Change-Id: I7969f36edbd03a567b17b93b83fde4e7dbf8c757
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1357
Reviewed-by: Divya Thaluru <dthaluru@vmware.com>
Tested-by: Divya Thaluru <dthaluru@vmware.com>
(cherry picked from commit bb1e868974dc4c7318c2584b3662bca25d2fdb4b)
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/1379
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,56 @@ |
0 |
+--- a/Lib/ssl.py |
|
1 |
+@@ -137,6 +137,11 @@ from socket import socket, AF_INET, SOCK_STREAM, create_connection |
|
2 |
+ from socket import SOL_SOCKET, SO_TYPE |
|
3 |
+ import base64 # for DER-to-PEM translation |
|
4 |
+ import errno |
|
5 |
++try: |
|
6 |
++ from ipaddr import IPAddress |
|
7 |
++except ImportError: |
|
8 |
++ # ipaddr is missing. Make ip address cert match functionality to behave as before. |
|
9 |
++ def IPAddress(*_args): raise ValueError("Not supported") |
|
10 |
+ |
|
11 |
+ if _ssl.HAS_TLS_UNIQUE: |
|
12 |
+ CHANNEL_BINDING_TYPES = ['tls-unique'] |
|
13 |
+@@ -232,7 +237,15 @@ def _dnsname_match(dn, hostname, max_wildcards=1): |
|
14 |
+ pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE) |
|
15 |
+ return pat.match(hostname) |
|
16 |
+ |
|
17 |
++def _ipaddress_match(ipname, host_ip): |
|
18 |
++ """Exact matching of IP addresses. |
|
19 |
+ |
|
20 |
++ RFC 6125 explicitly doesn't define an algorithm for this |
|
21 |
++ (section 1.7.2 - "Out of Scope"). |
|
22 |
++ """ |
|
23 |
++ # OpenSSL may add a trailing newline to a subjectAltName's IP address |
|
24 |
++ ip = IPAddress(ipname.rstrip()) |
|
25 |
++ return ip == host_ip |
|
26 |
+ def match_hostname(cert, hostname): |
|
27 |
+ """Verify that *cert* (in decoded format as returned by |
|
28 |
+ SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 |
|
29 |
+@@ -245,13 +258,24 @@ def match_hostname(cert, hostname): |
|
30 |
+ raise ValueError("empty or no certificate, match_hostname needs a " |
|
31 |
+ "SSL socket or SSL context with either " |
|
32 |
+ "CERT_OPTIONAL or CERT_REQUIRED") |
|
33 |
++ |
|
34 |
++ try: |
|
35 |
++ host_ip = IPAddress(hostname) |
|
36 |
++ except ValueError: |
|
37 |
++ # Not an IP address (common case) |
|
38 |
++ host_ip = None |
|
39 |
++ |
|
40 |
+ dnsnames = [] |
|
41 |
+ san = cert.get('subjectAltName', ()) |
|
42 |
+ for key, value in san: |
|
43 |
+ if key == 'DNS': |
|
44 |
+- if _dnsname_match(value, hostname): |
|
45 |
++ if host_ip is None and _dnsname_match(value, hostname): |
|
46 |
+ return |
|
47 |
+ dnsnames.append(value) |
|
48 |
++ elif key == 'IP Address': |
|
49 |
++ if host_ip is not None and _ipaddress_match(value, host_ip): |
|
50 |
++ return |
|
51 |
++ dnsnames.append(value) |
|
52 |
+ if not dnsnames: |
|
53 |
+ # The subject is only checked when there is no dNSName entry |
|
54 |
+ # in subjectAltName |
... | ... |
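Review bot: The `except ImportError` fallback at the top of the patch turns the new IP-address matching into a silent no-op: because the stub `IPAddress` always raises ValueError, `host_ip` in `match_hostname` is always None, so an IP-literal hostname is still compared against dNSName entries (and, per the comment at the end of the hunk, presumably the subject CN) exactly as before, and nothing reports that the check the changelog promises was skipped. The spec hunks in view add Patch2 and build dependencies but no `Requires:` on an ipaddr package; if one is not present elsewhere in the spec, add it, or at least make the degradation visible in the except branch with `import warnings` and `warnings.warn("ipaddr not available; IP address subjectAltName entries will not be matched")`. Separately, `_ipaddress_match` passes the certificate-supplied string straight to `IPAddress`, so a malformed `IP Address` SAN entry raises ValueError out of `match_hostname` instead of returning False; that fails closed, but callers that only catch CertificateError will see a different exception, so either document it in the docstring or wrap the call in `try: ... except ValueError: return False`. The rest of `match_hostname` (the CN fallback and the final CertificateError) lies outside the hunk.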
@@ -1,7 +1,7 @@ |
1 | 1 |
Summary: A high-level scripting language |
2 | 2 |
Name: python2 |
3 | 3 |
Version: 2.7.11 |
4 |
-Release: 5%{?dist} |
|
4 |
+Release: 6%{?dist} |
|
5 | 5 |
License: PSF |
6 | 6 |
URL: http://www.python.org/ |
7 | 7 |
Group: System Environment/Programming |
... | ... |
@@ -11,6 +11,7 @@ Source0: http://www.python.org/ftp/python/2.7.11/Python-%{version}.tar.xz |
11 | 11 |
%define sha1 Python=c3b8bbe3f084c4d4ea13ffb03d75a5e22f9756ff |
12 | 12 |
Patch0: cgi.patch |
13 | 13 |
Patch1: added-compiler-flags-for-curses-module.patch |
14 |
+Patch2: added-pyopenssl-ipaddress-certificate-validation.patch |
|
14 | 15 |
BuildRequires: pkg-config >= 0.28 |
15 | 16 |
BuildRequires: bzip2-devel |
16 | 17 |
BuildRequires: openssl-devel |
... | ... |
@@ -99,6 +100,7 @@ to build python programs. |
99 | 99 |
%setup -q -n Python-%{version} |
100 | 100 |
%patch0 -p1 |
101 | 101 |
%patch1 -p1 |
102 |
+%patch2 -p1 |
|
102 | 103 |
%build |
103 | 104 |
export OPT="${CFLAGS}" |
104 | 105 |
./configure \ |
... | ... |
@@ -215,30 +217,32 @@ rm -rf %{buildroot}/* |
215 | 215 |
%{_bindir}/idle* |
216 | 216 |
|
217 | 217 |
%changelog |
218 |
-* Mon Jun 20 2016 Divya Thaluru <dthaluru@vmware.com> 2.7.11-5 |
|
219 |
-- Added stack-protector flag for ncurses module |
|
220 |
-* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.7.11-4 |
|
221 |
-- GA - Bump release of all rpms |
|
222 |
-* Tue Apr 26 2016 Nick Shi <nshi@vmware.com> 2.7.11-3 |
|
223 |
-- Adding readline module into python2-libs |
|
218 |
+* Wed Sep 7 2016 Divya Thaluru <dthaluru@vmware.com> 2.7.11-6 |
|
219 |
+- Added patch to python openssl to validate certificates by ipaddress |
|
220 |
+* Mon Jun 20 2016 Divya Thaluru <dthaluru@vmware.com> 2.7.11-5 |
|
221 |
+- Added stack-protector flag for ncurses module |
|
222 |
+* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.7.11-4 |
|
223 |
+- GA - Bump release of all rpms |
|
224 |
+* Tue Apr 26 2016 Nick Shi <nshi@vmware.com> 2.7.11-3 |
|
225 |
+- Adding readline module into python2-libs |
|
224 | 226 |
|
225 |
-* Wed Apr 13 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.7.11-2 |
|
226 |
-- update python to require python-libs |
|
227 |
+* Wed Apr 13 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.7.11-2 |
|
228 |
+- update python to require python-libs |
|
227 | 229 |
|
228 |
-* Thu Jan 28 2016 Anish Swaminathan <anishs@vmware.com> 2.7.11-1 |
|
229 |
-- Upgrade version |
|
230 |
+* Thu Jan 28 2016 Anish Swaminathan <anishs@vmware.com> 2.7.11-1 |
|
231 |
+- Upgrade version |
|
230 | 232 |
|
231 |
-* Fri Jan 22 2016 Divya Thaluru <dthaluru@vmware.com> 2.7.9-5 |
|
232 |
-- Seperate python-curses package from python-libs package |
|
233 |
+* Fri Jan 22 2016 Divya Thaluru <dthaluru@vmware.com> 2.7.9-5 |
|
234 |
+- Seperate python-curses package from python-libs package |
|
233 | 235 |
|
234 |
-* Thu Oct 29 2015 Mahmoud Bassiouny <mbassiouny@vmware.com> 2.7.9-4 |
|
235 |
-- Seperate python-xml package from python-libs package |
|
236 |
+* Thu Oct 29 2015 Mahmoud Bassiouny <mbassiouny@vmware.com> 2.7.9-4 |
|
237 |
+- Seperate python-xml package from python-libs package |
|
236 | 238 |
|
237 |
-* Fri Jun 19 2015 Alexey Makhalov <amakhalov@vmware.com> 2.7.9-3 |
|
238 |
-- Provide /bin/python |
|
239 |
+* Fri Jun 19 2015 Alexey Makhalov <amakhalov@vmware.com> 2.7.9-3 |
|
240 |
+- Provide /bin/python |
|
239 | 241 |
|
240 |
-* Wed Jun 3 2015 Divya Thaluru <dthaluru@vmware.com> 2.7.9-2 |
|
241 |
-- Adding coreutils package to run time required package |
|
242 |
+* Wed Jun 3 2015 Divya Thaluru <dthaluru@vmware.com> 2.7.9-2 |
|
243 |
+- Adding coreutils package to run time required package |
|
242 | 244 |
|
243 |
-* Mon Apr 6 2015 Divya Thaluru <dthaluru@vmware.com> 2.7.9-1 |
|
244 |
-- Initial build. First version |
|
245 |
+* Mon Apr 6 2015 Divya Thaluru <dthaluru@vmware.com> 2.7.9-1 |
|
246 |
+- Initial build. First version |