diff --git a/bpo-43522-fix-SSLContext.hostname_checks_common_name.patch b/bpo-43522-fix-SSLContext.hostname_checks_common_name.patch index 5e3a556..e4a8510 100644 --- a/bpo-43522-fix-SSLContext.hostname_checks_common_name.patch +++ b/bpo-43522-fix-SSLContext.hostname_checks_common_name.patch @@ -25,13 +25,15 @@ Signed-off-by: Christian Heimes Lib/test/test_ssl.py | 26 + Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst | 1 Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst | 2 - Modules/_ssl.c | 41 + - 17 files changed, 878 insertions(+), 539 deletions(-) + Modules/_ssl.c | 40 + + 17 files changed, 877 insertions(+), 539 deletions(-) create mode 100644 Lib/test/nosan.pem create mode 100644 Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst ---- a/Lib/ssl.py -+++ b/Lib/ssl.py +Index: Python-3.6.15/Lib/ssl.py +=================================================================== +--- Python-3.6.15.orig/Lib/ssl.py ++++ Python-3.6.15/Lib/ssl.py @@ -173,6 +173,7 @@ if _ssl.HAS_TLS_UNIQUE: else: CHANNEL_BINDING_TYPES = [] @@ -64,8 +66,10 @@ Signed-off-by: Christian Heimes @property def verify_flags(self): return VerifyFlags(super().verify_flags) ---- a/Lib/test/allsans.pem -+++ b/Lib/test/allsans.pem +Index: Python-3.6.15/Lib/test/allsans.pem +=================================================================== +--- Python-3.6.15.orig/Lib/test/allsans.pem ++++ Python-3.6.15/Lib/test/allsans.pem @@ -1,81 +1,170 @@ -----BEGIN PRIVATE KEY----- -MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCg/pM6dP7BTFNc @@ -314,8 +318,10 @@ 
Signed-off-by: Christian Heimes +hDj7K/vq3YjoncGbZ4c9eXs9fmEfcDy3yEwXpQyjKMerSBEU95h62k77kXaJCqbG +cuCW2fGA6miQN1zGacfXvMfRrlupElnG5GxhqYu6UbMT -----END CERTIFICATE----- ---- a/Lib/test/capath/b1930218.0 -+++ b/Lib/test/capath/b1930218.0 +Index: Python-3.6.15/Lib/test/capath/b1930218.0 +=================================================================== +--- Python-3.6.15.orig/Lib/test/capath/b1930218.0 ++++ Python-3.6.15/Lib/test/capath/b1930218.0 @@ -1,26 +1,26 @@ -----BEGIN CERTIFICATE----- MIIEbTCCAtWgAwIBAgIJAMstgJlaaVJbMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV @@ -363,8 +369,10 @@ Signed-off-by: Christian Heimes +Dp0K+qtbNfuIkXdMjYydqc/8q8LmWgV7fgRuOc+Tzmc7esuvtjbh+3FkRdSm8M7v +dQSZaZrliAoQAnSJ7HWERIBI38H36TfOzpKSXIkiCHMf -----END CERTIFICATE----- ---- a/Lib/test/capath/ceff1710.0 -+++ b/Lib/test/capath/ceff1710.0 +Index: Python-3.6.15/Lib/test/capath/ceff1710.0 +=================================================================== +--- Python-3.6.15.orig/Lib/test/capath/ceff1710.0 ++++ Python-3.6.15/Lib/test/capath/ceff1710.0 @@ -1,26 +1,26 @@ -----BEGIN CERTIFICATE----- MIIEbTCCAtWgAwIBAgIJAMstgJlaaVJbMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV @@ -412,8 +420,10 @@ Signed-off-by: Christian Heimes +Dp0K+qtbNfuIkXdMjYydqc/8q8LmWgV7fgRuOc+Tzmc7esuvtjbh+3FkRdSm8M7v +dQSZaZrliAoQAnSJ7HWERIBI38H36TfOzpKSXIkiCHMf -----END CERTIFICATE----- ---- a/Lib/test/keycert2.pem -+++ b/Lib/test/keycert2.pem +Index: Python-3.6.15/Lib/test/keycert2.pem +=================================================================== +--- Python-3.6.15.orig/Lib/test/keycert2.pem ++++ Python-3.6.15/Lib/test/keycert2.pem @@ -1,66 +1,66 @@ -----BEGIN PRIVATE KEY----- -MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDKjrjWZlfOs1Ch @@ -543,8 +553,10 @@ 
Signed-off-by: Christian Heimes +GhIglMrgqJflTHAI/PvEsCKM1O0Un2dVGWsUCzPfhj1cKmagyb0Zd+2Tk9xGSRs9 +2ceXMxRCjOJwEHUCFuTYeqowabdlpi0nyPbSn7JIwCpT -----END CERTIFICATE----- ---- a/Lib/test/keycert3.pem -+++ b/Lib/test/keycert3.pem +Index: Python-3.6.15/Lib/test/keycert3.pem +=================================================================== +--- Python-3.6.15.orig/Lib/test/keycert3.pem ++++ Python-3.6.15/Lib/test/keycert3.pem @@ -1,84 +1,84 @@ -----BEGIN PRIVATE KEY----- -MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCfKC83Qe9/ZGMW @@ -812,8 +824,10 @@ Signed-off-by: Christian Heimes +P7iAIQdqcRVtBetRs1mN1BVGfgKoEwEWmb0DzHBxKiMWeK/R1QGdBLRjk5oEOpIu +5n5zk6X+UJu9DupUhm985RR3/sIoWkoO1y2M6e1hKbJT/2wEvA== -----END CERTIFICATE----- ---- a/Lib/test/keycert4.pem -+++ b/Lib/test/keycert4.pem +Index: Python-3.6.15/Lib/test/keycert4.pem +=================================================================== +--- Python-3.6.15.orig/Lib/test/keycert4.pem ++++ Python-3.6.15/Lib/test/keycert4.pem @@ -1,84 +1,84 @@ -----BEGIN PRIVATE KEY----- -MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDGjpiHzq7ghxhM @@ -1081,8 +1095,10 @@ Signed-off-by: Christian Heimes +Xi4szXouKq62dWpfoBqbtmctsKUcVLyMcH4VK8BQ4wO7pKX8RQHJP6e4GNw+CAeh +m/W9lb1J6BB8kX0txMKYtrdRadcKaEC1D4WgqWd3xmjLDlg0s1jnyHwJZw== -----END CERTIFICATE----- ---- a/Lib/test/make_ssl_certs.py -+++ b/Lib/test/make_ssl_certs.py +Index: Python-3.6.15/Lib/test/make_ssl_certs.py +=================================================================== +--- Python-3.6.15.orig/Lib/test/make_ssl_certs.py ++++ Python-3.6.15/Lib/test/make_ssl_certs.py @@ -7,6 +7,9 @@ import shutil import tempfile from subprocess import * @@ -1220,8 +1236,10 @@ Signed-off-by: Christian Heimes unmake_ca() print("update Lib/test/test_ssl.py and Lib/test/test_asyncio/util.py") print_cert('keycert.pem') +Index: Python-3.6.15/Lib/test/nosan.pem +=================================================================== 
--- /dev/null -+++ b/Lib/test/nosan.pem ++++ Python-3.6.15/Lib/test/nosan.pem @@ -0,0 +1,130 @@ +-----BEGIN PRIVATE KEY----- +MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCv3sUoOE4F7Pye @@ -1353,8 +1371,10 @@ Signed-off-by: Christian Heimes +qvWVb/bK1QaPG3mT44a6jf6oEI+VPhQJv8qIWeKTtuwDqX7dH18T0ymzpvNq3zBT +RMjN5YJXvJw= +-----END CERTIFICATE----- ---- a/Lib/test/pycacert.pem -+++ b/Lib/test/pycacert.pem +Index: Python-3.6.15/Lib/test/pycacert.pem +=================================================================== +--- Python-3.6.15.orig/Lib/test/pycacert.pem ++++ Python-3.6.15/Lib/test/pycacert.pem @@ -3,97 +3,97 @@ Certificate: Version: 3 (0x2) Serial Number: @@ -1526,8 +1546,10 @@ Signed-off-by: Christian Heimes +Dp0K+qtbNfuIkXdMjYydqc/8q8LmWgV7fgRuOc+Tzmc7esuvtjbh+3FkRdSm8M7v +dQSZaZrliAoQAnSJ7HWERIBI38H36TfOzpKSXIkiCHMf -----END CERTIFICATE----- ---- a/Lib/test/pycakey.pem -+++ b/Lib/test/pycakey.pem +Index: Python-3.6.15/Lib/test/pycakey.pem +=================================================================== +--- Python-3.6.15.orig/Lib/test/pycakey.pem ++++ Python-3.6.15/Lib/test/pycakey.pem @@ -1,40 +1,40 @@ -----BEGIN PRIVATE KEY----- -MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQCX7VVBujYXldtx @@ -1607,8 +1629,10 @@ Signed-off-by: Christian Heimes +6eTeMLcsIJ+Fp7gG0ve2EdQwhVSVMFEu4Q4C2FcJeU++L4kYpY7sTnAjUtiLvtHn +yp3jllEn3CBD8Uhs4B+sL/6p -----END PRIVATE KEY----- ---- a/Lib/test/revocation.crl -+++ b/Lib/test/revocation.crl +Index: Python-3.6.15/Lib/test/revocation.crl +=================================================================== +--- Python-3.6.15.orig/Lib/test/revocation.crl ++++ Python-3.6.15/Lib/test/revocation.crl @@ -1,14 +1,14 @@ -----BEGIN X509 CRL----- MIICJjCBjwIBATANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJYWTEmMCQGA1UE @@ -1634,8 +1658,10 @@ 
Signed-off-by: Christian Heimes +BLJOSOSu2vVUH5GUIrpvK9FTySKYa+MGryoPasuqZNfwpaXK+ON2G6QsmcXPWZY0 +Dry6t0w2geW6UYVGmb831i8ZP3JVVVwcwi0= -----END X509 CRL----- ---- a/Lib/test/test_asyncio/test_events.py -+++ b/Lib/test/test_asyncio/test_events.py +Index: Python-3.6.15/Lib/test/test_asyncio/test_events.py +=================================================================== +--- Python-3.6.15.orig/Lib/test/test_asyncio/test_events.py ++++ Python-3.6.15/Lib/test/test_asyncio/test_events.py @@ -72,7 +72,7 @@ PEERCERT = { 'issuer': ((('countryName', 'XY'),), (('organizationName', 'Python Software Foundation CA'),), @@ -1654,8 +1680,10 @@ Signed-off-by: Christian Heimes def check_terminated(self, returncode): if sys.platform == 'win32': self.assertIsInstance(returncode, int) ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py +Index: Python-3.6.15/Lib/test/test_ssl.py +=================================================================== +--- Python-3.6.15.orig/Lib/test/test_ssl.py ++++ Python-3.6.15/Lib/test/test_ssl.py @@ -75,6 +75,8 @@ SIGNED_CERTFILE2 = data_file("keycert4.p SIGNING_CA = data_file("capath", "ceff1710.0") # cert with all kinds of subject alt names @@ -1696,23 +1724,28 @@ Signed-off-by: Christian Heimes def test_wrong_cert(self): """Connecting when the server rejects the client's certificate +Index: Python-3.6.15/Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst +=================================================================== --- /dev/null -+++ b/Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst ++++ Python-3.6.15/Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst @@ -0,0 +1 @@ +Fix problem with :attr:`~ssl.SSLContext.hostname_checks_common_name`. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*. +Index: Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst +=================================================================== 
--- /dev/null -+++ b/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst ++++ Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst @@ -0,0 +1,2 @@ +OpenSSL 3.0.0: Don't call the password callback function a second time when +first call has signaled an error condition. ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -690,6 +690,15 @@ newPySSLSocket(PySSLContext *sslctx, PyS +Index: Python-3.6.15/Modules/_ssl.c +=================================================================== +--- Python-3.6.15.orig/Modules/_ssl.c ++++ Python-3.6.15/Modules/_ssl.c +@@ -690,6 +690,14 @@ newPySSLSocket(PySSLContext *sslctx, PyS _setSSLError(NULL, 0, __FILE__, __LINE__); return NULL; } + /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */ -+ int OpenSSL_ver = OPENSSL_VERSION; +#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION < 0x101010cf + X509_VERIFY_PARAM *ssl_verification_params = SSL_get0_param(self->ssl); + X509_VERIFY_PARAM *ssl_ctx_verification_params = SSL_CTX_get0_param(ctx); @@ -1723,7 +1756,7 @@ Signed-off-by: Christian Heimes SSL_set_app_data(self->ssl, self); if (sock) { SSL_set_fd(self->ssl, Py_SAFE_DOWNCAST(sock->sock_fd, SOCKET_T, int)); -@@ -3411,6 +3420,13 @@ _password_callback(char *buf, int size, +@@ -3411,6 +3419,13 @@ _password_callback(char *buf, int size, PySSL_END_ALLOW_THREADS_S(pw_info->thread_state); @@ -1737,7 +1770,7 @@ Signed-off-by: Christian Heimes if (pw_info->callable) { fn_ret = PyObject_CallFunctionObjArgs(pw_info->callable, NULL); if (!fn_ret) { -@@ -5605,6 +5621,31 @@ PyInit__ssl(void) +@@ -5605,6 +5620,31 @@ PyInit__ssl(void) SSL_OP_ENABLE_MIDDLEBOX_COMPAT); #endif diff --git a/bpo43920-fix-load_verify_locations-errmsgs.patch b/bpo43920-fix-load_verify_locations-errmsgs.patch new file mode 100644 index 0000000..5569560 --- /dev/null +++ b/bpo43920-fix-load_verify_locations-errmsgs.patch 
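Review bot: The `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION < 0x101010cf` guard kept as context in the `newPySSLSocket` hunk does not test the library version at all: `OPENSSL_VERSION` is the selector constant for `OpenSSL_version()` (defined as 0 in crypto.h), so the condition is always true and the "copy hostflags manually" workaround compiles in on every OpenSSL release, not only < 1.1.1l as the comment above it says. Dropping `int OpenSSL_ver = OPENSSL_VERSION;` is correct (it captured that same selector, not a version, and was never used), but the gate it sat next to should read `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x101010cfL`. This spelling appears to be inherited from the upstream bpo-43522 change rather than introduced by the backport, and the copy is presumably harmless on newer OpenSSL if it only mirrors the context's hostflags onto the SSL object, but the lines that perform the copy and the rest of `newPySSLSocket` lie outside this hunk, so that could not be confirmed here.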
@@ -0,0 +1,100 @@ +From be6a5a3494dcf5c2f309acf959dd4d32ab846afb Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Fri, 23 Apr 2021 11:56:31 +0200 +Subject: [PATCH] bpo-43920: Make load_verify_locations(cadata) error message + consistent + +Signed-off-by: Christian Heimes +--- + Lib/test/test_ssl.py | 10 +++- + Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst | 2 + Lib/test/test_ssl.py | 10 ++- + Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst | 2 + Lib/test/test_ssl.py | 10 +++- + Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst | 2 + Modules/_ssl.c | 25 ++++++---- + 3 files changed, 27 insertions(+), 10 deletions(-) + create mode 100644 Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst + +Index: Python-3.6.15/Lib/test/test_ssl.py +=================================================================== +--- Python-3.6.15.orig/Lib/test/test_ssl.py ++++ Python-3.6.15/Lib/test/test_ssl.py +@@ -1199,9 +1199,15 @@ class ContextTests(unittest.TestCase): + ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object) + +- with self.assertRaisesRegex(ssl.SSLError, "no start line"): ++ with self.assertRaisesRegex( ++ ssl.SSLError, ++ "no start line: cadata does not contain a certificate" ++ ): + ctx.load_verify_locations(cadata="broken") +- with self.assertRaisesRegex(ssl.SSLError, "not enough data"): ++ with self.assertRaisesRegex( ++ ssl.SSLError, ++ "not enough data: cadata does not contain a certificate" ++ ): + ctx.load_verify_locations(cadata=b"broken") + + +Index: Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst +=================================================================== +--- /dev/null ++++ Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst +@@ -0,0 +1,2 @@ ++OpenSSL 3.0.0: :meth:`~ssl.SSLContext.load_verify_locations` now returns a ++consistent error message when cadata 
contains no valid certificate. +Index: Python-3.6.15/Modules/_ssl.c +=================================================================== +--- Python-3.6.15.orig/Modules/_ssl.c ++++ Python-3.6.15/Modules/_ssl.c +@@ -3579,7 +3579,7 @@ _add_ca_certs(PySSLContext *self, void * + { + BIO *biobuf = NULL; + X509_STORE *store; +- int retval = 0, err, loaded = 0; ++ int retval = -1, err, loaded = 0; + + assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM); + +@@ -3633,23 +3633,32 @@ _add_ca_certs(PySSLContext *self, void * + } + + err = ERR_peek_last_error(); +- if ((filetype == SSL_FILETYPE_ASN1) && +- (loaded > 0) && +- (ERR_GET_LIB(err) == ERR_LIB_ASN1) && +- (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) { ++ if (loaded == 0) { ++ const char *msg = NULL; ++ if (filetype == SSL_FILETYPE_PEM) { ++ msg = "no start line: cadata does not contain a certificate"; ++ } else { ++ msg = "not enough data: cadata does not contain a certificate"; ++ } ++ _setSSLError(msg, 0, __FILE__, __LINE__); ++ retval = -1; ++ } else if ((filetype == SSL_FILETYPE_ASN1) && ++ (ERR_GET_LIB(err) == ERR_LIB_ASN1) && ++ (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) { + /* EOF ASN1 file, not an error */ + ERR_clear_error(); + retval = 0; + } else if ((filetype == SSL_FILETYPE_PEM) && +- (loaded > 0) && + (ERR_GET_LIB(err) == ERR_LIB_PEM) && + (ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) { + /* EOF PEM file, not an error */ + ERR_clear_error(); + retval = 0; +- } else { +- _setSSLError(NULL, 0, __FILE__, __LINE__); ++ } else if (err != 0) { ++ _setSSLError(NULL, 0, __FILE__, __LINE__); + retval = -1; ++ } else { ++ retval = 0; + } + + BIO_free(biobuf); diff --git a/python36.changes b/python36.changes index c803084..af36a8f 100644 --- a/python36.changes +++ b/python36.changes 
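Review bot: In the new `loaded == 0` branch of `_add_ca_certs`, the fixed "does not contain a certificate" text replaces whatever OpenSSL actually reported, so cadata that does hold a certificate but a corrupt one (bad base64 inside a PEM block, truncated DER) is now diagnosed exactly like garbage input and the reason held in `err` is discarded. This appears to mirror the upstream fix, so at minimum document the trade-off next to the branch, e.g. `/* nothing loaded: report a fixed message and drop OpenSSL's own reason so the text is stable across OpenSSL 1.1/3.0 */`, or append `ERR_reason_error_string(err)` to `msg` when `err != 0` if callers need to tell "no cert" from "unparsable cert". The `retval = -1;` inside that branch is redundant with the new `int retval = -1` initializer. The patch header's diffstat lists `Lib/test/test_ssl.py` and the NEWS entry three times while claiming "3 files changed"; patch/quilt ignore it, but it should be regenerated. The loop that increments `loaded` and the early-exit paths the new initializer now covers are outside the hunk.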
@@ -19,6 +19,9 @@ Thu Jan 11 15:14:09 UTC 2024 - Matej Cepl - Add crash-PyCFuncPtr_new-ctypes.patch (from gh#python/cpython#89863 and bpo#27987). - Fix CVE-2020-10735-DoS-no-limit-int-size.patch corrupted by quilt +- Add bpo43920-fix-load_verify_locations-errmsgs.patch (from + gh#python/cpython!25554) to make load_verify_locations(cadata) + error message consistent. ------------------------------------------------------------------- Mon Sep 11 06:28:43 UTC 2023 - Daniel Garcia diff --git a/python36.spec b/python36.spec index dce0820..6a904bf 100644 --- a/python36.spec +++ b/python36.spec @@ -251,6 +251,9 @@ Patch61: bpo4379-skipTLS10-11-OpenSSL3.patch # PATCH-FIX-UPSTREAM crash-PyCFuncPtr_new-ctypes.patch gh#python/cpython#89863 mcepl@suse.com # fix SEGV in PyCFuncPtr_new in ctypes (fix from bpo#27987) Patch62: crash-PyCFuncPtr_new-ctypes.patch +# PATCH-FIX-UPSTREAM bpo43920-fix-load_verify_locations-errmsgs.patch bsc#1217782 mcepl@suse.com +# Make load_verify_locations(cadata) error message consistent (from gh#python/cpython!25554) +Patch63: bpo43920-fix-load_verify_locations-errmsgs.patch BuildRequires: automake BuildRequires: fdupes BuildRequires: gmp-devel @@ -552,6 +555,7 @@ other applications. %patch -P 60 -p1 %patch -P 61 -p1 %patch -P 62 -p1 +%patch -P 63 -p1 # drop Autoconf version requirement sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac