diff --git a/CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch b/CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch index d58c211..5db5498 100644 --- a/CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch +++ b/CVE-2024-5642-OpenSSL-API-buf-overread-NPN.patch @@ -44,9 +44,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer 15 files changed, 77 insertions(+), 873 deletions(-) create mode 100644 Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst ---- a/Doc/using/unix.rst -+++ b/Doc/using/unix.rst -@@ -113,6 +113,7 @@ For example, on most Linux systems, the +Index: Python-3.9.24/Doc/using/unix.rst +=================================================================== +--- Python-3.9.24.orig/Doc/using/unix.rst 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/Doc/using/unix.rst 2025-11-14 00:55:05.521462804 +0100 +@@ -113,6 +113,7 @@ | | embedding the interpreter. | +-----------------------------------------------+------------------------------------------+ @@ -54,9 +56,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer Miscellaneous ============= ---- a/Lib/ssl.py -+++ b/Lib/ssl.py -@@ -912,15 +912,12 @@ class SSLObject: +Index: Python-3.9.24/Lib/ssl.py +=================================================================== +--- Python-3.9.24.orig/Lib/ssl.py 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/Lib/ssl.py 2025-11-14 00:55:05.522031528 +0100 +@@ -912,15 +912,12 @@ """Return the currently selected NPN protocol as a string, or ``None`` if a next protocol was not negotiated or if NPN is not supported by one of the peers.""" @@ -73,7 +77,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def cipher(self): """Return the currently selected cipher as a 3-tuple ``(name, -@@ -1162,10 +1159,7 @@ class SSLSocket(socket): +@@ -1162,10 +1159,7 @@ @_sslcopydoc def selected_npn_protocol(self): self._checkClosed() 
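Review bot: The refreshed inner headers now carry wall-clock timestamps (`2025-11-14 00:54:58.674489238 +0100`) and a versioned directory (`Python-3.9.24.orig/...`), and every inner hunk header loses its function context (`@@ -912,15 +912,12 @@ class SSLObject:` becomes `@@ -912,15 +912,12 @@`). This applies to every file section of the patch, not only the ones on this line. For a patch that carries a CVE fix, that means each later refresh produces a diff made mostly of header noise, and reviewers can no longer see which class or function a hunk touches when comparing against upstream. This looks like a default quilt refresh; if so, `quilt refresh -p ab --no-timestamps --no-index` with `QUILT_DIFF_OPTS="--show-c-function"` would keep the `a/`/`b/` headers and the context labels. The only content-level movement visible is the `Tools/ssl/multissltests.py` offset shift (`-44,8 +44,6` to `-43,8 +43,6`).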
@@ -85,9 +89,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer @_sslcopydoc def selected_alpn_protocol(self): ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py -@@ -39,7 +39,6 @@ Py_DEBUG_WIN32 = Py_DEBUG and sys.platfo +Index: Python-3.9.24/Lib/test/test_ssl.py +=================================================================== +--- Python-3.9.24.orig/Lib/test/test_ssl.py 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/Lib/test/test_ssl.py 2025-11-14 00:55:05.522484943 +0100 +@@ -39,7 +39,6 @@ PROTOCOLS = sorted(ssl._PROTOCOL_NAMES) HOST = socket_helper.HOST IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL') @@ -95,7 +101,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer IS_OPENSSL_1_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1) IS_OPENSSL_3_0_0 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (3, 0, 0) PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS') -@@ -269,18 +268,6 @@ def handle_error(prefix): +@@ -269,18 +268,6 @@ if support.verbose: sys.stdout.write(prefix + exc_format) @@ -114,7 +120,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def _have_secp_curves(): if not ssl.HAS_ECDH: return False -@@ -371,17 +358,15 @@ class BasicSocketTests(unittest.TestCase +@@ -371,17 +358,15 @@ ssl.OP_SINGLE_DH_USE if ssl.HAS_ECDH: ssl.OP_SINGLE_ECDH_USE @@ -135,7 +141,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23) def test_private_init(self): -@@ -1169,7 +1154,6 @@ class ContextTests(unittest.TestCase): +@@ -1169,7 +1154,6 @@ self.assertNotIn("RC4", name) self.assertNotIn("3DES", name) 
@@ -143,7 +149,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def test_get_ciphers(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) ctx.set_ciphers('AESGCM') -@@ -1201,15 +1185,11 @@ class ContextTests(unittest.TestCase): +@@ -1201,15 +1185,11 @@ self.assertEqual(default, ctx.options) ctx.options |= ssl.OP_NO_TLSv1 self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) @@ -164,7 +170,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def test_verify_mode_protocol(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) -@@ -1328,8 +1308,6 @@ class ContextTests(unittest.TestCase): +@@ -1328,8 +1308,6 @@ with self.assertRaises(ValueError): ctx.maximum_version = ssl.TLSVersion.TLSv1 @@ -173,7 +179,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def test_verify_flags(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) # default value -@@ -1807,7 +1785,6 @@ class ContextTests(unittest.TestCase): +@@ -1807,7 +1785,6 @@ obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO()) self.assertIsInstance(obj, MySSLObject) @@ -181,7 +187,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def test_num_tickest(self): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) self.assertEqual(ctx.num_tickets, 2) -@@ -2972,8 +2949,6 @@ class ThreadedTests(unittest.TestCase): +@@ -2972,8 +2949,6 @@ after = ssl.cert_time_to_seconds(cert['notAfter']) self.assertLess(before, after) @@ -190,7 +196,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def test_crl_check(self): if support.verbose: sys.stdout.write("\n") -@@ -3877,12 +3852,7 @@ class ThreadedTests(unittest.TestCase): +@@ -3877,12 +3852,7 @@ self.assertIs(s.version(), None) self.assertIs(s._sslobj, None) s.connect((HOST, server.port)) 
@@ -204,7 +210,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer self.assertIs(s._sslobj, None) self.assertIs(s.version(), None) -@@ -3984,8 +3954,6 @@ class ThreadedTests(unittest.TestCase): +@@ -3984,8 +3954,6 @@ # explicitly using the 'ECCdraft' cipher alias. Otherwise, # our default cipher list should prefer ECDH-based ciphers # automatically. @@ -213,7 +219,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer with ThreadedEchoServer(context=context) as server: with context.wrap_socket(socket.socket()) as s: s.connect((HOST, server.port)) -@@ -4117,15 +4085,11 @@ class ThreadedTests(unittest.TestCase): +@@ -4117,15 +4085,11 @@ server_context.set_ciphers("ECDHE:!eNULL:!aNULL") server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 try: @@ -233,7 +239,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def test_selected_alpn_protocol(self): # selected_alpn_protocol() is None unless ALPN is used. -@@ -4135,7 +4099,6 @@ class ThreadedTests(unittest.TestCase): +@@ -4135,7 +4099,6 @@ sni_name=hostname) self.assertIs(stats['client_alpn_protocol'], None) @@ -241,7 +247,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def test_selected_alpn_protocol_if_server_uses_alpn(self): # selected_alpn_protocol() is None unless ALPN is used by the client. client_context, server_context, hostname = testing_context() -@@ -4145,7 +4108,6 @@ class ThreadedTests(unittest.TestCase): +@@ -4145,7 +4108,6 @@ sni_name=hostname) self.assertIs(stats['client_alpn_protocol'], None) @@ -249,7 +255,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def test_alpn_protocols(self): server_protocols = ['foo', 'bar', 'milkshake'] protocol_tests = [ -@@ -4168,22 +4130,17 @@ class ThreadedTests(unittest.TestCase): +@@ -4168,22 +4130,17 @@ except ssl.SSLError as e: stats = e 
@@ -283,7 +289,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def test_selected_npn_protocol(self): # selected_npn_protocol() is None unless NPN is used -@@ -4193,31 +4150,8 @@ class ThreadedTests(unittest.TestCase): +@@ -4193,31 +4150,8 @@ sni_name=hostname) self.assertIs(stats['client_npn_protocol'], None) @@ -316,7 +322,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer def test_empty_npn_protocols(self): """npn_protocols cannot be empty, see CVE-2024-5642 & gh-121227""" -@@ -4393,8 +4327,7 @@ class ThreadedTests(unittest.TestCase): +@@ -4393,8 +4327,7 @@ self.assertGreater(session.time, 0) self.assertGreater(session.timeout, 0) self.assertTrue(session.has_ticket) @@ -326,13 +332,17 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer self.assertFalse(stats['session_reused']) sess_stat = server_context.session_stats() self.assertEqual(sess_stat['accept'], 1) ---- /dev/null -+++ b/Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst +Index: Python-3.9.24/Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ Python-3.9.24/Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst 2025-11-14 00:55:05.523862509 +0100 @@ -0,0 +1 @@ +Implement :pep:`644`. Python now requires OpenSSL 1.1.1 or newer. ---- a/Modules/Setup -+++ b/Modules/Setup -@@ -210,11 +210,23 @@ _symtable symtablemodule.c +Index: Python-3.9.24/Modules/Setup +=================================================================== +--- Python-3.9.24.orig/Modules/Setup 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/Modules/Setup 2025-11-14 00:55:05.524260958 +0100 +@@ -210,11 +210,23 @@ #_socket socketmodule.c # Socket module helper for SSL support; you must comment out the other 
@@ -361,8 +371,10 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer # The crypt module is now disabled by default because it breaks builds # on many systems (where -lcrypt is needed), e.g. Linux (I believe). ---- a/Modules/_hashopenssl.c -+++ b/Modules/_hashopenssl.c +Index: Python-3.9.24/Modules/_hashopenssl.c +=================================================================== +--- Python-3.9.24.orig/Modules/_hashopenssl.c 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/Modules/_hashopenssl.c 2025-11-14 00:55:05.524484942 +0100 @@ -43,51 +43,12 @@ # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL" #endif @@ -416,7 +428,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer #if OPENSSL_VERSION_NUMBER >= 0x30000000L #define PY_EVP_MD EVP_MD -@@ -1311,8 +1272,7 @@ pbkdf2_hmac_impl(PyObject *module, const +@@ -1311,8 +1272,7 @@ return key_obj; } @@ -426,7 +438,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /* XXX: Parameters salt, n, r and p should be required keyword-only parameters. They are optional in the Argument Clinic declaration only due to a -@@ -1433,7 +1393,7 @@ _hashlib_scrypt_impl(PyObject *module, P +@@ -1433,7 +1393,7 @@ } return key_obj; } @@ -435,7 +447,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /* Fast HMAC for hmac.digest() */ -@@ -1920,12 +1880,6 @@ hashlib_md_meth_names(PyObject *module) +@@ -1920,12 +1880,6 @@ return 0; } @@ -448,7 +460,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /*[clinic input] _hashlib.get_fips_mode -> int -@@ -1963,7 +1917,6 @@ _hashlib_get_fips_mode_impl(PyObject *mo +@@ -1963,7 +1917,6 @@ return result; #endif } @@ -456,7 +468,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static int -@@ -2144,17 +2097,6 @@ hashlib_free(void *m) +@@ -2144,17 +2097,6 @@ /* Py_mod_exec functions */ static int 
@@ -474,7 +486,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer hashlib_init_hashtable(PyObject *module) { _hashlibstate *state = get_hashlib_state(module); -@@ -2227,10 +2169,7 @@ hashlib_init_hmactype(PyObject *module) +@@ -2227,10 +2169,7 @@ return 0; } @@ -485,7 +497,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer {Py_mod_exec, hashlib_init_hashtable}, {Py_mod_exec, hashlib_init_evptype}, {Py_mod_exec, hashlib_init_evpxoftype}, -@@ -2238,7 +2177,6 @@ static PyModuleDef_Slot hashlib_slots[] +@@ -2238,7 +2177,6 @@ {Py_mod_exec, hashlib_md_meth_names}, {0, NULL} }; @@ -493,7 +505,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static struct PyModuleDef _hashlibmodule = { PyModuleDef_HEAD_INIT, -@@ -2246,7 +2184,7 @@ static struct PyModuleDef _hashlibmodule +@@ -2246,7 +2184,7 @@ .m_doc = "OpenSSL interface for hashlib module", .m_size = sizeof(_hashlibstate), .m_methods = EVP_functions, @@ -502,7 +514,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer .m_traverse = hashlib_traverse, .m_clear = hashlib_clear, .m_free = hashlib_free -@@ -2255,41 +2193,5 @@ static struct PyModuleDef _hashlibmodule +@@ -2255,41 +2193,5 @@ PyMODINIT_FUNC PyInit__hashlib(void) { @@ -545,8 +557,10 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer - return m; + return PyModuleDef_Init(&_hashlibmodule); } ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c +Index: Python-3.9.24/Modules/_ssl.c +=================================================================== +--- Python-3.9.24.orig/Modules/_ssl.c 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/Modules/_ssl.c 2025-11-14 00:55:05.525585095 +0100 @@ -29,9 +29,9 @@ #define _PySSL_FIX_ERRNO 
@@ -559,7 +573,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer #define PySSL_BEGIN_ALLOW_THREADS { \ PyThreadState *_save = NULL; \ PySSL_BEGIN_ALLOW_THREADS_S(_save); -@@ -62,16 +62,6 @@ static PySocketModule_APIObject PySocket +@@ -62,16 +62,6 @@ #include "openssl/bio.h" #include "openssl/dh.h" @@ -576,7 +590,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer #ifndef OPENSSL_THREADS # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL" #endif -@@ -142,15 +132,7 @@ static void _PySSLFixErrno(void) { +@@ -142,15 +132,7 @@ #include "_ssl_data.h" #endif @@ -593,7 +607,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer #ifndef OPENSSL_NO_TLS1_METHOD extern const SSL_METHOD *TLSv1_method(void); #endif -@@ -161,59 +143,10 @@ extern const SSL_METHOD *TLSv1_1_method( +@@ -161,59 +143,10 @@ extern const SSL_METHOD *TLSv1_2_method(void); #endif @@ -653,7 +667,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /* OpenSSL 1.1+ allows locking X509_STORE, 1.0.2 doesn't. */ #ifdef OPENSSL_VERSION_1_1 #define HAVE_OPENSSL_X509_STORE_LOCK -@@ -224,80 +157,8 @@ extern const SSL_METHOD *TLSv1_2_method( +@@ -224,80 +157,8 @@ #define HAVE_OPENSSL_X509_STORE_GET1_OBJECTS 1 #endif @@ -735,7 +749,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /* Default cipher suites */ #ifndef PY_SSL_DEFAULT_CIPHERS -@@ -409,24 +270,10 @@ enum py_proto_version { +@@ -409,24 +270,10 @@ #endif }; @@ -760,7 +774,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /* In case of 'tls-unique' it will be 12 bytes for TLS, 36 bytes for * older SSL, but let's be safe */ -@@ -436,17 +283,9 @@ static unsigned int _ssl_locks_count = 0 +@@ -436,17 +283,9 @@ typedef struct { PyObject_HEAD SSL_CTX *ctx; 
@@ -778,7 +792,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer int check_hostname; /* OpenSSL has no API to get hostflags from X509_VERIFY_PARAM* struct. * We have to maintain our own copy. OpenSSL's hostflags default to 0. -@@ -457,10 +296,8 @@ typedef struct { +@@ -457,10 +296,8 @@ int post_handshake_auth; #endif PyObject *msg_cb; @@ -789,7 +803,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer } PySSLContext; typedef struct { -@@ -667,23 +504,18 @@ fill_and_set_sslerror(PySSLSocket *sslso +@@ -667,23 +504,18 @@ } switch (verify_code) { @@ -813,7 +827,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer default: verify_str = X509_verify_cert_error_string(verify_code); if (verify_str != NULL) { -@@ -2014,7 +1846,6 @@ cipher_to_tuple(const SSL_CIPHER *cipher +@@ -2014,7 +1846,6 @@ return NULL; } @@ -821,7 +835,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static PyObject * cipher_to_dict(const SSL_CIPHER *cipher) { -@@ -2023,10 +1854,8 @@ cipher_to_dict(const SSL_CIPHER *cipher) +@@ -2023,10 +1854,8 @@ unsigned long cipher_id; int alg_bits, strength_bits, len; char buf[512] = {0}; @@ -832,7 +846,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /* can be NULL */ cipher_name = SSL_CIPHER_get_name(cipher); -@@ -2039,7 +1868,6 @@ cipher_to_dict(const SSL_CIPHER *cipher) +@@ -2039,7 +1868,6 @@ buf[len-1] = '\0'; strength_bits = SSL_CIPHER_get_bits(cipher, &alg_bits); @@ -840,7 +854,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer aead = SSL_CIPHER_is_aead(cipher); nid = SSL_CIPHER_get_cipher_nid(cipher); skcipher = nid != NID_undef ? OBJ_nid2ln(nid) : NULL; -@@ -2049,13 +1877,10 @@ cipher_to_dict(const SSL_CIPHER *cipher) +@@ -2049,13 +1877,10 @@ kx = nid != NID_undef ? OBJ_nid2ln(nid) : NULL; nid = SSL_CIPHER_get_auth_nid(cipher); auth = nid != NID_undef ? OBJ_nid2ln(nid) : NULL; 
@@ -854,7 +868,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer "}", "id", cipher_id, "name", cipher_name, -@@ -2063,16 +1888,13 @@ cipher_to_dict(const SSL_CIPHER *cipher) +@@ -2063,16 +1888,13 @@ "description", buf, "strength_bits", strength_bits, "alg_bits", alg_bits @@ -871,7 +885,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /*[clinic input] _ssl._SSLSocket.shared_ciphers -@@ -2143,28 +1965,6 @@ _ssl__SSLSocket_version_impl(PySSLSocket +@@ -2143,28 +1965,6 @@ return PyUnicode_FromString(version); } @@ -900,7 +914,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /*[clinic input] _ssl._SSLSocket.selected_alpn_protocol [clinic start generated code]*/ -@@ -2182,7 +1982,6 @@ _ssl__SSLSocket_selected_alpn_protocol_i +@@ -2182,7 +1982,6 @@ Py_RETURN_NONE; return PyUnicode_FromStringAndSize((char *)out, outlen); } @@ -908,7 +922,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /*[clinic input] _ssl._SSLSocket.compression -@@ -2219,11 +2018,6 @@ static int PySSL_set_context(PySSLSocket +@@ -2219,11 +2018,6 @@ void *closure) { if (PyObject_TypeCheck(value, &PySSLContext_Type)) { @@ -920,7 +934,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer Py_INCREF(value); Py_SETREF(self->ctx, (PySSLContext *)value); SSL_set_SSL_CTX(self->ssl, self->ctx->ctx); -@@ -2232,7 +2026,6 @@ static int PySSL_set_context(PySSLSocket +@@ -2232,7 +2026,6 @@ self->ssl, self->ctx->msg_cb ? _PySSL_msg_callback : NULL ); @@ -928,7 +942,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer } else { PyErr_SetString(PyExc_TypeError, "The value must be a SSLContext"); return -1; -@@ -2857,8 +2650,6 @@ _ssl__SSLSocket_verify_client_post_hands +@@ -2857,8 +2650,6 @@ #endif } 
@@ -937,7 +951,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static SSL_SESSION* _ssl_session_dup(SSL_SESSION *session) { SSL_SESSION *newsession = NULL; -@@ -2899,7 +2690,6 @@ _ssl_session_dup(SSL_SESSION *session) { +@@ -2899,7 +2690,6 @@ } return NULL; } @@ -945,7 +959,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static PyObject * PySSL_get_session(PySSLSocket *self, void *closure) { -@@ -2908,7 +2698,6 @@ PySSL_get_session(PySSLSocket *self, voi +@@ -2908,7 +2698,6 @@ PySSLSession *pysess; SSL_SESSION *session; @@ -953,7 +967,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /* duplicate session as workaround for session bug in OpenSSL 1.1.0, * https://github.com/openssl/openssl/issues/1550 */ session = SSL_get0_session(self->ssl); /* borrowed reference */ -@@ -2918,12 +2707,10 @@ PySSL_get_session(PySSLSocket *self, voi +@@ -2918,12 +2707,10 @@ if ((session = _ssl_session_dup(session)) == NULL) { return NULL; } @@ -966,7 +980,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer pysess = PyObject_GC_New(PySSLSession, &PySSLSession_Type); if (pysess == NULL) { SSL_SESSION_free(session); -@@ -2942,9 +2729,7 @@ static int PySSL_set_session(PySSLSocket +@@ -2942,9 +2729,7 @@ void *closure) { PySSLSession *pysess; @@ -976,7 +990,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer int result; if (!PySSLSession_Check(value)) { -@@ -2968,7 +2753,6 @@ static int PySSL_set_session(PySSLSocket +@@ -2968,7 +2753,6 @@ "Cannot set session after handshake."); return -1; } @@ -984,7 +998,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /* duplicate session */ if ((session = _ssl_session_dup(pysess->session)) == NULL) { return -1; -@@ -2976,9 +2760,6 @@ static int PySSL_set_session(PySSLSocket +@@ -2976,9 +2760,6 @@ result = SSL_set_session(self->ssl, session); /* free duplicate, SSL_set_session() bumps ref count */ SSL_SESSION_free(session); 
@@ -994,7 +1008,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer if (result == 0) { _setSSLError(NULL, 0, __FILE__, __LINE__); return -1; -@@ -3029,7 +2810,6 @@ static PyMethodDef PySSLMethods[] = { +@@ -3029,7 +2810,6 @@ _SSL__SSLSOCKET_CIPHER_METHODDEF _SSL__SSLSOCKET_SHARED_CIPHERS_METHODDEF _SSL__SSLSOCKET_VERSION_METHODDEF @@ -1002,7 +1016,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer _SSL__SSLSOCKET_SELECTED_ALPN_PROTOCOL_METHODDEF _SSL__SSLSOCKET_COMPRESSION_METHODDEF _SSL__SSLSOCKET_SHUTDOWN_METHODDEF -@@ -3123,9 +2903,6 @@ _ssl__SSLContext_impl(PyTypeObject *type +@@ -3123,9 +2903,6 @@ SSL_CTX *ctx = NULL; X509_VERIFY_PARAM *params; int result; @@ -1012,7 +1026,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer PySSL_BEGIN_ALLOW_THREADS switch(proto_version) { -@@ -3190,19 +2967,10 @@ _ssl__SSLContext_impl(PyTypeObject *type +@@ -3190,19 +2967,10 @@ self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; self->protocol = proto_version; self->msg_cb = NULL; @@ -1032,7 +1046,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /* Don't check host name by default */ if (proto_version == PY_SSL_VERSION_TLS_CLIENT) { self->check_hostname = 1; -@@ -3264,37 +3032,9 @@ _ssl__SSLContext_impl(PyTypeObject *type +@@ -3264,37 +3032,9 @@ return NULL; } @@ -1072,7 +1086,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer #define SID_CTX "Python" SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX, -@@ -3302,11 +3042,9 @@ _ssl__SSLContext_impl(PyTypeObject *type +@@ -3302,11 +3042,9 @@ #undef SID_CTX params = SSL_CTX_get0_param(self->ctx); @@ -1084,7 +1098,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer X509_VERIFY_PARAM_set_hostflags(params, self->hostflags); #ifdef TLS1_3_VERSION -@@ -3320,9 +3058,7 @@ _ssl__SSLContext_impl(PyTypeObject *type +@@ -3320,9 +3058,7 @@ static int context_traverse(PySSLContext *self, visitproc visit, void *arg) { 
@@ -1094,7 +1108,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer Py_VISIT(self->msg_cb); return 0; } -@@ -3330,11 +3066,8 @@ context_traverse(PySSLContext *self, vis +@@ -3330,11 +3066,8 @@ static int context_clear(PySSLContext *self) { @@ -1106,7 +1120,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer Py_CLEAR(self->keylog_filename); if (self->keylog_bio != NULL) { PySSL_BEGIN_ALLOW_THREADS -@@ -3342,7 +3075,6 @@ context_clear(PySSLContext *self) +@@ -3342,7 +3075,6 @@ PySSL_END_ALLOW_THREADS self->keylog_bio = NULL; } @@ -1114,7 +1128,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer return 0; } -@@ -3353,12 +3085,7 @@ context_dealloc(PySSLContext *self) +@@ -3353,12 +3085,7 @@ PyObject_GC_UnTrack(self); context_clear(self); SSL_CTX_free(self->ctx); @@ -1127,7 +1141,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer Py_TYPE(self)->tp_free(self); } -@@ -3385,7 +3112,6 @@ _ssl__SSLContext_set_ciphers_impl(PySSLC +@@ -3385,7 +3112,6 @@ Py_RETURN_NONE; } @@ -1135,7 +1149,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /*[clinic input] _ssl._SSLContext.get_ciphers [clinic start generated code]*/ -@@ -3428,10 +3154,8 @@ _ssl__SSLContext_get_ciphers_impl(PySSLC +@@ -3428,10 +3154,8 @@ return result; } @@ -1146,7 +1160,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static int do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen, const unsigned char *server_protocols, unsigned int server_protocols_len, -@@ -3455,77 +3179,7 @@ do_protocol_selection(int alpn, unsigned +@@ -3455,77 +3179,7 @@ return SSL_TLSEXT_ERR_OK; } @@ -1224,7 +1238,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static int _selectALPN_cb(SSL *s, const unsigned char **out, unsigned char *outlen, -@@ -3537,7 +3191,6 @@ _selectALPN_cb(SSL *s, +@@ -3537,7 +3191,6 @@ ctx->alpn_protocols, ctx->alpn_protocols_len, client_protocols, client_protocols_len); } 
@@ -1232,7 +1246,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /*[clinic input] _ssl._SSLContext._set_alpn_protocols -@@ -3550,7 +3203,6 @@ _ssl__SSLContext__set_alpn_protocols_imp +@@ -3550,7 +3203,6 @@ Py_buffer *protos) /*[clinic end generated code: output=87599a7f76651a9b input=9bba964595d519be]*/ { @@ -1240,7 +1254,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer if ((size_t)protos->len > UINT_MAX) { PyErr_Format(PyExc_OverflowError, "protocols longer than %u bytes", UINT_MAX); -@@ -3569,11 +3221,6 @@ _ssl__SSLContext__set_alpn_protocols_imp +@@ -3569,11 +3221,6 @@ SSL_CTX_set_alpn_select_cb(self->ctx, _selectALPN_cb, self); Py_RETURN_NONE; @@ -1252,7 +1266,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer } static PyObject * -@@ -3649,9 +3296,6 @@ set_verify_flags(PySSLContext *self, PyO +@@ -3649,9 +3296,6 @@ } /* Getter and setter for protocol version */ @@ -1262,7 +1276,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static int set_min_max_proto_version(PySSLContext *self, PyObject *arg, int what) { -@@ -3746,9 +3390,8 @@ set_maximum_version(PySSLContext *self, +@@ -3746,9 +3390,8 @@ { return set_min_max_proto_version(self, arg, 1); } @@ -1273,7 +1287,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static PyObject * get_num_tickets(PySSLContext *self, void *c) { -@@ -3779,7 +3422,7 @@ set_num_tickets(PySSLContext *self, PyOb +@@ -3779,7 +3422,7 @@ PyDoc_STRVAR(PySSLContext_num_tickets_doc, "Control the number of TLSv1.3 session tickets"); @@ -1282,7 +1296,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static PyObject * get_options(PySSLContext *self, void *c) -@@ -3797,13 +3440,7 @@ set_options(PySSLContext *self, PyObject +@@ -3797,13 +3440,7 @@ clear = opts & ~new_opts; set = ~opts & new_opts; if (clear) { 
@@ -1296,7 +1310,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer } if (set) SSL_CTX_set_options(self->ctx, set); -@@ -4500,7 +4137,6 @@ _ssl__SSLContext_set_default_verify_path +@@ -4500,7 +4137,6 @@ Py_RETURN_NONE; } @@ -1304,7 +1318,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /*[clinic input] _ssl._SSLContext.set_ecdh_curve name: object -@@ -4535,9 +4171,7 @@ _ssl__SSLContext_set_ecdh_curve(PySSLCon +@@ -4535,9 +4171,7 @@ EC_KEY_free(key); Py_RETURN_NONE; } @@ -1314,7 +1328,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static int _servername_callback(SSL *s, int *al, void *args) { -@@ -4641,7 +4275,6 @@ error: +@@ -4641,7 +4275,6 @@ PyGILState_Release(gstate); return ret; } @@ -1322,7 +1336,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static PyObject * get_sni_callback(PySSLContext *self, void *c) -@@ -4662,7 +4295,6 @@ set_sni_callback(PySSLContext *self, PyO +@@ -4662,7 +4295,6 @@ "sni_callback cannot be set on TLS_CLIENT context"); return -1; } @@ -1330,7 +1344,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer Py_CLEAR(self->set_sni_cb); if (arg == Py_None) { SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL); -@@ -4680,13 +4312,6 @@ set_sni_callback(PySSLContext *self, PyO +@@ -4680,13 +4312,6 @@ SSL_CTX_set_tlsext_servername_arg(self->ctx, self); } return 0; @@ -1344,7 +1358,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer } /* Shim of X509_STORE_get1_objects API from OpenSSL 3.3 -@@ -4882,21 +4507,17 @@ static PyGetSetDef context_getsetlist[] +@@ -4882,21 +4507,17 @@ (setter) set_check_hostname, NULL}, {"_host_flags", (getter) get_host_flags, (setter) set_host_flags, NULL}, 
@@ -1367,7 +1381,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer {"num_tickets", (getter) get_num_tickets, (setter) set_num_tickets, PySSLContext_num_tickets_doc}, #endif -@@ -4923,7 +4544,6 @@ static struct PyMethodDef context_method +@@ -4923,7 +4544,6 @@ _SSL__SSLCONTEXT__WRAP_BIO_METHODDEF _SSL__SSLCONTEXT_SET_CIPHERS_METHODDEF _SSL__SSLCONTEXT__SET_ALPN_PROTOCOLS_METHODDEF @@ -1375,7 +1389,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer _SSL__SSLCONTEXT_LOAD_CERT_CHAIN_METHODDEF _SSL__SSLCONTEXT_LOAD_DH_PARAMS_METHODDEF _SSL__SSLCONTEXT_LOAD_VERIFY_LOCATIONS_METHODDEF -@@ -5441,11 +5061,7 @@ PySSL_RAND(int len, int pseudo) +@@ -5441,11 +5061,7 @@ if (bytes == NULL) return NULL; if (pseudo) { @@ -1387,7 +1401,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer if (ok == 0 || ok == 1) return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False); } -@@ -6000,92 +5616,6 @@ static PyMethodDef PySSL_methods[] = { +@@ -6000,92 +5616,6 @@ }; @@ -1480,7 +1494,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer PyDoc_STRVAR(module_doc, "Implementation module for SSL socket operations. See the socket module\n\ for documentation."); -@@ -6152,14 +5682,6 @@ PyInit__ssl(void) +@@ -6152,14 +5682,6 @@ return NULL; PySocketModule = *socket_api; @@ -1495,7 +1509,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer #ifdef HAVE_OPENSSL_CRYPTO_LOCK /* note that this will start threading if not already started */ if (!_setup_ssl_threads()) { -@@ -6266,10 +5788,8 @@ PyInit__ssl(void) +@@ -6266,10 +5788,8 @@ X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); PyModule_AddIntConstant(m, "VERIFY_X509_STRICT", X509_V_FLAG_X509_STRICT); 
@@ -1506,7 +1520,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /* Alert Descriptions from ssl.h */ /* note RESERVED constants no longer intended for use have been removed */ -@@ -6426,31 +5946,11 @@ PyInit__ssl(void) +@@ -6426,31 +5946,11 @@ PyModule_AddObject((m), (key), bool_obj); \ } while (0) @@ -1538,9 +1552,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer #if defined(SSL2_VERSION) && !defined(OPENSSL_NO_SSL2) addbool(m, "HAS_SSLv2", 1); ---- a/Modules/_ssl/debughelpers.c -+++ b/Modules/_ssl/debughelpers.c -@@ -114,8 +114,6 @@ _PySSLContext_set_msg_callback(PySSLCont +Index: Python-3.9.24/Modules/_ssl/debughelpers.c +=================================================================== +--- Python-3.9.24.orig/Modules/_ssl/debughelpers.c 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/Modules/_ssl/debughelpers.c 2025-11-14 00:55:05.526651095 +0100 +@@ -114,8 +114,6 @@ return 0; } @@ -1549,15 +1565,17 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer static void _PySSL_keylog_callback(const SSL *ssl, const char *line) { -@@ -219,5 +217,3 @@ _PySSLContext_set_keylog_filename(PySSLC +@@ -219,5 +217,3 @@ SSL_CTX_set_keylog_callback(self->ctx, _PySSL_keylog_callback); return 0; } - -#endif ---- a/Modules/clinic/_hashopenssl.c.h -+++ b/Modules/clinic/_hashopenssl.c.h -@@ -965,7 +965,7 @@ exit: +Index: Python-3.9.24/Modules/clinic/_hashopenssl.c.h +=================================================================== +--- Python-3.9.24.orig/Modules/clinic/_hashopenssl.c.h 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/Modules/clinic/_hashopenssl.c.h 2025-11-14 00:55:05.527005334 +0100 +@@ -965,7 +965,7 @@ return return_value; } @@ -1566,7 +1584,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer PyDoc_STRVAR(_hashlib_scrypt__doc__, "scrypt($module, /, password, *, salt=None, n=None, r=None, p=None,\n" -@@ -1093,7 +1093,7 @@ exit: +@@ -1093,7 +1093,7 @@ return return_value; } 
@@ -1575,7 +1593,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer PyDoc_STRVAR(_hashlib_hmac_singleshot__doc__, "hmac_digest($module, /, key, msg, digest)\n" -@@ -1324,8 +1324,6 @@ _hashlib_HMAC_hexdigest(HMACobject *self +@@ -1324,8 +1324,6 @@ return _hashlib_HMAC_hexdigest_impl(self); } @@ -1584,7 +1602,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer PyDoc_STRVAR(_hashlib_get_fips_mode__doc__, "get_fips_mode($module, /)\n" "--\n" -@@ -1361,8 +1359,6 @@ exit: +@@ -1361,8 +1359,6 @@ return return_value; } @@ -1593,7 +1611,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer PyDoc_STRVAR(_hashlib_compare_digest__doc__, "compare_digest($module, a, b, /)\n" "--\n" -@@ -1439,7 +1435,4 @@ exit: +@@ -1439,7 +1435,4 @@ #define _HASHLIB_SCRYPT_METHODDEF #endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */ @@ -1601,9 +1619,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer - #define _HASHLIB_GET_FIPS_MODE_METHODDEF -#endif /* !defined(_HASHLIB_GET_FIPS_MODE_METHODDEF) */ /*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/ ---- a/Modules/clinic/_ssl.c.h -+++ b/Modules/clinic/_ssl.c.h -@@ -139,29 +139,6 @@ _ssl__SSLSocket_version(PySSLSocket *sel +Index: Python-3.9.24/Modules/clinic/_ssl.c.h +=================================================================== +--- Python-3.9.24.orig/Modules/clinic/_ssl.c.h 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/Modules/clinic/_ssl.c.h 2025-11-14 00:55:05.527465105 +0100 +@@ -139,29 +139,6 @@ return _ssl__SSLSocket_version_impl(self); } @@ -1633,7 +1653,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer PyDoc_STRVAR(_ssl__SSLSocket_selected_alpn_protocol__doc__, "selected_alpn_protocol($self, /)\n" "--\n" -@@ -179,8 +156,6 @@ _ssl__SSLSocket_selected_alpn_protocol(P +@@ -179,8 +156,6 @@ return _ssl__SSLSocket_selected_alpn_protocol_impl(self); } 
@@ -1642,7 +1662,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer PyDoc_STRVAR(_ssl__SSLSocket_compression__doc__, "compression($self, /)\n" "--\n" -@@ -457,8 +432,6 @@ exit: +@@ -457,8 +432,6 @@ return return_value; } @@ -1651,7 +1671,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer PyDoc_STRVAR(_ssl__SSLContext_get_ciphers__doc__, "get_ciphers($self, /)\n" "--\n" -@@ -476,44 +449,6 @@ _ssl__SSLContext_get_ciphers(PySSLContex +@@ -476,44 +449,6 @@ return _ssl__SSLContext_get_ciphers_impl(self); } @@ -1696,7 +1716,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer PyDoc_STRVAR(_ssl__SSLContext__set_alpn_protocols__doc__, "_set_alpn_protocols($self, protos, /)\n" "--\n" -@@ -844,8 +779,6 @@ _ssl__SSLContext_set_default_verify_path +@@ -844,8 +779,6 @@ return _ssl__SSLContext_set_default_verify_paths_impl(self); } @@ -1705,7 +1725,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer PyDoc_STRVAR(_ssl__SSLContext_set_ecdh_curve__doc__, "set_ecdh_curve($self, name, /)\n" "--\n" -@@ -854,8 +787,6 @@ PyDoc_STRVAR(_ssl__SSLContext_set_ecdh_c +@@ -854,8 +787,6 @@ #define _SSL__SSLCONTEXT_SET_ECDH_CURVE_METHODDEF \ {"set_ecdh_curve", (PyCFunction)_ssl__SSLContext_set_ecdh_curve, METH_O, _ssl__SSLContext_set_ecdh_curve__doc__}, @@ -1714,7 +1734,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer PyDoc_STRVAR(_ssl__SSLContext_cert_store_stats__doc__, "cert_store_stats($self, /)\n" "--\n" -@@ -1455,22 +1386,6 @@ exit: +@@ -1455,22 +1386,6 @@ #endif /* defined(_MSC_VER) */ 
@@ -1737,9 +1757,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer #ifndef _SSL_RAND_EGD_METHODDEF #define _SSL_RAND_EGD_METHODDEF #endif /* !defined(_SSL_RAND_EGD_METHODDEF) */ ---- a/Tools/ssl/multissltests.py -+++ b/Tools/ssl/multissltests.py -@@ -44,8 +44,6 @@ import tarfile +Index: Python-3.9.24/Tools/ssl/multissltests.py +=================================================================== +--- Python-3.9.24.orig/Tools/ssl/multissltests.py 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/Tools/ssl/multissltests.py 2025-11-14 00:55:05.527928158 +0100 +@@ -43,8 +43,6 @@ log = logging.getLogger("multissl") OPENSSL_OLD_VERSIONS = [ @@ -1748,7 +1770,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer ] OPENSSL_RECENT_VERSIONS = [ -@@ -54,11 +52,9 @@ OPENSSL_RECENT_VERSIONS = [ +@@ -53,11 +51,9 @@ ] LIBRESSL_OLD_VERSIONS = [ @@ -1760,9 +1782,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer ] # store files in ../multissl ---- a/configure -+++ b/configure -@@ -88,6 +88,13 @@ fi +Index: Python-3.9.24/configure +=================================================================== +--- Python-3.9.24.orig/configure 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/configure 2025-11-14 00:55:05.530484938 +0100 +@@ -88,6 +88,13 @@ # splitting by setting IFS to empty value.) IFS=" "" $as_nl" @@ -1776,7 +1800,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( -@@ -17997,7 +18004,6 @@ as_fn_error () +@@ -17997,7 +18004,6 @@ as_fn_exit $as_status } # as_fn_error 
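Review bot: Carrying hunks against the generated `configure` script in this patch is fragile. The inner hunks at lines 88 and 17997 here (and 19043 in the next hunk) sit in autoconf boilerplate (`IFS`, `as_fn_error`). They look like regeneration noise, not part of the OpenSSL change, though their bodies are not fully visible. Hunks like these tend to stop applying on the next upstream bump, which puts the security patch at risk of being hand-edited or dropped. Consider keeping only the `configure.ac` change in the patch and regenerating `configure` during the build, for example with `autoreconf -fi`, if the spec file does not already do so.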
@@ -1784,14 +1808,16 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. -@@ -19043,4 +19049,3 @@ if test "$Py_OPT" = 'false' -a "$Py_DEBU +@@ -19043,4 +19049,3 @@ echo "" >&6 echo "" >&6 fi - ---- a/configure.ac -+++ b/configure.ac -@@ -5756,42 +5756,6 @@ ac_includes_default="$save_includes_defa +Index: Python-3.9.24/configure.ac +=================================================================== +--- Python-3.9.24.orig/configure.ac 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/configure.ac 2025-11-14 00:55:05.531555268 +0100 +@@ -5756,42 +5756,6 @@ # Check for usable OpenSSL AX_CHECK_OPENSSL([have_openssl=yes],[have_openssl=no]) @@ -1834,8 +1860,10 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer # ssl module default cipher suite string AH_TEMPLATE(PY_SSL_DEFAULT_CIPHERS, [Default cipher suites list for ssl module. ---- a/pyconfig.h.in -+++ b/pyconfig.h.in +Index: Python-3.9.24/pyconfig.h.in +=================================================================== +--- Python-3.9.24.orig/pyconfig.h.in 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/pyconfig.h.in 2025-11-14 00:55:05.532315919 +0100 @@ -1351,9 +1351,6 @@ /* Define to 1 if you have the `writev' function. */ #undef HAVE_WRITEV @@ -1846,9 +1874,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer /* Define if the zlib library has inflateCopy */ #undef HAVE_ZLIB_COPY ---- a/setup.py -+++ b/setup.py -@@ -539,10 +539,7 @@ class PyBuildExt(build_ext): +Index: Python-3.9.24/setup.py +=================================================================== +--- Python-3.9.24.orig/setup.py 2025-11-14 00:54:58.674489238 +0100 ++++ Python-3.9.24/setup.py 2025-11-14 00:55:05.532484937 +0100 +@@ -539,10 +539,7 @@ for l in (self.missing, self.failed, self.failed_on_import)): print() print("Could not build the ssl module!") 
@@ -1860,7 +1890,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer print() if os.environ.get("PYTHONSTRICTEXTENSIONBUILD") and (self.failed or self.failed_on_import): -@@ -2346,13 +2343,13 @@ class PyBuildExt(build_ext): +@@ -2346,13 +2343,13 @@ self.missing.extend(['_ssl', '_hashlib']) return None, None @@ -1880,7 +1910,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer if config_vars.get("HAVE_X509_VERIFY_PARAM_SET1_HOST"): self.add(Extension( -@@ -2367,8 +2364,6 @@ class PyBuildExt(build_ext): +@@ -2367,8 +2364,6 @@ '_ssl_data_111.h', '_ssl_data_300.h', ])) diff --git a/python39.changes b/python39.changes index 58ca0d3..1043297 100644 --- a/python39.changes +++ b/python39.changes @@ -5,7 +5,8 @@ Wed Oct 15 06:28:09 UTC 2025 - Daniel Garcia - Security - gh-139700: Check consistency of the zip64 end of central directory record. Support records with “zip64 extensible data” - if there are no bytes prepended to the ZIP file. + if there are no bytes prepended to the ZIP file + (CVE-2025-8291, bsc#1251305). - gh-139400: xml.parsers.expat: Make sure that parent Expat parsers are only garbage-collected once they are no longer referenced by subparsers created by