summaryrefslogtreecommitdiffstats
path: root/meta/recipes-devtools/python
diff options
context:
space:
mode:
authorAnuj Mittal <anuj.mittal@intel.com>2018-10-04 13:09:16 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-10-08 14:13:54 +0100
commit2b4dce4925627c81ee2f27a0eeb2422e15029c3e (patch)
tree48e0333d2e1a1f5f5de14c3a0972de326c82418e /meta/recipes-devtools/python
parent4b8fd52f6d3682be287cc63d73bd06cb751751f4 (diff)
downloadpoky-2b4dce4925627c81ee2f27a0eeb2422e15029c3e.tar.gz
python: fix failing ssl tests
Backport two and pick some other in-review patches from Ubuntu to fix ssl test failures because of OpenSSL 1.1.x changes. Fixes [YOCTO #12788] (From OE-Core rev: 4f4bbb936231dd30c3745ef573993f1062937ffd) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/python')
-rw-r--r--meta/recipes-devtools/python/python.inc8
-rw-r--r--meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch57
-rw-r--r--meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch120
-rw-r--r--meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch37
-rw-r--r--meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch37
-rw-r--r--meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch34
6 files changed, 292 insertions, 1 deletions
diff --git a/meta/recipes-devtools/python/python.inc b/meta/recipes-devtools/python/python.inc
index 901acd0219..66923678b1 100644
--- a/meta/recipes-devtools/python/python.inc
+++ b/meta/recipes-devtools/python/python.inc
@@ -7,7 +7,13 @@ INC_PR = "r1"
7 7
8LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754" 8LIC_FILES_CHKSUM = "file://LICENSE;md5=f257cc14f81685691652a3d3e1b5d754"
9 9
10SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz" 10SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \
11 file://0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch \
12 file://0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch \
13 file://0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch \
14 file://0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch \
15 file://0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch \
16 "
11 17
12SRC_URI[md5sum] = "a80ae3cc478460b922242f43a1b4094d" 18SRC_URI[md5sum] = "a80ae3cc478460b922242f43a1b4094d"
13SRC_URI[sha256sum] = "22d9b1ac5b26135ad2b8c2901a9413537e08749a753356ee913c84dbd2df5574" 19SRC_URI[sha256sum] = "22d9b1ac5b26135ad2b8c2901a9413537e08749a753356ee913c84dbd2df5574"
diff --git a/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch b/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch
new file mode 100644
index 0000000000..776bbdcf7a
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0001-bpo-33354-Fix-test_ssl-when-a-filename-cannot-be-enc.patch
@@ -0,0 +1,57 @@
1From 19f6bd06af3c7fc0db5f96878aaa68f5589ff13e Mon Sep 17 00:00:00 2001
2From: Pablo Galindo <Pablogsal@gmail.com>
3Date: Thu, 24 May 2018 23:20:44 +0100
4Subject: [PATCH] bpo-33354: Fix test_ssl when a filename cannot be encoded
5 (GH-6613)
6
7Skip test_load_dh_params() of test_ssl when Python filesystem encoding
8cannot encode the provided path.
9
10Upstream-Status:
11Backport[https://github.com/python/cpython/commit/19f6bd06af3c7fc0db5f96878aaa68f5589ff13e]
12
13Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
14---
15 Lib/test/test_ssl.py | 9 ++++++++-
16 .../next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst | 2 ++
17 2 files changed, 10 insertions(+), 1 deletion(-)
18 create mode 100644 Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
19
20diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
21index b59fe73f04..7ced90fdf6 100644
22--- a/Lib/test/test_ssl.py
23+++ b/Lib/test/test_ssl.py
24@@ -989,6 +989,13 @@ class ContextTests(unittest.TestCase):
25
26
27 def test_load_dh_params(self):
28+ filename = u'dhpäräm.pem'
29+ fs_encoding = sys.getfilesystemencoding()
30+ try:
31+ filename.encode(fs_encoding)
32+ except UnicodeEncodeError:
33+ self.skipTest("filename %r cannot be encoded to the filesystem encoding %r" % (filename, fs_encoding))
34+
35 ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
36 ctx.load_dh_params(DHFILE)
37 if os.name != 'nt':
38@@ -1001,7 +1008,7 @@ class ContextTests(unittest.TestCase):
39 with self.assertRaises(ssl.SSLError) as cm:
40 ctx.load_dh_params(CERTFILE)
41 with support.temp_dir() as d:
42- fname = os.path.join(d, u'dhpäräm.pem')
43+ fname = os.path.join(d, filename)
44 shutil.copy(DHFILE, fname)
45 ctx.load_dh_params(fname)
46
47diff --git a/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst b/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
48new file mode 100644
49index 0000000000..c66cecac32
50--- /dev/null
51+++ b/Misc/NEWS.d/next/Tests/2018-04-26-22-39-17.bpo-33354.g35-44.rst
52@@ -0,0 +1,2 @@
53+Skip ``test_ssl.test_load_dh_params`` when Python filesystem encoding cannot encode the
54+provided path.
55--
562.17.1
57
diff --git a/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch b/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
new file mode 100644
index 0000000000..1f70562fc0
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
@@ -0,0 +1,120 @@
1From a333351592f097220fc862911b34d3a300f0985e Mon Sep 17 00:00:00 2001
2From: Christian Heimes <christian@python.org>
3Date: Wed, 15 Aug 2018 09:07:28 +0200
4Subject: [PATCH 1/4] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
5 (GH-8760)
6
7Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
81.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
9default.
10
11Also update multissltests to test with latest OpenSSL.
12
13Signed-off-by: Christian Heimes <christian@python.org>.
14(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
15
16Co-authored-by: Christian Heimes <christian@python.org>
17
18Upstream-Status: Accepted [https://github.com/python/cpython/pull/8771]
19
20Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
21---
22 Doc/library/ssl.rst | 8 ++--
23 Lib/test/test_ssl.py | 37 +++++++++++--------
24 .../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | 3 ++
25 3 files changed, 27 insertions(+), 21 deletions(-)
26 create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
27
28diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
29index 0421031772..7c7c85b833 100644
30--- a/Doc/library/ssl.rst
31+++ b/Doc/library/ssl.rst
32@@ -294,11 +294,6 @@ purposes.
33
34 3DES was dropped from the default cipher string.
35
36- .. versionchanged:: 2.7.15
37-
38- TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
39- and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
40-
41 .. function:: _https_verify_certificates(enable=True)
42
43 Specifies whether or not server certificates are verified when creating
44@@ -1179,6 +1174,9 @@ to speed up repeated connections from the same clients.
45 when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
46 give the currently selected cipher.
47
48+ OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
49+ cannot be disabled with :meth:`~SSLContext.set_ciphers`.
50+
51 .. method:: SSLContext.set_alpn_protocols(protocols)
52
53 Specify which protocols the socket should advertise during the SSL/TLS
54diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
55index dc14e22ad1..f51572e319 100644
56--- a/Lib/test/test_ssl.py
57+++ b/Lib/test/test_ssl.py
58@@ -2772,19 +2772,24 @@ else:
59 sock.do_handshake()
60 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
61
62- def test_default_ciphers(self):
63- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
64- try:
65- # Force a set of weak ciphers on our client context
66- context.set_ciphers("DES")
67- except ssl.SSLError:
68- self.skipTest("no DES cipher available")
69- with ThreadedEchoServer(CERTFILE,
70- ssl_version=ssl.PROTOCOL_SSLv23,
71- chatty=False) as server:
72- with closing(context.wrap_socket(socket.socket())) as s:
73- with self.assertRaises(ssl.SSLError):
74- s.connect((HOST, server.port))
75+ def test_no_shared_ciphers(self):
76+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
77+ server_context.load_cert_chain(SIGNED_CERTFILE)
78+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
79+ client_context.verify_mode = ssl.CERT_REQUIRED
80+ client_context.check_hostname = True
81+
82+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
83+ client_context.options |= ssl.OP_NO_TLSv1_3
84+ # Force different suites on client and master
85+ client_context.set_ciphers("AES128")
86+ server_context.set_ciphers("AES256")
87+ with ThreadedEchoServer(context=server_context) as server:
88+ s = client_context.wrap_socket(
89+ socket.socket(),
90+ server_hostname="localhost")
91+ with self.assertRaises(ssl.SSLError):
92+ s.connect((HOST, server.port))
93 self.assertIn("no shared cipher", str(server.conn_errors[0]))
94
95 def test_version_basic(self):
96@@ -2815,9 +2820,9 @@ else:
97 with context.wrap_socket(socket.socket()) as s:
98 s.connect((HOST, server.port))
99 self.assertIn(s.cipher()[0], [
100- 'TLS13-AES-256-GCM-SHA384',
101- 'TLS13-CHACHA20-POLY1305-SHA256',
102- 'TLS13-AES-128-GCM-SHA256',
103+ 'TLS_AES_256_GCM_SHA384',
104+ 'TLS_CHACHA20_POLY1305_SHA256',
105+ 'TLS_AES_128_GCM_SHA256',
106 ])
107
108 @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
109diff --git a/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
110new file mode 100644
111index 0000000000..bd719a47e8
112--- /dev/null
113+++ b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
114@@ -0,0 +1,3 @@
115+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
116+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
117+default.
118--
1192.17.1
120
diff --git a/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch b/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch
new file mode 100644
index 0000000000..96882712e9
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0002-bpo-34818-Add-missing-closing-wrapper-in-test_tls1_3.patch
@@ -0,0 +1,37 @@
1From 0e1f3856a7e1511fb64d99646c54ddf3897cd444 Mon Sep 17 00:00:00 2001
2From: Dimitri John Ledkov <xnox@ubuntu.com>
3Date: Fri, 28 Sep 2018 14:15:52 +0100
4Subject: [PATCH 2/4] bpo-34818: Add missing closing() wrapper in test_tls1_3.
5
6Python 2.7 socket classes do not implement context manager protocol,
7hence closing() is required around it. Resolves testcase error
8traceback.
9
10Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
11
12https://bugs.python.org/issue34818
13
14Patch taken from Ubuntu.
15
16Upstream-Status: Submitted [https://github.com/python/cpython/pull/9622]
17Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
18---
19 Lib/test/test_ssl.py | 2 +-
20 1 file changed, 1 insertion(+), 1 deletion(-)
21
22diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
23index f51572e319..7a14053cee 100644
24--- a/Lib/test/test_ssl.py
25+++ b/Lib/test/test_ssl.py
26@@ -2817,7 +2817,7 @@ else:
27 ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
28 )
29 with ThreadedEchoServer(context=context) as server:
30- with context.wrap_socket(socket.socket()) as s:
31+ with closing(context.wrap_socket(socket.socket())) as s:
32 s.connect((HOST, server.port))
33 self.assertIn(s.cipher()[0], [
34 'TLS_AES_256_GCM_SHA384',
35--
362.17.1
37
diff --git a/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch b/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch
new file mode 100644
index 0000000000..77016cb430
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0003-bpo-34834-Fix-test_ssl.test_options-to-account-for-O.patch
@@ -0,0 +1,37 @@
1From 8b06d56d26eee289fec22b9b72ab4c7cc3d6c482 Mon Sep 17 00:00:00 2001
2From: Dimitri John Ledkov <xnox@ubuntu.com>
3Date: Fri, 28 Sep 2018 16:34:16 +0100
4Subject: [PATCH 3/4] bpo-34834: Fix test_ssl.test_options to account for
5 OP_ENABLE_MIDDLEBOX_COMPAT.
6
7Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
8
9https://bugs.python.org/issue34834
10
11Patch taken from Ubuntu.
12Upstream-Status: Submitted [https://github.com/python/cpython/pull/9624]
13
14Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
15---
16 Lib/test/test_ssl.py | 5 +++++
17 1 file changed, 5 insertions(+)
18
19diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
20index 7a14053cee..efc906a5ba 100644
21--- a/Lib/test/test_ssl.py
22+++ b/Lib/test/test_ssl.py
23@@ -777,6 +777,11 @@ class ContextTests(unittest.TestCase):
24 default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
25 if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
26 default |= ssl.OP_NO_COMPRESSION
27+ if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
28+ # define MIDDLEBOX constant, as python2.7 does not know about it
29+ # but it is used by default.
30+ OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L
31+ default |= OP_ENABLE_MIDDLEBOX_COMPAT
32 self.assertEqual(default, ctx.options)
33 ctx.options |= ssl.OP_NO_TLSv1
34 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
35--
362.17.1
37
diff --git a/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch b/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch
new file mode 100644
index 0000000000..39e1bcfc86
--- /dev/null
+++ b/meta/recipes-devtools/python/python/0004-bpo-34836-fix-test_default_ecdh_curve-needs-no-tlsv1.patch
@@ -0,0 +1,34 @@
1From 946a7969345c6697697effd226ec396d3fea05b7 Mon Sep 17 00:00:00 2001
2From: Dimitri John Ledkov <xnox@ubuntu.com>
3Date: Fri, 28 Sep 2018 17:30:19 +0100
4Subject: [PATCH 4/4] bpo-34836: fix test_default_ecdh_curve, needs no tlsv1.3.
5
6Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
7
8https://bugs.python.org/issue34836
9
10Patch taken from Ubuntu.
11Upstream-Status: Submitted [https://github.com/python/cpython/pull/9626]
12
13Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
14---
15 Lib/test/test_ssl.py | 3 +++
16 1 file changed, 3 insertions(+)
17
18diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
19index efc906a5ba..4a3286cd5f 100644
20--- a/Lib/test/test_ssl.py
21+++ b/Lib/test/test_ssl.py
22@@ -2836,6 +2836,9 @@ else:
23 # should be enabled by default on SSL contexts.
24 context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
25 context.load_cert_chain(CERTFILE)
26+ # TLSv1.3 defaults to PFS key agreement and no longer has KEA in
27+ # cipher name.
28+ context.options |= ssl.OP_NO_TLSv1_3
29 # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
30 # explicitly using the 'ECCdraft' cipher alias. Otherwise,
31 # our default cipher list should prefer ECDH-based ciphers
32--
332.17.1
34