Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 1a4b7ee28bf7413af6513fb45ad0d0736048f866^! / . / poky / meta / recipes-devtools / python / python / 0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
commit1a4b7ee28bf7413af6513fb45ad0d0736048f866[log] [tgz]
authorBrad Bishop <bradleyb@fuzziesquirrel.com>Sun Dec 16 17:11:34 2018 -0800
committerBrad Bishop <bradleyb@fuzziesquirrel.com>Tue Jan 08 18:21:44 2019 -0500
tree79f6d8ea698cab8f2eaf4f54b793d2ca7a1451ce
parent5b9ede0403237c7dace972affa65cf64a1aadd0e [diff] [blame]
reset upstream subtrees to yocto 2.6

Reset the following subtrees on thud HEAD:

  poky: 87e3a9739d
  meta-openembedded: 6094ae18c8
  meta-security: 31dc4e7532
  meta-raspberrypi: a48743dc36
  meta-xilinx: c42016e2e6

Also re-apply backports that didn't make it into thud:
  poky:
    17726d0 systemd-systemctl-native: handle Install wildcards

  meta-openembedded:
    4321a5d libtinyxml2: update to 7.0.1
    042f0a3 libcereal: Add native and nativesdk classes
    e23284f libcereal: Allow empty package
    030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
    179a1b9 gtest: update to 1.8.1

Squashed OpenBMC subtree compatibility updates:
  meta-aspeed:
    Brad Bishop (1):
          aspeed: add yocto 2.6 compatibility

  meta-ibm:
    Brad Bishop (1):
          ibm: prepare for yocto 2.6

  meta-ingrasys:
    Brad Bishop (1):
          ingrasys: set layer compatibility to yocto 2.6

  meta-openpower:
    Brad Bishop (1):
          openpower: set layer compatibility to yocto 2.6

  meta-phosphor:
    Brad Bishop (3):
          phosphor: set layer compatibility to thud
          phosphor: libgpg-error: drop patches
          phosphor: react to fitimage artifact rename

    Ed Tanous (4):
          Dropbear: upgrade options for latest upgrade
          yocto2.6: update openssl options
          busybox: remove upstream watchdog patch
          systemd: Rebase CONFIG_CGROUP_BPF patch

Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>

diff --git a/poky/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch b/poky/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch
new file mode 100644
index 0000000..1f70562
--- /dev/null
+++ b/poky/meta/recipes-devtools/python/python/0001-bpo-33570-TLS-1.3-ciphers-for-OpenSSL-1.1.1-GH-6976-.patch

@@ -0,0 +1,120 @@
+From a333351592f097220fc862911b34d3a300f0985e Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Wed, 15 Aug 2018 09:07:28 +0200
+Subject: [PATCH 1/4] bpo-33570: TLS 1.3 ciphers for OpenSSL 1.1.1 (GH-6976)
+ (GH-8760)
+
+Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
+1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
+default.
+
+Also update multissltests to test with latest OpenSSL.
+
+Signed-off-by: Christian Heimes <christian@python.org>.
+(cherry picked from commit 3e630c541b35c96bfe5619165255e559f577ee71)
+
+Co-authored-by: Christian Heimes <christian@python.org>
+
+Upstream-Status: Accepted [https://github.com/python/cpython/pull/8771]
+
+Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
+---
+ Doc/library/ssl.rst                           |  8 ++--
+ Lib/test/test_ssl.py                          | 37 +++++++++++--------
+ .../2018-05-18-21-50-47.bpo-33570.7CZy4t.rst  |  3 ++
+ 3 files changed, 27 insertions(+), 21 deletions(-)
+ create mode 100644 Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
+
+diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
+index 0421031772..7c7c85b833 100644
+--- a/Doc/library/ssl.rst
++++ b/Doc/library/ssl.rst
+@@ -294,11 +294,6 @@ purposes.
+ 
+      3DES was dropped from the default cipher string.
+ 
+-   .. versionchanged:: 2.7.15
+-
+-     TLS 1.3 cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
+-     and TLS_CHACHA20_POLY1305_SHA256 were added to the default cipher string.
+-
+ .. function:: _https_verify_certificates(enable=True)
+ 
+    Specifies whether or not server certificates are verified when creating
+@@ -1179,6 +1174,9 @@ to speed up repeated connections from the same clients.
+       when connected, the :meth:`SSLSocket.cipher` method of SSL sockets will
+       give the currently selected cipher.
+ 
++      OpenSSL 1.1.1 has TLS 1.3 cipher suites enabled by default. The suites
++      cannot be disabled with :meth:`~SSLContext.set_ciphers`.
++
+ .. method:: SSLContext.set_alpn_protocols(protocols)
+ 
+    Specify which protocols the socket should advertise during the SSL/TLS
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index dc14e22ad1..f51572e319 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -2772,19 +2772,24 @@ else:
+                     sock.do_handshake()
+                 self.assertEqual(cm.exception.errno, errno.ENOTCONN)
+ 
+-        def test_default_ciphers(self):
+-            context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+-            try:
+-                # Force a set of weak ciphers on our client context
+-                context.set_ciphers("DES")
+-            except ssl.SSLError:
+-                self.skipTest("no DES cipher available")
+-            with ThreadedEchoServer(CERTFILE,
+-                                    ssl_version=ssl.PROTOCOL_SSLv23,
+-                                    chatty=False) as server:
+-                with closing(context.wrap_socket(socket.socket())) as s:
+-                    with self.assertRaises(ssl.SSLError):
+-                        s.connect((HOST, server.port))
++        def test_no_shared_ciphers(self):
++            server_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
++            server_context.load_cert_chain(SIGNED_CERTFILE)
++            client_context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
++            client_context.verify_mode = ssl.CERT_REQUIRED
++            client_context.check_hostname = True
++
++            # OpenSSL enables all TLS 1.3 ciphers, enforce TLS 1.2 for test
++            client_context.options |= ssl.OP_NO_TLSv1_3
++            # Force different suites on client and master
++            client_context.set_ciphers("AES128")
++            server_context.set_ciphers("AES256")
++            with ThreadedEchoServer(context=server_context) as server:
++                s = client_context.wrap_socket(
++                        socket.socket(),
++                        server_hostname="localhost")
++                with self.assertRaises(ssl.SSLError):
++                    s.connect((HOST, server.port))
+             self.assertIn("no shared cipher", str(server.conn_errors[0]))
+ 
+         def test_version_basic(self):
+@@ -2815,9 +2820,9 @@ else:
+                 with context.wrap_socket(socket.socket()) as s:
+                     s.connect((HOST, server.port))
+                     self.assertIn(s.cipher()[0], [
+-                        'TLS13-AES-256-GCM-SHA384',
+-                        'TLS13-CHACHA20-POLY1305-SHA256',
+-                        'TLS13-AES-128-GCM-SHA256',
++                        'TLS_AES_256_GCM_SHA384',
++                        'TLS_CHACHA20_POLY1305_SHA256',
++                        'TLS_AES_128_GCM_SHA256',
+                     ])
+ 
+         @unittest.skipUnless(ssl.HAS_ECDH, "test requires ECDH-enabled OpenSSL")
+diff --git a/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
+new file mode 100644
+index 0000000000..bd719a47e8
+--- /dev/null
++++ b/Misc/NEWS.d/next/Library/2018-05-18-21-50-47.bpo-33570.7CZy4t.rst
+@@ -0,0 +1,3 @@
++Change TLS 1.3 cipher suite settings for compatibility with OpenSSL
++1.1.1-pre6 and newer. OpenSSL 1.1.1 will have TLS 1.3 cipers enabled by
++default.
+-- 
+2.17.1
+