From 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf Mon Sep 17 00:00:00 2001 From: takeshi_hoshina Date: Mon, 2 Nov 2020 11:07:33 +0900 Subject: basesystem-jj recipes --- ...dd-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch | 227 --------------------- 1 file changed, 227 deletions(-) delete mode 100644 external/poky/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch (limited to 'external/poky/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch') diff --git a/external/poky/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch b/external/poky/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch deleted file mode 100644 index d48cad75..00000000 --- a/external/poky/meta/recipes-devtools/python/python3/0002-bpo-29136-Add-TLS-1.3-cipher-suites-and-OP_NO_TLSv1_.patch +++ /dev/null @@ -1,227 +0,0 @@ -From e950ea68dab006944af194c9910b8f2341d1437d Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Thu, 7 Sep 2017 20:23:52 -0700 -Subject: [PATCH] bpo-29136: Add TLS 1.3 cipher suites and OP_NO_TLSv1_3 - (GH-1363) (#3444) - -* bpo-29136: Add TLS 1.3 support - -TLS 1.3 introduces a new, distinct set of cipher suites. The TLS 1.3 -cipher suites don't overlap with cipher suites from TLS 1.2 and earlier. -Since Python sets its own set of permitted ciphers, TLS 1.3 handshake -will fail as soon as OpenSSL 1.1.1 is released. Let's enable the common -AES-GCM and ChaCha20 suites. - -Additionally the flag OP_NO_TLSv1_3 is added. It defaults to 0 (no op) with -OpenSSL prior to 1.1.1. This allows applications to opt-out from TLS 1.3 -now. - -Signed-off-by: Christian Heimes . -(cherry picked from commit cb5b68abdeb1b1d56c581d5b4d647018703d61e3) - -Upstream-Status: Backport -[https://github.com/python/cpython/commit/cb5b68abdeb1b1d56c581d5b4d647018703d61e3] - -Signed-off-by: Anuj Mittal ---- - Doc/library/ssl.rst | 21 ++++++++++++++ - Lib/ssl.py | 7 +++++ - Lib/test/test_ssl.py | 29 ++++++++++++++++++- - .../2017-09-04-16-39-49.bpo-29136.vSn1oR.rst | 1 + - Modules/_ssl.c | 13 +++++++++ - 5 files changed, 70 insertions(+), 1 deletion(-) - create mode 100644 Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst - -diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst -index 14f2d68217..29c5e94cf6 100644 ---- a/Doc/library/ssl.rst -+++ b/Doc/library/ssl.rst -@@ -285,6 +285,11 @@ purposes. - - 3DES was dropped from the default cipher string. - -+ .. versionchanged:: 3.7 -+ -+ TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, -+ and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string. -+ - - Random generation - ^^^^^^^^^^^^^^^^^ -@@ -719,6 +724,16 @@ Constants - - .. versionadded:: 3.4 - -+.. data:: OP_NO_TLSv1_3 -+ -+ Prevents a TLSv1.3 connection. This option is only applicable in conjunction -+ with :const:`PROTOCOL_TLS`. It prevents the peers from choosing TLSv1.3 as -+ the protocol version. TLS 1.3 is available with OpenSSL 1.1.1 or later. -+ When Python has been compiled against an older version of OpenSSL, the -+ flag defaults to *0*. -+ -+ .. versionadded:: 3.7 -+ - .. data:: OP_CIPHER_SERVER_PREFERENCE - - Use the server's cipher ordering preference, rather than the client's. -@@ -783,6 +798,12 @@ Constants - - .. versionadded:: 3.3 - -+.. data:: HAS_TLSv1_3 -+ -+ Whether the OpenSSL library has built-in support for the TLS 1.3 protocol. -+ -+ .. versionadded:: 3.7 -+ - .. data:: CHANNEL_BINDING_TYPES - - List of supported TLS channel binding types. Strings in this list -diff --git a/Lib/ssl.py b/Lib/ssl.py -index 4d302a78fa..f233e72e1f 100644 ---- a/Lib/ssl.py -+++ b/Lib/ssl.py -@@ -122,6 +122,7 @@ _import_symbols('OP_') - _import_symbols('ALERT_DESCRIPTION_') - _import_symbols('SSL_ERROR_') - _import_symbols('VERIFY_') -+from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN, HAS_TLSv1_3 - - from _ssl import HAS_SNI, HAS_ECDH, HAS_NPN, HAS_ALPN - -@@ -162,6 +163,7 @@ else: - # (OpenSSL's default setting is 'DEFAULT:!aNULL:!eNULL') - # Enable a better set of ciphers by default - # This list has been explicitly chosen to: -+# * TLS 1.3 ChaCha20 and AES-GCM cipher suites - # * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE) - # * Prefer ECDHE over DHE for better performance - # * Prefer AEAD over CBC for better performance and security -@@ -173,6 +175,8 @@ else: - # * Disable NULL authentication, NULL encryption, 3DES and MD5 MACs - # for security reasons - _DEFAULT_CIPHERS = ( -+ 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:' -+ 'TLS13-AES-128-GCM-SHA256:' - 'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:' - 'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:' - '!aNULL:!eNULL:!MD5:!3DES' -@@ -180,6 +184,7 @@ _DEFAULT_CIPHERS = ( - - # Restricted and more secure ciphers for the server side - # This list has been explicitly chosen to: -+# * TLS 1.3 ChaCha20 and AES-GCM cipher suites - # * Prefer cipher suites that offer perfect forward secrecy (DHE/ECDHE) - # * Prefer ECDHE over DHE for better performance - # * Prefer AEAD over CBC for better performance and security -@@ -190,6 +195,8 @@ _DEFAULT_CIPHERS = ( - # * Disable NULL authentication, NULL encryption, MD5 MACs, DSS, RC4, and - # 3DES for security reasons - _RESTRICTED_SERVER_CIPHERS = ( -+ 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:' -+ 'TLS13-AES-128-GCM-SHA256:' - 'ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:DH+CHACHA20:ECDH+AES256:DH+AES256:' - 'ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:RSA+AESGCM:RSA+AES:RSA+HIGH:' - '!aNULL:!eNULL:!MD5:!DSS:!RC4:!3DES' -diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py -index f91af7bd05..1acc12ec2d 100644 ---- a/Lib/test/test_ssl.py -+++ b/Lib/test/test_ssl.py -@@ -150,6 +150,13 @@ class BasicSocketTests(unittest.TestCase): - ssl.OP_NO_COMPRESSION - self.assertIn(ssl.HAS_SNI, {True, False}) - self.assertIn(ssl.HAS_ECDH, {True, False}) -+ ssl.OP_NO_SSLv2 -+ ssl.OP_NO_SSLv3 -+ ssl.OP_NO_TLSv1 -+ ssl.OP_NO_TLSv1_3 -+ if ssl.OPENSSL_VERSION_INFO >= (1, 0, 1): -+ ssl.OP_NO_TLSv1_1 -+ ssl.OP_NO_TLSv1_2 - - def test_str_for_enums(self): - # Make sure that the PROTOCOL_* constants have enum-like string -@@ -3028,12 +3035,33 @@ else: - self.assertEqual(s.version(), 'TLSv1') - self.assertIs(s.version(), None) - -+ @unittest.skipUnless(ssl.HAS_TLSv1_3, -+ "test requires TLSv1.3 enabled OpenSSL") -+ def test_tls1_3(self): -+ context = ssl.SSLContext(ssl.PROTOCOL_TLS) -+ context.load_cert_chain(CERTFILE) -+ # disable all but TLS 1.3 -+ context.options |= ( -+ ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2 -+ ) -+ with ThreadedEchoServer(context=context) as server: -+ with context.wrap_socket(socket.socket()) as s: -+ s.connect((HOST, server.port)) -+ self.assertIn(s.cipher()[0], [ -+ 'TLS13-AES-256-GCM-SHA384', -+ 'TLS13-CHACHA20-POLY1305-SHA256', -+ 'TLS13-AES-128-GCM-SHA256', -+ ]) -+ - @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL") - def test_default_ecdh_curve(self): - # Issue #21015: elliptic curve-based Diffie Hellman key exchange - # should be enabled by default on SSL contexts. - context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) - context.load_cert_chain(CERTFILE) -+ # TLSv1.3 defaults to PFS key agreement and no longer has KEA in -+ # cipher name. -+ context.options |= ssl.OP_NO_TLSv1_3 - # Prior to OpenSSL 1.0.0, ECDH ciphers have to be enabled - # explicitly using the 'ECCdraft' cipher alias. Otherwise, - # our default cipher list should prefer ECDH-based ciphers -@@ -3394,7 +3422,6 @@ else: - s.sendfile(file) - self.assertEqual(s.recv(1024), TEST_DATA) - -- - def test_main(verbose=False): - if support.verbose: - import warnings -diff --git a/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst b/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst -new file mode 100644 -index 0000000000..e76997ef83 ---- /dev/null -+++ b/Misc/NEWS.d/next/Library/2017-09-04-16-39-49.bpo-29136.vSn1oR.rst -@@ -0,0 +1 @@ -+Add TLS 1.3 cipher suites and OP_NO_TLSv1_3. -diff --git a/Modules/_ssl.c b/Modules/_ssl.c -index 0d5c121d2c..c71d89607c 100644 ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -4842,6 +4842,11 @@ PyInit__ssl(void) - #if HAVE_TLSv1_2 - PyModule_AddIntConstant(m, "OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1); - PyModule_AddIntConstant(m, "OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2); -+#endif -+#ifdef SSL_OP_NO_TLSv1_3 -+ PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", SSL_OP_NO_TLSv1_3); -+#else -+ PyModule_AddIntConstant(m, "OP_NO_TLSv1_3", 0); - #endif - PyModule_AddIntConstant(m, "OP_CIPHER_SERVER_PREFERENCE", - SSL_OP_CIPHER_SERVER_PREFERENCE); -@@ -4890,6 +4895,14 @@ PyInit__ssl(void) - Py_INCREF(r); - PyModule_AddObject(m, "HAS_ALPN", r); - -+#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3) -+ r = Py_True; -+#else -+ r = Py_False; -+#endif -+ Py_INCREF(r); -+ PyModule_AddObject(m, "HAS_TLSv1_3", r); -+ - /* Mappings for error codes */ - err_codes_to_names = PyDict_New(); - err_names_to_codes = PyDict_New(); --- -2.17.1 - -- cgit 1.2.3-korg