reset upstream subtrees to yocto 2.6
Reset the following subtrees on thud HEAD:
poky: 87e3a9739d
meta-openembedded: 6094ae18c8
meta-security: 31dc4e7532
meta-raspberrypi: a48743dc36
meta-xilinx: c42016e2e6
Also re-apply backports that didn't make it into thud:
poky:
17726d0 systemd-systemctl-native: handle Install wildcards
meta-openembedded:
4321a5d libtinyxml2: update to 7.0.1
042f0a3 libcereal: Add native and nativesdk classes
e23284f libcereal: Allow empty package
030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
179a1b9 gtest: update to 1.8.1
Squashed OpenBMC subtree compatibility updates:
meta-aspeed:
Brad Bishop (1):
aspeed: add yocto 2.6 compatibility
meta-ibm:
Brad Bishop (1):
ibm: prepare for yocto 2.6
meta-ingrasys:
Brad Bishop (1):
ingrasys: set layer compatibility to yocto 2.6
meta-openpower:
Brad Bishop (1):
openpower: set layer compatibility to yocto 2.6
meta-phosphor:
Brad Bishop (3):
phosphor: set layer compatibility to thud
phosphor: libgpg-error: drop patches
phosphor: react to fitimage artifact rename
Ed Tanous (4):
Dropbear: upgrade options for latest upgrade
yocto2.6: update openssl options
busybox: remove upstream watchdog patch
systemd: Rebase CONFIG_CGROUP_BPF patch
Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/poky/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch b/poky/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch
new file mode 100644
index 0000000..56d591d
--- /dev/null
+++ b/poky/meta/recipes-devtools/python/python3/0003-bpo-32947-Fixes-for-TLS-1.3-and-OpenSSL-1.1.1-GH-876.patch
@@ -0,0 +1,173 @@
+From 170a614904febd14ff6cfd7a75c9bccc114b3948 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Tue, 14 Aug 2018 16:56:32 +0200
+Subject: [PATCH] bpo-32947: Fixes for TLS 1.3 and OpenSSL 1.1.1 (GH-8761)
+
+Backport of TLS 1.3 related fixes from 3.7.
+
+Misc fixes and workarounds for compatibility with OpenSSL 1.1.1 from git
+master and TLS 1.3 support. With OpenSSL 1.1.1, Python negotiates TLS 1.3 by
+default. Some test cases only apply to TLS 1.2.
+
+OpenSSL 1.1.1 has added a new option OP_ENABLE_MIDDLEBOX_COMPAT for TLS
+1.3. The feature is enabled by default for maximum compatibility with
+broken middle boxes. Users should be able to disable the hack and CPython's test suite needs
+it to verify default options
+
+Signed-off-by: Christian Heimes <christian@python.org>
+
+Upstream-Status: Backport
+[https://github.com/python/cpython/commit/2a4ee8aa01d61b6a9c8e9c65c211e61bdb471826]
+
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Doc/library/ssl.rst | 9 ++++++
+ Lib/test/test_asyncio/test_events.py | 6 +++-
+ Lib/test/test_ssl.py | 29 +++++++++++++++----
+ .../2018-08-14-08-57-01.bpo-32947.mqStVW.rst | 2 ++
+ Modules/_ssl.c | 4 +++
+ 5 files changed, 44 insertions(+), 6 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst
+
+diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
+index 29c5e94cf6..f63a3deec5 100644
+--- a/Doc/library/ssl.rst
++++ b/Doc/library/ssl.rst
+@@ -757,6 +757,15 @@ Constants
+
+ .. versionadded:: 3.3
+
++.. data:: OP_ENABLE_MIDDLEBOX_COMPAT
++
++ Send dummy Change Cipher Spec (CCS) messages in TLS 1.3 handshake to make
++ a TLS 1.3 connection look more like a TLS 1.2 connection.
++
++ This option is only available with OpenSSL 1.1.1 and later.
++
++ .. versionadded:: 3.6.7
++
+ .. data:: OP_NO_COMPRESSION
+
+ Disable compression on the SSL channel. This is useful if the application
+diff --git a/Lib/test/test_asyncio/test_events.py b/Lib/test/test_asyncio/test_events.py
+index 492a84a231..6f208474b9 100644
+--- a/Lib/test/test_asyncio/test_events.py
++++ b/Lib/test/test_asyncio/test_events.py
+@@ -1169,7 +1169,11 @@ class EventLoopTestsMixin:
+ self.loop.run_until_complete(f_c)
+
+ # close connection
+- proto.transport.close()
++ # transport may be None with TLS 1.3, because connection is
++ # interrupted, server is unable to send session tickets, and
++ # transport is closed.
++ if proto.transport is not None:
++ proto.transport.close()
+ server.close()
+
+ def test_legacy_create_server_ssl_match_failed(self):
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index 1acc12ec2d..a2e1d32a62 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -78,6 +78,7 @@ OP_NO_COMPRESSION = getattr(ssl, "OP_NO_COMPRESSION", 0)
+ OP_SINGLE_DH_USE = getattr(ssl, "OP_SINGLE_DH_USE", 0)
+ OP_SINGLE_ECDH_USE = getattr(ssl, "OP_SINGLE_ECDH_USE", 0)
+ OP_CIPHER_SERVER_PREFERENCE = getattr(ssl, "OP_CIPHER_SERVER_PREFERENCE", 0)
++OP_ENABLE_MIDDLEBOX_COMPAT = getattr(ssl, "OP_ENABLE_MIDDLEBOX_COMPAT", 0)
+
+
+ def handle_error(prefix):
+@@ -155,8 +156,8 @@ class BasicSocketTests(unittest.TestCase):
+ ssl.OP_NO_TLSv1
+ ssl.OP_NO_TLSv1_3
+ if ssl.OPENSSL_VERSION_INFO >= (1, 0, 1):
+- ssl.OP_NO_TLSv1_1
+- ssl.OP_NO_TLSv1_2
++ ssl.OP_NO_TLSv1_1
++ ssl.OP_NO_TLSv1_2
+
+ def test_str_for_enums(self):
+ # Make sure that the PROTOCOL_* constants have enum-like string
+@@ -854,7 +855,8 @@ class ContextTests(unittest.TestCase):
+ default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
+ # SSLContext also enables these by default
+ default |= (OP_NO_COMPRESSION | OP_CIPHER_SERVER_PREFERENCE |
+- OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE)
++ OP_SINGLE_DH_USE | OP_SINGLE_ECDH_USE |
++ OP_ENABLE_MIDDLEBOX_COMPAT)
+ self.assertEqual(default, ctx.options)
+ ctx.options |= ssl.OP_NO_TLSv1
+ self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
+@@ -1860,11 +1862,26 @@ else:
+ self.sock, server_side=True)
+ self.server.selected_npn_protocols.append(self.sslconn.selected_npn_protocol())
+ self.server.selected_alpn_protocols.append(self.sslconn.selected_alpn_protocol())
+- except (ssl.SSLError, ConnectionResetError) as e:
++ except (ConnectionResetError, BrokenPipeError) as e:
+ # We treat ConnectionResetError as though it were an
+ # SSLError - OpenSSL on Ubuntu abruptly closes the
+ # connection when asked to use an unsupported protocol.
+ #
++ # BrokenPipeError is raised in TLS 1.3 mode, when OpenSSL
++ # tries to send session tickets after handshake.
++ # https://github.com/openssl/openssl/issues/6342
++ self.server.conn_errors.append(str(e))
++ if self.server.chatty:
++ handle_error(
++ "\n server: bad connection attempt from " + repr(
++ self.addr) + ":\n")
++ self.running = False
++ self.close()
++ return False
++ except (ssl.SSLError, OSError) as e:
++ # OSError may occur with wrong protocols, e.g. both
++ # sides use PROTOCOL_TLS_SERVER.
++ #
+ # XXX Various errors can have happened here, for example
+ # a mismatching protocol version, an invalid certificate,
+ # or a low-level bug. This should be made more discriminating.
+@@ -2974,7 +2991,7 @@ else:
+ # Block on the accept and wait on the connection to close.
+ evt.set()
+ remote, peer = server.accept()
+- remote.recv(1)
++ remote.send(remote.recv(4))
+
+ t = threading.Thread(target=serve)
+ t.start()
+@@ -2982,6 +2999,8 @@ else:
+ evt.wait()
+ client = context.wrap_socket(socket.socket())
+ client.connect((host, port))
++ client.send(b'data')
++ client.recv()
+ client_addr = client.getsockname()
+ client.close()
+ t.join()
+diff --git a/Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst b/Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst
+new file mode 100644
+index 0000000000..28de360c36
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2018-08-14-08-57-01.bpo-32947.mqStVW.rst
+@@ -0,0 +1,2 @@
++Add OP_ENABLE_MIDDLEBOX_COMPAT and test workaround for TLSv1.3 for future
++compatibility with OpenSSL 1.1.1.
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index c71d89607c..eb123a87ba 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -4858,6 +4858,10 @@ PyInit__ssl(void)
+ PyModule_AddIntConstant(m, "OP_NO_COMPRESSION",
+ SSL_OP_NO_COMPRESSION);
+ #endif
++#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
++ PyModule_AddIntConstant(m, "OP_ENABLE_MIDDLEBOX_COMPAT",
++ SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
++#endif
+
+ #if HAVE_SNI
+ r = Py_True;
+--
+2.17.1
+