From 2dd43dea652e0efa6b0ebe43f778b8bf308ef2a9 Mon Sep 17 00:00:00 2001
From: samuel40791765
Date: Thu, 21 Mar 2024 21:32:32 +0000
Subject: [PATCH] update python 3.12 and main patch

---
 .../python_patch/3.12/aws-lc-cpython.patch | 286 +---------------
 .../python_patch/main/aws-lc-cpython.patch | 304 ++----------------
 2 files changed, 39 insertions(+), 551 deletions(-)

diff --git a/tests/ci/integration/python_patch/3.12/aws-lc-cpython.patch b/tests/ci/integration/python_patch/3.12/aws-lc-cpython.patch
index 433d7083731..93cf1c1ecbc 100644
--- a/tests/ci/integration/python_patch/3.12/aws-lc-cpython.patch
+++ b/tests/ci/integration/python_patch/3.12/aws-lc-cpython.patch
@@ -1,26 +1,5 @@
-diff --git a/Lib/test/test_asyncio/test_events.py b/Lib/test/test_asyncio/test_events.py
-index ddc45fd..f982bc2 100644
---- a/Lib/test/test_asyncio/test_events.py
-+++ b/Lib/test/test_asyncio/test_events.py
-@@ -1126,12 +1126,12 @@ def test_create_server_ssl_match_failed(self):
- # incorrect server_hostname
- f_c = self.loop.create_connection(MyProto, host, port,
- ssl=sslcontext_client)
-+ regex = "IP address mismatch, certificate is not valid for '127.0.0.1'"
-+ if ssl is not None and "AWS-LC" in ssl.OPENSSL_VERSION:
-+ regex = "CERTIFICATE_VERIFY_FAILED"
- with mock.patch.object(self.loop, 'call_exception_handler'):
- with test_utils.disable_logger():
-- with self.assertRaisesRegex(
-- ssl.CertificateError,
-- "IP address mismatch, certificate is not valid for "
-- "'127.0.0.1'"):
-+ with self.assertRaisesRegex(ssl.CertificateError, regex):
- self.loop.run_until_complete(f_c)
-
- # close connection
 diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
-index 089bf5b..1713a5f 100644
+index 6e63a88..7dc83d7 100644
 --- a/Lib/test/test_httplib.py
 +++ b/Lib/test/test_httplib.py
 @@ -2066,7 +2066,7 @@ def test_host_port(self):
@@ -32,41 +11,8 @@ index 089bf5b..1713a5f 100644
 self.skipTest('TLS 1.3 support required')
 # just check status of PHA flag
 h = client.HTTPSConnection('localhost', 443)
-diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py
-index def9f45..d9aa621 100644
---- a/Lib/test/test_imaplib.py
-+++ b/Lib/test/test_imaplib.py
-@@ -558,9 +558,10 @@ def test_ssl_raises(self):
- self.assertEqual(ssl_context.check_hostname, True)
- ssl_context.load_verify_locations(CAFILE)
-
-- with self.assertRaisesRegex(ssl.CertificateError,
-- "IP address mismatch, certificate is not valid for "
-- "'127.0.0.1'"):
-+ regex = "IP address mismatch, certificate is not valid for '127.0.0.1'"
-+ if ssl is not None and "AWS-LC" in ssl.OPENSSL_VERSION:
-+ regex = "CERTIFICATE_VERIFY_FAILED"
-+ with self.assertRaisesRegex(ssl.CertificateError, regex):
- _, server = self._setup(SimpleIMAPHandler)
- client = self.imap_class(*server.server_address,
- ssl_context=ssl_context)
-@@ -954,10 +955,10 @@ def test_ssl_verified(self):
- ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
- ssl_context.load_verify_locations(CAFILE)
-
-- with self.assertRaisesRegex(
-- ssl.CertificateError,
-- "IP address mismatch, certificate is not valid for "
-- "'127.0.0.1'"):
-+ regex = "IP address mismatch, certificate is not valid for '127.0.0.1'"
-+ if ssl is not None and "AWS-LC" in ssl.OPENSSL_VERSION:
-+ regex = "CERTIFICATE_VERIFY_FAILED"
-+ with self.assertRaisesRegex(ssl.CertificateError, regex):
- with self.reaped_server(SimpleIMAPHandler) as server:
- client = self.imap_class(*server.server_address,
- ssl_context=ssl_context)
 diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index 330515a..6745875 100644
+index f3960be..d13baa6 100644
 --- a/Lib/test/test_ssl.py
 +++ b/Lib/test/test_ssl.py
 @@ -41,6 +41,7 @@
@@ -86,15 +32,6 @@ index 330515a..6745875 100644 def seclevel_workaround(*ctxs): """"Lower security level to '1' and allow all ciphers for TLS 1.0/1""" for ctx in ctxs: -@@ -544,7 +545,7 @@ def test_openssl_version(self): - else: - openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}" - self.assertTrue( -- s.startswith((openssl_ver, libressl_ver)), -+ s.startswith((openssl_ver, libressl_ver, "AWS-LC")), - (s, t, hex(n)) - ) - @@ -1102,7 +1103,6 @@ def test_min_max_version(self): if has_tls_protocol(ssl.PROTOCOL_TLSv1_1): 
@@ -103,180 +40,9 @@ index 330515a..6745875 100644 self.assertIn( ctx.minimum_version, minimum_range ) -@@ -1162,24 +1162,25 @@ def test_load_cert_chain(self): - with self.assertRaises(OSError) as cm: - ctx.load_cert_chain(NONEXISTINGCERT) - self.assertEqual(cm.exception.errno, errno.ENOENT) -- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"): -+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"): - ctx.load_cert_chain(BADCERT) -- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"): -+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"): - ctx.load_cert_chain(EMPTYCERT) - # Separate key and cert - ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) - ctx.load_cert_chain(ONLYCERT, ONLYKEY) - ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY) - ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY) -- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"): -+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"): - ctx.load_cert_chain(ONLYCERT) -- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"): -+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"): - ctx.load_cert_chain(ONLYKEY) -- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"): -+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"): - ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT) - # Mismatching key and cert - ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) -- with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"): -+ with self.assertRaisesRegex(ssl.SSLError, -+ "(key values mismatch|KEY_VALUES_MISMATCH)"): - ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY) - # Password protected key and cert - ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD) -@@ -1247,7 +1248,7 @@ def test_load_verify_locations(self): - with self.assertRaises(OSError) as cm: - ctx.load_verify_locations(NONEXISTINGCERT) - self.assertEqual(cm.exception.errno, errno.ENOENT) -- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"): -+ with 
self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"): - ctx.load_verify_locations(BADCERT) - ctx.load_verify_locations(CERTFILE, CAPATH) - ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH) -@@ -1650,10 +1651,11 @@ def test_lib_reason(self): - ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) - with self.assertRaises(ssl.SSLError) as cm: - ctx.load_dh_params(CERTFILE) -- self.assertEqual(cm.exception.library, 'PEM') -- self.assertEqual(cm.exception.reason, 'NO_START_LINE') -+ if not Py_OPENSSL_IS_AWSLC: -+ self.assertEqual(cm.exception.library, 'PEM') -+ self.assertEqual(cm.exception.reason, 'NO_START_LINE') - s = str(cm.exception) -- self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s) -+ self.assertTrue("NO_START_LINE" in s, s) - - def test_subclass(self): - # Check that the appropriate SSLError subclass is raised -@@ -1833,7 +1835,8 @@ def test_connect_fail(self): - s = test_wrap_socket(socket.socket(socket.AF_INET), - cert_reqs=ssl.CERT_REQUIRED) - self.addCleanup(s.close) -- self.assertRaisesRegex(ssl.SSLError, "certificate verify failed", -+ msg_re = "(certificate verify failed|CERTIFICATE_VERIFY_FAILED)" -+ self.assertRaisesRegex(ssl.SSLError, msg_re, - s.connect, self.server_addr) - - def test_connect_ex(self): -@@ -1901,7 +1904,8 @@ def test_connect_with_context_fail(self): - server_hostname=SIGNED_CERTFILE_HOSTNAME - ) - self.addCleanup(s.close) -- self.assertRaisesRegex(ssl.SSLError, "certificate verify failed", -+ msg_re = "(certificate verify failed|CERTIFICATE_VERIFY_FAILED)" -+ self.assertRaisesRegex(ssl.SSLError, msg_re, - s.connect, self.server_addr) - - def test_connect_capath(self): -@@ -2118,14 +2122,14 @@ def test_bio_handshake(self): - self.assertIsNone(sslobj.version()) - self.assertIsNone(sslobj.shared_ciphers()) - self.assertRaises(ValueError, sslobj.getpeercert) -- if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES: -+ if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES and sslobj.version() != "TLSv1.3": - 
self.assertIsNone(sslobj.get_channel_binding('tls-unique')) - self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake) - self.assertTrue(sslobj.cipher()) - self.assertIsNone(sslobj.shared_ciphers()) - self.assertIsNotNone(sslobj.version()) - self.assertTrue(sslobj.getpeercert()) -- if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES: -+ if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES and sslobj.version() != "TLSv1.3": - self.assertTrue(sslobj.get_channel_binding('tls-unique')) - try: - self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap) -@@ -2849,11 +2853,11 @@ def test_crl_check(self): - client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF - - server = ThreadedEchoServer(context=server_context, chatty=True) -+ msg_re = "(certificate verify failed|CERTIFICATE_VERIFY_FAILED)" - with server: - with client_context.wrap_socket(socket.socket(), - server_hostname=hostname) as s: -- with self.assertRaisesRegex(ssl.SSLError, -- "certificate verify failed"): -+ with self.assertRaisesRegex(ssl.SSLError, msg_re): - s.connect((HOST, server.port)) - - # now load a CRL file. The CRL file is signed by the CA. 
-@@ -2884,12 +2888,12 @@ def test_check_hostname(self): - - # incorrect hostname should raise an exception - server = ThreadedEchoServer(context=server_context, chatty=True) -+ err_re = "(CERTIFICATE_VERIFY_FAILED|" -+ err_re += "Hostname mismatch, certificate is not valid for 'invalid'.)" - with server: - with client_context.wrap_socket(socket.socket(), - server_hostname="invalid") as s: -- with self.assertRaisesRegex( -- ssl.CertificateError, -- "Hostname mismatch, certificate is not valid for 'invalid'."): -+ with self.assertRaisesRegex(ssl.CertificateError, err_re): - s.connect((HOST, server.port)) - - # missing server_hostname arg should cause an exception, too -@@ -3083,7 +3087,7 @@ def test_wrong_cert_tls13(self): - s.connect((HOST, server.port)) - with self.assertRaisesRegex( - ssl.SSLError, -- 'alert unknown ca|EOF occurred' -+ 'alert unknown ca|EOF occurred|TLSV1_ALERT_UNKNOWN_CA' - ): - # TLS 1.3 perform client cert exchange after handshake - s.write(b'data') -@@ -3152,8 +3156,13 @@ def test_ssl_cert_verify_error(self): - self.assertIsInstance(e, ssl.SSLCertVerificationError) - self.assertEqual(e.verify_code, 20) - self.assertEqual(e.verify_message, msg) -+ if Py_OPENSSL_IS_AWSLC: -+ msg = "CERTIFICATE_VERIFY_FAILED" - self.assertIn(msg, repr(e)) -- self.assertIn('certificate verify failed', repr(e)) -+ expected_err = 'certificate verify failed' -+ if Py_OPENSSL_IS_AWSLC: -+ expected_err = "CERTIFICATE_VERIFY_FAILED" -+ self.assertIn(expected_err, repr(e)) - - def test_PROTOCOL_TLS(self): - """Connecting to an SSLv23 server with various client options""" -@@ -3685,7 +3694,10 @@ def test_no_shared_ciphers(self): - server_hostname=hostname) as s: - with self.assertRaises(OSError): - s.connect((HOST, server.port)) -- self.assertIn("no shared cipher", server.conn_errors[0]) -+ expected_err = "no shared cipher" -+ if Py_OPENSSL_IS_AWSLC: -+ expected_err = "NO_SHARED_CIPHER" -+ self.assertIn(expected_err, server.conn_errors[0]) - - def 
test_version_basic(self): - """ -@@ -3773,7 +3785,10 @@ def test_min_max_version_mismatch(self): - server_hostname=hostname) as s: - with self.assertRaises(ssl.SSLError) as e: - s.connect((HOST, server.port)) -- self.assertIn("alert", str(e.exception)) -+ self.assertTrue( -+ "alert"in str(e.exception) -+ or "ALERT"in str(e.exception) -+ ) - - @requires_tls_version('SSLv3') - def test_min_max_version_sslv3(self): -@@ -3815,6 +3830,9 @@ def test_tls_unique_channel_binding(self): - - client_context, server_context, hostname = testing_context() +@@ -3868,6 +3868,9 @@ def test_tls_unique_channel_binding(self): + # https://datatracker.ietf.org/doc/html/rfc8446#appendix-C.5 + client_context.maximum_version = ssl.TLSVersion.TLSv1_2 + # tls-unique isn't defined as of TLSv1.3 + client_context.maximum_version = ssl.TLSVersion.TLSv1_2 @@ -284,7 +50,7 @@ index 330515a..6745875 100644 server = ThreadedEchoServer(context=server_context, chatty=True, connectionchatty=False) -@@ -3901,6 +3919,7 @@ def test_no_legacy_server_connect(self): +@@ -3954,6 +3957,7 @@ def test_no_legacy_server_connect(self): sni_name=hostname) @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows") 
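Review bot: The re-based inner hunk for `test_tls_unique_channel_binding` (new header `+@@ -3868,6 +3868,9 @@`) keeps adding `client_context.maximum_version = ssl.TLSVersion.TLSv1_2` immediately below an upstream context line, added by this commit, that already sets the same value, so the patched test ends up assigning it twice. The duplicate is harmless since the value is identical, but the `# tls-unique isn't defined as of TLSv1.3` comment and the repeated assignment look obsolete now that upstream pins TLS 1.2 itself, and the whole inner hunk could be dropped from the patch file instead of re-based; the third line that inner hunk adds is outside this chunk, so I cannot confirm whether it is still needed. The enclosing outer hunk `@@ -103,180 +40,9 @@` starts earlier in this chunk. The main-branch patch file carries the same re-based hunk (`+@@ -3911,6 +3911,9 @@`) and the same remark applies there.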
@@ -292,29 +58,7 @@ index 330515a..6745875 100644 def test_dh_params(self): # Check we can get a connection with ephemeral Diffie-Hellman client_context, server_context, hostname = testing_context() -@@ -3915,7 +3934,7 @@ def test_dh_params(self): - cipher = stats["cipher"][0] - parts = cipher.split("-") - if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts: -- self.fail("Non-DH cipher: " + cipher[0]) -+ self.fail("Non-DH kx: " + parts[0]) - - def test_ecdh_curve(self): - # server secp384r1, client auto -@@ -4082,8 +4101,10 @@ def cb_raising(ssl_sock, server_name, initial_context): - chatty=False, - sni_name='supermessage') - -- self.assertEqual(cm.exception.reason, -- 'SSLV3_ALERT_HANDSHAKE_FAILURE') -+ expected_reason = 'SSLV3_ALERT_HANDSHAKE_FAILURE' -+ if Py_OPENSSL_IS_AWSLC: -+ expected_reason = 'NO_PRIVATE_VALUE' -+ self.assertEqual(cm.exception.reason, expected_reason) - self.assertEqual(catch.unraisable.exc_type, ZeroDivisionError) - - def test_sni_callback_wrong_return_type(self): -@@ -4259,7 +4280,10 @@ def test_session_handling(self): +@@ -4313,7 +4317,10 @@ def test_session_handling(self): 'Session refers to a different SSLContext.') @@ -326,7 +70,7 @@ index 330515a..6745875 100644 class TestPostHandshakeAuth(unittest.TestCase): def test_pha_setter(self): protocols = [ -@@ -4535,6 +4559,32 @@ def test_internal_chain_server(self): +@@ -4589,6 +4596,32 @@ def test_internal_chain_server(self): self.assertEqual(res, b'\x02\n') @@ -398,7 +142,7 @@ index af6d1b2..4b060b3 100644 }; diff --git a/Modules/_ssl.c b/Modules/_ssl.c -index b602eb0..b9f6ed5 100644 +index 5f1425a..d546ce7 100644 --- a/Modules/_ssl.c +++ b/Modules/_ssl.c @@ -182,6 +182,12 @@ extern const SSL_METHOD *TLSv1_2_method(void); 
@@ -449,7 +193,7 @@ index b602eb0..b9f6ed5 100644 if (ret < 1) return PySSL_SetError(self, ret, __FILE__, __LINE__); if (PySSL_ChainExceptions(self) < 0) -@@ -2754,7 +2766,7 @@ static PyObject * +@@ -2754,7 +2761,7 @@ static PyObject * _ssl__SSLSocket_verify_client_post_handshake_impl(PySSLSocket *self) /*[clinic end generated code: output=532147f3b1341425 input=6bfa874810a3d889]*/ { @@ -458,7 +202,7 @@ index b602eb0..b9f6ed5 100644 int err = SSL_verify_client_post_handshake(self->ssl); if (err == 0) return _setSSLError(get_state_sock(self), NULL, 0, __FILE__, __LINE__); -@@ -3182,7 +3194,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) +@@ -3182,7 +3189,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) X509_VERIFY_PARAM_set_flags(params, X509_V_FLAG_TRUSTED_FIRST); X509_VERIFY_PARAM_set_hostflags(params, self->hostflags); @@ -467,7 +211,7 @@ index b602eb0..b9f6ed5 100644 self->post_handshake_auth = 0; SSL_CTX_set_post_handshake_auth(self->ctx, self->post_handshake_auth); #endif -@@ -3556,7 +3568,7 @@ set_maximum_version(PySSLContext *self, PyObject *arg, void *c) +@@ -3556,7 +3563,7 @@ set_maximum_version(PySSLContext *self, PyObject *arg, void *c) return set_min_max_proto_version(self, arg, 1); } @@ -476,7 +220,7 @@ index b602eb0..b9f6ed5 100644 static PyObject * get_num_tickets(PySSLContext *self, void *c) { -@@ -3587,7 +3599,7 @@ set_num_tickets(PySSLContext *self, PyObject *arg, void *c) +@@ -3587,7 +3594,7 @@ set_num_tickets(PySSLContext *self, PyObject *arg, void *c) PyDoc_STRVAR(PySSLContext_num_tickets_doc, "Control the number of TLSv1.3 session tickets"); @@ -485,7 +229,7 @@ index b602eb0..b9f6ed5 100644 static PyObject * get_security_level(PySSLContext *self, void *c) -@@ -3690,14 +3702,14 @@ set_check_hostname(PySSLContext *self, PyObject *arg, void *c) +@@ -3690,14 +3697,14 @@ set_check_hostname(PySSLContext *self, PyObject *arg, void *c) static PyObject * get_post_handshake_auth(PySSLContext *self, void *c) { 
@@ -502,7 +246,7 @@ index b602eb0..b9f6ed5 100644 static int set_post_handshake_auth(PySSLContext *self, PyObject *arg, void *c) { if (arg == NULL) { -@@ -4652,14 +4664,14 @@ static PyGetSetDef context_getsetlist[] = { +@@ -4707,14 +4714,14 @@ static PyGetSetDef context_getsetlist[] = { (setter) _PySSLContext_set_msg_callback, NULL}, {"sni_callback", (getter) get_sni_callback, (setter) set_sni_callback, PySSLContext_sni_callback_doc}, diff --git a/tests/ci/integration/python_patch/main/aws-lc-cpython.patch b/tests/ci/integration/python_patch/main/aws-lc-cpython.patch index 964bf7dcf1b..8557eaaef28 100644 --- a/tests/ci/integration/python_patch/main/aws-lc-cpython.patch +++ b/tests/ci/integration/python_patch/main/aws-lc-cpython.patch @@ -1,26 +1,5 @@ -diff --git a/Lib/test/test_asyncio/test_events.py b/Lib/test/test_asyncio/test_events.py -index b25c097..8f07868 100644 ---- a/Lib/test/test_asyncio/test_events.py -+++ b/Lib/test/test_asyncio/test_events.py -@@ -1125,12 +1125,12 @@ def test_create_server_ssl_match_failed(self): - # incorrect server_hostname - f_c = self.loop.create_connection(MyProto, host, port, - ssl=sslcontext_client) -+ regex = "IP address mismatch, certificate is not valid for '127.0.0.1'" -+ if ssl is not None and "AWS-LC" in ssl.OPENSSL_VERSION: -+ regex = "CERTIFICATE_VERIFY_FAILED" - with mock.patch.object(self.loop, 'call_exception_handler'): - with test_utils.disable_logger(): -- with self.assertRaisesRegex( -- ssl.CertificateError, -- "IP address mismatch, certificate is not valid for " -- "'127.0.0.1'"): -+ with self.assertRaisesRegex(ssl.CertificateError, regex): - self.loop.run_until_complete(f_c) - - # close connection diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py -index 089bf5b..1713a5f 100644 +index 6e63a88..7dc83d7 100644 --- a/Lib/test/test_httplib.py +++ b/Lib/test/test_httplib.py @@ -2066,7 +2066,7 @@ def test_host_port(self): 
@@ -32,52 +11,19 @@ index 089bf5b..1713a5f 100644 self.skipTest('TLS 1.3 support required') # just check status of PHA flag h = client.HTTPSConnection('localhost', 443) -diff --git a/Lib/test/test_imaplib.py b/Lib/test/test_imaplib.py -index b97474a..f598059 100644 ---- a/Lib/test/test_imaplib.py -+++ b/Lib/test/test_imaplib.py -@@ -558,9 +558,10 @@ def test_ssl_raises(self): - self.assertEqual(ssl_context.check_hostname, True) - ssl_context.load_verify_locations(CAFILE) - -- with self.assertRaisesRegex(ssl.CertificateError, -- "IP address mismatch, certificate is not valid for " -- "'127.0.0.1'"): -+ regex = "IP address mismatch, certificate is not valid for '127.0.0.1'" -+ if ssl is not None and "AWS-LC" in ssl.OPENSSL_VERSION: -+ regex = "CERTIFICATE_VERIFY_FAILED" -+ with self.assertRaisesRegex(ssl.CertificateError, regex): - _, server = self._setup(SimpleIMAPHandler) - client = self.imap_class(*server.server_address, - ssl_context=ssl_context) -@@ -954,10 +955,10 @@ def test_ssl_verified(self): - ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) - ssl_context.load_verify_locations(CAFILE) - -- with self.assertRaisesRegex( -- ssl.CertificateError, -- "IP address mismatch, certificate is not valid for " -- "'127.0.0.1'"): -+ regex = "IP address mismatch, certificate is not valid for '127.0.0.1'" -+ if ssl is not None and "AWS-LC" in ssl.OPENSSL_VERSION: -+ regex = "CERTIFICATE_VERIFY_FAILED" -+ with self.assertRaisesRegex(ssl.CertificateError, regex): - with self.reaped_server(SimpleIMAPHandler) as server: - client = self.imap_class(*server.server_address, - ssl_context=ssl_context) diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py -index 3fdfa29..6f6fea7 100644 +index 3fa806d..0906ca7 100644 --- a/Lib/test/test_ssl.py +++ b/Lib/test/test_ssl.py 
@@ -41,6 +41,7 @@ - from ssl import TLSVersion, _TLSContentType, _TLSMessageType, _TLSAlertType + from ssl import Purpose, TLSVersion, _TLSContentType, _TLSMessageType, _TLSAlertType Py_DEBUG_WIN32 = support.Py_DEBUG and sys.platform == 'win32' +Py_OPENSSL_IS_AWSLC = "AWS-LC" in ssl.OPENSSL_VERSION PROTOCOLS = sorted(ssl._PROTOCOL_NAMES) HOST = socket_helper.HOST -@@ -167,7 +168,7 @@ def is_ubuntu(): +@@ -174,7 +175,7 @@ def is_ubuntu(): except FileNotFoundError: return False @@ -86,16 +32,7 @@ index 3fdfa29..6f6fea7 100644 def seclevel_workaround(*ctxs): """"Lower security level to '1' and allow all ciphers for TLS 1.0/1""" for ctx in ctxs: -@@ -544,7 +545,7 @@ def test_openssl_version(self): - else: - openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}" - self.assertTrue( -- s.startswith((openssl_ver, libressl_ver)), -+ s.startswith((openssl_ver, libressl_ver, "AWS-LC")), - (s, t, hex(n)) - ) - -@@ -1102,7 +1103,6 @@ def test_min_max_version(self): +@@ -1109,7 +1110,6 @@ def test_min_max_version(self): if has_tls_protocol(ssl.PROTOCOL_TLSv1_1): ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1) 
@@ -103,180 +40,9 @@ index 3fdfa29..6f6fea7 100644 self.assertIn( ctx.minimum_version, minimum_range ) -@@ -1162,24 +1162,25 @@ def test_load_cert_chain(self): - with self.assertRaises(OSError) as cm: - ctx.load_cert_chain(NONEXISTINGCERT) - self.assertEqual(cm.exception.errno, errno.ENOENT) -- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"): -+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"): - ctx.load_cert_chain(BADCERT) -- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"): -+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"): - ctx.load_cert_chain(EMPTYCERT) - # Separate key and cert - ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) - ctx.load_cert_chain(ONLYCERT, ONLYKEY) - ctx.load_cert_chain(certfile=ONLYCERT, keyfile=ONLYKEY) - ctx.load_cert_chain(certfile=BYTES_ONLYCERT, keyfile=BYTES_ONLYKEY) -- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"): -+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"): - ctx.load_cert_chain(ONLYCERT) -- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"): -+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"): - ctx.load_cert_chain(ONLYKEY) -- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"): -+ with self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"): - ctx.load_cert_chain(certfile=ONLYKEY, keyfile=ONLYCERT) - # Mismatching key and cert - ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) -- with self.assertRaisesRegex(ssl.SSLError, "key values mismatch"): -+ with self.assertRaisesRegex(ssl.SSLError, -+ "(key values mismatch|KEY_VALUES_MISMATCH)"): - ctx.load_cert_chain(CAFILE_CACERT, ONLYKEY) - # Password protected key and cert - ctx.load_cert_chain(CERTFILE_PROTECTED, password=KEY_PASSWORD) -@@ -1247,7 +1248,7 @@ def test_load_verify_locations(self): - with self.assertRaises(OSError) as cm: - ctx.load_verify_locations(NONEXISTINGCERT) - self.assertEqual(cm.exception.errno, errno.ENOENT) -- with self.assertRaisesRegex(ssl.SSLError, "PEM lib"): -+ with 
self.assertRaisesRegex(ssl.SSLError, "PEM (lib|routines)"): - ctx.load_verify_locations(BADCERT) - ctx.load_verify_locations(CERTFILE, CAPATH) - ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH) -@@ -1650,10 +1651,11 @@ def test_lib_reason(self): - ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) - with self.assertRaises(ssl.SSLError) as cm: - ctx.load_dh_params(CERTFILE) -- self.assertEqual(cm.exception.library, 'PEM') -- self.assertEqual(cm.exception.reason, 'NO_START_LINE') -+ if not Py_OPENSSL_IS_AWSLC: -+ self.assertEqual(cm.exception.library, 'PEM') -+ self.assertEqual(cm.exception.reason, 'NO_START_LINE') - s = str(cm.exception) -- self.assertTrue(s.startswith("[PEM: NO_START_LINE] no start line"), s) -+ self.assertTrue("NO_START_LINE" in s, s) - - def test_subclass(self): - # Check that the appropriate SSLError subclass is raised -@@ -1833,7 +1835,8 @@ def test_connect_fail(self): - s = test_wrap_socket(socket.socket(socket.AF_INET), - cert_reqs=ssl.CERT_REQUIRED) - self.addCleanup(s.close) -- self.assertRaisesRegex(ssl.SSLError, "certificate verify failed", -+ msg_re = "(certificate verify failed|CERTIFICATE_VERIFY_FAILED)" -+ self.assertRaisesRegex(ssl.SSLError, msg_re, - s.connect, self.server_addr) - - def test_connect_ex(self): -@@ -1901,7 +1904,8 @@ def test_connect_with_context_fail(self): - server_hostname=SIGNED_CERTFILE_HOSTNAME - ) - self.addCleanup(s.close) -- self.assertRaisesRegex(ssl.SSLError, "certificate verify failed", -+ msg_re = "(certificate verify failed|CERTIFICATE_VERIFY_FAILED)" -+ self.assertRaisesRegex(ssl.SSLError, msg_re, - s.connect, self.server_addr) - - def test_connect_capath(self): -@@ -2118,14 +2122,14 @@ def test_bio_handshake(self): - self.assertIsNone(sslobj.version()) - self.assertIsNone(sslobj.shared_ciphers()) - self.assertRaises(ValueError, sslobj.getpeercert) -- if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES: -+ if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES and sslobj.version() != "TLSv1.3": - 
self.assertIsNone(sslobj.get_channel_binding('tls-unique')) - self.ssl_io_loop(sock, incoming, outgoing, sslobj.do_handshake) - self.assertTrue(sslobj.cipher()) - self.assertIsNone(sslobj.shared_ciphers()) - self.assertIsNotNone(sslobj.version()) - self.assertTrue(sslobj.getpeercert()) -- if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES: -+ if 'tls-unique' in ssl.CHANNEL_BINDING_TYPES and sslobj.version() != "TLSv1.3": - self.assertTrue(sslobj.get_channel_binding('tls-unique')) - try: - self.ssl_io_loop(sock, incoming, outgoing, sslobj.unwrap) -@@ -2849,11 +2853,11 @@ def test_crl_check(self): - client_context.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF - - server = ThreadedEchoServer(context=server_context, chatty=True) -+ msg_re = "(certificate verify failed|CERTIFICATE_VERIFY_FAILED)" - with server: - with client_context.wrap_socket(socket.socket(), - server_hostname=hostname) as s: -- with self.assertRaisesRegex(ssl.SSLError, -- "certificate verify failed"): -+ with self.assertRaisesRegex(ssl.SSLError, msg_re): - s.connect((HOST, server.port)) - - # now load a CRL file. The CRL file is signed by the CA. 
-@@ -2884,12 +2888,12 @@ def test_check_hostname(self): - - # incorrect hostname should raise an exception - server = ThreadedEchoServer(context=server_context, chatty=True) -+ err_re = "(CERTIFICATE_VERIFY_FAILED|" -+ err_re += "Hostname mismatch, certificate is not valid for 'invalid'.)" - with server: - with client_context.wrap_socket(socket.socket(), - server_hostname="invalid") as s: -- with self.assertRaisesRegex( -- ssl.CertificateError, -- "Hostname mismatch, certificate is not valid for 'invalid'."): -+ with self.assertRaisesRegex(ssl.CertificateError, err_re): - s.connect((HOST, server.port)) - - # missing server_hostname arg should cause an exception, too -@@ -3083,7 +3087,7 @@ def test_wrong_cert_tls13(self): - s.connect((HOST, server.port)) - with self.assertRaisesRegex( - ssl.SSLError, -- 'alert unknown ca|EOF occurred' -+ 'alert unknown ca|EOF occurred|TLSV1_ALERT_UNKNOWN_CA' - ): - # TLS 1.3 perform client cert exchange after handshake - s.write(b'data') -@@ -3152,8 +3156,13 @@ def test_ssl_cert_verify_error(self): - self.assertIsInstance(e, ssl.SSLCertVerificationError) - self.assertEqual(e.verify_code, 20) - self.assertEqual(e.verify_message, msg) -+ if Py_OPENSSL_IS_AWSLC: -+ msg = "CERTIFICATE_VERIFY_FAILED" - self.assertIn(msg, repr(e)) -- self.assertIn('certificate verify failed', repr(e)) -+ expected_err = 'certificate verify failed' -+ if Py_OPENSSL_IS_AWSLC: -+ expected_err = "CERTIFICATE_VERIFY_FAILED" -+ self.assertIn(expected_err, repr(e)) - - def test_PROTOCOL_TLS(self): - """Connecting to an SSLv23 server with various client options""" -@@ -3685,7 +3694,10 @@ def test_no_shared_ciphers(self): - server_hostname=hostname) as s: - with self.assertRaises(OSError): - s.connect((HOST, server.port)) -- self.assertIn("no shared cipher", server.conn_errors[0]) -+ expected_err = "no shared cipher" -+ if Py_OPENSSL_IS_AWSLC: -+ expected_err = "NO_SHARED_CIPHER" -+ self.assertIn(expected_err, server.conn_errors[0]) - - def 
test_version_basic(self): - """ -@@ -3773,7 +3785,10 @@ def test_min_max_version_mismatch(self): - server_hostname=hostname) as s: - with self.assertRaises(ssl.SSLError) as e: - s.connect((HOST, server.port)) -- self.assertIn("alert", str(e.exception)) -+ self.assertTrue( -+ "alert"in str(e.exception) -+ or "ALERT"in str(e.exception) -+ ) - - @requires_tls_version('SSLv3') - def test_min_max_version_sslv3(self): -@@ -3815,6 +3830,9 @@ def test_tls_unique_channel_binding(self): - - client_context, server_context, hostname = testing_context() +@@ -3911,6 +3911,9 @@ def test_tls_unique_channel_binding(self): + # https://datatracker.ietf.org/doc/html/rfc8446#appendix-C.5 + client_context.maximum_version = ssl.TLSVersion.TLSv1_2 + # tls-unique isn't defined as of TLSv1.3 + client_context.maximum_version = ssl.TLSVersion.TLSv1_2 @@ -284,7 +50,7 @@ index 3fdfa29..6f6fea7 100644 server = ThreadedEchoServer(context=server_context, chatty=True, connectionchatty=False) -@@ -3901,6 +3919,7 @@ def test_no_legacy_server_connect(self): +@@ -3997,6 +4000,7 @@ def test_no_legacy_server_connect(self): sni_name=hostname) @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows") 
@@ -292,29 +58,7 @@ index 3fdfa29..6f6fea7 100644 def test_dh_params(self): # Check we can get a connection with ephemeral Diffie-Hellman client_context, server_context, hostname = testing_context() -@@ -3915,7 +3934,7 @@ def test_dh_params(self): - cipher = stats["cipher"][0] - parts = cipher.split("-") - if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts: -- self.fail("Non-DH cipher: " + cipher[0]) -+ self.fail("Non-DH kx: " + parts[0]) - - def test_ecdh_curve(self): - # server secp384r1, client auto -@@ -4082,8 +4101,10 @@ def cb_raising(ssl_sock, server_name, initial_context): - chatty=False, - sni_name='supermessage') - -- self.assertEqual(cm.exception.reason, -- 'SSLV3_ALERT_HANDSHAKE_FAILURE') -+ expected_reason = 'SSLV3_ALERT_HANDSHAKE_FAILURE' -+ if Py_OPENSSL_IS_AWSLC: -+ expected_reason = 'NO_PRIVATE_VALUE' -+ self.assertEqual(cm.exception.reason, expected_reason) - self.assertEqual(catch.unraisable.exc_type, ZeroDivisionError) - - def test_sni_callback_wrong_return_type(self): -@@ -4360,7 +4381,10 @@ def server_callback(identity): +@@ -4457,7 +4461,10 @@ def server_callback(identity): s.connect((HOST, server.port)) @@ -326,7 +70,7 @@ index 3fdfa29..6f6fea7 100644 class TestPostHandshakeAuth(unittest.TestCase): def test_pha_setter(self): protocols = [ -@@ -4636,6 +4660,31 @@ def test_internal_chain_server(self): +@@ -4733,6 +4740,31 @@ def test_internal_chain_server(self): self.assertEqual(res, b'\x02\n') @@ -359,7 +103,7 @@ index 3fdfa29..6f6fea7 100644 requires_keylog = unittest.skipUnless( HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback') diff --git a/Modules/Setup b/Modules/Setup -index 8ad9a5a..6138085 100644 +index cd1cf24..53bcc4c 100644 --- a/Modules/Setup +++ b/Modules/Setup @@ -208,11 +208,11 @@ PYTHONPATH=$(COREPYTHONPATH) @@ -397,10 +141,10 @@ index 0e230f3..390d6e0 100644 }; diff --git a/Modules/_ssl.c b/Modules/_ssl.c -index bc30290..0e52f96 100644 +index d00f407..7049f79 100644 --- a/Modules/_ssl.c 
+++ b/Modules/_ssl.c -@@ -187,6 +187,13 @@ extern const SSL_METHOD *TLSv1_2_method(void); +@@ -188,6 +188,13 @@ extern const SSL_METHOD *TLSv1_2_method(void); #endif @@ -414,7 +158,7 @@ index bc30290..0e52f96 100644 enum py_ssl_error { /* these mirror ssl.h */ PY_SSL_ERROR_NONE, -@@ -231,7 +238,7 @@ enum py_proto_version { +@@ -232,7 +239,7 @@ enum py_proto_version { PY_PROTO_TLSv1 = TLS1_VERSION, PY_PROTO_TLSv1_1 = TLS1_1_VERSION, PY_PROTO_TLSv1_2 = TLS1_2_VERSION, @@ -423,7 +167,7 @@ index bc30290..0e52f96 100644 PY_PROTO_TLSv1_3 = TLS1_3_VERSION, #else PY_PROTO_TLSv1_3 = 0x304, -@@ -293,7 +300,7 @@ typedef struct { +@@ -294,7 +301,7 @@ typedef struct { */ unsigned int hostflags; int protocol; @@ -432,7 +176,7 @@ index bc30290..0e52f96 100644 int post_handshake_auth; #endif PyObject *msg_cb; -@@ -885,7 +892,7 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock, +@@ -886,7 +893,7 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock, SSL_set_mode(self->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY); @@ -441,7 +185,7 @@ index bc30290..0e52f96 100644 if (sslctx->post_handshake_auth == 1) { if (socket_type == PY_SSL_SERVER) { /* bpo-37428: OpenSSL does not ignore SSL_VERIFY_POST_HANDSHAKE. -@@ -1028,6 +1035,7 @@ _ssl__SSLSocket_do_handshake_impl(PySSLSocket *self) +@@ -1029,6 +1036,7 @@ _ssl__SSLSocket_do_handshake_impl(PySSLSocket *self) } while (err.ssl == SSL_ERROR_WANT_READ || err.ssl == SSL_ERROR_WANT_WRITE); Py_XDECREF(sock); @@ -449,7 +193,7 @@ index bc30290..0e52f96 100644 if (ret < 1) return PySSL_SetError(self, ret, __FILE__, __LINE__); if (PySSL_ChainExceptions(self) < 0) -@@ -2787,7 +2800,7 @@ static PyObject * +@@ -2788,7 +2796,7 @@ static PyObject * _ssl__SSLSocket_verify_client_post_handshake_impl(PySSLSocket *self) /*[clinic end generated code: output=532147f3b1341425 input=6bfa874810a3d889]*/ { 
@@ -458,7 +202,7 @@ index bc30290..0e52f96 100644 int err = SSL_verify_client_post_handshake(self->ssl); if (err == 0) return _setSSLError(get_state_sock(self), NULL, 0, __FILE__, __LINE__); -@@ -3211,7 +3224,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) +@@ -3212,7 +3220,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version) X509_VERIFY_PARAM_set_flags(params, X509_V_FLAG_TRUSTED_FIRST); X509_VERIFY_PARAM_set_hostflags(params, self->hostflags); @@ -467,7 +211,7 @@ index bc30290..0e52f96 100644 self->post_handshake_auth = 0; SSL_CTX_set_post_handshake_auth(self->ctx, self->post_handshake_auth); #endif -@@ -3589,7 +3602,7 @@ set_maximum_version(PySSLContext *self, PyObject *arg, void *c) +@@ -3590,7 +3598,7 @@ set_maximum_version(PySSLContext *self, PyObject *arg, void *c) return set_min_max_proto_version(self, arg, 1); } @@ -476,7 +220,7 @@ index bc30290..0e52f96 100644 static PyObject * get_num_tickets(PySSLContext *self, void *c) { -@@ -3620,7 +3633,7 @@ set_num_tickets(PySSLContext *self, PyObject *arg, void *c) +@@ -3621,7 +3629,7 @@ set_num_tickets(PySSLContext *self, PyObject *arg, void *c) PyDoc_STRVAR(PySSLContext_num_tickets_doc, "Control the number of TLSv1.3 session tickets"); @@ -485,7 +229,7 @@ index bc30290..0e52f96 100644 static PyObject * get_security_level(PySSLContext *self, void *c) -@@ -3723,14 +3736,14 @@ set_check_hostname(PySSLContext *self, PyObject *arg, void *c) +@@ -3724,14 +3732,14 @@ set_check_hostname(PySSLContext *self, PyObject *arg, void *c) static PyObject * get_post_handshake_auth(PySSLContext *self, void *c) { 
@@ -502,7 +246,7 @@ index bc30290..0e52f96 100644 static int set_post_handshake_auth(PySSLContext *self, PyObject *arg, void *c) { if (arg == NULL) { -@@ -4917,14 +4930,14 @@ static PyGetSetDef context_getsetlist[] = { +@@ -4973,14 +4981,14 @@ static PyGetSetDef context_getsetlist[] = { (setter) _PySSLContext_set_msg_callback, NULL}, {"sni_callback", (getter) get_sni_callback, (setter) set_sni_callback, PySSLContext_sni_callback_doc},