From bd6e20542199b4805346059cc8e26f67fff8affd Mon Sep 17 00:00:00 2001 From: Andre Heider Date: Tue, 19 Jul 2022 14:14:16 +0200 Subject: [PATCH] python3: update patches for libressl v3.5 Based upon patches from OpenBSD[0] and Gentoo[1]. Switched to the LibreSSL provided LIBRESSL_VERSION_NUMBER macro, which makes OPENWRT_HOST_BUILD redundant. [0] https://github.com/openbsd/ports/tree/master/lang/python/3.10/patches [1] https://github.com/gentoo/libressl/tree/master/dev-lang/python/files Signed-off-by: Andre Heider --- lang/python/python3/Makefile | 6 +- .../patches/026-openssl-feature-flags.patch | 39 +++++- ...ost-python-support-ssl-with-libressl.patch | 118 +++--------------- 3 files changed, 52 insertions(+), 111 deletions(-) diff --git a/lang/python/python3/Makefile b/lang/python/python3/Makefile index 7fbc84aa1..d3b043872 100644 --- a/lang/python/python3/Makefile +++ b/lang/python/python3/Makefile @@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk include ../python3-version.mk PKG_NAME:=python3 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_VERSION:=$(PYTHON3_VERSION).$(PYTHON3_VERSION_MICRO) PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz @@ -327,10 +327,6 @@ HOST_MAKE_VARS += \ USE_PYTHON_CONFIG_PY=1 endif -# FIXME: remove when removing patch '028-host-python-support-ssl-with-libressl.patch' -HOST_CFLAGS += \ - -DOPENWRT_HOST_BUILD - HOST_CONFIGURE_ARGS+= \ --enable-optimizations \ --with-ensurepip=upgrade \ diff --git a/lang/python/python3/patches/026-openssl-feature-flags.patch b/lang/python/python3/patches/026-openssl-feature-flags.patch index 9272f36a4..b4c15ab80 100644 --- a/lang/python/python3/patches/026-openssl-feature-flags.patch +++ b/lang/python/python3/patches/026-openssl-feature-flags.patch @@ -1,12 +1,47 @@ --- a/Modules/_hashopenssl.c +++ b/Modules/_hashopenssl.c -@@ -48,7 +48,9 @@ +@@ -45,10 +45,12 @@ + + #define MUNCH_SIZE INT_MAX + ++#if !defined(LIBRESSL_VERSION_NUMBER) #define PY_OPENSSL_HAS_SCRYPT 1 #define PY_OPENSSL_HAS_SHA3 1 #define PY_OPENSSL_HAS_SHAKE 1 -+#ifndef OPENSSL_NO_BLAKE2 #define PY_OPENSSL_HAS_BLAKE2 1 +#endif #if OPENSSL_VERSION_NUMBER >= 0x30000000L #define PY_EVP_MD EVP_MD +@@ -119,6 +121,7 @@ static const py_hashentry_t py_hashes[] + PY_HASH_ENTRY(Py_hash_sha256, "SHA256", SN_sha256, NID_sha256), + PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384), + PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512), ++#if !defined(LIBRESSL_VERSION_NUMBER) + /* truncated sha2 */ + PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224, NID_sha512_224), + PY_HASH_ENTRY(Py_hash_sha512_256, "SHA512_256", SN_sha512_256, NID_sha512_256), +@@ -133,6 +136,7 @@ static const py_hashentry_t py_hashes[] + /* blake2 digest */ + PY_HASH_ENTRY(Py_hash_blake2s, "blake2s256", SN_blake2s256, NID_blake2s256), + PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", SN_blake2b512, NID_blake2b512), ++#endif + PY_HASH_ENTRY(NULL, NULL, NULL, 0), + }; + +@@ -873,11 +877,15 @@ py_evp_fromname(PyObject *module, const + goto exit; + } + ++#if defined(LIBRESSL_VERSION_NUMBER) ++ type = get_hashlib_state(module)->EVPtype; ++#else + if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) { + type = get_hashlib_state(module)->EVPXOFtype; + } else { + type = get_hashlib_state(module)->EVPtype; + } ++#endif + + self = newEVPobject(type); + if (self == NULL) { diff --git a/lang/python/python3/patches/028-host-python-support-ssl-with-libressl.patch b/lang/python/python3/patches/028-host-python-support-ssl-with-libressl.patch index a831735bd..7b47c111f 100644 --- a/lang/python/python3/patches/028-host-python-support-ssl-with-libressl.patch +++ b/lang/python/python3/patches/028-host-python-support-ssl-with-libressl.patch @@ -1,117 +1,27 @@ --- a/Modules/_ssl.c +++ b/Modules/_ssl.c -@@ -67,7 +67,18 @@ +@@ -67,6 +67,12 @@ # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL" #endif -+#ifdef OPENWRT_HOST_BUILD -+#undef TLS1_3_VERSION -+static STACK_OF(X509) *SSL_get0_verified_chain(const SSL *s) -+{ -+ return NULL; -+} - ++#ifdef LIBRESSL_VERSION_NUMBER +static int SSL_CTX_get_security_level(const SSL_CTX *ctx) +{ -+ return 0; ++ return 1; +} +#endif + struct py_ssl_error_code { - const char *mnemonic; -@@ -291,8 +302,10 @@ typedef struct { - int post_handshake_auth; - #endif - PyObject *msg_cb; -+#ifndef OPENWRT_HOST_BUILD - PyObject *keylog_filename; - BIO *keylog_bio; -+#endif - /* Cached module state, also used in SSLSocket and SSLSession code. */ - _sslmodulestate *state; - } PySSLContext; -@@ -2358,8 +2371,14 @@ _ssl__SSLSocket_write_impl(PySSLSocket * - - do { - PySSL_BEGIN_ALLOW_THREADS -+#ifdef OPENWRT_HOST_BUILD -+ retval = SSL_write(self->ssl, b->buf, (int)b->len); -+ if (retval > 0) count = retval; -+ err = _PySSL_errno(retval <= 0, self->ssl, retval); +@@ -169,7 +175,11 @@ extern const SSL_METHOD *TLSv1_2_method( + * Based on Hynek's excellent blog post (update 2021-02-11) + * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + */ ++#ifndef LIBRESSL_VERSION_NUMBER + #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" +#else - retval = SSL_write_ex(self->ssl, b->buf, (size_t)b->len, &count); - err = _PySSL_errno(retval == 0, self->ssl, retval); -+#endif - PySSL_END_ALLOW_THREADS - self->err = err; - -@@ -2510,8 +2529,14 @@ _ssl__SSLSocket_read_impl(PySSLSocket *s - - do { - PySSL_BEGIN_ALLOW_THREADS -+#ifdef OPENWRT_HOST_BUILD -+ retval = SSL_read(self->ssl, mem, len); -+ if (retval > 0) count = retval; -+ err = _PySSL_errno(retval <= 0, self->ssl, retval); -+#else - retval = SSL_read_ex(self->ssl, mem, (size_t)len, &count); - err = _PySSL_errno(retval == 0, self->ssl, retval); -+#endif - PySSL_END_ALLOW_THREADS - self->err = err; - -@@ -3074,8 +3099,10 @@ _ssl__SSLContext_impl(PyTypeObject *type - self->hostflags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; - self->protocol = proto_version; - self->msg_cb = NULL; -+#ifndef OPENWRT_HOST_BUILD - self->keylog_filename = NULL; - self->keylog_bio = NULL; -+#endif - self->alpn_protocols = NULL; - self->set_sni_cb = NULL; - self->state = get_ssl_state(module); -@@ -3199,6 +3226,7 @@ context_clear(PySSLContext *self) - { - Py_CLEAR(self->set_sni_cb); - Py_CLEAR(self->msg_cb); -+#ifndef OPENWRT_HOST_BUILD - Py_CLEAR(self->keylog_filename); - if (self->keylog_bio != NULL) { - PySSL_BEGIN_ALLOW_THREADS -@@ -3206,6 +3234,7 @@ context_clear(PySSLContext *self) - PySSL_END_ALLOW_THREADS - self->keylog_bio = NULL; - } -+#endif - return 0; - } - -@@ -4615,8 +4644,10 @@ static PyGetSetDef context_getsetlist[] - (setter) set_minimum_version, NULL}, - {"maximum_version", (getter) get_maximum_version, - (setter) set_maximum_version, NULL}, -+#ifndef OPENWRT_HOST_BUILD - {"keylog_filename", (getter) _PySSLContext_get_keylog_filename, - (setter) _PySSLContext_set_keylog_filename, NULL}, -+#endif - {"_msg_callback", (getter) _PySSLContext_get_msg_callback, - (setter) _PySSLContext_set_msg_callback, NULL}, - {"sni_callback", (getter) get_sni_callback, ---- a/Modules/_ssl/debughelpers.c -+++ b/Modules/_ssl/debughelpers.c -@@ -114,6 +114,8 @@ _PySSLContext_set_msg_callback(PySSLCont - return 0; - } - -+#ifndef OPENWRT_HOST_BUILD -+ - static void - _PySSL_keylog_callback(const SSL *ssl, const char *line) - { -@@ -217,3 +219,5 @@ _PySSLContext_set_keylog_filename(PySSLC - SSL_CTX_set_keylog_callback(self->ctx, _PySSL_keylog_callback); - return 0; - } -+ ++ #define PY_SSL_DEFAULT_CIPHER_STRING "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" +#endif + #ifndef PY_SSL_MIN_PROTOCOL + #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION + #endif