Add bpo43920-fix-load_verify_locations-errmsgs.patch
(from gh#python/cpython!25554) Making load_verify_locations(cadata) error message consistent.
parent
4812bf97a2
commit
75bc4cb3a1
@ -25,13 +25,15 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
Lib/test/test_ssl.py | 26 +
|
Lib/test/test_ssl.py | 26 +
|
||||||
Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst | 1
|
Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst | 1
|
||||||
Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst | 2
|
Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst | 2
|
||||||
Modules/_ssl.c | 41 +
|
Modules/_ssl.c | 40 +
|
||||||
17 files changed, 878 insertions(+), 539 deletions(-)
|
17 files changed, 877 insertions(+), 539 deletions(-)
|
||||||
create mode 100644 Lib/test/nosan.pem
|
create mode 100644 Lib/test/nosan.pem
|
||||||
create mode 100644 Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst
|
create mode 100644 Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst
|
||||||
|
|
||||||
--- a/Lib/ssl.py
|
Index: Python-3.6.15/Lib/ssl.py
|
||||||
+++ b/Lib/ssl.py
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/ssl.py
|
||||||
|
+++ Python-3.6.15/Lib/ssl.py
|
||||||
@@ -173,6 +173,7 @@ if _ssl.HAS_TLS_UNIQUE:
|
@@ -173,6 +173,7 @@ if _ssl.HAS_TLS_UNIQUE:
|
||||||
else:
|
else:
|
||||||
CHANNEL_BINDING_TYPES = []
|
CHANNEL_BINDING_TYPES = []
|
||||||
@ -64,8 +66,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
@property
|
@property
|
||||||
def verify_flags(self):
|
def verify_flags(self):
|
||||||
return VerifyFlags(super().verify_flags)
|
return VerifyFlags(super().verify_flags)
|
||||||
--- a/Lib/test/allsans.pem
|
Index: Python-3.6.15/Lib/test/allsans.pem
|
||||||
+++ b/Lib/test/allsans.pem
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/allsans.pem
|
||||||
|
+++ Python-3.6.15/Lib/test/allsans.pem
|
||||||
@@ -1,81 +1,170 @@
|
@@ -1,81 +1,170 @@
|
||||||
-----BEGIN PRIVATE KEY-----
|
-----BEGIN PRIVATE KEY-----
|
||||||
-MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCg/pM6dP7BTFNc
|
-MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCg/pM6dP7BTFNc
|
||||||
@ -314,8 +318,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
+hDj7K/vq3YjoncGbZ4c9eXs9fmEfcDy3yEwXpQyjKMerSBEU95h62k77kXaJCqbG
|
+hDj7K/vq3YjoncGbZ4c9eXs9fmEfcDy3yEwXpQyjKMerSBEU95h62k77kXaJCqbG
|
||||||
+cuCW2fGA6miQN1zGacfXvMfRrlupElnG5GxhqYu6UbMT
|
+cuCW2fGA6miQN1zGacfXvMfRrlupElnG5GxhqYu6UbMT
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
--- a/Lib/test/capath/b1930218.0
|
Index: Python-3.6.15/Lib/test/capath/b1930218.0
|
||||||
+++ b/Lib/test/capath/b1930218.0
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/capath/b1930218.0
|
||||||
|
+++ Python-3.6.15/Lib/test/capath/b1930218.0
|
||||||
@@ -1,26 +1,26 @@
|
@@ -1,26 +1,26 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
MIIEbTCCAtWgAwIBAgIJAMstgJlaaVJbMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV
|
MIIEbTCCAtWgAwIBAgIJAMstgJlaaVJbMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV
|
||||||
@ -363,8 +369,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
+Dp0K+qtbNfuIkXdMjYydqc/8q8LmWgV7fgRuOc+Tzmc7esuvtjbh+3FkRdSm8M7v
|
+Dp0K+qtbNfuIkXdMjYydqc/8q8LmWgV7fgRuOc+Tzmc7esuvtjbh+3FkRdSm8M7v
|
||||||
+dQSZaZrliAoQAnSJ7HWERIBI38H36TfOzpKSXIkiCHMf
|
+dQSZaZrliAoQAnSJ7HWERIBI38H36TfOzpKSXIkiCHMf
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
--- a/Lib/test/capath/ceff1710.0
|
Index: Python-3.6.15/Lib/test/capath/ceff1710.0
|
||||||
+++ b/Lib/test/capath/ceff1710.0
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/capath/ceff1710.0
|
||||||
|
+++ Python-3.6.15/Lib/test/capath/ceff1710.0
|
||||||
@@ -1,26 +1,26 @@
|
@@ -1,26 +1,26 @@
|
||||||
-----BEGIN CERTIFICATE-----
|
-----BEGIN CERTIFICATE-----
|
||||||
MIIEbTCCAtWgAwIBAgIJAMstgJlaaVJbMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV
|
MIIEbTCCAtWgAwIBAgIJAMstgJlaaVJbMA0GCSqGSIb3DQEBCwUAME0xCzAJBgNV
|
||||||
@ -412,8 +420,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
+Dp0K+qtbNfuIkXdMjYydqc/8q8LmWgV7fgRuOc+Tzmc7esuvtjbh+3FkRdSm8M7v
|
+Dp0K+qtbNfuIkXdMjYydqc/8q8LmWgV7fgRuOc+Tzmc7esuvtjbh+3FkRdSm8M7v
|
||||||
+dQSZaZrliAoQAnSJ7HWERIBI38H36TfOzpKSXIkiCHMf
|
+dQSZaZrliAoQAnSJ7HWERIBI38H36TfOzpKSXIkiCHMf
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
--- a/Lib/test/keycert2.pem
|
Index: Python-3.6.15/Lib/test/keycert2.pem
|
||||||
+++ b/Lib/test/keycert2.pem
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/keycert2.pem
|
||||||
|
+++ Python-3.6.15/Lib/test/keycert2.pem
|
||||||
@@ -1,66 +1,66 @@
|
@@ -1,66 +1,66 @@
|
||||||
-----BEGIN PRIVATE KEY-----
|
-----BEGIN PRIVATE KEY-----
|
||||||
-MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDKjrjWZlfOs1Ch
|
-MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDKjrjWZlfOs1Ch
|
||||||
@ -543,8 +553,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
+GhIglMrgqJflTHAI/PvEsCKM1O0Un2dVGWsUCzPfhj1cKmagyb0Zd+2Tk9xGSRs9
|
+GhIglMrgqJflTHAI/PvEsCKM1O0Un2dVGWsUCzPfhj1cKmagyb0Zd+2Tk9xGSRs9
|
||||||
+2ceXMxRCjOJwEHUCFuTYeqowabdlpi0nyPbSn7JIwCpT
|
+2ceXMxRCjOJwEHUCFuTYeqowabdlpi0nyPbSn7JIwCpT
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
--- a/Lib/test/keycert3.pem
|
Index: Python-3.6.15/Lib/test/keycert3.pem
|
||||||
+++ b/Lib/test/keycert3.pem
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/keycert3.pem
|
||||||
|
+++ Python-3.6.15/Lib/test/keycert3.pem
|
||||||
@@ -1,84 +1,84 @@
|
@@ -1,84 +1,84 @@
|
||||||
-----BEGIN PRIVATE KEY-----
|
-----BEGIN PRIVATE KEY-----
|
||||||
-MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCfKC83Qe9/ZGMW
|
-MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCfKC83Qe9/ZGMW
|
||||||
@ -812,8 +824,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
+P7iAIQdqcRVtBetRs1mN1BVGfgKoEwEWmb0DzHBxKiMWeK/R1QGdBLRjk5oEOpIu
|
+P7iAIQdqcRVtBetRs1mN1BVGfgKoEwEWmb0DzHBxKiMWeK/R1QGdBLRjk5oEOpIu
|
||||||
+5n5zk6X+UJu9DupUhm985RR3/sIoWkoO1y2M6e1hKbJT/2wEvA==
|
+5n5zk6X+UJu9DupUhm985RR3/sIoWkoO1y2M6e1hKbJT/2wEvA==
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
--- a/Lib/test/keycert4.pem
|
Index: Python-3.6.15/Lib/test/keycert4.pem
|
||||||
+++ b/Lib/test/keycert4.pem
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/keycert4.pem
|
||||||
|
+++ Python-3.6.15/Lib/test/keycert4.pem
|
||||||
@@ -1,84 +1,84 @@
|
@@ -1,84 +1,84 @@
|
||||||
-----BEGIN PRIVATE KEY-----
|
-----BEGIN PRIVATE KEY-----
|
||||||
-MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDGjpiHzq7ghxhM
|
-MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQDGjpiHzq7ghxhM
|
||||||
@ -1081,8 +1095,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
+Xi4szXouKq62dWpfoBqbtmctsKUcVLyMcH4VK8BQ4wO7pKX8RQHJP6e4GNw+CAeh
|
+Xi4szXouKq62dWpfoBqbtmctsKUcVLyMcH4VK8BQ4wO7pKX8RQHJP6e4GNw+CAeh
|
||||||
+m/W9lb1J6BB8kX0txMKYtrdRadcKaEC1D4WgqWd3xmjLDlg0s1jnyHwJZw==
|
+m/W9lb1J6BB8kX0txMKYtrdRadcKaEC1D4WgqWd3xmjLDlg0s1jnyHwJZw==
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
--- a/Lib/test/make_ssl_certs.py
|
Index: Python-3.6.15/Lib/test/make_ssl_certs.py
|
||||||
+++ b/Lib/test/make_ssl_certs.py
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/make_ssl_certs.py
|
||||||
|
+++ Python-3.6.15/Lib/test/make_ssl_certs.py
|
||||||
@@ -7,6 +7,9 @@ import shutil
|
@@ -7,6 +7,9 @@ import shutil
|
||||||
import tempfile
|
import tempfile
|
||||||
from subprocess import *
|
from subprocess import *
|
||||||
@ -1220,8 +1236,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
unmake_ca()
|
unmake_ca()
|
||||||
print("update Lib/test/test_ssl.py and Lib/test/test_asyncio/util.py")
|
print("update Lib/test/test_ssl.py and Lib/test/test_asyncio/util.py")
|
||||||
print_cert('keycert.pem')
|
print_cert('keycert.pem')
|
||||||
|
Index: Python-3.6.15/Lib/test/nosan.pem
|
||||||
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/Lib/test/nosan.pem
|
+++ Python-3.6.15/Lib/test/nosan.pem
|
||||||
@@ -0,0 +1,130 @@
|
@@ -0,0 +1,130 @@
|
||||||
+-----BEGIN PRIVATE KEY-----
|
+-----BEGIN PRIVATE KEY-----
|
||||||
+MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCv3sUoOE4F7Pye
|
+MIIG/QIBADANBgkqhkiG9w0BAQEFAASCBucwggbjAgEAAoIBgQCv3sUoOE4F7Pye
|
||||||
@ -1353,8 +1371,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
+qvWVb/bK1QaPG3mT44a6jf6oEI+VPhQJv8qIWeKTtuwDqX7dH18T0ymzpvNq3zBT
|
+qvWVb/bK1QaPG3mT44a6jf6oEI+VPhQJv8qIWeKTtuwDqX7dH18T0ymzpvNq3zBT
|
||||||
+RMjN5YJXvJw=
|
+RMjN5YJXvJw=
|
||||||
+-----END CERTIFICATE-----
|
+-----END CERTIFICATE-----
|
||||||
--- a/Lib/test/pycacert.pem
|
Index: Python-3.6.15/Lib/test/pycacert.pem
|
||||||
+++ b/Lib/test/pycacert.pem
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/pycacert.pem
|
||||||
|
+++ Python-3.6.15/Lib/test/pycacert.pem
|
||||||
@@ -3,97 +3,97 @@ Certificate:
|
@@ -3,97 +3,97 @@ Certificate:
|
||||||
Version: 3 (0x2)
|
Version: 3 (0x2)
|
||||||
Serial Number:
|
Serial Number:
|
||||||
@ -1526,8 +1546,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
+Dp0K+qtbNfuIkXdMjYydqc/8q8LmWgV7fgRuOc+Tzmc7esuvtjbh+3FkRdSm8M7v
|
+Dp0K+qtbNfuIkXdMjYydqc/8q8LmWgV7fgRuOc+Tzmc7esuvtjbh+3FkRdSm8M7v
|
||||||
+dQSZaZrliAoQAnSJ7HWERIBI38H36TfOzpKSXIkiCHMf
|
+dQSZaZrliAoQAnSJ7HWERIBI38H36TfOzpKSXIkiCHMf
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
--- a/Lib/test/pycakey.pem
|
Index: Python-3.6.15/Lib/test/pycakey.pem
|
||||||
+++ b/Lib/test/pycakey.pem
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/pycakey.pem
|
||||||
|
+++ Python-3.6.15/Lib/test/pycakey.pem
|
||||||
@@ -1,40 +1,40 @@
|
@@ -1,40 +1,40 @@
|
||||||
-----BEGIN PRIVATE KEY-----
|
-----BEGIN PRIVATE KEY-----
|
||||||
-MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQCX7VVBujYXldtx
|
-MIIG/AIBADANBgkqhkiG9w0BAQEFAASCBuYwggbiAgEAAoIBgQCX7VVBujYXldtx
|
||||||
@ -1607,8 +1629,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
+6eTeMLcsIJ+Fp7gG0ve2EdQwhVSVMFEu4Q4C2FcJeU++L4kYpY7sTnAjUtiLvtHn
|
+6eTeMLcsIJ+Fp7gG0ve2EdQwhVSVMFEu4Q4C2FcJeU++L4kYpY7sTnAjUtiLvtHn
|
||||||
+yp3jllEn3CBD8Uhs4B+sL/6p
|
+yp3jllEn3CBD8Uhs4B+sL/6p
|
||||||
-----END PRIVATE KEY-----
|
-----END PRIVATE KEY-----
|
||||||
--- a/Lib/test/revocation.crl
|
Index: Python-3.6.15/Lib/test/revocation.crl
|
||||||
+++ b/Lib/test/revocation.crl
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/revocation.crl
|
||||||
|
+++ Python-3.6.15/Lib/test/revocation.crl
|
||||||
@@ -1,14 +1,14 @@
|
@@ -1,14 +1,14 @@
|
||||||
-----BEGIN X509 CRL-----
|
-----BEGIN X509 CRL-----
|
||||||
MIICJjCBjwIBATANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJYWTEmMCQGA1UE
|
MIICJjCBjwIBATANBgkqhkiG9w0BAQsFADBNMQswCQYDVQQGEwJYWTEmMCQGA1UE
|
||||||
@ -1634,8 +1658,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
+BLJOSOSu2vVUH5GUIrpvK9FTySKYa+MGryoPasuqZNfwpaXK+ON2G6QsmcXPWZY0
|
+BLJOSOSu2vVUH5GUIrpvK9FTySKYa+MGryoPasuqZNfwpaXK+ON2G6QsmcXPWZY0
|
||||||
+Dry6t0w2geW6UYVGmb831i8ZP3JVVVwcwi0=
|
+Dry6t0w2geW6UYVGmb831i8ZP3JVVVwcwi0=
|
||||||
-----END X509 CRL-----
|
-----END X509 CRL-----
|
||||||
--- a/Lib/test/test_asyncio/test_events.py
|
Index: Python-3.6.15/Lib/test/test_asyncio/test_events.py
|
||||||
+++ b/Lib/test/test_asyncio/test_events.py
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/test_asyncio/test_events.py
|
||||||
|
+++ Python-3.6.15/Lib/test/test_asyncio/test_events.py
|
||||||
@@ -72,7 +72,7 @@ PEERCERT = {
|
@@ -72,7 +72,7 @@ PEERCERT = {
|
||||||
'issuer': ((('countryName', 'XY'),),
|
'issuer': ((('countryName', 'XY'),),
|
||||||
(('organizationName', 'Python Software Foundation CA'),),
|
(('organizationName', 'Python Software Foundation CA'),),
|
||||||
@ -1654,8 +1680,10 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
def check_terminated(self, returncode):
|
def check_terminated(self, returncode):
|
||||||
if sys.platform == 'win32':
|
if sys.platform == 'win32':
|
||||||
self.assertIsInstance(returncode, int)
|
self.assertIsInstance(returncode, int)
|
||||||
--- a/Lib/test/test_ssl.py
|
Index: Python-3.6.15/Lib/test/test_ssl.py
|
||||||
+++ b/Lib/test/test_ssl.py
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/test_ssl.py
|
||||||
|
+++ Python-3.6.15/Lib/test/test_ssl.py
|
||||||
@@ -75,6 +75,8 @@ SIGNED_CERTFILE2 = data_file("keycert4.p
|
@@ -75,6 +75,8 @@ SIGNED_CERTFILE2 = data_file("keycert4.p
|
||||||
SIGNING_CA = data_file("capath", "ceff1710.0")
|
SIGNING_CA = data_file("capath", "ceff1710.0")
|
||||||
# cert with all kinds of subject alt names
|
# cert with all kinds of subject alt names
|
||||||
@ -1696,23 +1724,28 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
def test_wrong_cert(self):
|
def test_wrong_cert(self):
|
||||||
"""Connecting when the server rejects the client's certificate
|
"""Connecting when the server rejects the client's certificate
|
||||||
|
|
||||||
|
Index: Python-3.6.15/Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst
|
||||||
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst
|
+++ Python-3.6.15/Misc/NEWS.d/next/Library/2021-03-16-22-37-32.bpo-43522.dhNwOu.rst
|
||||||
@@ -0,0 +1 @@
|
@@ -0,0 +1 @@
|
||||||
+Fix problem with :attr:`~ssl.SSLContext.hostname_checks_common_name`. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*.
|
+Fix problem with :attr:`~ssl.SSLContext.hostname_checks_common_name`. OpenSSL does not copy hostflags from *struct SSL_CTX* to *struct SSL*.
|
||||||
|
Index: Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst
|
||||||
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst
|
+++ Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-09-14-08-03.bpo-43789.eaHlAm.rst
|
||||||
@@ -0,0 +1,2 @@
|
@@ -0,0 +1,2 @@
|
||||||
+OpenSSL 3.0.0: Don't call the password callback function a second time when
|
+OpenSSL 3.0.0: Don't call the password callback function a second time when
|
||||||
+first call has signaled an error condition.
|
+first call has signaled an error condition.
|
||||||
--- a/Modules/_ssl.c
|
Index: Python-3.6.15/Modules/_ssl.c
|
||||||
+++ b/Modules/_ssl.c
|
===================================================================
|
||||||
@@ -690,6 +690,15 @@ newPySSLSocket(PySSLContext *sslctx, PyS
|
--- Python-3.6.15.orig/Modules/_ssl.c
|
||||||
|
+++ Python-3.6.15/Modules/_ssl.c
|
||||||
|
@@ -690,6 +690,14 @@ newPySSLSocket(PySSLContext *sslctx, PyS
|
||||||
_setSSLError(NULL, 0, __FILE__, __LINE__);
|
_setSSLError(NULL, 0, __FILE__, __LINE__);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
+ /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */
|
+ /* bpo43522 and OpenSSL < 1.1.1l: copy hostflags manually */
|
||||||
+ int OpenSSL_ver = OPENSSL_VERSION;
|
|
||||||
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION < 0x101010cf
|
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION < 0x101010cf
|
||||||
+ X509_VERIFY_PARAM *ssl_verification_params = SSL_get0_param(self->ssl);
|
+ X509_VERIFY_PARAM *ssl_verification_params = SSL_get0_param(self->ssl);
|
||||||
+ X509_VERIFY_PARAM *ssl_ctx_verification_params = SSL_CTX_get0_param(ctx);
|
+ X509_VERIFY_PARAM *ssl_ctx_verification_params = SSL_CTX_get0_param(ctx);
|
||||||
@ -1723,7 +1756,7 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
SSL_set_app_data(self->ssl, self);
|
SSL_set_app_data(self->ssl, self);
|
||||||
if (sock) {
|
if (sock) {
|
||||||
SSL_set_fd(self->ssl, Py_SAFE_DOWNCAST(sock->sock_fd, SOCKET_T, int));
|
SSL_set_fd(self->ssl, Py_SAFE_DOWNCAST(sock->sock_fd, SOCKET_T, int));
|
||||||
@@ -3411,6 +3420,13 @@ _password_callback(char *buf, int size,
|
@@ -3411,6 +3419,13 @@ _password_callback(char *buf, int size,
|
||||||
|
|
||||||
PySSL_END_ALLOW_THREADS_S(pw_info->thread_state);
|
PySSL_END_ALLOW_THREADS_S(pw_info->thread_state);
|
||||||
|
|
||||||
@ -1737,7 +1770,7 @@ Signed-off-by: Christian Heimes <christian@python.org>
|
|||||||
if (pw_info->callable) {
|
if (pw_info->callable) {
|
||||||
fn_ret = PyObject_CallFunctionObjArgs(pw_info->callable, NULL);
|
fn_ret = PyObject_CallFunctionObjArgs(pw_info->callable, NULL);
|
||||||
if (!fn_ret) {
|
if (!fn_ret) {
|
||||||
@@ -5605,6 +5621,31 @@ PyInit__ssl(void)
|
@@ -5605,6 +5620,31 @@ PyInit__ssl(void)
|
||||||
SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
|
SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
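Review bot: The guard kept on the new side of the `newPySSLSocket` hunk in Modules/_ssl.c, `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION < 0x101010cf`, tests `OPENSSL_VERSION` rather than `OPENSSL_VERSION_NUMBER`. In OpenSSL 1.1.0 and later `OPENSSL_VERSION` is the selector constant passed to `OpenSSL_version()` and has the value 0, so the condition holds for every non-LibreSSL build and the hostflags copy is compiled in regardless of the 1.1.1l cutoff named in the comment above it. Copying the flags unconditionally looks harmless, but if the cutoff is meant to apply, the guard should read `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x101010cf`; otherwise the comment should say the copy is unconditional. This refresh drops the unused `int OpenSSL_ver = OPENSSL_VERSION;` but leaves the guard as it was. The body of `newPySSLSocket` starts and ends outside the hunk.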
|
100
bpo43920-fix-load_verify_locations-errmsgs.patch
Normal file
100
bpo43920-fix-load_verify_locations-errmsgs.patch
Normal file
@ -0,0 +1,100 @@
|
|||||||
|
From be6a5a3494dcf5c2f309acf959dd4d32ab846afb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christian Heimes <christian@python.org>
|
||||||
|
Date: Fri, 23 Apr 2021 11:56:31 +0200
|
||||||
|
Subject: [PATCH] bpo-43920: Make load_verify_locations(cadata) error message
|
||||||
|
consistent
|
||||||
|
|
||||||
|
Signed-off-by: Christian Heimes <christian@python.org>
|
||||||
|
---
|
||||||
|
Lib/test/test_ssl.py | 10 +++-
|
||||||
|
Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst | 2
|
||||||
|
Lib/test/test_ssl.py | 10 ++-
|
||||||
|
Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst | 2
|
||||||
|
Lib/test/test_ssl.py | 10 +++-
|
||||||
|
Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst | 2
|
||||||
|
Modules/_ssl.c | 25 ++++++----
|
||||||
|
3 files changed, 27 insertions(+), 10 deletions(-)
|
||||||
|
create mode 100644 Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
|
||||||
|
|
||||||
|
Index: Python-3.6.15/Lib/test/test_ssl.py
|
||||||
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Lib/test/test_ssl.py
|
||||||
|
+++ Python-3.6.15/Lib/test/test_ssl.py
|
||||||
|
@@ -1199,9 +1199,15 @@ class ContextTests(unittest.TestCase):
|
||||||
|
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
|
||||||
|
self.assertRaises(TypeError, ctx.load_verify_locations, cadata=object)
|
||||||
|
|
||||||
|
- with self.assertRaisesRegex(ssl.SSLError, "no start line"):
|
||||||
|
+ with self.assertRaisesRegex(
|
||||||
|
+ ssl.SSLError,
|
||||||
|
+ "no start line: cadata does not contain a certificate"
|
||||||
|
+ ):
|
||||||
|
ctx.load_verify_locations(cadata="broken")
|
||||||
|
- with self.assertRaisesRegex(ssl.SSLError, "not enough data"):
|
||||||
|
+ with self.assertRaisesRegex(
|
||||||
|
+ ssl.SSLError,
|
||||||
|
+ "not enough data: cadata does not contain a certificate"
|
||||||
|
+ ):
|
||||||
|
ctx.load_verify_locations(cadata=b"broken")
|
||||||
|
|
||||||
|
|
||||||
|
Index: Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
|
||||||
|
===================================================================
|
||||||
|
--- /dev/null
|
||||||
|
+++ Python-3.6.15/Misc/NEWS.d/next/Library/2021-04-23-11-54-38.bpo-43920.cJMQ2D.rst
|
||||||
|
@@ -0,0 +1,2 @@
|
||||||
|
+OpenSSL 3.0.0: :meth:`~ssl.SSLContext.load_verify_locations` now returns a
|
||||||
|
+consistent error message when cadata contains no valid certificate.
|
||||||
|
Index: Python-3.6.15/Modules/_ssl.c
|
||||||
|
===================================================================
|
||||||
|
--- Python-3.6.15.orig/Modules/_ssl.c
|
||||||
|
+++ Python-3.6.15/Modules/_ssl.c
|
||||||
|
@@ -3579,7 +3579,7 @@ _add_ca_certs(PySSLContext *self, void *
|
||||||
|
{
|
||||||
|
BIO *biobuf = NULL;
|
||||||
|
X509_STORE *store;
|
||||||
|
- int retval = 0, err, loaded = 0;
|
||||||
|
+ int retval = -1, err, loaded = 0;
|
||||||
|
|
||||||
|
assert(filetype == SSL_FILETYPE_ASN1 || filetype == SSL_FILETYPE_PEM);
|
||||||
|
|
||||||
|
@@ -3633,23 +3633,32 @@ _add_ca_certs(PySSLContext *self, void *
|
||||||
|
}
|
||||||
|
|
||||||
|
err = ERR_peek_last_error();
|
||||||
|
- if ((filetype == SSL_FILETYPE_ASN1) &&
|
||||||
|
- (loaded > 0) &&
|
||||||
|
- (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
|
||||||
|
- (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
|
||||||
|
+ if (loaded == 0) {
|
||||||
|
+ const char *msg = NULL;
|
||||||
|
+ if (filetype == SSL_FILETYPE_PEM) {
|
||||||
|
+ msg = "no start line: cadata does not contain a certificate";
|
||||||
|
+ } else {
|
||||||
|
+ msg = "not enough data: cadata does not contain a certificate";
|
||||||
|
+ }
|
||||||
|
+ _setSSLError(msg, 0, __FILE__, __LINE__);
|
||||||
|
+ retval = -1;
|
||||||
|
+ } else if ((filetype == SSL_FILETYPE_ASN1) &&
|
||||||
|
+ (ERR_GET_LIB(err) == ERR_LIB_ASN1) &&
|
||||||
|
+ (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG)) {
|
||||||
|
/* EOF ASN1 file, not an error */
|
||||||
|
ERR_clear_error();
|
||||||
|
retval = 0;
|
||||||
|
} else if ((filetype == SSL_FILETYPE_PEM) &&
|
||||||
|
- (loaded > 0) &&
|
||||||
|
(ERR_GET_LIB(err) == ERR_LIB_PEM) &&
|
||||||
|
(ERR_GET_REASON(err) == PEM_R_NO_START_LINE)) {
|
||||||
|
/* EOF PEM file, not an error */
|
||||||
|
ERR_clear_error();
|
||||||
|
retval = 0;
|
||||||
|
- } else {
|
||||||
|
- _setSSLError(NULL, 0, __FILE__, __LINE__);
|
||||||
|
+ } else if (err != 0) {
|
||||||
|
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
|
||||||
|
retval = -1;
|
||||||
|
+ } else {
|
||||||
|
+ retval = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
BIO_free(biobuf);
|
@ -19,6 +19,9 @@ Thu Jan 11 15:14:09 UTC 2024 - Matej Cepl <mcepl@cepl.eu>
|
|||||||
- Add crash-PyCFuncPtr_new-ctypes.patch (from
|
- Add crash-PyCFuncPtr_new-ctypes.patch (from
|
||||||
gh#python/cpython#89863 and bpo#27987).
|
gh#python/cpython#89863 and bpo#27987).
|
||||||
- Fix CVE-2020-10735-DoS-no-limit-int-size.patch corrupted by quilt
|
- Fix CVE-2020-10735-DoS-no-limit-int-size.patch corrupted by quilt
|
||||||
|
- Add bpo43920-fix-load_verify_locations-errmsgs.patch (from
|
||||||
|
gh#python/cpython!25554) to make load_verify_locations(cadata)
|
||||||
|
error message consistent.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Sep 11 06:28:43 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
|
Mon Sep 11 06:28:43 UTC 2023 - Daniel Garcia <daniel.garcia@suse.com>
|
||||||
|
@ -251,6 +251,9 @@ Patch61: bpo4379-skipTLS10-11-OpenSSL3.patch
|
|||||||
# PATCH-FIX-UPSTREAM crash-PyCFuncPtr_new-ctypes.patch gh#python/cpython#89863 mcepl@suse.com
|
# PATCH-FIX-UPSTREAM crash-PyCFuncPtr_new-ctypes.patch gh#python/cpython#89863 mcepl@suse.com
|
||||||
# fix SEGV in PyCFuncPtr_new in ctypes (fix from bpo#27987)
|
# fix SEGV in PyCFuncPtr_new in ctypes (fix from bpo#27987)
|
||||||
Patch62: crash-PyCFuncPtr_new-ctypes.patch
|
Patch62: crash-PyCFuncPtr_new-ctypes.patch
|
||||||
|
# PATCH-FIX-UPSTREAM bpo43920-fix-load_verify_locations-errmsgs.patch bsc#1217782 mcepl@suse.com
|
||||||
|
# Make load_verify_locations(cadata) error message consistent (from gh#python/cpython!25554)
|
||||||
|
Patch63: bpo43920-fix-load_verify_locations-errmsgs.patch
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: gmp-devel
|
BuildRequires: gmp-devel
|
||||||
@ -552,6 +555,7 @@ other applications.
|
|||||||
%patch -P 60 -p1
|
%patch -P 60 -p1
|
||||||
%patch -P 61 -p1
|
%patch -P 61 -p1
|
||||||
%patch -P 62 -p1
|
%patch -P 62 -p1
|
||||||
|
%patch -P 63 -p1
|
||||||
|
|
||||||
# drop Autoconf version requirement
|
# drop Autoconf version requirement
|
||||||
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
sed -i 's/^AC_PREREQ/dnl AC_PREREQ/' configure.ac
|
||||||
|
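Review bot: The `PATCH-FIX-UPSTREAM` comment for `Patch63` cites `bsc#1217782`, but the changelog entry added in the same commit cites only `gh#python/cpython!25554`. If the bug reference is what ties this patch to the tracked issue, the changelog entry should carry it too, for example `(bsc#1217782, from gh#python/cpython!25554)`.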