python3{,-native}: backport openssl 1.1.1 compatibility changes

Backport changes from 3.7/3.6 to fix failing python3 ssl test suite. Fixes [YOCTO #12919] (From OE-Core rev: 6c123468b546931de005cf136d98bca6b893b37b) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Anuj Mittal <anuj.mittal@intel.com> 2018-09-12 18:16:04 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-09-13 07:42:28 +0100
commit: 3c32b1525ad5ce3ec82542846369547efc62f25a (patch)
tree: 1665ff7eea6638f7da98ef803f1c4f4e03150e82 /meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
parent: 55f36a4045b44e644887bc4316d6d3aae5d12e22 (diff)
download: poky-3c32b1525ad5ce3ec82542846369547efc62f25a.tar.gz
1 files changed, 110 insertions, 0 deletions
diff --git a/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch b/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
new file mode 100644
index 0000000000..b97d5501e1
--- /dev/null
+++ b/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
@@ -0,0 +1,110 @@
+From 0c9354362bfa5f90fbea8ff8237a1f1f5dba686f Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Wed, 12 Sep 2018 15:20:31 +0800
+Subject: [PATCH] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
+default.
+Also update multissltests and Travis config to test with latest OpenSSL.
+Signed-off-by: Christian Heimes <christian@python.org>
+(cherry picked from commit e8eb6cb7920ded66abc5d284319a8539bdc2bae3)
+Co-authored-by: Christian Heimes <christian@python.org
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/3e630c541b35c96bfe5619165255e559f577ee71]
+Tweaked patch to not take changes for multissltests and Travis config.
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Lib/test/test_ssl.py | 51 ++++++++++++++++++++++----------------------
+ 1 file changed, 26 insertions(+), 25 deletions(-)
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index a2e1d32a62..c484ead5ff 100644
+--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
+@@ -3024,17 +3024,21 @@ else:
+                     sock.do_handshake()
+                 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
+ 
+-        def test_default_ciphers(self):
+-            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+-            try:
+-                # Force a set of weak ciphers on our client context
+-                context.set_ciphers("DES")
+-            except ssl.SSLError:
+-                self.skipTest("no DES cipher available")
+-            with ThreadedEchoServer(CERTFILE,
+-                                    ssl_version=ssl.PROTOCOL_SSLv23,
+-                                    chatty=False) as server:
+-                with context.wrap_socket(socket.socket()) as s:
+        def test_no_shared_ciphers(self):
+            server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+            server_context.load_cert_chain(SIGNED_CERTFILE)
+            client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+            client_context.verify_mode = ssl.CERT_REQUIRED
+            client_context.check_hostname = True
+
+            client_context.set_ciphers("AES128")
+            server_context.set_ciphers("AES256")
+            # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
+            client_context.options |= ssl.OP_NO_TLSv1_3
+            with ThreadedEchoServer(context=server_context) as server:
+                with client_context.wrap_socket(
+                        socket.socket(),
+                        server_hostname="localhost") as s:
+                     with self.assertRaises(OSError):
+                         s.connect((HOST, server.port))
+             self.assertIn("no shared cipher", str(server.conn_errors[0]))
+@@ -3067,9 +3071,9 @@ else:
+                 with context.wrap_socket(socket.socket()) as s:
+                     s.connect((HOST, server.port))
+                     self.assertIn(s.cipher()[0], [
+-                        'TLS13-AES-256-GCM-SHA384',
+-                        'TLS13-CHACHA20-POLY1305-SHA256',
+-                        'TLS13-AES-128-GCM-SHA256',
+                        'TLS_AES_256_GCM_SHA384',
+                        'TLS_CHACHA20_POLY1305_SHA256',
+                        'TLS_AES_128_GCM_SHA256',
+                     ])
+ 
+         @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
+@@ -3391,22 +3395,19 @@ else:
+             client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+             client_context.verify_mode = ssl.CERT_REQUIRED
+             client_context.load_verify_locations(SIGNING_CA)
+-            if ssl.OPENSSL_VERSION_INFO >= (1, 0, 2):
+-                client_context.set_ciphers("AES128:AES256")
+-                server_context.set_ciphers("AES256")
+-                alg1 = "AES256"
+-                alg2 = "AES-256"
+-            else:
+-                client_context.set_ciphers("AES:3DES")
+-                server_context.set_ciphers("3DES")
+-                alg1 = "3DES"
+-                alg2 = "DES-CBC3"
+            client_context.set_ciphers("AES128:AES256")
+            server_context.set_ciphers("AES256")
+            expected_algs = [
+                "AES256", "AES-256",
+                 # TLS 1.3 ciphers are always enabled
+                 "TLS_CHACHA20", "TLS_AES",
+            ]
+ 
+             stats = server_params_test(client_context, server_context)
+             ciphers = stats['server_shared_ciphers'][0]
+             self.assertGreater(len(ciphers), 0)
+             for name, tls_version, bits in ciphers:
+-                if not alg1 in name.split("-") and alg2 not in name:
+                if not any (alg in name for alg in expected_algs):
+                     self.fail(name)
+ 
+         def test_read_write_after_close_raises_valuerror(self):
+-- 
+2.17.1
author	Anuj Mittal <anuj.mittal@intel.com>	2018-09-12 18:16:04 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-09-13 07:42:28 +0100
commit	3c32b1525ad5ce3ec82542846369547efc62f25a (patch)
tree	1665ff7eea6638f7da98ef803f1c4f4e03150e82 /meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
parent	55f36a4045b44e644887bc4316d6d3aae5d12e22 (diff)
download	poky-3c32b1525ad5ce3ec82542846369547efc62f25a.tar.gz

diff --git a/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch b/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch new file mode 100644 index 0000000000..b97d5501e1 --- /dev/null +++ b/meta/recipes-devtools/python/python3/0004-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976.patch
@@ -0,0 +1,110 @@
	1	From 0c9354362bfa5f90fbea8ff8237a1f1f5dba686f Mon Sep 17 00:00:00 2001
	2	From: Christian Heimes <christian@python.org>
	3	Date: Wed, 12 Sep 2018 15:20:31 +0800
	4	Subject: [PATCH] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
	5
	6	Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
	7	1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
	8	default.
	9
	10	Also update multissltests and Travis config to test with latest OpenSSL.
	11
	12	Signed-off-by: Christian Heimes <christian@python.org>
	13	(cherry picked from commit e8eb6cb7920ded66abc5d284319a8539bdc2bae3)
	14
	15	Co-authored-by: Christian Heimes <christian@python.org
	16
	17	Upstream-Status: Backport
	18	[https://github.com/python/cpython/commit/3e630c541b35c96bfe5619165255e559f577ee71]
	19
	20	Tweaked patch to not take changes for multissltests and Travis config.
	21
	22	Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
	23	---
	24	Lib/test/test_ssl.py \| 51 ++++++++++++++++++++++----------------------
	25	1 file changed, 26 insertions(+), 25 deletions(-)
	26
	27	diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
	28	index a2e1d32a62..c484ead5ff 100644
	29	--- a/Lib/test/test_ssl.py
	30	+++ b/Lib/test/test_ssl.py
	31	@@ -3024,17 +3024,21 @@ else:
	32	sock.do_handshake()
	33	self.assertEqual(cm.exception.errno, errno.ENOTCONN)
	34
	35	- def test_default_ciphers(self):
	36	- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
	37	- try:
	38	- # Force a set of weak ciphers on our client context
	39	- context.set_ciphers("DES")
	40	- except ssl.SSLError:
	41	- self.skipTest("no DES cipher available")
	42	- with ThreadedEchoServer(CERTFILE,
	43	- ssl_version=ssl.PROTOCOL_SSLv23,
	44	- chatty=False) as server:
	45	- with context.wrap_socket(socket.socket()) as s:
	46	+ def test_no_shared_ciphers(self):
	47	+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
	48	+ server_context.load_cert_chain(SIGNED_CERTFILE)
	49	+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
	50	+ client_context.verify_mode = ssl.CERT_REQUIRED
	51	+ client_context.check_hostname = True
	52	+
	53	+ client_context.set_ciphers("AES128")
	54	+ server_context.set_ciphers("AES256")
	55	+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
	56	+ client_context.options \|= ssl.OP_NO_TLSv1_3
	57	+ with ThreadedEchoServer(context=server_context) as server:
	58	+ with client_context.wrap_socket(
	59	+ socket.socket(),
	60	+ server_hostname="localhost") as s:
	61	with self.assertRaises(OSError):
	62	s.connect((HOST, server.port))
	63	self.assertIn("no shared cipher", str(server.conn_errors[0]))
	64	@@ -3067,9 +3071,9 @@ else:
	65	with context.wrap_socket(socket.socket()) as s:
	66	s.connect((HOST, server.port))
	67	self.assertIn(s.cipher()[0], [
	68	- 'TLS13-AES-256-GCM-SHA384',
	69	- 'TLS13-CHACHA20-POLY1305-SHA256',
	70	- 'TLS13-AES-128-GCM-SHA256',
	71	+ 'TLS_AES_256_GCM_SHA384',
	72	+ 'TLS_CHACHA20_POLY1305_SHA256',
	73	+ 'TLS_AES_128_GCM_SHA256',
	74	])
	75
	76	@unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
	77	@@ -3391,22 +3395,19 @@ else:
	78	client_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
	79	client_context.verify_mode = ssl.CERT_REQUIRED
	80	client_context.load_verify_locations(SIGNING_CA)
	81	- if ssl.OPENSSL_VERSION_INFO >= (1, 0, 2):
	82	- client_context.set_ciphers("AES128:AES256")
	83	- server_context.set_ciphers("AES256")
	84	- alg1 = "AES256"
	85	- alg2 = "AES-256"
	86	- else:
	87	- client_context.set_ciphers("AES:3DES")
	88	- server_context.set_ciphers("3DES")
	89	- alg1 = "3DES"
	90	- alg2 = "DES-CBC3"
	91	+ client_context.set_ciphers("AES128:AES256")
	92	+ server_context.set_ciphers("AES256")
	93	+ expected_algs = [
	94	+ "AES256", "AES-256",
	95	+ # TLS 1.3 ciphers are always enabled
	96	+ "TLS_CHACHA20", "TLS_AES",
	97	+ ]
	98
	99	stats = server_params_test(client_context, server_context)
	100	ciphers = stats['server_shared_ciphers'][0]
	101	self.assertGreater(len(ciphers), 0)
	102	for name, tls_version, bits in ciphers:
	103	- if not alg1 in name.split("-") and alg2 not in name:
	104	+ if not any (alg in name for alg in expected_algs):
	105	self.fail(name)
	106
	107	def test_read_write_after_close_raises_valuerror(self):
	108	--
	109	2.17.1
	110