From 1c776095ca9befe45f7b00e056acab4cb3d4087c Mon Sep 17 00:00:00 2001 From: WillChilds-Klein Date: Mon, 22 Jan 2024 16:54:50 +0000 Subject: [PATCH] Fix python main patch --- .../python_patch/main/aws-lc-cpython.patch | 49 +++++++++++++++++-- .../ci/integration/run_python_integration.sh | 3 +- 2 files changed, 46 insertions(+), 6 deletions(-) diff --git a/tests/ci/integration/python_patch/main/aws-lc-cpython.patch b/tests/ci/integration/python_patch/main/aws-lc-cpython.patch index 8dfa9c49e70..5bb8d22cff2 100644 --- a/tests/ci/integration/python_patch/main/aws-lc-cpython.patch +++ b/tests/ci/integration/python_patch/main/aws-lc-cpython.patch @@ -66,10 +66,10 @@ index b97474acca..f5980598c9 100644 client = self.imap_class(*server.server_address, ssl_context=ssl_context) diff --git a/Lib/test/test_site.py b/Lib/test/test_site.py -index 9f199d9069..e64184f296 100644 +index 0502181854..e23531f147 100644 --- a/Lib/test/test_site.py +++ b/Lib/test/test_site.py -@@ -510,6 +510,7 @@ def test_customization_modules_on_startup(self): +@@ -564,6 +564,7 @@ def test_customization_modules_on_startup(self): def test_license_exists_at_url(self): # This test is a bit fragile since it depends on the format of the # string displayed by license in the absence of a LICENSE file. @@ -78,7 +78,7 @@ index 9f199d9069..e64184f296 100644 req = urllib.request.Request(url, method='HEAD') # Reset global urllib.request._opener diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py -index 3fdfa29605..9192d09149 100644 +index 3fdfa29605..6f6fea7c36 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py @@ -41,6 +41,7 @@ 
@@ -338,6 +338,38 @@ index 3fdfa29605..9192d09149 100644 class TestPostHandshakeAuth(unittest.TestCase): def test_pha_setter(self): protocols = [ +@@ -4636,6 +4660,31 @@ def test_internal_chain_server(self): + self.assertEqual(res, b'\x02\n') + + ++@unittest.skipUnless(Py_OPENSSL_IS_AWSLC, "Only test this against AWS-LC") ++class TestPostHandshakeAuthAwsLc(unittest.TestCase): ++ def test_pha(self): ++ protocols = [ ++ ssl.PROTOCOL_TLS_SERVER, ssl.PROTOCOL_TLS_CLIENT ++ ] ++ for protocol in protocols: ++ client_ctx, server_ctx, hostname = testing_context() ++ client_ctx.load_cert_chain(SIGNED_CERTFILE) ++ self.assertEqual(client_ctx.post_handshake_auth, None) ++ with self.assertRaises(AttributeError): ++ client_ctx.post_handshake_auth = True ++ with self.assertRaises(AttributeError): ++ server_ctx.post_handshake_auth = True ++ ++ with ThreadedEchoServer(context=server_ctx) as server: ++ with client_ctx.wrap_socket( ++ socket.socket(), ++ server_hostname=hostname ++ ) as ssock: ++ ssock.connect((HOST, server.port)) ++ with self.assertRaises(NotImplementedError): ++ ssock.verify_client_post_handshake() ++ ++ + HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename') + requires_keylog = unittest.skipUnless( + HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback') diff --git a/Modules/Setup b/Modules/Setup index 8ad9a5aebb..6138085c61 100644 --- a/Modules/Setup @@ -377,7 +409,7 @@ index 0e230f332f..390d6e0ed9 100644 }; diff --git a/Modules/_ssl.c b/Modules/_ssl.c -index 04c9f7daad..e3a2c88b19 100644 +index bc30290942..e0e59b97e5 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -187,6 +187,13 @@ extern const SSL_METHOD *TLSv1_2_method(void); 
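Review bot: In the new `test_pha`, the loop variable `protocol` is never used — `testing_context()` is called with no arguments — so the body runs twice against identical contexts and the `protocols` list asserts nothing per protocol. If the intent mirrors the neighbouring `test_pha_setter` (whose body is outside this view), thread the protocol into the context construction, which presumably means `testing_context` must accept it; otherwise drop the `protocols` list and the `for`, and dedent the body. Independently, `self.assertEqual(client_ctx.post_handshake_auth, None)` reports failures better as `self.assertIsNone(client_ctx.post_handshake_auth)`. A one-line docstring on the class, such as `"""With AWS-LC, post_handshake_auth reads as None, cannot be set, and verify_client_post_handshake() raises NotImplementedError."""`, would state what the new class pins down.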
@@ -451,6 +483,15 @@ index 04c9f7daad..e3a2c88b19 100644 int err = SSL_verify_client_post_handshake(self->ssl); if (err == 0) return _setSSLError(get_state_sock(self), NULL, 0, __FILE__, __LINE__); +@@ -3203,7 +3216,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) + + /* Set SSL_MODE_RELEASE_BUFFERS. This potentially greatly reduces memory + usage for no cost at all. */ +- SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS); ++ SSL_CTX_set_mode(self->ctx, SSL_MODE_RELEASE_BUFFERS | SSL_MODE_AUTO_RETRY); + + params = SSL_CTX_get0_param(self->ctx); + /* Improve trust chain building when cross-signed intermediate @@ -3211,7 +3224,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) X509_VERIFY_PARAM_set_flags(params, X509_V_FLAG_TRUSTED_FIRST); X509_VERIFY_PARAM_set_hostflags(params, self->hostflags); diff --git a/tests/ci/integration/run_python_integration.sh b/tests/ci/integration/run_python_integration.sh index 99a7bb65b35..633e7ea40e4 100755 --- a/tests/ci/integration/run_python_integration.sh +++ b/tests/ci/integration/run_python_integration.sh @@ -107,8 +107,7 @@ echo 0 >/proc/sys/net/ipv6/conf/all/disable_ipv6 || /bin/true # NOTE: cpython keeps a unique branch per version, add version branches here # TODO: As we add more versions to support, we may want to parallelize here -for branch in 3.10 3.11 3.12; do -#for branch in 3.10 3.11 3.12 main; do +for branch in 3.10 3.11 3.12 main; do python_patch ${branch} python_build ${branch} python_run_tests ${branch}
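Review bot: The comment above the changed `SSL_CTX_set_mode` call still explains only `SSL_MODE_RELEASE_BUFFERS`, so the reason `SSL_MODE_AUTO_RETRY` is now OR-ed in is undocumented, and as far as the hunk shows the change is unconditional rather than limited to AWS-LC builds. `SSL_MODE_AUTO_RETRY` makes `SSL_read`/`SSL_write` complete a mid-stream retry internally on a blocking transport instead of returning `SSL_ERROR_WANT_READ`/`SSL_ERROR_WANT_WRITE`, which presumably interacts with the retry and timeout handling `_ssl.c` already does around those calls — worth confirming that sockets with no timeout keep their current semantics. Please extend the comment, e.g. `/* Set SSL_MODE_RELEASE_BUFFERS (reduces memory usage at no cost) and SSL_MODE_AUTO_RETRY, so a retry triggered inside SSL_read/SSL_write on a blocking transport is completed by the library rather than surfacing as WANT_READ/WANT_WRITE. */`, and, if AWS-LC is the motivation, consider guarding the extra flag with the AWS-LC detection this patch adds to `_ssl.c` in the `@@ -187` hunk, whose body is outside this view. `_ssl__SSLContext_impl` begins and ends outside the hunk.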