- Add gh-126500-test_ssl-no-stop-ThreadedEchoServer-OSError.patch

and gh-127257-ssl-OSError-ERR_LIB_SYS.patch to make the
  interpreter compatible with OpenSSL 3.5 (bsc#1241067).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python313?expand=0&rev=90

gh-126500-test_ssl-no-stop-ThreadedEchoServer-OSError.patch

@@ -0,0 +1,82 @@
+From 3d390148c05a7ea2d401c4633e7d4db75ebf97d9 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <encukou@gmail.com>
+Date: Thu, 7 Nov 2024 11:07:02 +0100
+Subject: [PATCH] gh-126500: test_ssl: Don't stop ThreadedEchoServer on OSError
+ in ConnectionHandler; rely on __exit__ (GH-126503)
+
+If `read()` in the ConnectionHandler thread raises `OSError` (except `ConnectionError`),
+the ConnectionHandler shuts down the entire ThreadedEchoServer,
+preventing further connections.
+It also does that for `EPROTOTYPE` in `wrap_conn`.
+
+As far as I can see, this is done to avoid the server thread getting stuck,
+forgotten, in its accept loop. However, since 2011 (5b95eb90a7167285b6544b50865227c584943c9a)
+the server is used as a context manager, and its `__exit__` does `stop()` and `join()`.
+(I'm not sure if we *always* used `with` since that commit, but currently we do.)
+
+Make sure that the context manager *is* used, and remove the `server.stop()`
+calls from ConnectionHandler.
+(cherry picked from commit c9cda1608edf7664c10f4f467e24591062c2fe62)
+
+Co-authored-by: Petr Viktorin <encukou@gmail.com>
+---
+ Lib/test/test_ssl.py | 17 ++++++++++++-----
+ 1 file changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index 9b59ddd887aa0b..b6421c7a3c827b 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -2300,7 +2300,6 @@ def wrap_conn(self):
+                 # See also http://erickt.github.io/blog/2014/11/19/adventures-in-debugging-a-potential-osx-kernel-bug/
+                 if e.errno != errno.EPROTOTYPE and sys.platform != "darwin":
+                     self.running = False
+-                    self.server.stop()
+                     self.close()
+                 return False
+             else:
+@@ -2435,10 +2434,6 @@ def run(self):
+                     self.close()
+                     self.running = False
+ 
+-                    # normally, we'd just stop here, but for the test
+-                    # harness, we want to stop the server
+-                    self.server.stop()
+-
+     def __init__(self, certificate=None, ssl_version=None,
+                  certreqs=None, cacerts=None,
+                  chatty=True, connectionchatty=False, starttls_server=False,
+@@ -2472,21 +2467,33 @@ def __init__(self, certificate=None, ssl_version=None,
+         self.conn_errors = []
+         threading.Thread.__init__(self)
+         self.daemon = True
++        self._in_context = False
+ 
+     def __enter__(self):
++        if self._in_context:
++            raise ValueError('Re-entering ThreadedEchoServer context')
++        self._in_context = True
+         self.start(threading.Event())
+         self.flag.wait()
+         return self
+ 
+     def __exit__(self, *args):
++        assert self._in_context
++        self._in_context = False
+         self.stop()
+         self.join()
+ 
+     def start(self, flag=None):
++        if not self._in_context:
++            raise ValueError(
++                'ThreadedEchoServer must be used as a context manager')
+         self.flag = flag
+         threading.Thread.start(self)
+ 
+     def run(self):
++        if not self._in_context:
++            raise ValueError(
++                'ThreadedEchoServer must be used as a context manager')
+         self.sock.settimeout(1.0)
+         self.sock.listen(5)
+         self.active = True

gh-127257-ssl-OSError-ERR_LIB_SYS.patch

@@ -0,0 +1,67 @@
+From c7908750cbfcfb54688ffff654909ef021095026 Mon Sep 17 00:00:00 2001
+From: "Miss Islington (bot)"
+ <31488909+miss-islington@users.noreply.github.com>
+Date: Mon, 16 Dec 2024 15:43:57 +0100
+Subject: [PATCH] [3.12] gh-127257: ssl: Raise OSError for ERR_LIB_SYS
+ (GH-127361) (GH-127905)
+
+gh-127257: ssl: Raise OSError for ERR_LIB_SYS (GH-127361)
+
+From the ERR_raise manpage:
+
+    ERR_LIB_SYS
+
+        This "library code" indicates that a system error is
+        being reported.  In this case, the reason code given
+        to `ERR_raise()` and `ERR_raise_data()` *must* be
+        `errno(3)`.
+
+This PR only handles ERR_LIB_SYS for the high-lever error types
+SSL_ERROR_SYSCALL and SSL_ERROR_SSL, i.e., not the ones where
+OpenSSL indicates it has some more information about the issue.
+(cherry picked from commit f4b31edf2d9d72878dab1f66a36913b5bcc848ec)
+
+Co-authored-by: Petr Viktorin <encukou@gmail.com>
+(cherry picked from commit 7f707fa6c67d0bfa9bbc1a9f344b932789659397)
+---
+ .../2024-11-28-14-14-46.gh-issue-127257.n6-jU9.rst     |  2 ++
+ Modules/_ssl.c                                         | 10 ++++++++++
+ 2 files changed, 12 insertions(+)
+ create mode 100644 Misc/NEWS.d/next/Library/2024-11-28-14-14-46.gh-issue-127257.n6-jU9.rst
+
+diff --git a/Misc/NEWS.d/next/Library/2024-11-28-14-14-46.gh-issue-127257.n6-jU9.rst b/Misc/NEWS.d/next/Library/2024-11-28-14-14-46.gh-issue-127257.n6-jU9.rst
+new file mode 100644
+index 00000000000000..fb0380cba0b607
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2024-11-28-14-14-46.gh-issue-127257.n6-jU9.rst
+@@ -0,0 +1,2 @@
++In :mod:`ssl`, system call failures that OpenSSL reports using
++``ERR_LIB_SYS`` are now raised as :exc:`OSError`.
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index 120c739e196732..09207abde14545 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -654,6 +654,11 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
+                         ERR_GET_REASON(e) == SSL_R_CERTIFICATE_VERIFY_FAILED) {
+                     type = state->PySSLCertVerificationErrorObject;
+                 }
++                if (ERR_GET_LIB(e) == ERR_LIB_SYS) {
++                    // A system error is being reported; reason is set to errno
++                    errno = ERR_GET_REASON(e);
++                    return PyErr_SetFromErrno(PyExc_OSError);
++                }
+                 p = PY_SSL_ERROR_SYSCALL;
+             }
+             break;
+@@ -679,6 +684,11 @@ PySSL_SetError(PySSLSocket *sslsock, int ret, const char *filename, int lineno)
+                 errstr = "EOF occurred in violation of protocol";
+             }
+ #endif
++            if (ERR_GET_LIB(e) == ERR_LIB_SYS) {
++                // A system error is being reported; reason is set to errno
++                errno = ERR_GET_REASON(e);
++                return PyErr_SetFromErrno(PyExc_OSError);
++            }
+             break;
+         }
+         default:

python313.changes

@@ -276,6 +276,9 @@ Fri Apr 11 19:47:34 UTC 2025 - Matej Cepl <mcepl@cepl.eu>
 - Add gh-132535-rsrc-warn-test_timeout.patch to fix
   failing tests in the build system without network access
   (gh#python/cpython#132535).
+- Add gh-126500-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
+  and gh-127257-ssl-OSError-ERR_LIB_SYS.patch to make the
+  interpreter compatible with OpenSSL 3.5 (bsc#1241067).
 
 -------------------------------------------------------------------
 Mon Mar 10 15:44:31 UTC 2025 - Bernhard Wiedemann <bwiedemann@suse.com>

python313.spec

@@ -228,6 +228,10 @@ Patch42:        gh126985-mv-pyvenv.cfg2getpath.patch
 # PATCH-FIX-UPSTREAM gh-132535-rsrc-warn-test_timeout.patch gh#python/cpython#132535 mcepl@suse.com
 # allows test_timeout tests to pass
 Patch43:        gh-132535-rsrc-warn-test_timeout.patch
+# PATCH-FIX-UPSTREAM bsc#1241067 mcepl@suse.com
+# Make the interpreter compatible with OpenSSL 3.5
+Patch44:        gh-126500-test_ssl-no-stop-ThreadedEchoServer-OSError.patch
+Patch44:        gh-127257-ssl-OSError-ERR_LIB_SYS.patch
 BuildRequires:  autoconf-archive
 BuildRequires:  automake
 BuildRequires:  fdupes