forked from aws/aws-lc
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaws-lc-cpython.patch
141 lines (126 loc) · 5.79 KB
/
aws-lc-cpython.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index 6e63a88..7dc83d7 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -2066,7 +2066,7 @@ def test_host_port(self):
def test_tls13_pha(self):
import ssl
- if not ssl.HAS_TLSv1_3:
+ if not ssl.HAS_TLSv1_3 or "AWS-LC" in ssl.OPENSSL_VERSION:
self.skipTest('TLS 1.3 support required')
# just check status of PHA flag
h = client.HTTPSConnection('localhost', 443)
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 0e50d09..f4b7b3c 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -41,6 +41,7 @@
from ssl import Purpose, TLSVersion, _TLSContentType, _TLSMessageType, _TLSAlertType
Py_DEBUG_WIN32 = support.Py_DEBUG and sys.platform == 'win32'
+Py_OPENSSL_IS_AWSLC = "AWS-LC" in ssl.OPENSSL_VERSION
PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
HOST = socket_helper.HOST
@@ -174,7 +175,7 @@ def is_ubuntu():
except FileNotFoundError:
return False
-if is_ubuntu():
+if is_ubuntu() and not Py_OPENSSL_IS_AWSLC:
def seclevel_workaround(*ctxs):
""""Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
for ctx in ctxs:
@@ -4001,6 +4002,7 @@ def test_no_legacy_server_connect(self):
sni_name=hostname)
@unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
+ @unittest.skipIf(Py_OPENSSL_IS_AWSLC, "AWS-LC doesn't support (FF)DHE")
def test_dh_params(self):
# Check we can get a connection with ephemeral Diffie-Hellman
client_context, server_context, hostname = testing_context()
@@ -4364,14 +4366,14 @@ def test_session_handling(self):
def test_psk(self):
psk = bytes.fromhex('deadbeef')
- client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+ client_context, server_context, _ = testing_context()
+
client_context.check_hostname = False
client_context.verify_mode = ssl.CERT_NONE
client_context.maximum_version = ssl.TLSVersion.TLSv1_2
client_context.set_ciphers('PSK')
client_context.set_psk_client_callback(lambda hint: (None, psk))
- server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
server_context.maximum_version = ssl.TLSVersion.TLSv1_2
server_context.set_ciphers('PSK')
server_context.set_psk_server_callback(lambda identity: psk)
@@ -4443,14 +4445,14 @@ def server_callback(identity):
self.assertEqual(identity, client_identity)
return psk
- client_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+ client_context, server_context, _ = testing_context()
+
client_context.check_hostname = False
client_context.verify_mode = ssl.CERT_NONE
client_context.minimum_version = ssl.TLSVersion.TLSv1_3
client_context.set_ciphers('PSK')
client_context.set_psk_client_callback(client_callback)
- server_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
server_context.minimum_version = ssl.TLSVersion.TLSv1_3
server_context.set_ciphers('PSK')
server_context.set_psk_server_callback(server_callback, identity_hint)
@@ -4461,7 +4463,10 @@ def server_callback(identity):
s.connect((HOST, server.port))
[email protected](has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
+ has_tls_version('TLSv1_3') and not Py_OPENSSL_IS_AWSLC,
+ "Test needs TLS 1.3; AWS-LC doesn't support PHA"
+)
class TestPostHandshakeAuth(unittest.TestCase):
def test_pha_setter(self):
protocols = [
@@ -4737,6 +4742,31 @@ def test_internal_chain_server(self):
self.assertEqual(res, b'\x02\n')
[email protected](Py_OPENSSL_IS_AWSLC, "Only test this against AWS-LC")
+class TestPostHandshakeAuthAwsLc(unittest.TestCase):
+ def test_pha(self):
+ protocols = [
+ ssl.PROTOCOL_TLS_SERVER, ssl.PROTOCOL_TLS_CLIENT
+ ]
+ for protocol in protocols:
+ client_ctx, server_ctx, hostname = testing_context()
+ client_ctx.load_cert_chain(SIGNED_CERTFILE)
+ self.assertEqual(client_ctx.post_handshake_auth, None)
+ with self.assertRaises(AttributeError):
+ client_ctx.post_handshake_auth = True
+ with self.assertRaises(AttributeError):
+ server_ctx.post_handshake_auth = True
+
+ with ThreadedEchoServer(context=server_ctx) as server:
+ with client_ctx.wrap_socket(
+ socket.socket(),
+ server_hostname=hostname
+ ) as ssock:
+ ssock.connect((HOST, server.port))
+ with self.assertRaises(NotImplementedError):
+ ssock.verify_client_post_handshake()
+
+
HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
requires_keylog = unittest.skipUnless(
HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')
diff --git a/Modules/Setup b/Modules/Setup
index cd1cf24..53bcc4c 100644
--- a/Modules/Setup
+++ b/Modules/Setup
@@ -208,11 +208,11 @@ PYTHONPATH=$(COREPYTHONPATH)
#_hashlib _hashopenssl.c $(OPENSSL_INCLUDES) $(OPENSSL_LDFLAGS) -lcrypto
# To statically link OpenSSL:
-# _ssl _ssl.c $(OPENSSL_INCLUDES) $(OPENSSL_LDFLAGS) \
-# -l:libssl.a -Wl,--exclude-libs,libssl.a \
-# -l:libcrypto.a -Wl,--exclude-libs,libcrypto.a
-# _hashlib _hashopenssl.c $(OPENSSL_INCLUDES) $(OPENSSL_LDFLAGS) \
-# -l:libcrypto.a -Wl,--exclude-libs,libcrypto.a
+_ssl _ssl.c $(OPENSSL_INCLUDES) $(OPENSSL_LDFLAGS) \
+ -l:libssl.a -Wl,--exclude-libs,libssl.a \
+ -l:libcrypto.a -Wl,--exclude-libs,libcrypto.a
+_hashlib _hashopenssl.c $(OPENSSL_INCLUDES) $(OPENSSL_LDFLAGS) \
+ -l:libcrypto.a -Wl,--exclude-libs,libcrypto.a
# The _tkinter module.
#