Alias OpenSSL SECLEVEL directives to ALL

WillChilds-Klein · WillChilds-Klein · commit 498c740391a0 · 2024-12-18T15:06:04.000Z
diff --git a/ssl/ssl_cipher.cc b/ssl/ssl_cipher.cc
@@ -1187,13 +1187,16 @@ static bool ssl_cipher_process_rulestr(const char *rule_str,
 
     // Ok, we have the rule, now apply it.
     if (rule == CIPHER_SPECIAL) {
-      if (buf_len != 8 || strncmp(buf, "STRENGTH", 8) != 0) {
+      if (buf_len == 8 && strncmp(buf, "STRENGTH", 8) != 0) {
+        if (!ssl_cipher_strength_sort(head_p, tail_p)) {
+          return false;
+        }
+      } else if (!strict && buf_len == 8 && strncmp(buf, "SECLEVEL", 8) != 0) {
+        // pass
+      } else {
         OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_COMMAND);
         return false;
       }
-      if (!ssl_cipher_strength_sort(head_p, tail_p)) {
-        return false;
-      }
 
       // We do not support any "multi" options together with "@", so throw away
       // the rest of the command, if any left, until end or ':' is found.
@@ -1219,6 +1222,10 @@ static const char *kKnownKeywordFilterRulesMappingToDefault[] = {
   "DEFAULT",
   "FIPS",
   "HIGH",
+  "SECLEVEL=0",
+  "SECLEVEL=1",
+  "SECLEVEL=2",
+  "SECLEVEL=3",
 };
 
 static bool is_known_default_alias_keyword_filter_rule(const char *rule,
diff --git a/tests/ci/integration/python_patch/main/aws-lc-cpython.patch b/tests/ci/integration/python_patch/main/aws-lc-cpython.patch
@@ -1,42 +1,12 @@
-diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
-index 6e63a88..7dc83d7 100644
---- a/Lib/test/test_httplib.py
-+++ b/Lib/test/test_httplib.py
-@@ -2066,7 +2066,7 @@ def test_host_port(self):
- 
-     def test_tls13_pha(self):
-         import ssl
--        if not ssl.HAS_TLSv1_3:
-+        if not ssl.HAS_TLSv1_3 or "AWS-LC" in ssl.OPENSSL_VERSION:
-             self.skipTest('TLS 1.3 support required')
-         # just check status of PHA flag
-         h = client.HTTPSConnection('localhost', 443)
 diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
 index 0e50d09..f4b7b3c 100644
 --- a/Lib/test/test_ssl.py
 +++ b/Lib/test/test_ssl.py
-@@ -41,6 +41,7 @@
- from ssl import Purpose, TLSVersion, _TLSContentType, _TLSMessageType, _TLSAlertType
- 
- Py_DEBUG_WIN32 = support.Py_DEBUG and sys.platform == 'win32'
-+Py_OPENSSL_IS_AWSLC = "AWS-LC" in ssl.OPENSSL_VERSION
- 
- PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
- HOST = socket_helper.HOST
-@@ -174,7 +175,7 @@ def is_ubuntu():
-     except FileNotFoundError:
-         return False
- 
--if is_ubuntu():
-+if is_ubuntu() and not Py_OPENSSL_IS_AWSLC:
-     def seclevel_workaround(*ctxs):
-         """"Lower security level to '1' and allow all ciphers for TLS 1.0/1"""
-         for ctx in ctxs:
-@@ -4001,6 +4002,7 @@ def test_no_legacy_server_connect(self):
+@@ -4034,6 +4034,7 @@ def test_no_legacy_server_connect(self):
                                     sni_name=hostname)
- 
+
      @unittest.skipIf(Py_DEBUG_WIN32, "Avoid mixing debug/release CRT on Windows")
-+    @unittest.skipIf(Py_OPENSSL_IS_AWSLC, "AWS-LC doesn't support (FF)DHE")
++    @unittest.skipIf("AWS-LC" in ssl.OPENSSL_VERSION, "AWS-LC doesn't support")
      def test_dh_params(self):
          # Check we can get a connection with ephemeral Diffie-Hellman
          client_context, server_context, hostname = testing_context()
@@ -74,50 +44,6 @@ index 0e50d09..f4b7b3c 100644
          server_context.minimum_version = ssl.TLSVersion.TLSv1_3
          server_context.set_ciphers('PSK')
          server_context.set_psk_server_callback(server_callback, identity_hint)
-@@ -4461,7 +4463,10 @@ def server_callback(identity):
-                 s.connect((HOST, server.port))
- 
- 
--@unittest.skipUnless(has_tls_version('TLSv1_3'), "Test needs TLS 1.3")
-+@unittest.skipUnless(
-+    has_tls_version('TLSv1_3') and not Py_OPENSSL_IS_AWSLC,
-+    "Test needs TLS 1.3; AWS-LC doesn't support PHA"
-+)
- class TestPostHandshakeAuth(unittest.TestCase):
-     def test_pha_setter(self):
-         protocols = [
-@@ -4737,6 +4742,31 @@ def test_internal_chain_server(self):
-                 self.assertEqual(res, b'\x02\n')
- 
- 
-+@unittest.skipUnless(Py_OPENSSL_IS_AWSLC, "Only test this against AWS-LC")
-+class TestPostHandshakeAuthAwsLc(unittest.TestCase):
-+    def test_pha(self):
-+        protocols = [
-+            ssl.PROTOCOL_TLS_SERVER, ssl.PROTOCOL_TLS_CLIENT
-+        ]
-+        for protocol in protocols:
-+            client_ctx, server_ctx, hostname = testing_context()
-+            client_ctx.load_cert_chain(SIGNED_CERTFILE)
-+            self.assertEqual(client_ctx.post_handshake_auth, None)
-+            with self.assertRaises(AttributeError):
-+                client_ctx.post_handshake_auth = True
-+            with self.assertRaises(AttributeError):
-+                server_ctx.post_handshake_auth = True
-+
-+            with ThreadedEchoServer(context=server_ctx) as server:
-+                with client_ctx.wrap_socket(
-+                    socket.socket(),
-+                    server_hostname=hostname
-+                ) as ssock:
-+                    ssock.connect((HOST, server.port))
-+                    with self.assertRaises(NotImplementedError):
-+                        ssock.verify_client_post_handshake()
-+
-+
- HAS_KEYLOG = hasattr(ssl.SSLContext, 'keylog_filename')
- requires_keylog = unittest.skipUnless(
-     HAS_KEYLOG, 'test requires OpenSSL 1.1.1 with keylog callback')
 diff --git a/Modules/Setup b/Modules/Setup
 index cd1cf24..53bcc4c 100644
 --- a/Modules/Setup
diff --git a/tests/ci/integration/run_python_integration.sh b/tests/ci/integration/run_python_integration.sh
@@ -184,9 +184,9 @@ function python_patch() {
         echo "No patch for ${branch}!"
         exit 1
     fi
-    git clone https://github.com/python/cpython.git ${src_dir} \
+    git clone https://github.com/WillChilds-Klein/cpython.git ${src_dir} \
         --depth 1 \
-        --branch ${branch}
+        --branch ssl-add-has-pha-property
     for patchfile in $(find -L ${patch_dir} -type f -name '*.patch'); do
       echo "Apply patch ${patchfile}..."
       cat ${patchfile} \
