Also refreshed patches.
Signed-off-by: Rosen Penev <redacted>
PYTHON_VERSION_MICRO:=$(PYTHON3_VERSION_MICRO)
PKG_NAME:=python3
-PKG_RELEASE:=5
+PKG_RELEASE:=6
PKG_VERSION:=$(PYTHON_VERSION).$(PYTHON_VERSION_MICRO)
PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz
+zlib zlibmodule.c -lz
# Interface to the Expat XML parser
- #
+ # More information on Expat can be found at www.libexpat.org.
--- a/Makefile.pre.in
+++ b/Makefile.pre.in
-@@ -1381,6 +1381,7 @@ libinstall: build_all $(srcdir)/Modules/
+@@ -1389,6 +1389,7 @@ libinstall: build_all $(srcdir)/Modules/
$(INSTALL_DATA) `cat pybuilddir.txt`/_sysconfigdata_$(ABIFLAGS)_$(MACHDEP)_$(MULTIARCH).py \
$(DESTDIR)$(LIBDEST); \
$(INSTALL_DATA) $(srcdir)/LICENSE $(DESTDIR)$(LIBDEST)/LICENSE.txt
if test -d $(DESTDIR)$(LIBDEST)/distutils/tests; then \
$(INSTALL_DATA) $(srcdir)/Modules/xxmodule.c \
$(DESTDIR)$(LIBDEST)/distutils/tests ; \
-@@ -1416,6 +1417,7 @@ libinstall: build_all $(srcdir)/Modules/
+@@ -1424,6 +1425,7 @@ libinstall: build_all $(srcdir)/Modules/
$(PYTHON_FOR_BUILD) -m lib2to3.pgen2.driver $(DESTDIR)$(LIBDEST)/lib2to3/Grammar.txt
-PYTHONPATH=$(DESTDIR)$(LIBDEST) $(RUNSHARED) \
$(PYTHON_FOR_BUILD) -m lib2to3.pgen2.driver $(DESTDIR)$(LIBDEST)/lib2to3/PatternGrammar.txt
--- a/setup.py
+++ b/setup.py
-@@ -537,16 +537,9 @@ class PyBuildExt(build_ext):
+@@ -542,16 +542,9 @@ class PyBuildExt(build_ext):
os.unlink(tmpfile)
def detect_modules(self):
--- a/setup.py
+++ b/setup.py
-@@ -547,8 +547,9 @@ class PyBuildExt(build_ext):
+@@ -552,8 +552,9 @@ class PyBuildExt(build_ext):
# directly since an inconsistently reproducible issue comes up where
# the environment variable is not set even though the value were passed
# into configure and stored in the Makefile (issue found on OS X 10.3).
--- a/Makefile.pre.in
+++ b/Makefile.pre.in
-@@ -743,6 +743,16 @@ regen-all: regen-opcode regen-opcode-tar
+@@ -751,6 +751,16 @@ regen-all: regen-opcode regen-opcode-tar
############################################################################
# Special rules for object files
Modules/getbuildinfo.o: $(PARSER_OBJS) \
$(OBJECT_OBJS) \
$(PYTHON_OBJS) \
-@@ -750,6 +760,8 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \
+@@ -758,6 +768,8 @@ Modules/getbuildinfo.o: $(PARSER_OBJS) \
$(MODOBJS) \
$(srcdir)/Modules/getbuildinfo.c
$(CC) -c $(PY_CORE_CFLAGS) \
--- a/configure
+++ b/configure
-@@ -14962,7 +14962,7 @@ $as_echo_n "checking ABIFLAGS... " >&6;
+@@ -15129,7 +15129,7 @@ $as_echo_n "checking ABIFLAGS... " >&6;
$as_echo "$ABIFLAGS" >&6; }
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking SOABI" >&5
$as_echo_n "checking SOABI... " >&6; }
--- a/configure.ac
+++ b/configure.ac
-@@ -4665,7 +4665,7 @@ AC_SUBST(SOABI)
+@@ -4719,7 +4719,7 @@ AC_SUBST(SOABI)
AC_MSG_CHECKING(ABIFLAGS)
AC_MSG_RESULT($ABIFLAGS)
AC_MSG_CHECKING(SOABI)
--- a/setup.py
+++ b/setup.py
-@@ -354,6 +354,7 @@ class PyBuildExt(build_ext):
+@@ -359,6 +359,7 @@ class PyBuildExt(build_ext):
print("Failed to build these modules:")
print_three_column(failed)
print()
abi=sys.abiflags,
--- a/Makefile.pre.in
+++ b/Makefile.pre.in
-@@ -1390,7 +1390,7 @@ libinstall: build_all $(srcdir)/Modules/
+@@ -1398,7 +1398,7 @@ libinstall: build_all $(srcdir)/Modules/
esac; \
done; \
done
$(DESTDIR)$(LIBDEST); \
$(INSTALL_DATA) $(srcdir)/LICENSE $(DESTDIR)$(LIBDEST)/LICENSE.txt
ifeq (@COMPILE_ALL_TESTS@,yes)
-@@ -1525,7 +1525,7 @@ sharedinstall: sharedmods
+@@ -1543,7 +1543,7 @@ sharedinstall: sharedmods
--install-scripts=$(BINDIR) \
--install-platlib=$(DESTSHARED) \
--root=$(DESTDIR)/
# Here are a couple of targets for MacOSX again, to install a full
--- a/configure
+++ b/configure
-@@ -14981,7 +14981,7 @@ LDVERSION='$(VERSION)$(ABIFLAGS)'
+@@ -15148,7 +15148,7 @@ LDVERSION='$(VERSION)$(ABIFLAGS)'
$as_echo "$LDVERSION" >&6; }
LIBPL='$(prefix)'"/lib/python${VERSION}/config-${LDVERSION}-${PLATFORM_TRIPLET}"
--- a/configure.ac
+++ b/configure.ac
-@@ -4682,7 +4682,7 @@ AC_MSG_RESULT($LDVERSION)
+@@ -4736,7 +4736,7 @@ AC_MSG_RESULT($LDVERSION)
dnl define LIBPL after ABIFLAGS and LDVERSION is defined.
AC_SUBST(PY_ENABLE_SHARED)
--- /dev/null
+From 991f0176e188227647bf4c993d8da81cf794b3ae Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Sun, 25 Feb 2018 20:03:07 +0100
+Subject: [PATCH] bpo-30008: SSL module: emulate tls methods
+
+OpenSSL 1.1 compatility: emulate version specific TLS methods with
+SSL_CTX_set_min/max_proto_version().
+---
+ .../2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst | 4 +
+ Modules/_ssl.c | 134 ++++++++++++++++-----
+ 2 files changed, 108 insertions(+), 30 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst
+
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2018-02-25-20-05-51.bpo-30008.6Bmyhr.rst
+@@ -0,0 +1,4 @@
++The ssl module no longer uses function that are deprecated since OpenSSL
++1.1.0. The version specific TLS methods are emulated with TLS_method() plus
++SSL_CTX_set_min/max_proto_version(). Pseudo random numbers are generated
++with RAND_bytes().
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -45,14 +45,6 @@ static PySocketModule_APIObject PySocketModule;
+ #include <sys/poll.h>
+ #endif
+
+-/* Don't warn about deprecated functions */
+-#ifdef __GNUC__
+-#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+-#endif
+-#ifdef __clang__
+-#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+-#endif
+-
+ /* Include OpenSSL header files */
+ #include "openssl/rsa.h"
+ #include "openssl/crypto.h"
+@@ -201,6 +193,7 @@ static void _PySSLFixErrno(void) {
+ #ifndef PY_OPENSSL_1_1_API
+ /* OpenSSL 1.1 API shims for OpenSSL < 1.1.0 and LibreSSL < 2.7.0 */
+
++#define ASN1_STRING_get0_data ASN1_STRING_data
+ #define TLS_method SSLv23_method
+ #define TLS_client_method SSLv23_client_method
+ #define TLS_server_method SSLv23_server_method
+@@ -1319,8 +1312,9 @@ _get_peer_alt_names (X509 *certificate) {
+ goto fail;
+ }
+ PyTuple_SET_ITEM(t, 0, v);
+- v = PyUnicode_FromStringAndSize((char *)ASN1_STRING_data(as),
+- ASN1_STRING_length(as));
++ v = PyUnicode_FromStringAndSize(
++ (char *)ASN1_STRING_get0_data(as),
++ ASN1_STRING_length(as));
+ if (v == NULL) {
+ Py_DECREF(t);
+ goto fail;
+@@ -2959,38 +2953,118 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
+ #endif
+
+ PySSL_BEGIN_ALLOW_THREADS
+- if (proto_version == PY_SSL_VERSION_TLS1)
++ switch (proto_version) {
++#if OPENSSL_VERSION_NUMBER <= 0x10100000L
++ /* OpenSSL < 1.1.0 or not LibreSSL
++ * Use old-style methods for OpenSSL 1.0.2
++ */
++#if defined(SSL2_VERSION) && !defined(OPENSSL_NO_SSL2)
++ case PY_SSL_VERSION_SSL2:
++ ctx = SSL_CTX_new(SSLv2_method());
++ break;
++#endif
++#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
++ case PY_SSL_VERSION_SSL3:
++ ctx = SSL_CTX_new(SSLv3_method());
++ break;
++#endif
++#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)
++ case PY_SSL_VERSION_TLS1:
+ ctx = SSL_CTX_new(TLSv1_method());
+-#if HAVE_TLSv1_2
+- else if (proto_version == PY_SSL_VERSION_TLS1_1)
++ break;
++#endif
++#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1)
++ case PY_SSL_VERSION_TLS1_1:
+ ctx = SSL_CTX_new(TLSv1_1_method());
+- else if (proto_version == PY_SSL_VERSION_TLS1_2)
++ break;
++#endif
++#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2)
++ case PY_SSL_VERSION_TLS1_2:
+ ctx = SSL_CTX_new(TLSv1_2_method());
++ break;
+ #endif
+-#ifndef OPENSSL_NO_SSL3
+- else if (proto_version == PY_SSL_VERSION_SSL3)
+- ctx = SSL_CTX_new(SSLv3_method());
++#else
++ /* OpenSSL >= 1.1 or LibreSSL
++ * create context with TLS_method for all protocols
++ * no SSLv2_method in OpenSSL 1.1.
++ */
++#if defined(SSL3_VERSION) && !defined(OPENSSL_NO_SSL3)
++ case PY_SSL_VERSION_SSL3:
++ ctx = SSL_CTX_new(TLS_method());
++ if (ctx != NULL) {
++ /* OpenSSL 1.1.0 sets SSL_OP_NO_SSLv3 for TLS_method by default */
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
++ if (!SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION))
++ result = -2;
++ if (!SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION))
++ result = -2;
++ }
++ break;
+ #endif
+-#ifndef OPENSSL_NO_SSL2
+- else if (proto_version == PY_SSL_VERSION_SSL2)
+- ctx = SSL_CTX_new(SSLv2_method());
++#if defined(TLS1_VERSION) && !defined(OPENSSL_NO_TLS1)
++ case PY_SSL_VERSION_TLS1:
++ ctx = SSL_CTX_new(TLS_method());
++ if (ctx != NULL) {
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1);
++ if (!SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION))
++ result = -2;
++ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION))
++ result = -2;
++ }
++ break;
++#endif
++#if defined(TLS1_1_VERSION) && !defined(OPENSSL_NO_TLS1_1)
++ case PY_SSL_VERSION_TLS1_1:
++ ctx = SSL_CTX_new(TLS_method());
++ if (ctx != NULL) {
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_1);
++ if (!SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION))
++ result = -2;
++ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION))
++ result = -2;
++ }
++ break;
++#endif
++#if defined(TLS1_2_VERSION) && !defined(OPENSSL_NO_TLS1_2)
++ case PY_SSL_VERSION_TLS1_2:
++ ctx = SSL_CTX_new(TLS_method());
++ if (ctx != NULL) {
++ SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2);
++ if (!SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION))
++ result = -2;
++ if (!SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION))
++ result = -2;
++ }
++ break;
+ #endif
+- else if (proto_version == PY_SSL_VERSION_TLS) /* SSLv23 */
++#endif /* OpenSSL >= 1.1 */
++ case PY_SSL_VERSION_TLS:
++ /* SSLv23 */
+ ctx = SSL_CTX_new(TLS_method());
+- else if (proto_version == PY_SSL_VERSION_TLS_CLIENT)
++ break;
++ case PY_SSL_VERSION_TLS_CLIENT:
+ ctx = SSL_CTX_new(TLS_client_method());
+- else if (proto_version == PY_SSL_VERSION_TLS_SERVER)
++ break;
++ case PY_SSL_VERSION_TLS_SERVER:
+ ctx = SSL_CTX_new(TLS_server_method());
+- else
+- proto_version = -1;
++ break;
++ default:
++ result = -1;
++ break;
++ }
+ PySSL_END_ALLOW_THREADS
+
+- if (proto_version == -1) {
++ if (result == -1) {
+ PyErr_SetString(PyExc_ValueError,
+ "invalid protocol version");
+ return NULL;
+ }
+- if (ctx == NULL) {
++ else if (result == -2) {
++ PyErr_SetString(PyExc_ValueError,
++ "protocol configuration error");
++ return NULL;
++ }
++ else if (ctx == NULL) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ return NULL;
+ }
--- /dev/null
+--- a/Modules/_hashopenssl.c
++++ b/Modules/_hashopenssl.c
+@@ -1071,7 +1071,7 @@ PyInit__hashlib(void)
+ {
+ PyObject *m, *openssl_md_meth_names;
+
+-#ifndef OPENSSL_VERSION_1_1
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ /* Load all digest algorithms and initialize cpuid */
+ OPENSSL_add_all_algorithms_noconf();
+ ERR_load_crypto_strings();
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -47,6 +47,7 @@ static PySocketModule_APIObject PySocketModule;
+
+ /* Include OpenSSL header files */
+ #include "openssl/rsa.h"
++#include "openssl/dh.h"
+ #include "openssl/crypto.h"
+ #include "openssl/x509.h"
+ #include "openssl/x509v3.h"
+@@ -128,13 +129,13 @@ static void _PySSLFixErrno(void) {
+ #include "_ssl_data.h"
+
+ #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
+-# define OPENSSL_VERSION_1_1 1
+-# define PY_OPENSSL_1_1_API 1
++# define OPENSSL_VERSION_1_1 1
++# define PY_OPENSSL_1_1_API 1
+ #endif
+
+ /* LibreSSL 2.7.0 provides necessary OpenSSL 1.1.0 APIs */
+ #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL
+-# define PY_OPENSSL_1_1_API 1
++# define PY_OPENSSL_1_1_API 1
+ #endif
+
+ /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
+@@ -197,6 +198,11 @@ static void _PySSLFixErrno(void) {
+ #define TLS_method SSLv23_method
+ #define TLS_client_method SSLv23_client_method
+ #define TLS_server_method SSLv23_server_method
++#define X509_getm_notBefore X509_get_notBefore
++#define X509_getm_notAfter X509_get_notAfter
++#define OpenSSL_version_num SSLeay
++#define OpenSSL_version SSLeay_version
++#define OPENSSL_VERSION SSLEAY_VERSION
+
+ static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne)
+ {
+@@ -859,7 +865,7 @@ _ssl_configure_hostname(PySSLSocket *self, const char* server_hostname)
+ goto error;
+ }
+ } else {
+- if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_data(ip),
++ if (!X509_VERIFY_PARAM_set1_ip(param, ASN1_STRING_get0_data(ip),
+ ASN1_STRING_length(ip))) {
+ _setSSLError(NULL, 0, __FILE__, __LINE__);
+ goto error;
+@@ -1624,7 +1630,7 @@ _decode_certificate(X509 *certificate) {
+ Py_DECREF(sn_obj);
+
+ (void) BIO_reset(biobuf);
+- notBefore = X509_get_notBefore(certificate);
++ notBefore = X509_getm_notBefore(certificate);
+ ASN1_TIME_print(biobuf, notBefore);
+ len = BIO_gets(biobuf, buf, sizeof(buf)-1);
+ if (len < 0) {
+@@ -1641,7 +1647,7 @@ _decode_certificate(X509 *certificate) {
+ Py_DECREF(pnotBefore);
+
+ (void) BIO_reset(biobuf);
+- notAfter = X509_get_notAfter(certificate);
++ notAfter = X509_getm_notAfter(certificate);
+ ASN1_TIME_print(biobuf, notAfter);
+ len = BIO_gets(biobuf, buf, sizeof(buf)-1);
+ if (len < 0) {
+@@ -3152,7 +3158,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
+ conservative and assume it wasn't fixed until release. We do this check
+ at runtime to avoid problems from the dynamic linker.
+ See #25672 for more on this. */
+- libver = SSLeay();
++ libver = OpenSSL_version_num();
+ if (!(libver >= 0x10001000UL && libver < 0x1000108fUL) &&
+ !(libver >= 0x10000000UL && libver < 0x100000dfUL)) {
+ SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS);
+@@ -5159,7 +5175,7 @@ PySSL_RAND(int len, int pseudo)
+ if (bytes == NULL)
+ return NULL;
+ if (pseudo) {
+- ok = RAND_pseudo_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
++ ok = RAND_bytes((unsigned char*)PyBytes_AS_STRING(bytes), len);
+ if (ok == 0 || ok == 1)
+ return Py_BuildValue("NO", bytes, ok == 1 ? Py_True : Py_False);
+ }
+@@ -6176,10 +6192,10 @@ PyInit__ssl(void)
+ return NULL;
+
+ /* OpenSSL version */
+- /* SSLeay() gives us the version of the library linked against,
++ /* OpenSSL_version_num() gives us the version of the library linked against,
+ which could be different from the headers version.
+ */
+- libver = SSLeay();
++ libver = OpenSSL_version_num();
+ r = PyLong_FromUnsignedLong(libver);
+ if (r == NULL)
+ return NULL;
+@@ -6199,7 +6205,7 @@ PyInit__ssl(void)
+ r = Py_BuildValue("IIIII", major, minor, fix, patch, status);
+ if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION_INFO", r))
+ return NULL;
+- r = PyUnicode_FromString(SSLeay_version(SSLEAY_VERSION));
++ r = PyUnicode_FromString(OpenSSL_version(OPENSSL_VERSION));
+ if (r == NULL || PyModule_AddObject(m, "OPENSSL_VERSION", r))
+ return NULL;
+
git.99rst.org / openwrt-packages.git / commitdiff