Mark the upgrade to 3.9.24 as fixing CVE-2025-8291, bsc#1251305.

2025-11-10 01:12:31 +01:00
parent 9eec107af7
commit 69e885b9cf
2 changed files with 169 additions and 138 deletions


@@ -44,9 +44,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
15 files changed, 77 insertions(+), 873 deletions(-) 15 files changed, 77 insertions(+), 873 deletions(-)
create mode 100644 Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst create mode 100644 Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst
--- a/Doc/using/unix.rst Index: Python-3.9.24/Doc/using/unix.rst
+++ b/Doc/using/unix.rst ===================================================================
@@ -113,6 +113,7 @@ For example, on most Linux systems, the --- Python-3.9.24.orig/Doc/using/unix.rst 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Doc/using/unix.rst 2025-11-14 00:55:05.521462804 +0100
@@ -113,6 +113,7 @@
| | embedding the interpreter. | | | embedding the interpreter. |
+-----------------------------------------------+------------------------------------------+ +-----------------------------------------------+------------------------------------------+
@@ -54,9 +56,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Miscellaneous Miscellaneous
============= =============
--- a/Lib/ssl.py Index: Python-3.9.24/Lib/ssl.py
+++ b/Lib/ssl.py ===================================================================
@@ -912,15 +912,12 @@ class SSLObject: --- Python-3.9.24.orig/Lib/ssl.py 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Lib/ssl.py 2025-11-14 00:55:05.522031528 +0100
@@ -912,15 +912,12 @@
"""Return the currently selected NPN protocol as a string, or ``None`` """Return the currently selected NPN protocol as a string, or ``None``
if a next protocol was not negotiated or if NPN is not supported by one if a next protocol was not negotiated or if NPN is not supported by one
of the peers.""" of the peers."""
@@ -73,7 +77,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def cipher(self): def cipher(self):
"""Return the currently selected cipher as a 3-tuple ``(name, """Return the currently selected cipher as a 3-tuple ``(name,
@@ -1162,10 +1159,7 @@ class SSLSocket(socket): @@ -1162,10 +1159,7 @@
@_sslcopydoc @_sslcopydoc
def selected_npn_protocol(self): def selected_npn_protocol(self):
self._checkClosed() self._checkClosed()
@@ -85,9 +89,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
@_sslcopydoc @_sslcopydoc
def selected_alpn_protocol(self): def selected_alpn_protocol(self):
--- a/Lib/test/test_ssl.py Index: Python-3.9.24/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py ===================================================================
@@ -39,7 +39,6 @@ Py_DEBUG_WIN32 = Py_DEBUG and sys.platfo --- Python-3.9.24.orig/Lib/test/test_ssl.py 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Lib/test/test_ssl.py 2025-11-14 00:55:05.522484943 +0100
@@ -39,7 +39,6 @@
PROTOCOLS = sorted(ssl._PROTOCOL_NAMES) PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
HOST = socket_helper.HOST HOST = socket_helper.HOST
IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL') IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')
@@ -95,7 +101,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
IS_OPENSSL_1_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1) IS_OPENSSL_1_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 1)
IS_OPENSSL_3_0_0 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (3, 0, 0) IS_OPENSSL_3_0_0 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (3, 0, 0)
PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS') PY_SSL_DEFAULT_CIPHERS = sysconfig.get_config_var('PY_SSL_DEFAULT_CIPHERS')
@@ -269,18 +268,6 @@ def handle_error(prefix): @@ -269,18 +268,6 @@
if support.verbose: if support.verbose:
sys.stdout.write(prefix + exc_format) sys.stdout.write(prefix + exc_format)
@@ -114,7 +120,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def _have_secp_curves(): def _have_secp_curves():
if not ssl.HAS_ECDH: if not ssl.HAS_ECDH:
return False return False
@@ -371,17 +358,15 @@ class BasicSocketTests(unittest.TestCase @@ -371,17 +358,15 @@
ssl.OP_SINGLE_DH_USE ssl.OP_SINGLE_DH_USE
if ssl.HAS_ECDH: if ssl.HAS_ECDH:
ssl.OP_SINGLE_ECDH_USE ssl.OP_SINGLE_ECDH_USE
@@ -135,7 +141,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23) self.assertEqual(ssl.PROTOCOL_TLS, ssl.PROTOCOL_SSLv23)
def test_private_init(self): def test_private_init(self):
@@ -1169,7 +1154,6 @@ class ContextTests(unittest.TestCase): @@ -1169,7 +1154,6 @@
self.assertNotIn("RC4", name) self.assertNotIn("RC4", name)
self.assertNotIn("3DES", name) self.assertNotIn("3DES", name)
@@ -143,7 +149,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_get_ciphers(self): def test_get_ciphers(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.set_ciphers('AESGCM') ctx.set_ciphers('AESGCM')
@@ -1201,15 +1185,11 @@ class ContextTests(unittest.TestCase): @@ -1201,15 +1185,11 @@
self.assertEqual(default, ctx.options) self.assertEqual(default, ctx.options)
ctx.options |= ssl.OP_NO_TLSv1 ctx.options |= ssl.OP_NO_TLSv1
self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options) self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
@@ -164,7 +170,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_verify_mode_protocol(self): def test_verify_mode_protocol(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS) ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)
@@ -1328,8 +1308,6 @@ class ContextTests(unittest.TestCase): @@ -1328,8 +1308,6 @@
with self.assertRaises(ValueError): with self.assertRaises(ValueError):
ctx.maximum_version = ssl.TLSVersion.TLSv1 ctx.maximum_version = ssl.TLSVersion.TLSv1
@@ -173,7 +179,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_verify_flags(self): def test_verify_flags(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
# default value # default value
@@ -1807,7 +1785,6 @@ class ContextTests(unittest.TestCase): @@ -1807,7 +1785,6 @@
obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO()) obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO())
self.assertIsInstance(obj, MySSLObject) self.assertIsInstance(obj, MySSLObject)
@@ -181,7 +187,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_num_tickest(self): def test_num_tickest(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
self.assertEqual(ctx.num_tickets, 2) self.assertEqual(ctx.num_tickets, 2)
@@ -2972,8 +2949,6 @@ class ThreadedTests(unittest.TestCase): @@ -2972,8 +2949,6 @@
after = ssl.cert_time_to_seconds(cert['notAfter']) after = ssl.cert_time_to_seconds(cert['notAfter'])
self.assertLess(before, after) self.assertLess(before, after)
@@ -190,7 +196,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_crl_check(self): def test_crl_check(self):
if support.verbose: if support.verbose:
sys.stdout.write("\n") sys.stdout.write("\n")
@@ -3877,12 +3852,7 @@ class ThreadedTests(unittest.TestCase): @@ -3877,12 +3852,7 @@
self.assertIs(s.version(), None) self.assertIs(s.version(), None)
self.assertIs(s._sslobj, None) self.assertIs(s._sslobj, None)
s.connect((HOST, server.port)) s.connect((HOST, server.port))
@@ -204,7 +210,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
self.assertIs(s._sslobj, None) self.assertIs(s._sslobj, None)
self.assertIs(s.version(), None) self.assertIs(s.version(), None)
@@ -3984,8 +3954,6 @@ class ThreadedTests(unittest.TestCase): @@ -3984,8 +3954,6 @@
# explicitly using the 'ECCdraft' cipher alias. Otherwise, # explicitly using the 'ECCdraft' cipher alias. Otherwise,
# our default cipher list should prefer ECDH-based ciphers # our default cipher list should prefer ECDH-based ciphers
# automatically. # automatically.
@@ -213,7 +219,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
with ThreadedEchoServer(context=context) as server: with ThreadedEchoServer(context=context) as server:
with context.wrap_socket(socket.socket()) as s: with context.wrap_socket(socket.socket()) as s:
s.connect((HOST, server.port)) s.connect((HOST, server.port))
@@ -4117,15 +4085,11 @@ class ThreadedTests(unittest.TestCase): @@ -4117,15 +4085,11 @@
server_context.set_ciphers("ECDHE:!eNULL:!aNULL") server_context.set_ciphers("ECDHE:!eNULL:!aNULL")
server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 server_context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
try: try:
@@ -233,7 +239,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_selected_alpn_protocol(self): def test_selected_alpn_protocol(self):
# selected_alpn_protocol() is None unless ALPN is used. # selected_alpn_protocol() is None unless ALPN is used.
@@ -4135,7 +4099,6 @@ class ThreadedTests(unittest.TestCase): @@ -4135,7 +4099,6 @@
sni_name=hostname) sni_name=hostname)
self.assertIs(stats['client_alpn_protocol'], None) self.assertIs(stats['client_alpn_protocol'], None)
@@ -241,7 +247,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_selected_alpn_protocol_if_server_uses_alpn(self): def test_selected_alpn_protocol_if_server_uses_alpn(self):
# selected_alpn_protocol() is None unless ALPN is used by the client. # selected_alpn_protocol() is None unless ALPN is used by the client.
client_context, server_context, hostname = testing_context() client_context, server_context, hostname = testing_context()
@@ -4145,7 +4108,6 @@ class ThreadedTests(unittest.TestCase): @@ -4145,7 +4108,6 @@
sni_name=hostname) sni_name=hostname)
self.assertIs(stats['client_alpn_protocol'], None) self.assertIs(stats['client_alpn_protocol'], None)
@@ -249,7 +255,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_alpn_protocols(self): def test_alpn_protocols(self):
server_protocols = ['foo', 'bar', 'milkshake'] server_protocols = ['foo', 'bar', 'milkshake']
protocol_tests = [ protocol_tests = [
@@ -4168,22 +4130,17 @@ class ThreadedTests(unittest.TestCase): @@ -4168,22 +4130,17 @@
except ssl.SSLError as e: except ssl.SSLError as e:
stats = e stats = e
@@ -283,7 +289,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_selected_npn_protocol(self): def test_selected_npn_protocol(self):
# selected_npn_protocol() is None unless NPN is used # selected_npn_protocol() is None unless NPN is used
@@ -4193,31 +4150,8 @@ class ThreadedTests(unittest.TestCase): @@ -4193,31 +4150,8 @@
sni_name=hostname) sni_name=hostname)
self.assertIs(stats['client_npn_protocol'], None) self.assertIs(stats['client_npn_protocol'], None)
@@ -316,7 +322,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
def test_empty_npn_protocols(self): def test_empty_npn_protocols(self):
"""npn_protocols cannot be empty, see CVE-2024-5642 & gh-121227""" """npn_protocols cannot be empty, see CVE-2024-5642 & gh-121227"""
@@ -4393,8 +4327,7 @@ class ThreadedTests(unittest.TestCase): @@ -4393,8 +4327,7 @@
self.assertGreater(session.time, 0) self.assertGreater(session.time, 0)
self.assertGreater(session.timeout, 0) self.assertGreater(session.timeout, 0)
self.assertTrue(session.has_ticket) self.assertTrue(session.has_ticket)
@@ -326,13 +332,17 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
self.assertFalse(stats['session_reused']) self.assertFalse(stats['session_reused'])
sess_stat = server_context.session_stats() sess_stat = server_context.session_stats()
self.assertEqual(sess_stat['accept'], 1) self.assertEqual(sess_stat['accept'], 1)
--- /dev/null Index: Python-3.9.24/Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst
+++ b/Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst ===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ Python-3.9.24/Misc/NEWS.d/next/Build/2021-03-30-14-19-39.bpo-43669.lWMUYx.rst 2025-11-14 00:55:05.523862509 +0100
@@ -0,0 +1 @@ @@ -0,0 +1 @@
+Implement :pep:`644`. Python now requires OpenSSL 1.1.1 or newer. +Implement :pep:`644`. Python now requires OpenSSL 1.1.1 or newer.
--- a/Modules/Setup Index: Python-3.9.24/Modules/Setup
+++ b/Modules/Setup ===================================================================
@@ -210,11 +210,23 @@ _symtable symtablemodule.c --- Python-3.9.24.orig/Modules/Setup 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Modules/Setup 2025-11-14 00:55:05.524260958 +0100
@@ -210,11 +210,23 @@
#_socket socketmodule.c #_socket socketmodule.c
# Socket module helper for SSL support; you must comment out the other # Socket module helper for SSL support; you must comment out the other
@@ -361,8 +371,10 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
# The crypt module is now disabled by default because it breaks builds # The crypt module is now disabled by default because it breaks builds
# on many systems (where -lcrypt is needed), e.g. Linux (I believe). # on many systems (where -lcrypt is needed), e.g. Linux (I believe).
--- a/Modules/_hashopenssl.c Index: Python-3.9.24/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c ===================================================================
--- Python-3.9.24.orig/Modules/_hashopenssl.c 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Modules/_hashopenssl.c 2025-11-14 00:55:05.524484942 +0100
@@ -43,51 +43,12 @@ @@ -43,51 +43,12 @@
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL" # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
#endif #endif
@@ -416,7 +428,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#if OPENSSL_VERSION_NUMBER >= 0x30000000L #if OPENSSL_VERSION_NUMBER >= 0x30000000L
#define PY_EVP_MD EVP_MD #define PY_EVP_MD EVP_MD
@@ -1311,8 +1272,7 @@ pbkdf2_hmac_impl(PyObject *module, const @@ -1311,8 +1272,7 @@
return key_obj; return key_obj;
} }
@@ -426,7 +438,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* XXX: Parameters salt, n, r and p should be required keyword-only parameters. /* XXX: Parameters salt, n, r and p should be required keyword-only parameters.
They are optional in the Argument Clinic declaration only due to a They are optional in the Argument Clinic declaration only due to a
@@ -1433,7 +1393,7 @@ _hashlib_scrypt_impl(PyObject *module, P @@ -1433,7 +1393,7 @@
} }
return key_obj; return key_obj;
} }
@@ -435,7 +447,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Fast HMAC for hmac.digest() /* Fast HMAC for hmac.digest()
*/ */
@@ -1920,12 +1880,6 @@ hashlib_md_meth_names(PyObject *module) @@ -1920,12 +1880,6 @@
return 0; return 0;
} }
@@ -448,7 +460,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input] /*[clinic input]
_hashlib.get_fips_mode -> int _hashlib.get_fips_mode -> int
@@ -1963,7 +1917,6 @@ _hashlib_get_fips_mode_impl(PyObject *mo @@ -1963,7 +1917,6 @@
return result; return result;
#endif #endif
} }
@@ -456,7 +468,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int static int
@@ -2144,17 +2097,6 @@ hashlib_free(void *m) @@ -2144,17 +2097,6 @@
/* Py_mod_exec functions */ /* Py_mod_exec functions */
static int static int
@@ -474,7 +486,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
hashlib_init_hashtable(PyObject *module) hashlib_init_hashtable(PyObject *module)
{ {
_hashlibstate *state = get_hashlib_state(module); _hashlibstate *state = get_hashlib_state(module);
@@ -2227,10 +2169,7 @@ hashlib_init_hmactype(PyObject *module) @@ -2227,10 +2169,7 @@
return 0; return 0;
} }
@@ -485,7 +497,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
{Py_mod_exec, hashlib_init_hashtable}, {Py_mod_exec, hashlib_init_hashtable},
{Py_mod_exec, hashlib_init_evptype}, {Py_mod_exec, hashlib_init_evptype},
{Py_mod_exec, hashlib_init_evpxoftype}, {Py_mod_exec, hashlib_init_evpxoftype},
@@ -2238,7 +2177,6 @@ static PyModuleDef_Slot hashlib_slots[] @@ -2238,7 +2177,6 @@
{Py_mod_exec, hashlib_md_meth_names}, {Py_mod_exec, hashlib_md_meth_names},
{0, NULL} {0, NULL}
}; };
@@ -493,7 +505,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static struct PyModuleDef _hashlibmodule = { static struct PyModuleDef _hashlibmodule = {
PyModuleDef_HEAD_INIT, PyModuleDef_HEAD_INIT,
@@ -2246,7 +2184,7 @@ static struct PyModuleDef _hashlibmodule @@ -2246,7 +2184,7 @@
.m_doc = "OpenSSL interface for hashlib module", .m_doc = "OpenSSL interface for hashlib module",
.m_size = sizeof(_hashlibstate), .m_size = sizeof(_hashlibstate),
.m_methods = EVP_functions, .m_methods = EVP_functions,
@@ -502,7 +514,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
.m_traverse = hashlib_traverse, .m_traverse = hashlib_traverse,
.m_clear = hashlib_clear, .m_clear = hashlib_clear,
.m_free = hashlib_free .m_free = hashlib_free
@@ -2255,41 +2193,5 @@ static struct PyModuleDef _hashlibmodule @@ -2255,41 +2193,5 @@
PyMODINIT_FUNC PyMODINIT_FUNC
PyInit__hashlib(void) PyInit__hashlib(void)
{ {
@@ -545,8 +557,10 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
- return m; - return m;
+ return PyModuleDef_Init(&_hashlibmodule); + return PyModuleDef_Init(&_hashlibmodule);
} }
--- a/Modules/_ssl.c Index: Python-3.9.24/Modules/_ssl.c
+++ b/Modules/_ssl.c ===================================================================
--- Python-3.9.24.orig/Modules/_ssl.c 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Modules/_ssl.c 2025-11-14 00:55:05.525585095 +0100
@@ -29,9 +29,9 @@ @@ -29,9 +29,9 @@
#define _PySSL_FIX_ERRNO #define _PySSL_FIX_ERRNO
@@ -559,7 +573,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#define PySSL_BEGIN_ALLOW_THREADS { \ #define PySSL_BEGIN_ALLOW_THREADS { \
PyThreadState *_save = NULL; \ PyThreadState *_save = NULL; \
PySSL_BEGIN_ALLOW_THREADS_S(_save); PySSL_BEGIN_ALLOW_THREADS_S(_save);
@@ -62,16 +62,6 @@ static PySocketModule_APIObject PySocket @@ -62,16 +62,6 @@
#include "openssl/bio.h" #include "openssl/bio.h"
#include "openssl/dh.h" #include "openssl/dh.h"
@@ -576,7 +590,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#ifndef OPENSSL_THREADS #ifndef OPENSSL_THREADS
# error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL" # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
#endif #endif
@@ -142,15 +132,7 @@ static void _PySSLFixErrno(void) { @@ -142,15 +132,7 @@
#include "_ssl_data.h" #include "_ssl_data.h"
#endif #endif
@@ -593,7 +607,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#ifndef OPENSSL_NO_TLS1_METHOD #ifndef OPENSSL_NO_TLS1_METHOD
extern const SSL_METHOD *TLSv1_method(void); extern const SSL_METHOD *TLSv1_method(void);
#endif #endif
@@ -161,59 +143,10 @@ extern const SSL_METHOD *TLSv1_1_method( @@ -161,59 +143,10 @@
extern const SSL_METHOD *TLSv1_2_method(void); extern const SSL_METHOD *TLSv1_2_method(void);
#endif #endif
@@ -653,7 +667,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* OpenSSL 1.1+ allows locking X509_STORE, 1.0.2 doesn't. */ /* OpenSSL 1.1+ allows locking X509_STORE, 1.0.2 doesn't. */
#ifdef OPENSSL_VERSION_1_1 #ifdef OPENSSL_VERSION_1_1
#define HAVE_OPENSSL_X509_STORE_LOCK #define HAVE_OPENSSL_X509_STORE_LOCK
@@ -224,80 +157,8 @@ extern const SSL_METHOD *TLSv1_2_method( @@ -224,80 +157,8 @@
#define HAVE_OPENSSL_X509_STORE_GET1_OBJECTS 1 #define HAVE_OPENSSL_X509_STORE_GET1_OBJECTS 1
#endif #endif
@@ -735,7 +749,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Default cipher suites */ /* Default cipher suites */
#ifndef PY_SSL_DEFAULT_CIPHERS #ifndef PY_SSL_DEFAULT_CIPHERS
@@ -409,24 +270,10 @@ enum py_proto_version { @@ -409,24 +270,10 @@
#endif #endif
}; };
@@ -760,7 +774,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* In case of 'tls-unique' it will be 12 bytes for TLS, 36 bytes for /* In case of 'tls-unique' it will be 12 bytes for TLS, 36 bytes for
* older SSL, but let's be safe */ * older SSL, but let's be safe */
@@ -436,17 +283,9 @@ static unsigned int _ssl_locks_count = 0 @@ -436,17 +283,9 @@
typedef struct { typedef struct {
PyObject_HEAD PyObject_HEAD
SSL_CTX *ctx; SSL_CTX *ctx;
@@ -778,7 +792,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
int check_hostname; int check_hostname;
/* OpenSSL has no API to get hostflags from X509_VERIFY_PARAM* struct. /* OpenSSL has no API to get hostflags from X509_VERIFY_PARAM* struct.
* We have to maintain our own copy. OpenSSL's hostflags default to 0. * We have to maintain our own copy. OpenSSL's hostflags default to 0.
@@ -457,10 +296,8 @@ typedef struct { @@ -457,10 +296,8 @@
int post_handshake_auth; int post_handshake_auth;
#endif #endif
PyObject *msg_cb; PyObject *msg_cb;
@@ -789,7 +803,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
} PySSLContext; } PySSLContext;
typedef struct { typedef struct {
@@ -667,23 +504,18 @@ fill_and_set_sslerror(PySSLSocket *sslso @@ -667,23 +504,18 @@
} }
switch (verify_code) { switch (verify_code) {
@@ -813,7 +827,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
default: default:
verify_str = X509_verify_cert_error_string(verify_code); verify_str = X509_verify_cert_error_string(verify_code);
if (verify_str != NULL) { if (verify_str != NULL) {
@@ -2014,7 +1846,6 @@ cipher_to_tuple(const SSL_CIPHER *cipher @@ -2014,7 +1846,6 @@
return NULL; return NULL;
} }
@@ -821,7 +835,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject * static PyObject *
cipher_to_dict(const SSL_CIPHER *cipher) cipher_to_dict(const SSL_CIPHER *cipher)
{ {
@@ -2023,10 +1854,8 @@ cipher_to_dict(const SSL_CIPHER *cipher) @@ -2023,10 +1854,8 @@
unsigned long cipher_id; unsigned long cipher_id;
int alg_bits, strength_bits, len; int alg_bits, strength_bits, len;
char buf[512] = {0}; char buf[512] = {0};
@@ -832,7 +846,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* can be NULL */ /* can be NULL */
cipher_name = SSL_CIPHER_get_name(cipher); cipher_name = SSL_CIPHER_get_name(cipher);
@@ -2039,7 +1868,6 @@ cipher_to_dict(const SSL_CIPHER *cipher) @@ -2039,7 +1868,6 @@
buf[len-1] = '\0'; buf[len-1] = '\0';
strength_bits = SSL_CIPHER_get_bits(cipher, &alg_bits); strength_bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
@@ -840,7 +854,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
aead = SSL_CIPHER_is_aead(cipher); aead = SSL_CIPHER_is_aead(cipher);
nid = SSL_CIPHER_get_cipher_nid(cipher); nid = SSL_CIPHER_get_cipher_nid(cipher);
skcipher = nid != NID_undef ? OBJ_nid2ln(nid) : NULL; skcipher = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
@@ -2049,13 +1877,10 @@ cipher_to_dict(const SSL_CIPHER *cipher) @@ -2049,13 +1877,10 @@
kx = nid != NID_undef ? OBJ_nid2ln(nid) : NULL; kx = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
nid = SSL_CIPHER_get_auth_nid(cipher); nid = SSL_CIPHER_get_auth_nid(cipher);
auth = nid != NID_undef ? OBJ_nid2ln(nid) : NULL; auth = nid != NID_undef ? OBJ_nid2ln(nid) : NULL;
@@ -854,7 +868,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
"}", "}",
"id", cipher_id, "id", cipher_id,
"name", cipher_name, "name", cipher_name,
@@ -2063,16 +1888,13 @@ cipher_to_dict(const SSL_CIPHER *cipher) @@ -2063,16 +1888,13 @@
"description", buf, "description", buf,
"strength_bits", strength_bits, "strength_bits", strength_bits,
"alg_bits", alg_bits "alg_bits", alg_bits
@@ -871,7 +885,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input] /*[clinic input]
_ssl._SSLSocket.shared_ciphers _ssl._SSLSocket.shared_ciphers
@@ -2143,28 +1965,6 @@ _ssl__SSLSocket_version_impl(PySSLSocket @@ -2143,28 +1965,6 @@
return PyUnicode_FromString(version); return PyUnicode_FromString(version);
} }
@@ -900,7 +914,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input] /*[clinic input]
_ssl._SSLSocket.selected_alpn_protocol _ssl._SSLSocket.selected_alpn_protocol
[clinic start generated code]*/ [clinic start generated code]*/
@@ -2182,7 +1982,6 @@ _ssl__SSLSocket_selected_alpn_protocol_i @@ -2182,7 +1982,6 @@
Py_RETURN_NONE; Py_RETURN_NONE;
return PyUnicode_FromStringAndSize((char *)out, outlen); return PyUnicode_FromStringAndSize((char *)out, outlen);
} }
@@ -908,7 +922,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input] /*[clinic input]
_ssl._SSLSocket.compression _ssl._SSLSocket.compression
@@ -2219,11 +2018,6 @@ static int PySSL_set_context(PySSLSocket @@ -2219,11 +2018,6 @@
void *closure) { void *closure) {
if (PyObject_TypeCheck(value, &PySSLContext_Type)) { if (PyObject_TypeCheck(value, &PySSLContext_Type)) {
@@ -920,7 +934,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_INCREF(value); Py_INCREF(value);
Py_SETREF(self->ctx, (PySSLContext *)value); Py_SETREF(self->ctx, (PySSLContext *)value);
SSL_set_SSL_CTX(self->ssl, self->ctx->ctx); SSL_set_SSL_CTX(self->ssl, self->ctx->ctx);
@@ -2232,7 +2026,6 @@ static int PySSL_set_context(PySSLSocket @@ -2232,7 +2026,6 @@
self->ssl, self->ssl,
self->ctx->msg_cb ? _PySSL_msg_callback : NULL self->ctx->msg_cb ? _PySSL_msg_callback : NULL
); );
@@ -928,7 +942,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
} else { } else {
PyErr_SetString(PyExc_TypeError, "The value must be a SSLContext"); PyErr_SetString(PyExc_TypeError, "The value must be a SSLContext");
return -1; return -1;
@@ -2857,8 +2650,6 @@ _ssl__SSLSocket_verify_client_post_hands @@ -2857,8 +2650,6 @@
#endif #endif
} }
@@ -937,7 +951,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static SSL_SESSION* static SSL_SESSION*
_ssl_session_dup(SSL_SESSION *session) { _ssl_session_dup(SSL_SESSION *session) {
SSL_SESSION *newsession = NULL; SSL_SESSION *newsession = NULL;
@@ -2899,7 +2690,6 @@ _ssl_session_dup(SSL_SESSION *session) { @@ -2899,7 +2690,6 @@
} }
return NULL; return NULL;
} }
@@ -945,7 +959,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject * static PyObject *
PySSL_get_session(PySSLSocket *self, void *closure) { PySSL_get_session(PySSLSocket *self, void *closure) {
@@ -2908,7 +2698,6 @@ PySSL_get_session(PySSLSocket *self, voi @@ -2908,7 +2698,6 @@
PySSLSession *pysess; PySSLSession *pysess;
SSL_SESSION *session; SSL_SESSION *session;
@@ -953,7 +967,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* duplicate session as workaround for session bug in OpenSSL 1.1.0, /* duplicate session as workaround for session bug in OpenSSL 1.1.0,
* https://github.com/openssl/openssl/issues/1550 */ * https://github.com/openssl/openssl/issues/1550 */
session = SSL_get0_session(self->ssl); /* borrowed reference */ session = SSL_get0_session(self->ssl); /* borrowed reference */
@@ -2918,12 +2707,10 @@ PySSL_get_session(PySSLSocket *self, voi @@ -2918,12 +2707,10 @@
if ((session = _ssl_session_dup(session)) == NULL) { if ((session = _ssl_session_dup(session)) == NULL) {
return NULL; return NULL;
} }
@@ -966,7 +980,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
pysess = PyObject_GC_New(PySSLSession, &PySSLSession_Type); pysess = PyObject_GC_New(PySSLSession, &PySSLSession_Type);
if (pysess == NULL) { if (pysess == NULL) {
SSL_SESSION_free(session); SSL_SESSION_free(session);
@@ -2942,9 +2729,7 @@ static int PySSL_set_session(PySSLSocket @@ -2942,9 +2729,7 @@
void *closure) void *closure)
{ {
PySSLSession *pysess; PySSLSession *pysess;
@@ -976,7 +990,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
int result; int result;
if (!PySSLSession_Check(value)) { if (!PySSLSession_Check(value)) {
@@ -2968,7 +2753,6 @@ static int PySSL_set_session(PySSLSocket @@ -2968,7 +2753,6 @@
"Cannot set session after handshake."); "Cannot set session after handshake.");
return -1; return -1;
} }
@@ -984,7 +998,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* duplicate session */ /* duplicate session */
if ((session = _ssl_session_dup(pysess->session)) == NULL) { if ((session = _ssl_session_dup(pysess->session)) == NULL) {
return -1; return -1;
@@ -2976,9 +2760,6 @@ static int PySSL_set_session(PySSLSocket @@ -2976,9 +2760,6 @@
result = SSL_set_session(self->ssl, session); result = SSL_set_session(self->ssl, session);
/* free duplicate, SSL_set_session() bumps ref count */ /* free duplicate, SSL_set_session() bumps ref count */
SSL_SESSION_free(session); SSL_SESSION_free(session);
@@ -994,7 +1008,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
if (result == 0) { if (result == 0) {
_setSSLError(NULL, 0, __FILE__, __LINE__); _setSSLError(NULL, 0, __FILE__, __LINE__);
return -1; return -1;
@@ -3029,7 +2810,6 @@ static PyMethodDef PySSLMethods[] = { @@ -3029,7 +2810,6 @@
_SSL__SSLSOCKET_CIPHER_METHODDEF _SSL__SSLSOCKET_CIPHER_METHODDEF
_SSL__SSLSOCKET_SHARED_CIPHERS_METHODDEF _SSL__SSLSOCKET_SHARED_CIPHERS_METHODDEF
_SSL__SSLSOCKET_VERSION_METHODDEF _SSL__SSLSOCKET_VERSION_METHODDEF
@@ -1002,7 +1016,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
_SSL__SSLSOCKET_SELECTED_ALPN_PROTOCOL_METHODDEF _SSL__SSLSOCKET_SELECTED_ALPN_PROTOCOL_METHODDEF
_SSL__SSLSOCKET_COMPRESSION_METHODDEF _SSL__SSLSOCKET_COMPRESSION_METHODDEF
_SSL__SSLSOCKET_SHUTDOWN_METHODDEF _SSL__SSLSOCKET_SHUTDOWN_METHODDEF
@@ -3123,9 +2903,6 @@ _ssl__SSLContext_impl(PyTypeObject *type @@ -3123,9 +2903,6 @@
SSL_CTX *ctx = NULL; SSL_CTX *ctx = NULL;
X509_VERIFY_PARAM *params; X509_VERIFY_PARAM *params;
int result; int result;
@@ -1012,7 +1026,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PySSL_BEGIN_ALLOW_THREADS PySSL_BEGIN_ALLOW_THREADS
switch(proto_version) { switch(proto_version) {
@@ -3190,19 +2967,10 @@ _ssl__SSLContext_impl(PyTypeObject *type @@ -3190,19 +2967,10 @@
self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS;
self->protocol = proto_version; self->protocol = proto_version;
self->msg_cb = NULL; self->msg_cb = NULL;
@@ -1032,7 +1046,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Don't check host name by default */ /* Don't check host name by default */
if (proto_version == PY_SSL_VERSION_TLS_CLIENT) { if (proto_version == PY_SSL_VERSION_TLS_CLIENT) {
self->check_hostname = 1; self->check_hostname = 1;
@@ -3264,37 +3032,9 @@ _ssl__SSLContext_impl(PyTypeObject *type @@ -3264,37 +3032,9 @@
return NULL; return NULL;
} }
@@ -1072,7 +1086,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#define SID_CTX "Python" #define SID_CTX "Python"
SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX, SSL_CTX_set_session_id_context(self->ctx, (const unsigned char *) SID_CTX,
@@ -3302,11 +3042,9 @@ _ssl__SSLContext_impl(PyTypeObject *type @@ -3302,11 +3042,9 @@
#undef SID_CTX #undef SID_CTX
params = SSL_CTX_get0_param(self->ctx); params = SSL_CTX_get0_param(self->ctx);
@@ -1084,7 +1098,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
X509_VERIFY_PARAM_set_hostflags(params, self->hostflags); X509_VERIFY_PARAM_set_hostflags(params, self->hostflags);
#ifdef TLS1_3_VERSION #ifdef TLS1_3_VERSION
@@ -3320,9 +3058,7 @@ _ssl__SSLContext_impl(PyTypeObject *type @@ -3320,9 +3058,7 @@
static int static int
context_traverse(PySSLContext *self, visitproc visit, void *arg) context_traverse(PySSLContext *self, visitproc visit, void *arg)
{ {
@@ -1094,7 +1108,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_VISIT(self->msg_cb); Py_VISIT(self->msg_cb);
return 0; return 0;
} }
@@ -3330,11 +3066,8 @@ context_traverse(PySSLContext *self, vis @@ -3330,11 +3066,8 @@
static int static int
context_clear(PySSLContext *self) context_clear(PySSLContext *self)
{ {
@@ -1106,7 +1120,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_CLEAR(self->keylog_filename); Py_CLEAR(self->keylog_filename);
if (self->keylog_bio != NULL) { if (self->keylog_bio != NULL) {
PySSL_BEGIN_ALLOW_THREADS PySSL_BEGIN_ALLOW_THREADS
@@ -3342,7 +3075,6 @@ context_clear(PySSLContext *self) @@ -3342,7 +3075,6 @@
PySSL_END_ALLOW_THREADS PySSL_END_ALLOW_THREADS
self->keylog_bio = NULL; self->keylog_bio = NULL;
} }
@@ -1114,7 +1128,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
return 0; return 0;
} }
@@ -3353,12 +3085,7 @@ context_dealloc(PySSLContext *self) @@ -3353,12 +3085,7 @@
PyObject_GC_UnTrack(self); PyObject_GC_UnTrack(self);
context_clear(self); context_clear(self);
SSL_CTX_free(self->ctx); SSL_CTX_free(self->ctx);
@@ -1127,7 +1141,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_TYPE(self)->tp_free(self); Py_TYPE(self)->tp_free(self);
} }
@@ -3385,7 +3112,6 @@ _ssl__SSLContext_set_ciphers_impl(PySSLC @@ -3385,7 +3112,6 @@
Py_RETURN_NONE; Py_RETURN_NONE;
} }
@@ -1135,7 +1149,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input] /*[clinic input]
_ssl._SSLContext.get_ciphers _ssl._SSLContext.get_ciphers
[clinic start generated code]*/ [clinic start generated code]*/
@@ -3428,10 +3154,8 @@ _ssl__SSLContext_get_ciphers_impl(PySSLC @@ -3428,10 +3154,8 @@
return result; return result;
} }
@@ -1146,7 +1160,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int static int
do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen, do_protocol_selection(int alpn, unsigned char **out, unsigned char *outlen,
const unsigned char *server_protocols, unsigned int server_protocols_len, const unsigned char *server_protocols, unsigned int server_protocols_len,
@@ -3455,77 +3179,7 @@ do_protocol_selection(int alpn, unsigned @@ -3455,77 +3179,7 @@
return SSL_TLSEXT_ERR_OK; return SSL_TLSEXT_ERR_OK;
} }
@@ -1224,7 +1238,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int static int
_selectALPN_cb(SSL *s, _selectALPN_cb(SSL *s,
const unsigned char **out, unsigned char *outlen, const unsigned char **out, unsigned char *outlen,
@@ -3537,7 +3191,6 @@ _selectALPN_cb(SSL *s, @@ -3537,7 +3191,6 @@
ctx->alpn_protocols, ctx->alpn_protocols_len, ctx->alpn_protocols, ctx->alpn_protocols_len,
client_protocols, client_protocols_len); client_protocols, client_protocols_len);
} }
@@ -1232,7 +1246,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input] /*[clinic input]
_ssl._SSLContext._set_alpn_protocols _ssl._SSLContext._set_alpn_protocols
@@ -3550,7 +3203,6 @@ _ssl__SSLContext__set_alpn_protocols_imp @@ -3550,7 +3203,6 @@
Py_buffer *protos) Py_buffer *protos)
/*[clinic end generated code: output=87599a7f76651a9b input=9bba964595d519be]*/ /*[clinic end generated code: output=87599a7f76651a9b input=9bba964595d519be]*/
{ {
@@ -1240,7 +1254,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
if ((size_t)protos->len > UINT_MAX) { if ((size_t)protos->len > UINT_MAX) {
PyErr_Format(PyExc_OverflowError, PyErr_Format(PyExc_OverflowError,
"protocols longer than %u bytes", UINT_MAX); "protocols longer than %u bytes", UINT_MAX);
@@ -3569,11 +3221,6 @@ _ssl__SSLContext__set_alpn_protocols_imp @@ -3569,11 +3221,6 @@
SSL_CTX_set_alpn_select_cb(self->ctx, _selectALPN_cb, self); SSL_CTX_set_alpn_select_cb(self->ctx, _selectALPN_cb, self);
Py_RETURN_NONE; Py_RETURN_NONE;
@@ -1252,7 +1266,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
} }
static PyObject * static PyObject *
@@ -3649,9 +3296,6 @@ set_verify_flags(PySSLContext *self, PyO @@ -3649,9 +3296,6 @@
} }
/* Getter and setter for protocol version */ /* Getter and setter for protocol version */
@@ -1262,7 +1276,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int static int
set_min_max_proto_version(PySSLContext *self, PyObject *arg, int what) set_min_max_proto_version(PySSLContext *self, PyObject *arg, int what)
{ {
@@ -3746,9 +3390,8 @@ set_maximum_version(PySSLContext *self, @@ -3746,9 +3390,8 @@
{ {
return set_min_max_proto_version(self, arg, 1); return set_min_max_proto_version(self, arg, 1);
} }
@@ -1273,7 +1287,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject * static PyObject *
get_num_tickets(PySSLContext *self, void *c) get_num_tickets(PySSLContext *self, void *c)
{ {
@@ -3779,7 +3422,7 @@ set_num_tickets(PySSLContext *self, PyOb @@ -3779,7 +3422,7 @@
PyDoc_STRVAR(PySSLContext_num_tickets_doc, PyDoc_STRVAR(PySSLContext_num_tickets_doc,
"Control the number of TLSv1.3 session tickets"); "Control the number of TLSv1.3 session tickets");
@@ -1282,7 +1296,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject * static PyObject *
get_options(PySSLContext *self, void *c) get_options(PySSLContext *self, void *c)
@@ -3797,13 +3440,7 @@ set_options(PySSLContext *self, PyObject @@ -3797,13 +3440,7 @@
clear = opts & ~new_opts; clear = opts & ~new_opts;
set = ~opts & new_opts; set = ~opts & new_opts;
if (clear) { if (clear) {
@@ -1296,7 +1310,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
} }
if (set) if (set)
SSL_CTX_set_options(self->ctx, set); SSL_CTX_set_options(self->ctx, set);
@@ -4500,7 +4137,6 @@ _ssl__SSLContext_set_default_verify_path @@ -4500,7 +4137,6 @@
Py_RETURN_NONE; Py_RETURN_NONE;
} }
@@ -1304,7 +1318,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/*[clinic input] /*[clinic input]
_ssl._SSLContext.set_ecdh_curve _ssl._SSLContext.set_ecdh_curve
name: object name: object
@@ -4535,9 +4171,7 @@ _ssl__SSLContext_set_ecdh_curve(PySSLCon @@ -4535,9 +4171,7 @@
EC_KEY_free(key); EC_KEY_free(key);
Py_RETURN_NONE; Py_RETURN_NONE;
} }
@@ -1314,7 +1328,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static int static int
_servername_callback(SSL *s, int *al, void *args) _servername_callback(SSL *s, int *al, void *args)
{ {
@@ -4641,7 +4275,6 @@ error: @@ -4641,7 +4275,6 @@
PyGILState_Release(gstate); PyGILState_Release(gstate);
return ret; return ret;
} }
@@ -1322,7 +1336,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static PyObject * static PyObject *
get_sni_callback(PySSLContext *self, void *c) get_sni_callback(PySSLContext *self, void *c)
@@ -4662,7 +4295,6 @@ set_sni_callback(PySSLContext *self, PyO @@ -4662,7 +4295,6 @@
"sni_callback cannot be set on TLS_CLIENT context"); "sni_callback cannot be set on TLS_CLIENT context");
return -1; return -1;
} }
@@ -1330,7 +1344,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
Py_CLEAR(self->set_sni_cb); Py_CLEAR(self->set_sni_cb);
if (arg == Py_None) { if (arg == Py_None) {
SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL); SSL_CTX_set_tlsext_servername_callback(self->ctx, NULL);
@@ -4680,13 +4312,6 @@ set_sni_callback(PySSLContext *self, PyO @@ -4680,13 +4312,6 @@
SSL_CTX_set_tlsext_servername_arg(self->ctx, self); SSL_CTX_set_tlsext_servername_arg(self->ctx, self);
} }
return 0; return 0;
@@ -1344,7 +1358,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
} }
/* Shim of X509_STORE_get1_objects API from OpenSSL 3.3 /* Shim of X509_STORE_get1_objects API from OpenSSL 3.3
@@ -4882,21 +4507,17 @@ static PyGetSetDef context_getsetlist[] @@ -4882,21 +4507,17 @@
(setter) set_check_hostname, NULL}, (setter) set_check_hostname, NULL},
{"_host_flags", (getter) get_host_flags, {"_host_flags", (getter) get_host_flags,
(setter) set_host_flags, NULL}, (setter) set_host_flags, NULL},
@@ -1367,7 +1381,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
{"num_tickets", (getter) get_num_tickets, {"num_tickets", (getter) get_num_tickets,
(setter) set_num_tickets, PySSLContext_num_tickets_doc}, (setter) set_num_tickets, PySSLContext_num_tickets_doc},
#endif #endif
@@ -4923,7 +4544,6 @@ static struct PyMethodDef context_method @@ -4923,7 +4544,6 @@
_SSL__SSLCONTEXT__WRAP_BIO_METHODDEF _SSL__SSLCONTEXT__WRAP_BIO_METHODDEF
_SSL__SSLCONTEXT_SET_CIPHERS_METHODDEF _SSL__SSLCONTEXT_SET_CIPHERS_METHODDEF
_SSL__SSLCONTEXT__SET_ALPN_PROTOCOLS_METHODDEF _SSL__SSLCONTEXT__SET_ALPN_PROTOCOLS_METHODDEF
@@ -1375,7 +1389,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
_SSL__SSLCONTEXT_LOAD_CERT_CHAIN_METHODDEF _SSL__SSLCONTEXT_LOAD_CERT_CHAIN_METHODDEF
_SSL__SSLCONTEXT_LOAD_DH_PARAMS_METHODDEF _SSL__SSLCONTEXT_LOAD_DH_PARAMS_METHODDEF
_SSL__SSLCONTEXT_LOAD_VERIFY_LOCATIONS_METHODDEF _SSL__SSLCONTEXT_LOAD_VERIFY_LOCATIONS_METHODDEF
@@ -5441,11 +5061,7 @@ PySSL_RAND(int len, int pseudo) @@ -5441,11 +5061,7 @@
if (bytes == NULL) if (bytes == NULL)
return NULL; return NULL;
if (pseudo) { if (pseudo) {
@@ -1387,7 +1401,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
if (ok == 0 || ok == 1) if (ok == 0 || ok == 1)
return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False); return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False);
} }
@@ -6000,92 +5616,6 @@ static PyMethodDef PySSL_methods[] = { @@ -6000,92 +5616,6 @@
}; };
@@ -1480,7 +1494,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(module_doc, PyDoc_STRVAR(module_doc,
"Implementation module for SSL socket operations. See the socket module\n\ "Implementation module for SSL socket operations. See the socket module\n\
for documentation."); for documentation.");
@@ -6152,14 +5682,6 @@ PyInit__ssl(void) @@ -6152,14 +5682,6 @@
return NULL; return NULL;
PySocketModule = *socket_api; PySocketModule = *socket_api;
@@ -1495,7 +1509,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#ifdef HAVE_OPENSSL_CRYPTO_LOCK #ifdef HAVE_OPENSSL_CRYPTO_LOCK
/* note that this will start threading if not already started */ /* note that this will start threading if not already started */
if (!_setup_ssl_threads()) { if (!_setup_ssl_threads()) {
@@ -6266,10 +5788,8 @@ PyInit__ssl(void) @@ -6266,10 +5788,8 @@
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
PyModule_AddIntConstant(m, "VERIFY_X509_STRICT", PyModule_AddIntConstant(m, "VERIFY_X509_STRICT",
X509_V_FLAG_X509_STRICT); X509_V_FLAG_X509_STRICT);
@@ -1506,7 +1520,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Alert Descriptions from ssl.h */ /* Alert Descriptions from ssl.h */
/* note RESERVED constants no longer intended for use have been removed */ /* note RESERVED constants no longer intended for use have been removed */
@@ -6426,31 +5946,11 @@ PyInit__ssl(void) @@ -6426,31 +5946,11 @@
PyModule_AddObject((m), (key), bool_obj); \ PyModule_AddObject((m), (key), bool_obj); \
} while (0) } while (0)
@@ -1538,9 +1552,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#if defined(SSL2_VERSION) && !defined(OPENSSL_NO_SSL2) #if defined(SSL2_VERSION) && !defined(OPENSSL_NO_SSL2)
addbool(m, "HAS_SSLv2", 1); addbool(m, "HAS_SSLv2", 1);
--- a/Modules/_ssl/debughelpers.c Index: Python-3.9.24/Modules/_ssl/debughelpers.c
+++ b/Modules/_ssl/debughelpers.c ===================================================================
@@ -114,8 +114,6 @@ _PySSLContext_set_msg_callback(PySSLCont --- Python-3.9.24.orig/Modules/_ssl/debughelpers.c 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Modules/_ssl/debughelpers.c 2025-11-14 00:55:05.526651095 +0100
@@ -114,8 +114,6 @@
return 0; return 0;
} }
@@ -1549,15 +1565,17 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
static void static void
_PySSL_keylog_callback(const SSL *ssl, const char *line) _PySSL_keylog_callback(const SSL *ssl, const char *line)
{ {
@@ -219,5 +217,3 @@ _PySSLContext_set_keylog_filename(PySSLC @@ -219,5 +217,3 @@
SSL_CTX_set_keylog_callback(self->ctx, _PySSL_keylog_callback); SSL_CTX_set_keylog_callback(self->ctx, _PySSL_keylog_callback);
return 0; return 0;
} }
- -
-#endif -#endif
--- a/Modules/clinic/_hashopenssl.c.h Index: Python-3.9.24/Modules/clinic/_hashopenssl.c.h
+++ b/Modules/clinic/_hashopenssl.c.h ===================================================================
@@ -965,7 +965,7 @@ exit: --- Python-3.9.24.orig/Modules/clinic/_hashopenssl.c.h 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Modules/clinic/_hashopenssl.c.h 2025-11-14 00:55:05.527005334 +0100
@@ -965,7 +965,7 @@
return return_value; return return_value;
} }
@@ -1566,7 +1584,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_hashlib_scrypt__doc__, PyDoc_STRVAR(_hashlib_scrypt__doc__,
"scrypt($module, /, password, *, salt=None, n=None, r=None, p=None,\n" "scrypt($module, /, password, *, salt=None, n=None, r=None, p=None,\n"
@@ -1093,7 +1093,7 @@ exit: @@ -1093,7 +1093,7 @@
return return_value; return return_value;
} }
@@ -1575,7 +1593,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_hashlib_hmac_singleshot__doc__, PyDoc_STRVAR(_hashlib_hmac_singleshot__doc__,
"hmac_digest($module, /, key, msg, digest)\n" "hmac_digest($module, /, key, msg, digest)\n"
@@ -1324,8 +1324,6 @@ _hashlib_HMAC_hexdigest(HMACobject *self @@ -1324,8 +1324,6 @@
return _hashlib_HMAC_hexdigest_impl(self); return _hashlib_HMAC_hexdigest_impl(self);
} }
@@ -1584,7 +1602,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_hashlib_get_fips_mode__doc__, PyDoc_STRVAR(_hashlib_get_fips_mode__doc__,
"get_fips_mode($module, /)\n" "get_fips_mode($module, /)\n"
"--\n" "--\n"
@@ -1361,8 +1359,6 @@ exit: @@ -1361,8 +1359,6 @@
return return_value; return return_value;
} }
@@ -1593,7 +1611,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_hashlib_compare_digest__doc__, PyDoc_STRVAR(_hashlib_compare_digest__doc__,
"compare_digest($module, a, b, /)\n" "compare_digest($module, a, b, /)\n"
"--\n" "--\n"
@@ -1439,7 +1435,4 @@ exit: @@ -1439,7 +1435,4 @@
#define _HASHLIB_SCRYPT_METHODDEF #define _HASHLIB_SCRYPT_METHODDEF
#endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */ #endif /* !defined(_HASHLIB_SCRYPT_METHODDEF) */
@@ -1601,9 +1619,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
- #define _HASHLIB_GET_FIPS_MODE_METHODDEF - #define _HASHLIB_GET_FIPS_MODE_METHODDEF
-#endif /* !defined(_HASHLIB_GET_FIPS_MODE_METHODDEF) */ -#endif /* !defined(_HASHLIB_GET_FIPS_MODE_METHODDEF) */
/*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/ /*[clinic end generated code: output=b6b280e46bf0b139 input=a9049054013a1b77]*/
--- a/Modules/clinic/_ssl.c.h Index: Python-3.9.24/Modules/clinic/_ssl.c.h
+++ b/Modules/clinic/_ssl.c.h ===================================================================
@@ -139,29 +139,6 @@ _ssl__SSLSocket_version(PySSLSocket *sel --- Python-3.9.24.orig/Modules/clinic/_ssl.c.h 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Modules/clinic/_ssl.c.h 2025-11-14 00:55:05.527465105 +0100
@@ -139,29 +139,6 @@
return _ssl__SSLSocket_version_impl(self); return _ssl__SSLSocket_version_impl(self);
} }
@@ -1633,7 +1653,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLSocket_selected_alpn_protocol__doc__, PyDoc_STRVAR(_ssl__SSLSocket_selected_alpn_protocol__doc__,
"selected_alpn_protocol($self, /)\n" "selected_alpn_protocol($self, /)\n"
"--\n" "--\n"
@@ -179,8 +156,6 @@ _ssl__SSLSocket_selected_alpn_protocol(P @@ -179,8 +156,6 @@
return _ssl__SSLSocket_selected_alpn_protocol_impl(self); return _ssl__SSLSocket_selected_alpn_protocol_impl(self);
} }
@@ -1642,7 +1662,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLSocket_compression__doc__, PyDoc_STRVAR(_ssl__SSLSocket_compression__doc__,
"compression($self, /)\n" "compression($self, /)\n"
"--\n" "--\n"
@@ -457,8 +432,6 @@ exit: @@ -457,8 +432,6 @@
return return_value; return return_value;
} }
@@ -1651,7 +1671,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLContext_get_ciphers__doc__, PyDoc_STRVAR(_ssl__SSLContext_get_ciphers__doc__,
"get_ciphers($self, /)\n" "get_ciphers($self, /)\n"
"--\n" "--\n"
@@ -476,44 +449,6 @@ _ssl__SSLContext_get_ciphers(PySSLContex @@ -476,44 +449,6 @@
return _ssl__SSLContext_get_ciphers_impl(self); return _ssl__SSLContext_get_ciphers_impl(self);
} }
@@ -1696,7 +1716,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLContext__set_alpn_protocols__doc__, PyDoc_STRVAR(_ssl__SSLContext__set_alpn_protocols__doc__,
"_set_alpn_protocols($self, protos, /)\n" "_set_alpn_protocols($self, protos, /)\n"
"--\n" "--\n"
@@ -844,8 +779,6 @@ _ssl__SSLContext_set_default_verify_path @@ -844,8 +779,6 @@
return _ssl__SSLContext_set_default_verify_paths_impl(self); return _ssl__SSLContext_set_default_verify_paths_impl(self);
} }
@@ -1705,7 +1725,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLContext_set_ecdh_curve__doc__, PyDoc_STRVAR(_ssl__SSLContext_set_ecdh_curve__doc__,
"set_ecdh_curve($self, name, /)\n" "set_ecdh_curve($self, name, /)\n"
"--\n" "--\n"
@@ -854,8 +787,6 @@ PyDoc_STRVAR(_ssl__SSLContext_set_ecdh_c @@ -854,8 +787,6 @@
#define _SSL__SSLCONTEXT_SET_ECDH_CURVE_METHODDEF \ #define _SSL__SSLCONTEXT_SET_ECDH_CURVE_METHODDEF \
{"set_ecdh_curve", (PyCFunction)_ssl__SSLContext_set_ecdh_curve, METH_O, _ssl__SSLContext_set_ecdh_curve__doc__}, {"set_ecdh_curve", (PyCFunction)_ssl__SSLContext_set_ecdh_curve, METH_O, _ssl__SSLContext_set_ecdh_curve__doc__},
@@ -1714,7 +1734,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
PyDoc_STRVAR(_ssl__SSLContext_cert_store_stats__doc__, PyDoc_STRVAR(_ssl__SSLContext_cert_store_stats__doc__,
"cert_store_stats($self, /)\n" "cert_store_stats($self, /)\n"
"--\n" "--\n"
@@ -1455,22 +1386,6 @@ exit: @@ -1455,22 +1386,6 @@
#endif /* defined(_MSC_VER) */ #endif /* defined(_MSC_VER) */
@@ -1737,9 +1757,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
#ifndef _SSL_RAND_EGD_METHODDEF #ifndef _SSL_RAND_EGD_METHODDEF
#define _SSL_RAND_EGD_METHODDEF #define _SSL_RAND_EGD_METHODDEF
#endif /* !defined(_SSL_RAND_EGD_METHODDEF) */ #endif /* !defined(_SSL_RAND_EGD_METHODDEF) */
--- a/Tools/ssl/multissltests.py Index: Python-3.9.24/Tools/ssl/multissltests.py
+++ b/Tools/ssl/multissltests.py ===================================================================
@@ -44,8 +44,6 @@ import tarfile --- Python-3.9.24.orig/Tools/ssl/multissltests.py 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/Tools/ssl/multissltests.py 2025-11-14 00:55:05.527928158 +0100
@@ -43,8 +43,6 @@
log = logging.getLogger("multissl") log = logging.getLogger("multissl")
OPENSSL_OLD_VERSIONS = [ OPENSSL_OLD_VERSIONS = [
@@ -1748,7 +1770,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
] ]
OPENSSL_RECENT_VERSIONS = [ OPENSSL_RECENT_VERSIONS = [
@@ -54,11 +52,9 @@ OPENSSL_RECENT_VERSIONS = [ @@ -53,11 +51,9 @@
] ]
LIBRESSL_OLD_VERSIONS = [ LIBRESSL_OLD_VERSIONS = [
@@ -1760,9 +1782,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
] ]
# store files in ../multissl # store files in ../multissl
--- a/configure Index: Python-3.9.24/configure
+++ b/configure ===================================================================
@@ -88,6 +88,13 @@ fi --- Python-3.9.24.orig/configure 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/configure 2025-11-14 00:55:05.530484938 +0100
@@ -88,6 +88,13 @@
# splitting by setting IFS to empty value.) # splitting by setting IFS to empty value.)
IFS=" "" $as_nl" IFS=" "" $as_nl"
@@ -1776,7 +1800,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
# Find who we are. Look in the path if we contain no directory separator. # Find who we are. Look in the path if we contain no directory separator.
as_myself= as_myself=
case $0 in #(( case $0 in #((
@@ -17997,7 +18004,6 @@ as_fn_error () @@ -17997,7 +18004,6 @@
as_fn_exit $as_status as_fn_exit $as_status
} # as_fn_error } # as_fn_error
@@ -1784,14 +1808,16 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
# as_fn_set_status STATUS # as_fn_set_status STATUS
# ----------------------- # -----------------------
# Set $? to STATUS, without forking. # Set $? to STATUS, without forking.
@@ -19043,4 +19049,3 @@ if test "$Py_OPT" = 'false' -a "$Py_DEBU @@ -19043,4 +19049,3 @@
echo "" >&6 echo "" >&6
echo "" >&6 echo "" >&6
fi fi
- -
--- a/configure.ac Index: Python-3.9.24/configure.ac
+++ b/configure.ac ===================================================================
@@ -5756,42 +5756,6 @@ ac_includes_default="$save_includes_defa --- Python-3.9.24.orig/configure.ac 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/configure.ac 2025-11-14 00:55:05.531555268 +0100
@@ -5756,42 +5756,6 @@
# Check for usable OpenSSL # Check for usable OpenSSL
AX_CHECK_OPENSSL([have_openssl=yes],[have_openssl=no]) AX_CHECK_OPENSSL([have_openssl=yes],[have_openssl=no])
@@ -1834,8 +1860,10 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
# ssl module default cipher suite string # ssl module default cipher suite string
AH_TEMPLATE(PY_SSL_DEFAULT_CIPHERS, AH_TEMPLATE(PY_SSL_DEFAULT_CIPHERS,
[Default cipher suites list for ssl module. [Default cipher suites list for ssl module.
--- a/pyconfig.h.in Index: Python-3.9.24/pyconfig.h.in
+++ b/pyconfig.h.in ===================================================================
--- Python-3.9.24.orig/pyconfig.h.in 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/pyconfig.h.in 2025-11-14 00:55:05.532315919 +0100
@@ -1351,9 +1351,6 @@ @@ -1351,9 +1351,6 @@
/* Define to 1 if you have the `writev' function. */ /* Define to 1 if you have the `writev' function. */
#undef HAVE_WRITEV #undef HAVE_WRITEV
@@ -1846,9 +1874,11 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
/* Define if the zlib library has inflateCopy */ /* Define if the zlib library has inflateCopy */
#undef HAVE_ZLIB_COPY #undef HAVE_ZLIB_COPY
--- a/setup.py Index: Python-3.9.24/setup.py
+++ b/setup.py ===================================================================
@@ -539,10 +539,7 @@ class PyBuildExt(build_ext): --- Python-3.9.24.orig/setup.py 2025-11-14 00:54:58.674489238 +0100
+++ Python-3.9.24/setup.py 2025-11-14 00:55:05.532484937 +0100
@@ -539,10 +539,7 @@
for l in (self.missing, self.failed, self.failed_on_import)): for l in (self.missing, self.failed, self.failed_on_import)):
print() print()
print("Could not build the ssl module!") print("Could not build the ssl module!")
@@ -1860,7 +1890,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
print() print()
if os.environ.get("PYTHONSTRICTEXTENSIONBUILD") and (self.failed or self.failed_on_import): if os.environ.get("PYTHONSTRICTEXTENSIONBUILD") and (self.failed or self.failed_on_import):
@@ -2346,13 +2343,13 @@ class PyBuildExt(build_ext): @@ -2346,13 +2343,13 @@
self.missing.extend(['_ssl', '_hashlib']) self.missing.extend(['_ssl', '_hashlib'])
return None, None return None, None
@@ -1880,7 +1910,7 @@ Subject: [PATCH] PEP-644: Require OpenSSL 1.1.1 or newer
if config_vars.get("HAVE_X509_VERIFY_PARAM_SET1_HOST"): if config_vars.get("HAVE_X509_VERIFY_PARAM_SET1_HOST"):
self.add(Extension( self.add(Extension(
@@ -2367,8 +2364,6 @@ class PyBuildExt(build_ext): @@ -2367,8 +2364,6 @@
'_ssl_data_111.h', '_ssl_data_111.h',
'_ssl_data_300.h', '_ssl_data_300.h',
])) ]))


@@ -5,7 +5,8 @@ Wed Oct 15 06:28:09 UTC 2025 - Daniel Garcia <daniel.garcia@suse.com>
- Security - Security
- gh-139700: Check consistency of the zip64 end of central - gh-139700: Check consistency of the zip64 end of central
directory record. Support records with “zip64 extensible data” directory record. Support records with “zip64 extensible data”
if there are no bytes prepended to the ZIP file. if there are no bytes prepended to the ZIP file
(CVE-2025-8291, bsc#1251305).
- gh-139400: xml.parsers.expat: Make sure that parent Expat - gh-139400: xml.parsers.expat: Make sure that parent Expat
parsers are only garbage-collected once they are no longer parsers are only garbage-collected once they are no longer
referenced by subparsers created by referenced by subparsers created by