From d3980b3c2714ba0675c1dc6e79a891605a595852 Mon Sep 17 00:00:00 2001
From: Eric Blankenhorn
Date: Fri, 26 Jun 2026 13:43:54 -0500
Subject: [PATCH] Fix to match OpenSSL test behavior
---
 Python/wolfssl-python-3.12.11.patch | 28 +++++++++++++++-------------
 Python/wolfssl-python-3.13.4.patch | 28 +++++++++++++++-------------
 Python/wolfssl-python-3.13.7.patch | 28 +++++++++++++++-------------
 3 files changed, 45 insertions(+), 39 deletions(-)
diff --git a/Python/wolfssl-python-3.12.11.patch b/Python/wolfssl-python-3.12.11.patch
index fe9b65eb..914f266f 100644
--- a/Python/wolfssl-python-3.12.11.patch
+++ b/Python/wolfssl-python-3.12.11.patch
@@ -454,20 +454,22 @@ index b13e37d0cd1..6ca981aac04 100644 (('DNS', 'projects.developer.nokia.com'), ('DNS', 'projects.forum.nokia.com')) ) -@@ -453,6 +468,13 @@ def test_parse_cert_CVE_2019_5010(self): - ) - - def test_parse_cert_CVE_2013_4238(self): +@@ -465,7 +480,14 @@ def test_parse_cert_CVE_2013_4238(self): + (('emailAddress', 'python-dev@python.org'),)) + self.assertEqual(p['subject'], subject) + self.assertEqual(p['issuer'], subject) +- if ssl._OPENSSL_API_VERSION >= (0, 9, 8): + if ssl.IS_WOLFSSL: -+ # wolfSSL rejects NUL bytes in dNSName/rfc822Name/URI SAN entries -+ # during ASN.1 decoding (RFC 5280 4.2.1.6); the cert fails to parse -+ # rather than returning entries with the embedded NULs intact. -+ self.assertRaises(ssl.SSLError, -+ ssl._ssl._test_decode_cert, NULLBYTECERT) -+ return - p = ssl._ssl._test_decode_cert(NULLBYTECERT) - if support.verbose: - sys.stdout.write("\n" + pprint.pformat(p) + "\n") ++ # wolfSSL preserves the embedded NULs and lists SAN entries in a different order. ++ san = (('IP Address', '2001:DB8:0:0:0:0:0:1'), ++ ('IP Address', '192.0.2.1'), ++ ('URI', 'http://null.python.org\x00http://example.org'), ++ ('DNS', 'altnull.python.org\x00example.com'), ++ ('email', 'null@python.org\x00user@example.org')) ++ elif ssl._OPENSSL_API_VERSION >= (0, 9, 8): + san = (('DNS', 'altnull.python.org\x00example.com'), + ('email', 'null@python.org\x00user@example.org'), + ('URI', 'http://null.python.org\x00http://example.org'), @@ -483,7 +505,29 @@ def test_parse_cert_CVE_2013_4238(self): def test_parse_all_sans(self): diff --git a/Python/wolfssl-python-3.13.4.patch b/Python/wolfssl-python-3.13.4.patch index c0608d36..1d1de5ae 100644 --- a/Python/wolfssl-python-3.13.4.patch +++ b/Python/wolfssl-python-3.13.4.patch 
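Review bot: The new `if ssl.IS_WOLFSSL:` branch pins a SAN tuple that differs from the OpenSSL one only in element order, so the test now encodes wolfSSL's SAN enumeration order as a requirement even though the property this test guards (CVE-2013-4238: a name containing an embedded NUL is returned intact rather than truncated at the NUL) does not depend on order. If the comparison below the hunk is the upstream `self.assertEqual(p['subjectAltName'], san)`, a later change in wolfSSL's enumeration order would fail the test without any regression in NUL handling, whereas an order-insensitive check such as `self.assertEqual(sorted(p['subjectAltName']), sorted(san))` would still verify every entry byte-for-byte and would let both backends share one expected tuple instead of the duplicated branch. The comment on the new branch should also state what is actually being checked rather than only the difference, e.g. `# wolfSSL, like OpenSSL >= 0.9.8, returns the NUL-containing names verbatim (the CVE-2013-4238 check); only the SAN enumeration order differs.` The same change, with the same ordering concern, appears in the 3.13.4 and 3.13.7 patch hunks below. The enclosing test_parse_cert_CVE_2013_4238 starts and ends outside this hunk.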
@@ -454,20 +454,22 @@ index dfd5d2a..0658973 100644 # extra OCSP and AIA fields self.assertEqual(p['OCSP'], ('http://ocsp.verisign.com',)) self.assertEqual(p['caIssuers'], -@@ -475,6 +489,13 @@ def test_parse_cert_CVE_2019_5010(self): - ) - - def test_parse_cert_CVE_2013_4238(self): +@@ -487,7 +501,14 @@ class BasicSocketTests(unittest.TestCase): + (('emailAddress', 'python-dev@python.org'),)) + self.assertEqual(p['subject'], subject) + self.assertEqual(p['issuer'], subject) +- if ssl._OPENSSL_API_VERSION >= (0, 9, 8): + if ssl.IS_WOLFSSL: -+ # wolfSSL rejects NUL bytes in dNSName/rfc822Name/URI SAN entries -+ # during ASN.1 decoding (RFC 5280 4.2.1.6); the cert fails to parse -+ # rather than returning entries with the embedded NULs intact. -+ self.assertRaises(ssl.SSLError, -+ ssl._ssl._test_decode_cert, NULLBYTECERT) -+ return - p = ssl._ssl._test_decode_cert(NULLBYTECERT) - if support.verbose: - sys.stdout.write("\n" + pprint.pformat(p) + "\n") ++ # wolfSSL preserves the embedded NULs and lists SAN entries in a different order. ++ san = (('IP Address', '2001:DB8:0:0:0:0:0:1'), ++ ('IP Address', '192.0.2.1'), ++ ('URI', 'http://null.python.org\x00http://example.org'), ++ ('DNS', 'altnull.python.org\x00example.com'), ++ ('email', 'null@python.org\x00user@example.org')) ++ elif ssl._OPENSSL_API_VERSION >= (0, 9, 8): + san = (('DNS', 'altnull.python.org\x00example.com'), + ('email', 'null@python.org\x00user@example.org'), + ('URI', 'http://null.python.org\x00http://example.org'), @@ -505,23 +526,45 @@ def test_parse_cert_CVE_2013_4238(self): def test_parse_all_sans(self): diff --git a/Python/wolfssl-python-3.13.7.patch b/Python/wolfssl-python-3.13.7.patch index 61376239..3656d82b 100644 --- a/Python/wolfssl-python-3.13.7.patch +++ b/Python/wolfssl-python-3.13.7.patch 
@@ -454,20 +454,22 @@ index 37766288a3c..ab4b915b75d 100644 # extra OCSP and AIA fields self.assertEqual(p['OCSP'], ('http://ocsp.verisign.com',)) self.assertEqual(p['caIssuers'], -@@ -476,6 +490,13 @@ def test_parse_cert_CVE_2019_5010(self): - ) - - def test_parse_cert_CVE_2013_4238(self): +@@ -488,7 +502,14 @@ class BasicSocketTests(unittest.TestCase): + (('emailAddress', 'python-dev@python.org'),)) + self.assertEqual(p['subject'], subject) + self.assertEqual(p['issuer'], subject) +- if ssl._OPENSSL_API_VERSION >= (0, 9, 8): + if ssl.IS_WOLFSSL: -+ # wolfSSL rejects NUL bytes in dNSName/rfc822Name/URI SAN entries -+ # during ASN.1 decoding (RFC 5280 4.2.1.6); the cert fails to parse -+ # rather than returning entries with the embedded NULs intact. -+ self.assertRaises(ssl.SSLError, -+ ssl._ssl._test_decode_cert, NULLBYTECERT) -+ return - p = ssl._ssl._test_decode_cert(NULLBYTECERT) - if support.verbose: - sys.stdout.write("\n" + pprint.pformat(p) + "\n") ++ # wolfSSL preserves the embedded NULs and lists SAN entries in a different order. ++ san = (('IP Address', '2001:DB8:0:0:0:0:0:1'), ++ ('IP Address', '192.0.2.1'), ++ ('URI', 'http://null.python.org\x00http://example.org'), ++ ('DNS', 'altnull.python.org\x00example.com'), ++ ('email', 'null@python.org\x00user@example.org')) ++ elif ssl._OPENSSL_API_VERSION >= (0, 9, 8): + san = (('DNS', 'altnull.python.org\x00example.com'), + ('email', 'null@python.org\x00user@example.org'), + ('URI', 'http://null.python.org\x00http://example.org'), @@ -506,23 +527,45 @@ def test_parse_cert_CVE_2013_4238(self): def test_parse_all_sans(self):