aws · WillChilds-Klein · Apr 4, 2024 · Mar 26, 2024 · Apr 1, 2024
@@ -66,7 +66,7 @@ index b5c78a5..41235c1 100644
                  client = self.imap_class(*server.server_address,
                                           ssl_context=ssl_context)
 diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
-index a1a581a..c69e711 100644
+index a1a581a..6f42437 100644
 --- a/Lib/test/test_ssl.py
 +++ b/Lib/test/test_ssl.py
 @@ -44,6 +44,7 @@
@@ -253,19 +253,16 @@ index a1a581a..c69e711 100644
 
      def test_version_basic(self):
          """
-@@ -4004,7 +4016,10 @@ def test_min_max_version_mismatch(self):
+@@ -4004,7 +4016,7 @@ def test_min_max_version_mismatch(self):
                                              server_hostname=hostname) as s:
                  with self.assertRaises(ssl.SSLError) as e:
                      s.connect((HOST, server.port))
 -                self.assertIn("alert", str(e.exception))
-+                self.assertTrue(
-+                    "alert"in str(e.exception)
-+                    or "ALERT"in str(e.exception)
-+                )
++                self.assertRegex(str(e.exception), "(alert|ALERT)")
 
      @requires_tls_version('SSLv3')
      def test_min_max_version_sslv3(self):
-@@ -4046,6 +4061,9 @@ def test_tls_unique_channel_binding(self):
+@@ -4046,6 +4058,9 @@ def test_tls_unique_channel_binding(self):
 
          client_context, server_context, hostname = testing_context()
 
@@ -275,15 +272,15 @@ index a1a581a..c69e711 100644
          server = ThreadedEchoServer(context=server_context,
                                      chatty=True,
                                      connectionchatty=False)
-@@ -4118,6 +4136,7 @@ def test_compression_disabled(self):
+@@ -4118,6 +4133,7 @@ def test_compression_disabled(self):
          self.assertIs(stats['compression'], None)
 
      @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
 +    @unittest.skipIf(Py_OPENSSL_IS_AWSLC, "AWS-LC doesn't support (FF)DHE")
      def test_dh_params(self):
          # Check we can get a connection with ephemeral Diffie-Hellman
          client_context, server_context, hostname = testing_context()
-@@ -4132,7 +4151,7 @@ def test_dh_params(self):
+@@ -4132,7 +4148,7 @@ def test_dh_params(self):
          cipher = stats["cipher"][0]
          parts = cipher.split("-")
          if "ADH" not in parts and "EDH" not in parts and "DHE" not in parts:
@@ -292,7 +289,7 @@ index a1a581a..c69e711 100644
 
      def test_ecdh_curve(self):
          # server secp384r1, client auto
-@@ -4299,8 +4318,10 @@ def cb_raising(ssl_sock, server_name, initial_context):
+@@ -4299,8 +4315,10 @@ def cb_raising(ssl_sock, server_name, initial_context):
                                             chatty=False,
                                             sni_name='supermessage')
 
@@ -305,7 +302,7 @@ index a1a581a..c69e711 100644
              self.assertEqual(catch.unraisable.exc_type, ZeroDivisionError)
 
      def test_sni_callback_wrong_return_type(self):
-@@ -4476,7 +4497,10 @@ def test_session_handling(self):
+@@ -4476,7 +4494,10 @@ def test_session_handling(self):
                                   'Session refers to a different SSLContext.')
 
 
@@ -317,7 +314,7 @@ index a1a581a..c69e711 100644
  class TestPostHandshakeAuth(unittest.TestCase):
      def test_pha_setter(self):
          protocols = [
-@@ -4752,6 +4776,31 @@ def test_internal_chain_server(self):
+@@ -4752,6 +4773,31 @@ def test_internal_chain_server(self):
                  self.assertEqual(res, b'\x02\n')
 
 
@@ -350,7 +347,7 @@ index a1a581a..c69e711 100644
  requires_keylog = unittest.skipUnless(
      HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')
 diff --git a/Modules/Setup b/Modules/Setup
-index 87c6a15..f67d7ec 100644
+index 87c6a15..1a7257c 100644
 --- a/Modules/Setup
 +++ b/Modules/Setup
 @@ -208,8 +208,8 @@ _symtable symtablemodule.c
@@ -403,7 +400,7 @@ index 35addf4..77a12c6 100644
  };
 
 diff --git a/Modules/_ssl.c b/Modules/_ssl.c
-index 7a28f2d..b0d2ea1 100644
+index e637830..dc99dd8 100644
 --- a/Modules/_ssl.c
 +++ b/Modules/_ssl.c
 @@ -181,6 +181,12 @@ extern const SSL_METHOD *TLSv1_2_method(void);
@@ -454,7 +451,7 @@ index 7a28f2d..b0d2ea1 100644
      if (ret < 1)
          return PySSL_SetError(self, ret, __FILE__, __LINE__);
      if (PySSL_ChainExceptions(self) < 0)
-@@ -2771,7 +2783,7 @@ static PyObject *
+@@ -2771,7 +2778,7 @@ static PyObject *
  _ssl__SSLSocket_verify_client_post_handshake_impl(PySSLSocket *self)
  /*[clinic end generated code: output=532147f3b1341425 input=6bfa874810a3d889]*/
  {
@@ -463,7 +460,7 @@ index 7a28f2d..b0d2ea1 100644
      int err = SSL_verify_client_post_handshake(self->ssl);
      if (err == 0)
          return _setSSLError(get_state_sock(self), NULL, 0, __FILE__, __LINE__);
-@@ -3199,7 +3211,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
+@@ -3199,7 +3206,7 @@ _ssl__SSLContext_impl(PyTypeObject *type, int proto_version)
      X509_VERIFY_PARAM_set_flags(params, X509_V_FLAG_TRUSTED_FIRST);
      X509_VERIFY_PARAM_set_hostflags(params, self->hostflags);
 
@@ -472,7 +469,7 @@ index 7a28f2d..b0d2ea1 100644
      self->post_handshake_auth = 0;
      SSL_CTX_set_post_handshake_auth(self->ctx, self->post_handshake_auth);
  #endif
-@@ -3573,7 +3585,7 @@ set_maximum_version(PySSLContext *self, PyObject *arg, void *c)
+@@ -3573,7 +3580,7 @@ set_maximum_version(PySSLContext *self, PyObject *arg, void *c)
      return set_min_max_proto_version(self, arg, 1);
  }
 
@@ -481,7 +478,7 @@ index 7a28f2d..b0d2ea1 100644
  static PyObject *
  get_num_tickets(PySSLContext *self, void *c)
  {
-@@ -3604,7 +3616,7 @@ set_num_tickets(PySSLContext *self, PyObject *arg, void *c)
+@@ -3604,7 +3611,7 @@ set_num_tickets(PySSLContext *self, PyObject *arg, void *c)
 
  PyDoc_STRVAR(PySSLContext_num_tickets_doc,
  "Control the number of TLSv1.3 session tickets");
@@ -490,7 +487,7 @@ index 7a28f2d..b0d2ea1 100644
 
  static PyObject *
  get_security_level(PySSLContext *self, void *c)
-@@ -3694,14 +3706,14 @@ set_check_hostname(PySSLContext *self, PyObject *arg, void *c)
+@@ -3694,14 +3701,14 @@ set_check_hostname(PySSLContext *self, PyObject *arg, void *c)
 
  static PyObject *
  get_post_handshake_auth(PySSLContext *self, void *c) {
@@ -507,7 +504,7 @@ index 7a28f2d..b0d2ea1 100644
  static int
  set_post_handshake_auth(PySSLContext *self, PyObject *arg, void *c) {
      if (arg == NULL) {
-@@ -4651,14 +4663,14 @@ static PyGetSetDef context_getsetlist[] = {
+@@ -4706,14 +4713,14 @@ static PyGetSetDef context_getsetlist[] = {
                        (setter) _PySSLContext_set_msg_callback, NULL},
      {"sni_callback", (getter) get_sni_callback,
                       (setter) set_sni_callback, PySSLContext_sni_callback_doc},

@@ -32,18 +32,6 @@ index f3960be..ffd360b 100644
      def seclevel_workaround(*ctxs):
          """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
          for ctx in ctxs:
-@@ -3822,7 +3823,10 @@ def test_min_max_version_mismatch(self):
-                                             server_hostname=hostname) as s:
-                 with self.assertRaises(ssl.SSLError) as e:
-                     s.connect((HOST, server.port))
--                self.assertRegex("(alert|ALERT)", str(e.exception))
-+                self.assertTrue(
-+                    "alert"in str(e.exception)
-+                    or "ALERT"in str(e.exception)
-+                )
-
-     @requires_tls_version('SSLv3')
-     def test_min_max_version_sslv3(self):
 @@ -3954,6 +3958,7 @@ def test_no_legacy_server_connect(self):
                                     sni_name=hostname)
 

@@ -32,18 +32,6 @@ index 3fa806d..0983212 100644
      def seclevel_workaround(*ctxs):
          """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
          for ctx in ctxs:
-@@ -3865,7 +3866,10 @@ def test_min_max_version_mismatch(self):
-                                             server_hostname=hostname) as s:
-                 with self.assertRaises(ssl.SSLError) as e:
-                     s.connect((HOST, server.port))
--                self.assertRegex("(alert|ALERT)", str(e.exception))
-+                self.assertTrue(
-+                    "alert"in str(e.exception)
-+                    or "ALERT"in str(e.exception)
-+                )
-
-     @requires_tls_version('SSLv3')
-     def test_min_max_version_sslv3(self):
 @@ -3997,6 +4001,7 @@ def test_no_legacy_server_connect(self):
                                     sni_name=hostname)