From 92e8e94216c40723986219be21b38ceb8bde9d5d Mon Sep 17 00:00:00 2001 From: Toshio Kuratomi Date: Oct 28 2013 19:38:40 +0000 Subject: Update patch for wildcard idna fix to apply against the 1.1.7 release --- diff --git a/setuptools-ssl-match_hostname-wildcard.patch b/setuptools-ssl-match_hostname-wildcard.patch index b20ed12..d0a1c93 100644 --- a/setuptools-ssl-match_hostname-wildcard.patch +++ b/setuptools-ssl-match_hostname-wildcard.patch @@ -1,7 +1,8 @@ -diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py ---- b/setuptools/ssl_support.py -+++ b/setuptools/ssl_support.py -@@ -85,26 +85,75 @@ +Index: setuptools-1.1.7/setuptools/ssl_support.py +=================================================================== +--- setuptools-1.1.7.orig/setuptools/ssl_support.py ++++ setuptools-1.1.7/setuptools/ssl_support.py +@@ -85,28 +85,69 @@ except ImportError: try: from ssl import CertificateError, match_hostname except ImportError: @@ -16,7 +17,7 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py class CertificateError(ValueError): pass -- def _dnsname_to_pat(dn): +- def _dnsname_to_pat(dn, max_wildcards=1): +if not match_hostname: + def _dnsname_match(dn, hostname, max_wildcards=1): + """Matching according to RFC 6125, section 6.4.3 @@ -25,6 +26,13 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py + """ pats = [] - for frag in dn.split(r'.'): +- if frag.count('*') > max_wildcards: +- # Issue #17980: avoid denials of service by refusing more +- # than one wildcard per fragment. A survery of established +- # policy among SSL implementations showed it to be a +- # reasonable choice. +- raise CertificateError( +- "too many wildcards in certificate DNS name: " + repr(dn)) - if frag == '*': - # When '*' is a fragment by itself, it matches a non-empty dotless - # fragment. 
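Review bot: The new side of the hunk at `@@ -25,6 +26,13 @@` makes the patch delete the `frag.count('*') > max_wildcards` guard (Issue #17980) from 1.1.7's `_dnsname_to_pat`, while the body of the added `_dnsname_match(dn, hostname, max_wildcards=1)` that is meant to replace it lies outside these hunks, so it is not visible here whether the same check is re-applied. If it is not, the updated patch drops the per-fragment wildcard limit that bounds the pattern built from `pats`, and the denial-of-service the guard was added for would be reintroduced in the patched 1.1.7. Worth confirming against the full patch that the added function still raises `CertificateError("too many wildcards in certificate DNS name: " + repr(dn))` before the `pats` loop, and recording the intent in the patch header, e.g. `Replaces _dnsname_to_pat with the RFC 6125 _dnsname_match; the Issue #17980 max_wildcards guard is kept.`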
@@ -79,18 +87,10 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py + + pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE) + return pat.match(hostname) -+ def match_hostname(cert, hostname): """Verify that *cert* (in decoded format as returned by -- SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 rules -- are mostly followed, but IP addresses are not accepted for *hostname*. -+ SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125 -+ rules are followed, but IP addresses are not accepted for *hostname*. - - CertificateError is raised on failure. On success, the function - returns nothing. -@@ -115,7 +164,7 @@ +@@ -122,7 +163,7 @@ except ImportError: san = cert.get('subjectAltName', ()) for key, value in san: if key == 'DNS': @@ -99,7 +99,7 @@ diff -u b/setuptools/ssl_support.py b/setuptools/ssl_support.py return dnsnames.append(value) if not dnsnames: -@@ -126,7 +175,7 @@ +@@ -133,7 +174,7 @@ except ImportError: # XXX according to RFC 2818, the most specific Common Name # must be used. if key == 'commonName':
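Review bot: The hunk at `@@ -79,18 +87,10 @@` removes the patch lines that replaced the `match_hostname` docstring, so the file the updated patch produces would keep `RFC 2818 rules are mostly followed` even though matching now goes through `_dnsname_match`, whose added docstring describes RFC 6125 section 6.4.3 matching. Unless 1.1.7's docstring already mentions RFC 6125 (not visible in these hunks), keep the two replacement lines in the patch: `SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125` / `rules are followed, but IP addresses are not accepted for *hostname*.`. The `match_hostname` body continues past the end of the hunk.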