Accepting request 645305 from devel:languages:python:Factory

OBS-URL: https://build.opensuse.org/request/show/645305
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=134
This commit is contained in:
Dominique Leuenberger 2018-12-10 11:21:19 +00:00 committed by Git OBS Bridge
commit 1a89e27c82
9 changed files with 236 additions and 6 deletions


@ -0,0 +1,32 @@
From 4fa35e8b1ebb2a8e88ba7c4c9cd2a17b35638ee6 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Fri, 28 Sep 2018 16:34:16 +0100
Subject: [PATCH] bpo-34834: Fix test_ssl.test_options to account for
OP_ENABLE_MIDDLEBOX_COMPAT.
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
https://bugs.python.org/issue34834
---
Lib/test/test_ssl.py | 5 +++++
1 file changed, 5 insertions(+)
Index: Python-2.7.15/Lib/test/test_ssl.py
===================================================================
--- Python-2.7.15.orig/Lib/test/test_ssl.py 2018-10-29 13:32:59.190865648 +0100
+++ Python-2.7.15/Lib/test/test_ssl.py 2018-10-29 13:41:01.857624490 +0100
@@ -777,8 +777,12 @@ class ContextTests(unittest.TestCase):
default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
# SSLContext also enables these by default
default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE |
- ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE |
- ssl.OP_ENABLE_MIDDLEBOX_COMPAT)
+ ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE)
+ if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
+ # define MIDDLEBOX constant, as python2.7 does not know about it
+ # but it is used by default.
+ OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L
+ default |= OP_ENABLE_MIDDLEBOX_COMPAT
self.assertEqual(default, ctx.options)
ctx.options |= ssl.OP_NO_TLSv1
self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
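Review bot: The value `1048576L` on the `OP_ENABLE_MIDDLEBOX_COMPAT =` line is an opaque decimal literal; OpenSSL's header defines `SSL_OP_ENABLE_MIDDLEBOX_COMPAT` as `0x00100000`, so writing it as `OP_ENABLE_MIDDLEBOX_COMPAT = 0x00100000L  # SSL_OP_ENABLE_MIDDLEBOX_COMPAT, openssl/ssl.h` lets a reader cross-check the bit against the library instead of trusting the number. The hard-coded constant is only meaningful for the OpenSSL 1.1.1 branch the `if` guards, and a later 2.7 release might export the flag itself, so `getattr(ssl, 'OP_ENABLE_MIDDLEBOX_COMPAT', 0x00100000L)` would keep the test following the `ssl` module where available. The enclosing method (test_options per the patch subject) of `ContextTests` starts before the hunk.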


@ -0,0 +1,13 @@
Index: Python-2.7.15/Lib/test/test_ssl.py
===================================================================
--- Python-2.7.15.orig/Lib/test/test_ssl.py 2018-10-29 13:41:01.857624490 +0100
+++ Python-2.7.15/Lib/test/test_ssl.py 2018-10-29 14:04:59.674004321 +0100
@@ -776,7 +776,7 @@ class ContextTests(unittest.TestCase):
# OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
# SSLContext also enables these by default
- default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE |
+ default |= (ssl.OP_NO_COMPRESSION |
ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE)
if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
# define MIDDLEBOX constant, as python2.7 does not know about it
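Review bot: The new patch file has no header explaining why `ssl.OP_CIPHER_SERVER_PREFERENCE` is removed from the expected default options; only the spec comment (`PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE`) records the reason, and that is invisible to anyone reading the patch on its own. Because this relaxes the test expectation rather than making `SSLContext` set the option, a short header such as `Adjust test_options: the packaged 2.7.15 _ssl module does not set OP_CIPHER_SERVER_PREFERENCE by default, unlike the upstream expectation added by openssl-111.patch` would make the deviation from upstream auditable. If server cipher preference is meant to be part of the default context, the fix belongs in the C `_ssl` module rather than in the test; this patch leaves that question open. The enclosing test method starts before the hunk.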

137
openssl-111.patch Normal file

@ -0,0 +1,137 @@
From 9e32244ea7d2621030f040b0f4e5af89480ecc0f Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Wed, 15 Aug 2018 09:07:28 +0200
Subject: [PATCH] [2.7] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
(GH-8760)
Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
default.
Also update multissltests to test with latest OpenSSL.
Signed-off-by: Christian Heimes <christian@python.org>.
(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
Co-authored-by: Christian Heimes <christian@python.org>
---
Doc/library/ssl.rst | 8 ++--
Lib/test/test_ssl.py | 37 +++++++++++--------
.../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst | 3 ++
3 files changed, 27 insertions(+), 21 deletions(-)
create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
Index: Python-2.7.15/Doc/library/ssl.rst
===================================================================
--- Python-2.7.15.orig/Doc/library/ssl.rst
+++ Python-2.7.15/Doc/library/ssl.rst
@@ -291,11 +291,6 @@ purposes.
3DES was dropped from the default cipher string.
- .. versionchanged:: 2.7.15
-
- TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
- and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
-
.. function:: _https_verify_certificates(enable=True)
Specifies whether or not server certificates are verified when creating
@@ -1176,6 +1171,9 @@ to speed up repeated connections from th
when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
give the currently selected cipher.
+ OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
+ cannot be disabled with :meth:`~SSLContext.set_ciphers`.
+
.. method:: SSLContext.set_alpn_protocols(protocols)
Specify which protocols the socket should advertise during the SSL/TLS
Index: Python-2.7.15/Lib/test/test_ssl.py
===================================================================
--- Python-2.7.15.orig/Lib/test/test_ssl.py
+++ Python-2.7.15/Lib/test/test_ssl.py
@@ -775,8 +775,10 @@ class ContextTests(unittest.TestCase):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
# OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
- if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
- default |= ssl.OP_NO_COMPRESSION
+ # SSLContext also enables these by default
+ default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE |
+ ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE |
+ ssl.OP_ENABLE_MIDDLEBOX_COMPAT)
self.assertEqual(default, ctx.options)
ctx.options |= ssl.OP_NO_TLSv1
self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
@@ -2765,19 +2767,24 @@ else:
sock.do_handshake()
self.assertEqual(cm.exception.errno, errno.ENOTCONN)
- def test_default_ciphers(self):
- context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
- try:
- # Force a set of weak ciphers on our client context
- context.set_ciphers("DES")
- except ssl.SSLError:
- self.skipTest("no DES cipher available")
- with ThreadedEchoServer(CERTFILE,
- ssl_version=ssl.PROTOCOL_SSLv23,
- chatty=False) as server:
- with closing(context.wrap_socket(socket.socket())) as s:
- with self.assertRaises(ssl.SSLError):
- s.connect((HOST, server.port))
+ def test_no_shared_ciphers(self):
+ server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ server_context.load_cert_chain(SIGNED_CERTFILE)
+ client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+ client_context.verify_mode = ssl.CERT_REQUIRED
+ client_context.check_hostname = True
+
+ # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
+ client_context.options |= ssl.OP_NO_TLSv1_3
+ # Force different suites on client and master
+ client_context.set_ciphers("AES128")
+ server_context.set_ciphers("AES256")
+ with ThreadedEchoServer(context=server_context) as server:
+ s = client_context.wrap_socket(
+ socket.socket(),
+ server_hostname="localhost")
+ with self.assertRaises(ssl.SSLError):
+ s.connect((HOST, server.port))
self.assertIn("no shared cipher", str(server.conn_errors[0]))
def test_version_basic(self):
@@ -2805,12 +2812,12 @@ else:
ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
)
with ThreadedEchoServer(context=context) as server:
- with context.wrap_socket(socket.socket()) as s:
+ with closing(context.wrap_socket(socket.socket())) as s:
s.connect((HOST, server.port))
self.assertIn(s.cipher()[0], [
- 'TLS13-AES-256-GCM-SHA384',
- 'TLS13-CHACHA20-POLY1305-SHA256',
- 'TLS13-AES-128-GCM-SHA256',
+ 'TLS_AES_256_GCM_SHA384',
+ 'TLS_CHACHA20_POLY1305_SHA256',
+ 'TLS_AES_128_GCM_SHA256',
])
@unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
@@ -2819,6 +2826,7 @@ else:
# should be enabled by default on SSL contexts.
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
context.load_cert_chain(CERTFILE)
+ context.options |= ssl.OP_NO_TLSv1_3
# Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
# explicitly using the 'ECCdraft' cipher alias. Otherwise,
# our default cipher list should prefer ECDH-based ciphers
Index: Python-2.7.15/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
===================================================================
--- /dev/null
+++ Python-2.7.15/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
@@ -0,0 +1,3 @@
+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
+default.
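Review bot: In the added `test_no_shared_ciphers`, the socket assigned by `s = client_context.wrap_socket(socket.socket(), server_hostname="localhost")` is never closed: the `with self.assertRaises(ssl.SSLError):` block wraps only `s.connect(...)`, so the wrapped socket leaks after the expected handshake failure, whereas the removed `test_default_ciphers` used `with closing(...)`. A later hunk in the same file wraps `context.wrap_socket(socket.socket())` in `closing()` for the 2.7 backport, so the same treatment applies here: `with closing(client_context.wrap_socket(socket.socket(), server_hostname="localhost")) as s:` with the `assertRaises` block indented under it. The test class these methods belong to starts before the hunk.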


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Add patch openssl-111.patch to work with openssl-1.1.1
-------------------------------------------------------------------
Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl <mcepl@suse.com>


@ -60,10 +60,15 @@ Patch38: reproducible.patch
Patch40: python-skip_random_failing_tests.patch
# PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263
Patch41: python-sorted_tar.patch
# https://github.com/python/cpython/pull/8771
Patch42: openssl-111.patch
# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com
# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch
Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
#
Patch43: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834)
Patch47: openssl-111-middlebox-compat.patch
# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
Patch48: openssl-111-ssl_options.patch
# COMMON-PATCH-END
%define python_version %(echo %{tarversion} | head -c 3)
BuildRequires: automake
@ -172,6 +177,9 @@ other applications.
%endif
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch47 -p1
%patch48 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac
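Review bot: The new `Patch42: openssl-111.patch` and `Patch47: openssl-111-middlebox-compat.patch` entries are annotated only with a bare URL (`# https://github.com/python/cpython/pull/8771`, `# https://github.com/python/cpython/pull/9624 ...`) while the neighbouring entries follow the `# PATCH-FIX-UPSTREAM ...` / `# PATCH-FIX-SUSE ...` tag convention; tagging them, e.g. `# PATCH-FIX-UPSTREAM openssl-111.patch TLS 1.3 / OpenSSL 1.1.1 support, https://github.com/python/cpython/pull/8771`, keeps the patch list consistent and scannable. The lone `#` line sitting between the CVE-2018-1000802 comment and `Patch43:` looks like an empty leftover from the renumbering and can be dropped. The same two points apply to the other two spec sections in this commit, which carry identical Patch42–Patch48 blocks.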


@ -1,3 +1,8 @@
-------------------------------------------------------------------
Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Add patch openssl-111.patch to work with openssl-1.1.1
-------------------------------------------------------------------
Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl <mcepl@suse.com>


@ -61,10 +61,15 @@ Patch38: reproducible.patch
Patch40: python-skip_random_failing_tests.patch
# PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263
Patch41: python-sorted_tar.patch
# https://github.com/python/cpython/pull/8771
Patch42: openssl-111.patch
# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com
# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch
Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
#
Patch43: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834)
Patch47: openssl-111-middlebox-compat.patch
# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
Patch48: openssl-111-ssl_options.patch
# COMMON-PATCH-END
Provides: pyth_doc
Provides: pyth_ps
@ -119,6 +124,9 @@ Python, and Macintosh Module Reference in PDF format.
%endif
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch47 -p1
%patch48 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac


@ -1,3 +1,17 @@
-------------------------------------------------------------------
Mon Oct 29 13:21:20 UTC 2018 - Vítězslav Čížek <vcizek@suse.com>
- Enable all the tests in %check
- Add more patches to successfully build with openssl 1.1.1
(bsc#1113755)
* openssl-111-middlebox-compat.patch
* openssl-111-ssl_options.patch
-------------------------------------------------------------------
Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
- Add patch openssl-111.patch to work with openssl-1.1.1
-------------------------------------------------------------------
Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl <mcepl@suse.com>


@ -66,10 +66,15 @@ Patch38: reproducible.patch
Patch40: python-skip_random_failing_tests.patch
# PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263
Patch41: python-sorted_tar.patch
# https://github.com/python/cpython/pull/8771
Patch42: openssl-111.patch
# PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com
# Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch
Patch42: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
#
Patch43: CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834)
Patch47: openssl-111-middlebox-compat.patch
# PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
Patch48: openssl-111-ssl_options.patch
# COMMON-PATCH-END
BuildRequires: automake
BuildRequires: db-devel
@ -225,6 +230,9 @@ that rely on earlier non-verification behavior.
%endif
%patch41 -p1
%patch42 -p1
%patch43 -p1
%patch47 -p1
%patch48 -p1
# drop Autoconf version requirement
sed -i 's/^version_required/dnl version_required/' configure.ac