Skip to content

Commit

Permalink
update python 3.12 and main patch
Browse files Browse the repository at this point in the history
  • Loading branch information
@samuel40791765
samuel40791765 committed Mar 21, 2024
1 parent 5ed7b42 commit 2dd43de
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 551 deletions.
286 changes: 15 additions & 271 deletions tests/ci/integration/python_patch/3.12/aws-lc-cpython.patch
View file
Original file line number Diff line number Diff line change
@@ -1,26 +1,5 @@
diff --git a/Lib/test/test_asyncio/test_events.py b/Lib/test/test_asyncio/test_events.py
index ddc45fd..f982bc2 100644
--- a/Lib/test/test_asyncio/test_events.py
+++ b/Lib/test/test_asyncio/test_events.py
@@ -1126,12 +1126,12 @@ def test_create_server_ssl_match_failed(self):
# incorrect server_hostname
f_c = self.loop.create_connection(MyProto, host, port,
ssl=sslcontext_client)
+ regex = "IP address mismatch, certificate is not valid for '127.0.0.1'"
+ if ssl is not None and "AWS-LC" in ssl.OPENSSL_VERSION:
+ regex = "CERTIFICATE_VERIFY_FAILED"
with mock.patch.object(self.loop, 'call_exception_handler'):
with test_utils.disable_logger():
- with self.assertRaisesRegex(
- ssl.CertificateError,
- "IP address mismatch, certificate is not valid for "
- "'127.0.0.1'"):
+ with self.assertRaisesRegex(ssl.CertificateError, regex):
self.loop.run_until_complete(f_c)

# close connection
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index 089bf5b..1713a5f 100644
index 6e63a88..7dc83d7 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -2066,7 +2066,7 @@ def test_host_port(self):
Expand All @@ -32,41 +11,8 @@ index 089bf5b..1713a5f 100644
self.skipTest('TLS 1.3 support required')
# just check status of PHA flag
h = client.HTTPSConnection('localhost', 443)
diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
index def9f45..d9aa621 100644
--- a/Lib/test/test_imaplib.py
+++ b/Lib/test/test_imaplib.py
@@ -558,9 +558,10 @@ def test_ssl_raises(self):
self.assertEqual(ssl_context.check_hostname, True)
ssl_context.load_verify_locations(CAFILE)

- with self.assertRaisesRegex(ssl.CertificateError,
- "IP address mismatch, certificate is not valid for "
- "'127.0.0.1'"):
+ regex = "IP address mismatch, certificate is not valid for '127.0.0.1'"
+ if ssl is not None and "AWS-LC" in ssl.OPENSSL_VERSION:
+ regex = "CERTIFICATE_VERIFY_FAILED"
+ with self.assertRaisesRegex(ssl.CertificateError, regex):
_, server = self._setup(SimpleIMAPHandler)
client = self.imap_class(*server.server_address,
ssl_context=ssl_context)
@@ -954,10 +955,10 @@ def test_ssl_verified(self):
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ssl_context.load_verify_locations(CAFILE)

- with self.assertRaisesRegex(
- ssl.CertificateError,
- "IP address mismatch, certificate is not valid for "
- "'127.0.0.1'"):
+ regex = "IP address mismatch, certificate is not valid for '127.0.0.1'"
+ if ssl is not None and "AWS-LC" in ssl.OPENSSL_VERSION:
+ regex = "CERTIFICATE_VERIFY_FAILED"
+ with self.assertRaisesRegex(ssl.CertificateError, regex):
with self.reaped_server(SimpleIMAPHandler) as server:
client = self.imap_class(*server.server_address,
ssl_context=ssl_context)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 330515a..6745875 100644
index f3960be..d13baa6 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -41,6 +41,7 @@
Expand All @@ -86,15 +32,6 @@ index 330515a..6745875 100644
def seclevel_workaround(*ctxs):
""""Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
for ctx in ctxs:
@@ -544,7 +545,7 @@ def test_openssl_version(self):
else:
openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}"
self.assertTrue(
- s.startswith((openssl_ver, libressl_ver)),
+ s.startswith((openssl_ver, libressl_ver, "AWS-LC")),
(s, t, hex(n))
)

@@ -1102,7 +1103,6 @@ def test_min_max_version(self):

if has_tls_protocol(ssl.PROTOCOL_TLSv1_1):
Expand All @@ -103,218 +40,25 @@ index 330515a..6745875 100644
self.assertIn(
ctx.minimum_version, minimum_range
)
@@ -1162,24 +1162,25 @@ def test_load_cert_chain(self):
with self.assertRaises(OSError) as cm:
ctx.load_cert_chain(NONEXISTINGCERT)
self.assertEqual(cm.exception.errno, errno.ENOENT)
- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
ctx.load_cert_chain(BADCERT)
- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
ctx.load_cert_chain(EMPTYCERT)
# Separate key and cert
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.load_cert_chain(ONLYCERT, ONLYKEY)
ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY)
ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY)
- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
ctx.load_cert_chain(ONLYCERT)
- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
ctx.load_cert_chain(ONLYKEY)
- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT)
# Mismatching key and cert
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
- with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"):
+ with self.assertRaisesRegex(ssl.SSLError,
+ "(key values mismatch|KEY_VALUES_MISMATCH)"):
ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY)
# Password protected key and cert
ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD)
@@ -1247,7 +1248,7 @@ def test_load_verify_locations(self):
with self.assertRaises(OSError) as cm:
ctx.load_verify_locations(NONEXISTINGCERT)
self.assertEqual(cm.exception.errno, errno.ENOENT)
- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"):
+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"):
ctx.load_verify_locations(BADCERT)
ctx.load_verify_locations(CERTFILE, CAPATH)
ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
@@ -1650,10 +1651,11 @@ def test_lib_reason(self):
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
with self.assertRaises(ssl.SSLError) as cm:
ctx.load_dh_params(CERTFILE)
- self.assertEqual(cm.exception.library, 'PEM')
- self.assertEqual(cm.exception.reason, 'NO_START_LINE')
+ if not Py_OPENSSL_IS_AWSLC:
+ self.assertEqual(cm.exception.library, 'PEM')
+ self.assertEqual(cm.exception.reason, 'NO_START_LINE')
s = str(cm.exception)
- self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s)
+ self.assertTrue("NO_START_LINE" in s, s)

def test_subclass(self):
# Check that the appropriate SSLError subclass is raised
@@ -1833,7 +1835,8 @@ def test_connect_fail(self):
s = test_wrap_socket(socket.socket(socket.AF_INET),
cert_reqs=ssl.CERT_REQUIRED)
self.addCleanup(s.close)
- self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
+ msg_re = "(certificate verify failed|CERTIFICATE_VERIFY_FAILED)"
+ self.assertRaisesRegex(ssl.SSLError, msg_re,
s.connect, self.server_addr)

def test_connect_ex(self):
@@ -1901,7 +1904,8 @@ def test_connect_with_context_fail(self):
server_hostname=SIGNED_CERTFILE_HOSTNAME
)
self.addCleanup(s.close)
- self.assertRaisesRegex(ssl.SSLError, "certificate verify failed",
+ msg_re = "(certificate verify failed|CERTIFICATE_VERIFY_FAILED)"
+ self.assertRaisesRegex(ssl.SSLError, msg_re,
s.connect, self.server_addr)

def test_connect_capath(self):
@@ -2118,14 +2122,14 @@ def test_bio_handshake(self):
self.assertIsNone(sslobj.version())
self.assertIsNone(sslobj.shared_ciphers())
self.assertRaises(ValueError, sslobj.getpeercert)
- if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
+ if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES and sslobj.version() != "TLSv1.3":
self.assertIsNone(sslobj.get_channel_binding('tls-unique'))
self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake)
self.assertTrue(sslobj.cipher())
self.assertIsNone(sslobj.shared_ciphers())
self.assertIsNotNone(sslobj.version())
self.assertTrue(sslobj.getpeercert())
- if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES:
+ if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES and sslobj.version() != "TLSv1.3":
self.assertTrue(sslobj.get_channel_binding('tls-unique'))
try:
self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap)
@@ -2849,11 +2853,11 @@ def test_crl_check(self):
client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF

server = ThreadedEchoServer(context=server_context, chatty=True)
+ msg_re = "(certificate verify failed|CERTIFICATE_VERIFY_FAILED)"
with server:
with client_context.wrap_socket(socket.socket(),
server_hostname=hostname) as s:
- with self.assertRaisesRegex(ssl.SSLError,
- "certificate verify failed"):
+ with self.assertRaisesRegex(ssl.SSLError, msg_re):
s.connect((HOST, server.port))

# now load a CRL file. The CRL file is signed by the CA.
@@ -2884,12 +2888,12 @@ def test_check_hostname(self):

# incorrect hostname should raise an exception
server = ThreadedEchoServer(context=server_context, chatty=True)
+ err_re = "(CERTIFICATE_VERIFY_FAILED|"
+ err_re += "Hostname mismatch, certificate is not valid for 'invalid'.)"
with server:
with client_context.wrap_socket(socket.socket(),
server_hostname="invalid") as s:
- with self.assertRaisesRegex(
- ssl.CertificateError,
- "Hostname mismatch, certificate is not valid for 'invalid'."):
+ with self.assertRaisesRegex(ssl.CertificateError, err_re):
s.connect((HOST, server.port))

# missing server_hostname arg should cause an exception, too
@@ -3083,7 +3087,7 @@ def test_wrong_cert_tls13(self):
s.connect((HOST, server.port))
with self.assertRaisesRegex(
ssl.SSLError,
- 'alert unknown ca|EOF occurred'
+ 'alert unknown ca|EOF occurred|TLSV1_ALERT_UNKNOWN_CA'
):
# TLS 1.3 perform client cert exchange after handshake
s.write(b'data')
@@ -3152,8 +3156,13 @@ def test_ssl_cert_verify_error(self):
self.assertIsInstance(e, ssl.SSLCertVerificationError)
self.assertEqual(e.verify_code, 20)
self.assertEqual(e.verify_message, msg)
+ if Py_OPENSSL_IS_AWSLC:
+ msg = "CERTIFICATE_VERIFY_FAILED"
self.assertIn(msg, repr(e))
- self.assertIn('certificate verify failed', repr(e))
+ expected_err = 'certificate verify failed'
+ if Py_OPENSSL_IS_AWSLC:
+ expected_err = "CERTIFICATE_VERIFY_FAILED"
+ self.assertIn(expected_err, repr(e))

def test_PROTOCOL_TLS(self):
"""Connecting to an SSLv23 server with various client options"""
@@ -3685,7 +3694,10 @@ def test_no_shared_ciphers(self):
server_hostname=hostname) as s:
with self.assertRaises(OSError):
s.connect((HOST, server.port))
- self.assertIn("no shared cipher", server.conn_errors[0])
+ expected_err = "no shared cipher"
+ if Py_OPENSSL_IS_AWSLC:
+ expected_err = "NO_SHARED_CIPHER"
+ self.assertIn(expected_err, server.conn_errors[0])

def test_version_basic(self):
"""
@@ -3773,7 +3785,10 @@ def test_min_max_version_mismatch(self):
server_hostname=hostname) as s:
with self.assertRaises(ssl.SSLError) as e:
s.connect((HOST, server.port))
- self.assertIn("alert", str(e.exception))
+ self.assertTrue(
+ "alert"in str(e.exception)
+ or "ALERT"in str(e.exception)
+ )

@requires_tls_version('SSLv3')
def test_min_max_version_sslv3(self):
@@ -3815,6 +3830,9 @@ def test_tls_unique_channel_binding(self):

client_context, server_context, hostname = testing_context()
@@ -3868,6 +3868,9 @@ def test_tls_unique_channel_binding(self):
# https://datatracker.ietf.org/doc/html/rfc8446#appendix-C.5
client_context.maximum_version = ssl.TLSVersion.TLSv1_2

+ # tls-unique isn't defined as of TLSv1.3
+ client_context.maximum_version = ssl.TLSVersion.TLSv1_2
+
server = ThreadedEchoServer(context=server_context,
chatty=True,
connectionchatty=False)
@@ -3901,6 +3919,7 @@ def test_no_legacy_server_connect(self):
@@ -3954,6 +3957,7 @@ def test_no_legacy_server_connect(self):
sni_name=hostname)

@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
+ @unittest.skipIf(Py_OPENSSL_IS_AWSLC, "AWS-LC doesn't support (FF)DHE")
def test_dh_params(self):
# Check we can get a connection with ephemeral Diffie-Hellman
client_context, server_context, hostname = testing_context()
@@ -3915,7 +3934,7 @@ def test_dh_params(self):
cipher = stats["cipher"][0]
parts = cipher.split("-")
if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
- self.fail("Non-DH cipher: " + cipher[0])
+ self.fail("Non-DH kx: " + parts[0])

def test_ecdh_curve(self):
# server secp384r1, client auto
@@ -4082,8 +4101,10 @@ def cb_raising(ssl_sock, server_name, initial_context):
chatty=False,
sni_name='supermessage')

- self.assertEqual(cm.exception.reason,
- 'SSLV3_ALERT_HANDSHAKE_FAILURE')
+ expected_reason = 'SSLV3_ALERT_HANDSHAKE_FAILURE'
+ if Py_OPENSSL_IS_AWSLC:
+ expected_reason = 'NO_PRIVATE_VALUE'
+ self.assertEqual(cm.exception.reason, expected_reason)
self.assertEqual(catch.unraisable.exc_type, ZeroDivisionError)

def test_sni_callback_wrong_return_type(self):
@@ -4259,7 +4280,10 @@ def test_session_handling(self):
@@ -4313,7 +4317,10 @@ def test_session_handling(self):
'Session refers to a different SSLContext.')


Expand All @@ -326,7 +70,7 @@ index 330515a..6745875 100644
class TestPostHandshakeAuth(unittest.TestCase):
def test_pha_setter(self):
protocols = [
@@ -4535,6 +4559,32 @@ def test_internal_chain_server(self):
@@ -4589,6 +4596,32 @@ def test_internal_chain_server(self):
self.assertEqual(res, b'\x02\n')


Expand Down Expand Up @@ -398,7 +142,7 @@ index af6d1b2..4b060b3 100644
};

diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index b602eb0..b9f6ed5 100644
index 5f1425a..d546ce7 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -182,6 +182,12 @@ extern const SSL_METHOD *TLSv1_2_method(void);
Expand Down Expand Up @@ -449,7 +193,7 @@ index b602eb0..b9f6ed5 100644
if (ret < 1)
return PySSL_SetError(self, ret, __FILE__, __LINE__);
if (PySSL_ChainExceptions(self) < 0)
@@ -2754,7 +2766,7 @@ static PyObject *
@@ -2754,7 +2761,7 @@ static PyObject *
_ssl__SSLSocket_verify_client_post_handshake_impl(PySSLSocket *self)
/*[clinic end generated code: output=532147f3b1341425 input=6bfa874810a3d889]*/
{
Expand All @@ -458,7 +202,7 @@ index b602eb0..b9f6ed5 100644
int err = SSL_verify_client_post_handshake(self->ssl);
if (err == 0)
return _setSSLError(get_state_sock(self), NULL, 0, __FILE__, __LINE__);
@@ -3182,7 +3194,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
@@ -3182,7 +3189,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
X509_VERIFY_PARAM_set_flags(params, X509_V_FLAG_TRUSTED_FIRST);
X509_VERIFY_PARAM_set_hostflags(params, self->hostflags);

Expand All @@ -467,7 +211,7 @@ index b602eb0..b9f6ed5 100644
self->post_handshake_auth = 0;
SSL_CTX_set_post_handshake_auth(self->ctx, self->post_handshake_auth);
#endif
@@ -3556,7 +3568,7 @@ set_maximum_version(PySSLContext *self, PyObject *arg, void *c)
@@ -3556,7 +3563,7 @@ set_maximum_version(PySSLContext *self, PyObject *arg, void *c)
return set_min_max_proto_version(self, arg, 1);
}

Expand All @@ -476,7 +220,7 @@ index b602eb0..b9f6ed5 100644
static PyObject *
get_num_tickets(PySSLContext *self, void *c)
{
@@ -3587,7 +3599,7 @@ set_num_tickets(PySSLContext *self, PyObject *arg, void *c)
@@ -3587,7 +3594,7 @@ set_num_tickets(PySSLContext *self, PyObject *arg, void *c)

PyDoc_STRVAR(PySSLContext_num_tickets_doc,
"Control the number of TLSv1.3 session tickets");
Expand All @@ -485,7 +229,7 @@ index b602eb0..b9f6ed5 100644

static PyObject *
get_security_level(PySSLContext *self, void *c)
@@ -3690,14 +3702,14 @@ set_check_hostname(PySSLContext *self, PyObject *arg, void *c)
@@ -3690,14 +3697,14 @@ set_check_hostname(PySSLContext *self, PyObject *arg, void *c)

static PyObject *
get_post_handshake_auth(PySSLContext *self, void *c) {
Expand All @@ -502,7 +246,7 @@ index b602eb0..b9f6ed5 100644
static int
set_post_handshake_auth(PySSLContext *self, PyObject *arg, void *c) {
if (arg == NULL) {
@@ -4652,14 +4664,14 @@ static PyGetSetDef context_getsetlist[] = {
@@ -4707,14 +4714,14 @@ static PyGetSetDef context_getsetlist[] = {
(setter) _PySSLContext_set_msg_callback, NULL},
{"sni_callback", (getter) get_sni_callback,
(setter) set_sni_callback, PySSLContext_sni_callback_doc},
Expand Down
Loading

0 comments on commit 2dd43de

Please sign in to comment.