@ -190,6 +195,8 @@ _DEFAULT_CIPHERS = ( | ||
119 | # * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, RC4, and | ||
120 | # 3DES for security reasons | ||
121 | _RESTRICTED_SERVER_CIPHERS = ( | ||
122 | + 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:' | ||
123 | + 'TLS13-AES-128-GCM-SHA256:' | ||
124 | 'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:' | ||
125 | 'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:' | ||
126 | '!aNULL:!eNULL:!MD5:!DSS:!RC4:!3DES' | ||
127 | diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py | ||
128 | index f91af7bd05..1acc12ec2d 100644 | ||
129 | --- a/Lib/test/test_ssl.py | ||
130 | +++ b/Lib/test/test_ssl.py | ||
131 | @@ -150,6 +150,13 @@ class BasicSocketTests(unittest.TestCase): | ||
132 | ssl.OP_NO_COMPRESSION | ||
133 | self.assertIn(ssl.HAS_SNI, {True, False}) | ||
134 | self.assertIn(ssl.HAS_ECDH, {True, False}) | ||
135 | + ssl.OP_NO_SSLv2 | ||
136 | + ssl.OP_NO_SSLv3 | ||
137 | + ssl.OP_NO_TLSv1 | ||
138 | + ssl.OP_NO_TLSv1_3 | ||
139 | + if ssl.OPENSSL_VERSION_INFO >= (1, 0, 1): | ||
140 | + ssl.OP_NO_TLSv1_1 | ||
141 | + ssl.OP_NO_TLSv1_2 | ||
142 | |||
143 | def test_str_for_enums(self): | ||
144 | # Make sure that the PROTOCOL_* constants have enum-like string | ||
145 | @@ -3028,12 +3035,33 @@ else: | ||
146 | self.assertEqual(s.version(), 'TLSv1') | ||
147 | self.assertIs(s.version(), None) | ||
148 | |||
149 | + @unittest.skipUnless(ssl.HAS_TLSv1_3, | ||
150 | + "test requires TLSv1.3 enabled OpenSSL") | ||
151 | + def test_tls1_3(self): | ||
152 | + context = ssl.SSLContext(ssl.PROTOCOL_TLS) | ||
153 | + context.load_cert_chain(CERTFILE) | ||
154 | + # disable all but TLS 1.3 | ||
155 | + context.options |= ( | ||
156 | + ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2 | ||
157 | + ) | ||
158 | + with ThreadedEchoServer(context=context) as server: | ||
159 | + with context.wrap_socket(socket.socket()) as s: | ||
160 | + s.connect((HOST, server.port)) | ||
161 | + self.assertIn(s.cipher()[0], [ | ||
162 | + 'TLS13-AES-256-GCM-SHA384', | ||
163 | + 'TLS13-CHACHA20-POLY1305-SHA256', | ||
164 | + 'TLS13-AES-128-GCM-SHA256', | ||
165 | + ]) | ||
166 | + | ||
167 | @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL") | ||
168 | def test_default_ecdh_curve(self): | ||
169 | # Issue #21015: elliptic curve-based Diffie Hellman key exchange | ||
170 | # should be enabled by default on SSL contexts. | ||
171 | context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) | ||
172 | context.load_cert_chain(CERTFILE) | ||
173 | + # TLSv1.3 defaults to PFS key agreement and no longer has KEA in | ||
174 | + # cipher name. | ||
175 | + context.options |= ssl.OP_NO_TLSv1_3 | ||
176 | # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled | ||
177 | # explicitly using the 'ECCdraft' cipher alias. Otherwise, | ||
178 | # our default cipher list should prefer ECDH-based ciphers | ||
179 | @@ -3394,7 +3422,6 @@ else: | ||
180 | s.sendfile(file) | ||
181 | self.assertEqual(s.recv(1024), TEST_DATA) | ||
182 | |||
183 | - | ||
184 | def test_main(verbose=False): | ||
185 | if support.verbose: | ||
186 | import warnings | ||
187 | diff --git a/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst b/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst | ||
188 | new file mode 100644 | ||
189 | index 0000000000..e76997ef83 | ||
190 | --- /dev/null | ||
191 | +++ b/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst | ||
192 | @@ -0,0 +1 @@ | ||
193 | +Add TLS 1.3 cipher suites and OP_NO_TLSv1_3. | ||
194 | diff --git a/Modules/_ssl.c b/Modules/_ssl.c | ||
195 | index 0d5c121d2c..c71d89607c 100644 | ||
196 | --- a/Modules/_ssl.c | ||
197 | +++ b/Modules/_ssl.c | ||
198 | @@ -4842,6 +4842,11 @@ PyInit__ssl(void) | ||
199 | #if HAVE_TLSv1_2 | ||
200 | PyModule_AddIntConstant(m, "OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1); | ||
201 | PyModule_AddIntConstant(m, "OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2); | ||
202 | +#endif | ||
203 | +#ifdef SSL_OP_NO_TLSv1_3 | ||
204 | + PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", SSL_OP_NO_TLSv1_3); | ||
205 | +#else | ||
206 | + PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", 0); | ||
207 | #endif | ||
208 | PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE", | ||
209 | SSL_OP_CIPHER_SERVER_PREFERENCE); | ||
210 | @@ -4890,6 +4895,14 @@ PyInit__ssl(void) | ||
211 | Py_INCREF(r); | ||
212 | PyModule_AddObject(m, "HAS_ALPN", r); | ||
213 | |||
214 | +#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3) | ||
215 | + r = Py_True; | ||
216 | +#else | ||
217 | + r = Py_False; | ||
218 | +#endif | ||
219 | + Py_INCREF(r); | ||
220 | + PyModule_AddObject(m, "HAS_TLSv1_3", r); | ||
221 | + | ||
222 | /* Mappings for error codes */ | ||
223 | err_codes_to_names = PyDict_New(); | ||
224 | err_names_to_codes = PyDict_New(); | ||
225 | -- | ||
226 | 2.17.1 | ||
227 | |||