Accepting request 645305 from devel:languages:python:Factory

OBS-URL: https://build.opensuse.org/request/show/645305 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python?expand=0&rev=134
2018-12-10 11:21:19 +00:00 · 2018-12-10 11:21:19 +00:00 · 1a89e27c82
commit 1a89e27c82
parent 6cb1aaa70d a74bb24131
9 changed files with 236 additions and 6 deletions
--- a/openssl-111-middlebox-compat.patch
+++ b/openssl-111-middlebox-compat.patch
@ -0,0 +1,32 @@
 From 4fa35e8b1ebb2a8e88ba7c4c9cd2a17b35638ee6 Mon Sep 17 00:00:00 2001
 From: Dimitri John Ledkov <xnox@ubuntu.com>
 Date: Fri, 28 Sep 2018 16:34:16 +0100
 Subject: [PATCH] bpo-34834: Fix test_ssl.test_options to account for
 OP_ENABLE_MIDDLEBOX_COMPAT.
 Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
 https://bugs.python.org/issue34834
 ---
 Lib/test/test_ssl.py | 5 +++++
 1 file changed, 5 insertions(+)
 Index: Python-2.7.15/Lib/test/test_ssl.py
 ===================================================================
 --- Python-2.7.15.orig/Lib/test/test_ssl.py	2018-10-29 13:32:59.190865648 +0100
 +++ Python-2.7.15/Lib/test/test_ssl.py	2018-10-29 13:41:01.857624490 +0100
@@ -777,8 +777,12 @@ class ContextTests(unittest.TestCase):
         default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
         # SSLContext also enables these by default
         default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE |
 -                    ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE |
 -                    ssl.OP_ENABLE_MIDDLEBOX_COMPAT)
 +                    ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE)
 +        if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
 +            # define MIDDLEBOX constant, as python2.7 does not know about it
 +            # but it is used by default.
 +            OP_ENABLE_MIDDLEBOX_COMPAT = 1048576L
 +            default |= OP_ENABLE_MIDDLEBOX_COMPAT
         self.assertEqual(default, ctx.options)
         ctx.options |= ssl.OP_NO_TLSv1
         self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
--- a/openssl-111-ssl_options.patch
+++ b/openssl-111-ssl_options.patch
@ -0,0 +1,13 @@
 Index: Python-2.7.15/Lib/test/test_ssl.py
 ===================================================================
 --- Python-2.7.15.orig/Lib/test/test_ssl.py	2018-10-29 13:41:01.857624490 +0100
 +++ Python-2.7.15/Lib/test/test_ssl.py	2018-10-29 14:04:59.674004321 +0100
@@ -776,7 +776,7 @@ class ContextTests(unittest.TestCase):
         # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
         default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
         # SSLContext also enables these by default
 -        default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE |
 +        default |= (ssl.OP_NO_COMPRESSION | 
                     ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE)
         if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1):
             # define MIDDLEBOX constant, as python2.7 does not know about it
--- a/openssl-111.patch
+++ b/openssl-111.patch
@ -0,0 +1,137 @@
 From 9e32244ea7d2621030f040b0f4e5af89480ecc0f Mon Sep 17 00:00:00 2001
 From: Christian Heimes <christian@python.org>
 Date: Wed, 15 Aug 2018 09:07:28 +0200
 Subject: [PATCH] [2.7] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
 (GH-8760)
 Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
 1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
 default.
 Also update multissltests to test with latest OpenSSL.
 Signed-off-by: Christian Heimes <christian@python.org>.
 (cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
 Co-authored-by: Christian Heimes <christian@python.org>
 ---
 Doc/library/ssl.rst                           |  8 ++--
 Lib/test/test_ssl.py                          | 37 +++++++++++--------
 .../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst  |  3 ++
 3 files changed, 27 insertions(+), 21 deletions(-)
 create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
 Index: Python-2.7.15/Doc/library/ssl.rst
 ===================================================================
 --- Python-2.7.15.orig/Doc/library/ssl.rst
 +++ Python-2.7.15/Doc/library/ssl.rst
@@ -291,11 +291,6 @@ purposes.
      3DES was dropped from the default cipher string.
 -   .. versionchanged:: 2.7.15
 -
 -     TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
 -     and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
 -
 .. function:: _https_verify_certificates(enable=True)
    Specifies whether or not server certificates are verified when creating
@@ -1176,6 +1171,9 @@ to speed up repeated connections from th
       when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
       give the currently selected cipher.
 +      OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
 +      cannot be disabled with :meth:`~SSLContext.set_ciphers`.
 +
 .. method:: SSLContext.set_alpn_protocols(protocols)
    Specify which protocols the socket should advertise during the SSL/TLS
 Index: Python-2.7.15/Lib/test/test_ssl.py
 ===================================================================
 --- Python-2.7.15.orig/Lib/test/test_ssl.py
 +++ Python-2.7.15/Lib/test/test_ssl.py
@@ -775,8 +775,10 @@ class ContextTests(unittest.TestCase):
         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
         # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
         default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
 -        if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
 -            default |= ssl.OP_NO_COMPRESSION
 +        # SSLContext also enables these by default
 +        default |= (ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE |
 +                    ssl.OP_SINGLE_DH_USE | ssl.OP_SINGLE_ECDH_USE |
 +                    ssl.OP_ENABLE_MIDDLEBOX_COMPAT)
         self.assertEqual(default, ctx.options)
         ctx.options |= ssl.OP_NO_TLSv1
         self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
@@ -2765,19 +2767,24 @@ else:
                     sock.do_handshake()
                 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
 -        def test_default_ciphers(self):
 -            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 -            try:
 -                # Force a set of weak ciphers on our client context
 -                context.set_ciphers("DES")
 -            except ssl.SSLError:
 -                self.skipTest("no DES cipher available")
 -            with ThreadedEchoServer(CERTFILE,
 -                                    ssl_version=ssl.PROTOCOL_SSLv23,
 -                                    chatty=False) as server:
 -                with closing(context.wrap_socket(socket.socket())) as s:
 -                    with self.assertRaises(ssl.SSLError):
 -                        s.connect((HOST, server.port))
 +        def test_no_shared_ciphers(self):
 +            server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 +            server_context.load_cert_chain(SIGNED_CERTFILE)
 +            client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 +            client_context.verify_mode = ssl.CERT_REQUIRED
 +            client_context.check_hostname = True
 +
 +            # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
 +            client_context.options |= ssl.OP_NO_TLSv1_3
 +            # Force different suites on client and master
 +            client_context.set_ciphers("AES128")
 +            server_context.set_ciphers("AES256")
 +            with ThreadedEchoServer(context=server_context) as server:
 +                s = client_context.wrap_socket(
 +                        socket.socket(),
 +                        server_hostname="localhost")
 +                with self.assertRaises(ssl.SSLError):
 +                    s.connect((HOST, server.port))
             self.assertIn("no shared cipher", str(server.conn_errors[0]))
         def test_version_basic(self):
@@ -2805,12 +2812,12 @@ else:
                 ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2
             )
             with ThreadedEchoServer(context=context) as server:
 -                with context.wrap_socket(socket.socket()) as s:
 +                with closing(context.wrap_socket(socket.socket())) as s:
                     s.connect((HOST, server.port))
                     self.assertIn(s.cipher()[0], [
 -                        'TLS13-AES-256-GCM-SHA384',
 -                        'TLS13-CHACHA20-POLY1305-SHA256',
 -                        'TLS13-AES-128-GCM-SHA256',
 +                        'TLS_AES_256_GCM_SHA384',
 +                        'TLS_CHACHA20_POLY1305_SHA256',
 +                        'TLS_AES_128_GCM_SHA256',
                     ])
         @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
@@ -2819,6 +2826,7 @@ else:
             # should be enabled by default on SSL contexts.
             context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
             context.load_cert_chain(CERTFILE)
 +            context.options |= ssl.OP_NO_TLSv1_3
             # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled
             # explicitly using the 'ECCdraft' cipher alias.  Otherwise,
             # our default cipher list should prefer ECDH-based ciphers
 Index: Python-2.7.15/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
 ===================================================================
 --- /dev/null
 +++ Python-2.7.15/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
@@ -0,0 +1,3 @@
 +Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
 +1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
 +default.
--- a/python-base.changes
+++ b/python-base.changes
@ -1,3 +1,8 @@
 -------------------------------------------------------------------
 Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
 - Add patch openssl-111.patch to work with openssl-1.1.1
 -------------------------------------------------------------------
 Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl <mcepl@suse.com>
--- a/python-base.spec
+++ b/python-base.spec
@ -60,10 +60,15 @@ Patch38:        reproducible.patch
 Patch40:        python-skip_random_failing_tests.patch
 # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263
 Patch41:        python-sorted_tar.patch
 # https://github.com/python/cpython/pull/8771
 Patch42:        openssl-111.patch
 # PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com
 # Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch
-Patch42:        CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
+Patch43:        CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
-# 
+# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834)
 Patch47:        openssl-111-middlebox-compat.patch
 # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
 Patch48:        openssl-111-ssl_options.patch
 # COMMON-PATCH-END
 %define         python_version    %(echo %{tarversion} | head -c 3)
 BuildRequires:  automake
@ -172,6 +177,9 @@ other applications.
 %endif
 %patch41 -p1
 %patch42 -p1
 %patch43 -p1
 %patch47 -p1
 %patch48 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python-doc.changes
+++ b/python-doc.changes
@ -1,3 +1,8 @@
 -------------------------------------------------------------------
 Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
 - Add patch openssl-111.patch to work with openssl-1.1.1
 -------------------------------------------------------------------
 Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl <mcepl@suse.com>
--- a/python-doc.spec
+++ b/python-doc.spec
@ -61,10 +61,15 @@ Patch38:        reproducible.patch
 Patch40:        python-skip_random_failing_tests.patch
 # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263
 Patch41:        python-sorted_tar.patch
 # https://github.com/python/cpython/pull/8771
 Patch42:        openssl-111.patch
 # PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com
 # Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch
-Patch42:        CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
+Patch43:        CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
-# 
+# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834)
 Patch47:        openssl-111-middlebox-compat.patch
 # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
 Patch48:        openssl-111-ssl_options.patch
 # COMMON-PATCH-END
 Provides:       pyth_doc
 Provides:       pyth_ps
@ -119,6 +124,9 @@ Python, and Macintosh Module Reference in PDF format.
 %endif
 %patch41 -p1
 %patch42 -p1
 %patch43 -p1
 %patch47 -p1
 %patch48 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac
--- a/python.changes
+++ b/python.changes
@ -1,3 +1,17 @@
 -------------------------------------------------------------------
 Mon Oct 29 13:21:20 UTC 2018 - Vítězslav Čížek <vcizek@suse.com>
 - Enable all the tests in %check
 - Add more patches to successfully build with openssl 1.1.1
  (bsc#1113755)
  * openssl-111-middlebox-compat.patch
  * openssl-111-ssl_options.patch
 -------------------------------------------------------------------
 Fri Oct 26 10:48:44 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>
 - Add patch openssl-111.patch to work with openssl-1.1.1
 -------------------------------------------------------------------
 Tue Sep 25 22:01:08 UTC 2018 - Matěj Cepl <mcepl@suse.com>
--- a/python.spec
+++ b/python.spec
@ -66,10 +66,15 @@ Patch38:        reproducible.patch
 Patch40:        python-skip_random_failing_tests.patch
 # PATCH-FIX-UPSTREAM sorted tar https://github.com/python/cpython/pull/2263
 Patch41:        python-sorted_tar.patch
 # https://github.com/python/cpython/pull/8771
 Patch42:        openssl-111.patch
 # PATCH-FIX-UPSTREAM CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch mcepl@suse.com
 # Suggested in https://github.com/python/cpython/commit/add531a1e55b.patch
-Patch42:        CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
+Patch43:        CVE-2018-1000802-shutil_use_subprocess_no_spawn.patch
-# 
+# https://github.com/python/cpython/pull/9624 (https://bugs.python.org/issue34834)
 Patch47:        openssl-111-middlebox-compat.patch
 # PATCH-FIX-SUSE python default SSLContext doesn't contain OP_CIPHER_SERVER_PREFERENCE
 Patch48:        openssl-111-ssl_options.patch
 # COMMON-PATCH-END
 BuildRequires:  automake
 BuildRequires:  db-devel
@ -225,6 +230,9 @@ that rely on earlier non-verification behavior.
 %endif
 %patch41 -p1
 %patch42 -p1
 %patch43 -p1
 %patch47 -p1
 %patch48 -p1
 # drop Autoconf version requirement
 sed -i 's/^version_required/dnl version_required/' configure.ac