Hello community,
here is the log from the commit of package python-backports.ssl_match_hostname
for openSUSE:Factory checked in at 2016-04-28 16:57:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-backports.ssl_match_hostname (Old)
and /work/SRC/openSUSE:Factory/.python-backports.ssl_match_hostname.new
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-backports.ssl_match_hostname"
Changes:
--------
---
/work/SRC/openSUSE:Factory/python-backports.ssl_match_hostname/python-backports.ssl_match_hostname.changes
2014-05-27 12:02:24.000000000 +0200
+++
/work/SRC/openSUSE:Factory/.python-backports.ssl_match_hostname.new/python-backports.ssl_match_hostname.changes
2016-04-28 17:02:18.000000000 +0200
@@ -1,0 +2,5 @@
+Mon Apr 25 09:57:25 UTC 2016 - [email protected]
+
+- Update to upstream version 3.5.0.1
+
+-------------------------------------------------------------------
Old:
----
backports.ssl_match_hostname-3.4.0.2.tar.gz
New:
----
backports.ssl_match_hostname-3.5.0.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-backports.ssl_match_hostname.spec ++++++
--- /var/tmp/diff_new_pack.FcOYJT/_old 2016-04-28 17:02:20.000000000 +0200
+++ /var/tmp/diff_new_pack.FcOYJT/_new 2016-04-28 17:02:20.000000000 +0200
@@ -1,7 +1,7 @@
#
# spec file for package python-backports.ssl_match_hostname
#
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
Name: python-backports.ssl_match_hostname
-Version: 3.4.0.2
+Version: 3.5.0.1
Release: 0
Summary: The ssl.match_hostname() function from Python 3.4
License: Python-2.0
@@ -75,8 +75,8 @@
%dir %{python_sitelib}/backports/
%{python_sitelib}/backports/__init__.py*
%dir %{python_sitelib}/backports/ssl_match_hostname/
-%doc %{python_sitelib}/backports/ssl_match_hostname/LICENSE.txt
-%doc %{python_sitelib}/backports/ssl_match_hostname/README.txt
+%doc backports/ssl_match_hostname/README.txt
+%doc backports/ssl_match_hostname/LICENSE.txt
%{python_sitelib}/backports/ssl_match_hostname/__init__.py*
%{python_sitelib}/backports.ssl_match_hostname-%{version}-py*.egg-info
++++++ backports.ssl_match_hostname-3.4.0.2.tar.gz ->
backports.ssl_match_hostname-3.5.0.1.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/backports.ssl_match_hostname-3.4.0.2/MANIFEST.in
new/backports.ssl_match_hostname-3.5.0.1/MANIFEST.in
--- old/backports.ssl_match_hostname-3.4.0.2/MANIFEST.in 2013-10-27
20:21:12.000000000 +0100
+++ new/backports.ssl_match_hostname-3.5.0.1/MANIFEST.in 1970-01-01
01:00:00.000000000 +0100
@@ -1 +0,0 @@
-recursive-include src *
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/backports.ssl_match_hostname-3.4.0.2/PKG-INFO
new/backports.ssl_match_hostname-3.5.0.1/PKG-INFO
--- old/backports.ssl_match_hostname-3.4.0.2/PKG-INFO 2013-10-27
20:24:03.000000000 +0100
+++ new/backports.ssl_match_hostname-3.5.0.1/PKG-INFO 2015-12-19
23:33:16.000000000 +0100
@@ -1,13 +1,16 @@
Metadata-Version: 1.1
Name: backports.ssl_match_hostname
-Version: 3.4.0.2
-Summary: The ssl.match_hostname() function from Python 3.4
+Version: 3.5.0.1
+Summary: The ssl.match_hostname() function from Python 3.5
Home-page: http://bitbucket.org/brandon/backports.ssl_match_hostname
-Author: Brandon Craig Rhodes
-Author-email: [email protected]
-License: UNKNOWN
+Author: Toshio Kuratomi
+Author-email: [email protected]
+License: Python Software Foundation License
Description:
- The Secure Sockets layer is only actually *secure*
+ The ssl.match_hostname() function from Python 3.5
+ =================================================
+
+ The Secure Sockets Layer is only actually *secure*
if you check the hostname in the certificate returned
by the server to which you are connecting,
and verify that it matches to hostname
@@ -26,31 +29,48 @@
and then use it like this::
from backports.ssl_match_hostname import match_hostname,
CertificateError
- ...
- sslsock = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_SSLv3,
+ [...]
+ sslsock = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_SSLv23,
cert_reqs=ssl.CERT_REQUIRED,
ca_certs=...)
try:
match_hostname(sslsock.getpeercert(), hostname)
except CertificateError, ce:
...
- Note that the ``ssl`` module is only included in the Standard Library
- for Python 2.6 and later;
- users of Python 2.5 or earlier versions
- will also need to install the ``ssl`` distribution
- from the Python Package Index to use code like that shown above.
-
Brandon Craig Rhodes is merely the packager of this distribution;
- the actual code inside comes verbatim from Python 3.4.
+ the actual code inside comes from Python 3.5 with small changes for
+ portability.
+
+
+ Requirements
+ ------------
+
+ * If you want to verify hosts match with certificates via ServerAltname
+ IPAddress fields, you need to install the `ipaddress module`_.
+ backports.ssl_match_hostname will continue to work without ipaddress
but
+ will only be able to handle ServerAltName DNSName fields, not
IPAddress.
+ System packagers (Linux distributions, et al) are encouraged to add
+ this as a hard dependency in their packages.
+
+ * If you need to use this on Python versions earlier than 2.6 you will
need to
+ install the `ssl module`_. From Python 2.6 upwards ``ssl`` is
included in
+ the Python Standard Library so you do not need to install it
separately.
+
+ .. _`ipaddress module`:: https://pypi.python.org/pypi/ipaddress
+ .. _`ssl module`:: https://pypi.python.org/pypi/ssl
History
-------
+
* This function was introduced in python-3.2
* It was updated for python-3.4a1 for a CVE
(backports-ssl_match_hostname-3.4.0.1)
* It was updated from RFC2818 to RFC 6125 compliance in order to fix
another
security flaw for python-3.3.3 and python-3.4a5
(backports-ssl_match_hostname-3.4.0.2)
+ * It was updated in python-3.5 to handle IPAddresses in ServerAltName
fields
+ (something that backports.ssl_match_hostname will do if you also
install the
+ ipaddress library from pypi).
.. _RFC2818: http://tools.ietf.org/html/rfc2818.html
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/backports.ssl_match_hostname-3.4.0.2/backports/__init__.py
new/backports.ssl_match_hostname-3.5.0.1/backports/__init__.py
--- old/backports.ssl_match_hostname-3.4.0.2/backports/__init__.py
1970-01-01 01:00:00.000000000 +0100
+++ new/backports.ssl_match_hostname-3.5.0.1/backports/__init__.py
2015-12-19 23:30:28.000000000 +0100
@@ -0,0 +1,3 @@
+# This is a Python "namespace package" http://www.python.org/dev/peps/pep-0382/
+from pkgutil import extend_path
+__path__ = extend_path(__path__, __name__)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/backports.ssl_match_hostname-3.4.0.2/backports/ssl_match_hostname/LICENSE.txt
new/backports.ssl_match_hostname-3.5.0.1/backports/ssl_match_hostname/LICENSE.txt
---
old/backports.ssl_match_hostname-3.4.0.2/backports/ssl_match_hostname/LICENSE.txt
1970-01-01 01:00:00.000000000 +0100
+++
new/backports.ssl_match_hostname-3.5.0.1/backports/ssl_match_hostname/LICENSE.txt
2015-12-19 23:30:28.000000000 +0100
@@ -0,0 +1,51 @@
+Python License (Python-2.0)
+
+Python License, Version 2 (Python-2.0)
+
+PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2
+--------------------------------------------
+
+1. This LICENSE AGREEMENT is between the Python Software Foundation
+("PSF"), and the Individual or Organization ("Licensee") accessing and
+otherwise using this software ("Python") in source or binary form and
+its associated documentation.
+
+2. Subject to the terms and conditions of this License Agreement, PSF
+hereby grants Licensee a nonexclusive, royalty-free, world-wide
+license to reproduce, analyze, test, perform and/or display publicly,
+prepare derivative works, distribute, and otherwise use Python
+alone or in any derivative version, provided, however, that PSF's
+License Agreement and PSF's notice of copyright, i.e., "Copyright (c)
+2001-2013 Python Software Foundation; All Rights Reserved" are retained in
+Python alone or in any derivative version prepared by Licensee.
+
+3. In the event Licensee prepares a derivative work that is based on
+or incorporates Python or any part thereof, and wants to make
+the derivative work available to others as provided herein, then
+Licensee hereby agrees to include in any such work a brief summary of
+the changes made to Python.
+
+4. PSF is making Python available to Licensee on an "AS IS"
+basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR
+IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND
+DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS
+FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT
+INFRINGE ANY THIRD PARTY RIGHTS.
+
+5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON
+FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS
+A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON,
+OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
+
+6. This License Agreement will automatically terminate upon a material
+breach of its terms and conditions.
+
+7. Nothing in this License Agreement shall be deemed to create any
+relationship of agency, partnership, or joint venture between PSF and
+Licensee. This License Agreement does not grant permission to use PSF
+trademarks or trade name in a trademark sense to endorse or promote
+products or services of Licensee, or any third party.
+
+8. By copying, installing or otherwise using Python, Licensee
+agrees to be bound by the terms and conditions of this License
+Agreement.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/backports.ssl_match_hostname-3.4.0.2/backports/ssl_match_hostname/README.txt
new/backports.ssl_match_hostname-3.5.0.1/backports/ssl_match_hostname/README.txt
---
old/backports.ssl_match_hostname-3.4.0.2/backports/ssl_match_hostname/README.txt
1970-01-01 01:00:00.000000000 +0100
+++
new/backports.ssl_match_hostname-3.5.0.1/backports/ssl_match_hostname/README.txt
2015-12-19 23:30:28.000000000 +0100
@@ -0,0 +1,69 @@
+
+The ssl.match_hostname() function from Python 3.5
+=================================================
+
+The Secure Sockets Layer is only actually *secure*
+if you check the hostname in the certificate returned
+by the server to which you are connecting,
+and verify that it matches to hostname
+that you are trying to reach.
+
+But the matching logic, defined in `RFC2818`_,
+can be a bit tricky to implement on your own.
+So the ``ssl`` package in the Standard Library of Python 3.2
+and greater now includes a ``match_hostname()`` function
+for performing this check instead of requiring every application
+to implement the check separately.
+
+This backport brings ``match_hostname()`` to users
+of earlier versions of Python.
+Simply make this distribution a dependency of your package,
+and then use it like this::
+
+ from backports.ssl_match_hostname import match_hostname, CertificateError
+ [...]
+ sslsock = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_SSLv23,
+ cert_reqs=ssl.CERT_REQUIRED, ca_certs=...)
+ try:
+ match_hostname(sslsock.getpeercert(), hostname)
+ except CertificateError, ce:
+ ...
+
+Brandon Craig Rhodes is merely the packager of this distribution;
+the actual code inside comes from Python 3.5 with small changes for
+portability.
+
+
+Requirements
+------------
+
+* If you want to verify hosts match with certificates via ServerAltname
+ IPAddress fields, you need to install the `ipaddress module`_.
+ backports.ssl_match_hostname will continue to work without ipaddress but
+ will only be able to handle ServerAltName DNSName fields, not IPAddress.
+ System packagers (Linux distributions, et al) are encouraged to add
+ this as a hard dependency in their packages.
+
+* If you need to use this on Python versions earlier than 2.6 you will need to
+ install the `ssl module`_. From Python 2.6 upwards ``ssl`` is included in
+ the Python Standard Library so you do not need to install it separately.
+
+.. _`ipaddress module`:: https://pypi.python.org/pypi/ipaddress
+.. _`ssl module`:: https://pypi.python.org/pypi/ssl
+
+History
+-------
+
+* This function was introduced in python-3.2
+* It was updated for python-3.4a1 for a CVE
+ (backports-ssl_match_hostname-3.4.0.1)
+* It was updated from RFC2818 to RFC 6125 compliance in order to fix another
+ security flaw for python-3.3.3 and python-3.4a5
+ (backports-ssl_match_hostname-3.4.0.2)
+* It was updated in python-3.5 to handle IPAddresses in ServerAltName fields
+ (something that backports.ssl_match_hostname will do if you also install the
+ ipaddress library from pypi).
+
+
+.. _RFC2818: http://tools.ietf.org/html/rfc2818.html
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/backports.ssl_match_hostname-3.4.0.2/backports/ssl_match_hostname/__init__.py
new/backports.ssl_match_hostname-3.5.0.1/backports/ssl_match_hostname/__init__.py
---
old/backports.ssl_match_hostname-3.4.0.2/backports/ssl_match_hostname/__init__.py
1970-01-01 01:00:00.000000000 +0100
+++
new/backports.ssl_match_hostname-3.5.0.1/backports/ssl_match_hostname/__init__.py
2015-12-19 23:30:28.000000000 +0100
@@ -0,0 +1,154 @@
+"""The match_hostname() function from Python 3.3.3, essential when using
SSL."""
+
+import re
+import sys
+
+# ipaddress has been backported to 2.6+ in pypi. If it is installed on the
+# system, use it to handle IPAddress ServerAltnames (this was added in
+# python-3.5) otherwise only do DNS matching. This allows
+# backports.ssl_match_hostname to continue to be used all the way back to
+# python-2.4.
+try:
+ import ipaddress
+except ImportError:
+ ipaddress = None
+
+__version__ = '3.5.0.1'
+
+
+class CertificateError(ValueError):
+ pass
+
+
+def _dnsname_match(dn, hostname, max_wildcards=1):
+ """Matching according to RFC 6125, section 6.4.3
+
+ http://tools.ietf.org/html/rfc6125#section-6.4.3
+ """
+ pats = []
+ if not dn:
+ return False
+
+ # Ported from python3-syntax:
+ # leftmost, *remainder = dn.split(r'.')
+ parts = dn.split(r'.')
+ leftmost = parts[0]
+ remainder = parts[1:]
+
+ wildcards = leftmost.count('*')
+ if wildcards > max_wildcards:
+ # Issue #17980: avoid denials of service by refusing more
+ # than one wildcard per fragment. A survey of established
+ # policy among SSL implementations showed it to be a
+ # reasonable choice.
+ raise CertificateError(
+ "too many wildcards in certificate DNS name: " + repr(dn))
+
+ # speed up common case w/o wildcards
+ if not wildcards:
+ return dn.lower() == hostname.lower()
+
+ # RFC 6125, section 6.4.3, subitem 1.
+ # The client SHOULD NOT attempt to match a presented identifier in which
+ # the wildcard character comprises a label other than the left-most label.
+ if leftmost == '*':
+ # When '*' is a fragment by itself, it matches a non-empty dotless
+ # fragment.
+ pats.append('[^.]+')
+ elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
+ # RFC 6125, section 6.4.3, subitem 3.
+ # The client SHOULD NOT attempt to match a presented identifier
+ # where the wildcard character is embedded within an A-label or
+ # U-label of an internationalized domain name.
+ pats.append(re.escape(leftmost))
+ else:
+ # Otherwise, '*' matches any dotless string, e.g. www*
+ pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
+
+ # add the remaining fragments, ignore any wildcards
+ for frag in remainder:
+ pats.append(re.escape(frag))
+
+ pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
+ return pat.match(hostname)
+
+
+def _to_unicode(obj):
+ if isinstance(obj, str) and sys.version_info < (3,):
+ obj = unicode(obj, encoding='ascii', errors='strict')
+ return obj
+
+def _ipaddress_match(ipname, host_ip):
+ """Exact matching of IP addresses.
+
+ RFC 6125 explicitly doesn't define an algorithm for this
+ (section 1.7.2 - "Out of Scope").
+ """
+ # OpenSSL may add a trailing newline to a subjectAltName's IP address
+ # Divergence from upstream: ipaddress can't handle byte str
+ ip = ipaddress.ip_address(_to_unicode(ipname).rstrip())
+ return ip == host_ip
+
+
+def match_hostname(cert, hostname):
+ """Verify that *cert* (in decoded format as returned by
+ SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125
+ rules are followed, but IP addresses are not accepted for *hostname*.
+
+ CertificateError is raised on failure. On success, the function
+ returns nothing.
+ """
+ if not cert:
+ raise ValueError("empty or no certificate, match_hostname needs a "
+ "SSL socket or SSL context with either "
+ "CERT_OPTIONAL or CERT_REQUIRED")
+ try:
+ # Divergence from upstream: ipaddress can't handle byte str
+ host_ip = ipaddress.ip_address(_to_unicode(hostname))
+ except ValueError:
+ # Not an IP address (common case)
+ host_ip = None
+ except UnicodeError:
+ # Divergence from upstream: Have to deal with ipaddress not taking
+ # byte strings. addresses should be all ascii, so we consider it not
+ # an ipaddress in this case
+ host_ip = None
+ except AttributeError:
+ # Divergence from upstream: Make ipaddress library optional
+ if ipaddress is None:
+ host_ip = None
+ else:
+ raise
+ dnsnames = []
+ san = cert.get('subjectAltName', ())
+ for key, value in san:
+ if key == 'DNS':
+ if host_ip is None and _dnsname_match(value, hostname):
+ return
+ dnsnames.append(value)
+ elif key == 'IP Address':
+ if host_ip is not None and _ipaddress_match(value, host_ip):
+ return
+ dnsnames.append(value)
+ if not dnsnames:
+ # The subject is only checked when there is no dNSName entry
+ # in subjectAltName
+ for sub in cert.get('subject', ()):
+ for key, value in sub:
+ # XXX according to RFC 2818, the most specific Common Name
+ # must be used.
+ if key == 'commonName':
+ if _dnsname_match(value, hostname):
+ return
+ dnsnames.append(value)
+ if len(dnsnames) > 1:
+ raise CertificateError("hostname %r "
+ "doesn't match either of %s"
+ % (hostname, ', '.join(map(repr, dnsnames))))
+ elif len(dnsnames) == 1:
+ raise CertificateError("hostname %r "
+ "doesn't match %r"
+ % (hostname, dnsnames[0]))
+ else:
+ raise CertificateError("no appropriate commonName or "
+ "subjectAltName fields were found")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/backports.ssl_match_hostname-3.4.0.2/setup.cfg
new/backports.ssl_match_hostname-3.5.0.1/setup.cfg
--- old/backports.ssl_match_hostname-3.4.0.2/setup.cfg 2013-10-27
20:24:03.000000000 +0100
+++ new/backports.ssl_match_hostname-3.5.0.1/setup.cfg 1970-01-01
01:00:00.000000000 +0100
@@ -1,5 +0,0 @@
-[egg_info]
-tag_build =
-tag_date = 0
-tag_svn_revision = 0
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/backports.ssl_match_hostname-3.4.0.2/setup.py
new/backports.ssl_match_hostname-3.5.0.1/setup.py
--- old/backports.ssl_match_hostname-3.4.0.2/setup.py 2013-10-27
20:23:51.000000000 +0100
+++ new/backports.ssl_match_hostname-3.5.0.1/setup.py 2015-12-19
23:30:28.000000000 +0100
@@ -1,22 +1,34 @@
# -*- coding: utf-8 -*-
-# This setup.py was generated automatically by Pyron.
-# For details, see http://pypi.python.org/pypi/pyron/
-from setuptools import setup, find_packages
+import os
+from distutils.core import setup
-setup(
- name = 'backports.ssl_match_hostname',
- version = '3.4.0.2',
- description = 'The ssl.match_hostname() function from Python 3.4',
- long_description = '\nThe Secure Sockets layer is only actually
*secure*\nif you check the hostname in the certificate returned\nby the server
to which you are connecting,\nand verify that it matches to hostname\nthat you
are trying to reach.\n\nBut the matching logic, defined in `RFC2818`_,\ncan be
a bit tricky to implement on your own.\nSo the ``ssl`` package in the Standard
Library of Python 3.2\nand greater now includes a ``match_hostname()``
function\nfor performing this check instead of requiring every application\nto
implement the check separately.\n\nThis backport brings ``match_hostname()`` to
users\nof earlier versions of Python.\nSimply make this distribution a
dependency of your package,\nand then use it like this::\n\n from
backports.ssl_match_hostname import match_hostname, CertificateError\n ...\n
sslsock = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_SSLv3,\n
cert_reqs=ssl.CERT_REQUIRED, ca_certs=...)\n try:\n
match_hostname(sslsock.getpeercert(), hostname)\n except CertificateError,
ce:\n ...\n\nNote that the ``ssl`` module is only included in the
Standard Library\nfor Python 2.6 and later;\nusers of Python 2.5 or earlier
versions\nwill also need to install the ``ssl`` distribution\nfrom the Python
Package Index to use code like that shown above.\n\nBrandon Craig Rhodes is
merely the packager of this distribution;\nthe actual code inside comes
verbatim from Python 3.4.\n\nHistory\n-------\n* This function was introduced
in python-3.2\n* It was updated for python-3.4a1 for a CVE \n
(backports-ssl_match_hostname-3.4.0.1)\n* It was updated from RFC2818 to RFC
6125 compliance in order to fix another\n security flaw for python-3.3.3 and
python-3.4a5\n (backports-ssl_match_hostname-3.4.0.2)\n\n\n.. _RFC2818:
http://tools.ietf.org/html/rfc2818.html\n\n',
- author = 'Brandon Craig Rhodes',
- author_email = '[email protected]',
- url = 'http://bitbucket.org/brandon/backports.ssl_match_hostname',
- classifiers = ['Development Status :: 5 - Production/Stable', 'License ::
OSI Approved :: Python Software Foundation License', 'Programming Language ::
Python :: 2.4', 'Programming Language :: Python :: 2.5', 'Programming Language
:: Python :: 2.6', 'Programming Language :: Python :: 2.7', 'Programming
Language :: Python :: 3', 'Programming Language :: Python :: 3.0', 'Programming
Language :: Python :: 3.1', 'Topic :: Security :: Cryptography'],
+long_description = open(os.path.join(
+ os.path.dirname(__file__), 'backports', 'ssl_match_hostname', 'README.txt',
+ )).read()
- package_dir = {'': 'src'},
- packages = find_packages('src'),
- include_package_data = True,
- install_requires = [],
- entry_points = '',
+setup(
+ name='backports.ssl_match_hostname',
+ version='3.5.0.1',
+ description='The ssl.match_hostname() function from Python 3.5',
+ long_description=long_description,
+ author='Brandon Rhodes',
+ author_email='[email protected]',
+ maintainer='Toshio Kuratomi',
+ maintainer_email='[email protected]',
+ url='http://bitbucket.org/brandon/backports.ssl_match_hostname',
+ license='Python Software Foundation License',
+ classifiers=[
+ 'Development Status :: 5 - Production/Stable',
+ 'License :: OSI Approved :: Python Software Foundation License',
+ 'Programming Language :: Python :: 2.4',
+ 'Programming Language :: Python :: 2.5',
+ 'Programming Language :: Python :: 2.6',
+ 'Programming Language :: Python :: 2.7',
+ 'Programming Language :: Python :: 3',
+ 'Programming Language :: Python :: 3.0',
+ 'Programming Language :: Python :: 3.1',
+ 'Topic :: Security :: Cryptography',
+ ],
+ packages=['backports', 'backports.ssl_match_hostname'],
)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/backports.ssl_match_hostname-3.4.0.2/src/backports/__init__.py
new/backports.ssl_match_hostname-3.5.0.1/src/backports/__init__.py
--- old/backports.ssl_match_hostname-3.4.0.2/src/backports/__init__.py
2013-10-27 20:21:12.000000000 +0100
+++ new/backports.ssl_match_hostname-3.5.0.1/src/backports/__init__.py
1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# This is a Python "namespace package" http://www.python.org/dev/peps/pep-0382/
-from pkgutil import extend_path
-__path__ = extend_path(__path__, __name__)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/backports.ssl_match_hostname-3.4.0.2/src/backports/ssl_match_hostname/LICENSE.txt
new/backports.ssl_match_hostname-3.5.0.1/src/backports/ssl_match_hostname/LICENSE.txt
---
old/backports.ssl_match_hostname-3.4.0.2/src/backports/ssl_match_hostname/LICENSE.txt
2013-10-27 20:21:12.000000000 +0100
+++
new/backports.ssl_match_hostname-3.5.0.1/src/backports/ssl_match_hostname/LICENSE.txt
1970-01-01 01:00:00.000000000 +0100
@@ -1,51 +0,0 @@
-Python License (Python-2.0)
-
-Python License, Version 2 (Python-2.0)
-
-PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2
---------------------------------------------
-
-1. This LICENSE AGREEMENT is between the Python Software Foundation
-("PSF"), and the Individual or Organization ("Licensee") accessing and
-otherwise using this software ("Python") in source or binary form and
-its associated documentation.
-
-2. Subject to the terms and conditions of this License Agreement, PSF
-hereby grants Licensee a nonexclusive, royalty-free, world-wide
-license to reproduce, analyze, test, perform and/or display publicly,
-prepare derivative works, distribute, and otherwise use Python
-alone or in any derivative version, provided, however, that PSF's
-License Agreement and PSF's notice of copyright, i.e., "Copyright (c)
-2001-2013 Python Software Foundation; All Rights Reserved" are retained in
-Python alone or in any derivative version prepared by Licensee.
-
-3. In the event Licensee prepares a derivative work that is based on
-or incorporates Python or any part thereof, and wants to make
-the derivative work available to others as provided herein, then
-Licensee hereby agrees to include in any such work a brief summary of
-the changes made to Python.
-
-4. PSF is making Python available to Licensee on an "AS IS"
-basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR
-IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND
-DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS
-FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT
-INFRINGE ANY THIRD PARTY RIGHTS.
-
-5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON
-FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS
-A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON,
-OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
-
-6. This License Agreement will automatically terminate upon a material
-breach of its terms and conditions.
-
-7. Nothing in this License Agreement shall be deemed to create any
-relationship of agency, partnership, or joint venture between PSF and
-Licensee. This License Agreement does not grant permission to use PSF
-trademarks or trade name in a trademark sense to endorse or promote
-products or services of Licensee, or any third party.
-
-8. By copying, installing or otherwise using Python, Licensee
-agrees to be bound by the terms and conditions of this License
-Agreement.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/backports.ssl_match_hostname-3.4.0.2/src/backports/ssl_match_hostname/README.txt
new/backports.ssl_match_hostname-3.5.0.1/src/backports/ssl_match_hostname/README.txt
---
old/backports.ssl_match_hostname-3.4.0.2/src/backports/ssl_match_hostname/README.txt
2013-10-27 20:21:12.000000000 +0100
+++
new/backports.ssl_match_hostname-3.5.0.1/src/backports/ssl_match_hostname/README.txt
1970-01-01 01:00:00.000000000 +0100
@@ -1,52 +0,0 @@
-
-The ssl.match_hostname() function from Python 3.4
-=================================================
-
-The Secure Sockets layer is only actually *secure*
-if you check the hostname in the certificate returned
-by the server to which you are connecting,
-and verify that it matches to hostname
-that you are trying to reach.
-
-But the matching logic, defined in `RFC2818`_,
-can be a bit tricky to implement on your own.
-So the ``ssl`` package in the Standard Library of Python 3.2
-and greater now includes a ``match_hostname()`` function
-for performing this check instead of requiring every application
-to implement the check separately.
-
-This backport brings ``match_hostname()`` to users
-of earlier versions of Python.
-Simply make this distribution a dependency of your package,
-and then use it like this::
-
- from backports.ssl_match_hostname import match_hostname, CertificateError
- ...
- sslsock = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_SSLv3,
- cert_reqs=ssl.CERT_REQUIRED, ca_certs=...)
- try:
- match_hostname(sslsock.getpeercert(), hostname)
- except CertificateError, ce:
- ...
-
-Note that the ``ssl`` module is only included in the Standard Library
-for Python 2.6 and later;
-users of Python 2.5 or earlier versions
-will also need to install the ``ssl`` distribution
-from the Python Package Index to use code like that shown above.
-
-Brandon Craig Rhodes is merely the packager of this distribution;
-the actual code inside comes verbatim from Python 3.4.
-
-History
--------
-* This function was introduced in python-3.2
-* It was updated for python-3.4a1 for a CVE
- (backports-ssl_match_hostname-3.4.0.1)
-* It was updated from RFC2818 to RFC 6125 compliance in order to fix another
- security flaw for python-3.3.3 and python-3.4a5
- (backports-ssl_match_hostname-3.4.0.2)
-
-
-.. _RFC2818: http://tools.ietf.org/html/rfc2818.html
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/backports.ssl_match_hostname-3.4.0.2/src/backports/ssl_match_hostname/__init__.py
new/backports.ssl_match_hostname-3.5.0.1/src/backports/ssl_match_hostname/__init__.py
---
old/backports.ssl_match_hostname-3.4.0.2/src/backports/ssl_match_hostname/__init__.py
2013-10-27 20:21:12.000000000 +0100
+++
new/backports.ssl_match_hostname-3.5.0.1/src/backports/ssl_match_hostname/__init__.py
1970-01-01 01:00:00.000000000 +0100
@@ -1,102 +0,0 @@
-"""The match_hostname() function from Python 3.3.3, essential when using
SSL."""
-
-import re
-
-__version__ = '3.4.0.2'
-
-class CertificateError(ValueError):
- pass
-
-
-def _dnsname_match(dn, hostname, max_wildcards=1):
- """Matching according to RFC 6125, section 6.4.3
-
- http://tools.ietf.org/html/rfc6125#section-6.4.3
- """
- pats = []
- if not dn:
- return False
-
- # Ported from python3-syntax:
- # leftmost, *remainder = dn.split(r'.')
- parts = dn.split(r'.')
- leftmost = parts[0]
- remainder = parts[1:]
-
- wildcards = leftmost.count('*')
- if wildcards > max_wildcards:
- # Issue #17980: avoid denials of service by refusing more
- # than one wildcard per fragment. A survey of established
- # policy among SSL implementations showed it to be a
- # reasonable choice.
- raise CertificateError(
- "too many wildcards in certificate DNS name: " + repr(dn))
-
- # speed up common case w/o wildcards
- if not wildcards:
- return dn.lower() == hostname.lower()
-
- # RFC 6125, section 6.4.3, subitem 1.
- # The client SHOULD NOT attempt to match a presented identifier in which
- # the wildcard character comprises a label other than the left-most label.
- if leftmost == '*':
- # When '*' is a fragment by itself, it matches a non-empty dotless
- # fragment.
- pats.append('[^.]+')
- elif leftmost.startswith('xn--') or hostname.startswith('xn--'):
- # RFC 6125, section 6.4.3, subitem 3.
- # The client SHOULD NOT attempt to match a presented identifier
- # where the wildcard character is embedded within an A-label or
- # U-label of an internationalized domain name.
- pats.append(re.escape(leftmost))
- else:
- # Otherwise, '*' matches any dotless string, e.g. www*
- pats.append(re.escape(leftmost).replace(r'\*', '[^.]*'))
-
- # add the remaining fragments, ignore any wildcards
- for frag in remainder:
- pats.append(re.escape(frag))
-
- pat = re.compile(r'\A' + r'\.'.join(pats) + r'\Z', re.IGNORECASE)
- return pat.match(hostname)
-
-
-def match_hostname(cert, hostname):
- """Verify that *cert* (in decoded format as returned by
- SSLSocket.getpeercert()) matches the *hostname*. RFC 2818 and RFC 6125
- rules are followed, but IP addresses are not accepted for *hostname*.
-
- CertificateError is raised on failure. On success, the function
- returns nothing.
- """
- if not cert:
- raise ValueError("empty or no certificate")
- dnsnames = []
- san = cert.get('subjectAltName', ())
- for key, value in san:
- if key == 'DNS':
- if _dnsname_match(value, hostname):
- return
- dnsnames.append(value)
- if not dnsnames:
- # The subject is only checked when there is no dNSName entry
- # in subjectAltName
- for sub in cert.get('subject', ()):
- for key, value in sub:
- # XXX according to RFC 2818, the most specific Common Name
- # must be used.
- if key == 'commonName':
- if _dnsname_match(value, hostname):
- return
- dnsnames.append(value)
- if len(dnsnames) > 1:
- raise CertificateError("hostname %r "
- "doesn't match either of %s"
- % (hostname, ', '.join(map(repr, dnsnames))))
- elif len(dnsnames) == 1:
- raise CertificateError("hostname %r "
- "doesn't match %r"
- % (hostname, dnsnames[0]))
- else:
- raise CertificateError("no appropriate commonName or "
- "subjectAltName fields were found")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/backports.ssl_match_hostname-3.4.0.2/src/backports.ssl_match_hostname.egg-info/PKG-INFO
new/backports.ssl_match_hostname-3.5.0.1/src/backports.ssl_match_hostname.egg-info/PKG-INFO
---
old/backports.ssl_match_hostname-3.4.0.2/src/backports.ssl_match_hostname.egg-info/PKG-INFO
2013-10-27 20:24:03.000000000 +0100
+++
new/backports.ssl_match_hostname-3.5.0.1/src/backports.ssl_match_hostname.egg-info/PKG-INFO
1970-01-01 01:00:00.000000000 +0100
@@ -1,69 +0,0 @@
-Metadata-Version: 1.1
-Name: backports.ssl-match-hostname
-Version: 3.4.0.2
-Summary: The ssl.match_hostname() function from Python 3.4
-Home-page: http://bitbucket.org/brandon/backports.ssl_match_hostname
-Author: Brandon Craig Rhodes
-Author-email: [email protected]
-License: UNKNOWN
-Description:
- The Secure Sockets layer is only actually *secure*
- if you check the hostname in the certificate returned
- by the server to which you are connecting,
- and verify that it matches to hostname
- that you are trying to reach.
-
- But the matching logic, defined in `RFC2818`_,
- can be a bit tricky to implement on your own.
- So the ``ssl`` package in the Standard Library of Python 3.2
- and greater now includes a ``match_hostname()`` function
- for performing this check instead of requiring every application
- to implement the check separately.
-
- This backport brings ``match_hostname()`` to users
- of earlier versions of Python.
- Simply make this distribution a dependency of your package,
- and then use it like this::
-
- from backports.ssl_match_hostname import match_hostname,
CertificateError
- ...
- sslsock = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_SSLv3,
- cert_reqs=ssl.CERT_REQUIRED,
ca_certs=...)
- try:
- match_hostname(sslsock.getpeercert(), hostname)
- except CertificateError, ce:
- ...
-
- Note that the ``ssl`` module is only included in the Standard Library
- for Python 2.6 and later;
- users of Python 2.5 or earlier versions
- will also need to install the ``ssl`` distribution
- from the Python Package Index to use code like that shown above.
-
- Brandon Craig Rhodes is merely the packager of this distribution;
- the actual code inside comes verbatim from Python 3.4.
-
- History
- -------
- * This function was introduced in python-3.2
- * It was updated for python-3.4a1 for a CVE
- (backports-ssl_match_hostname-3.4.0.1)
- * It was updated from RFC2818 to RFC 6125 compliance in order to fix
another
- security flaw for python-3.3.3 and python-3.4a5
- (backports-ssl_match_hostname-3.4.0.2)
-
-
- .. _RFC2818: http://tools.ietf.org/html/rfc2818.html
-
-
-Platform: UNKNOWN
-Classifier: Development Status :: 5 - Production/Stable
-Classifier: License :: OSI Approved :: Python Software Foundation License
-Classifier: Programming Language :: Python :: 2.4
-Classifier: Programming Language :: Python :: 2.5
-Classifier: Programming Language :: Python :: 2.6
-Classifier: Programming Language :: Python :: 2.7
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.0
-Classifier: Programming Language :: Python :: 3.1
-Classifier: Topic :: Security :: Cryptography
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/backports.ssl_match_hostname-3.4.0.2/src/backports.ssl_match_hostname.egg-info/SOURCES.txt
new/backports.ssl_match_hostname-3.5.0.1/src/backports.ssl_match_hostname.egg-info/SOURCES.txt
---
old/backports.ssl_match_hostname-3.4.0.2/src/backports.ssl_match_hostname.egg-info/SOURCES.txt
2013-10-27 20:24:03.000000000 +0100
+++
new/backports.ssl_match_hostname-3.5.0.1/src/backports.ssl_match_hostname.egg-info/SOURCES.txt
1970-01-01 01:00:00.000000000 +0100
@@ -1,10 +0,0 @@
-MANIFEST.in
-setup.py
-src/backports/__init__.py
-src/backports.ssl_match_hostname.egg-info/PKG-INFO
-src/backports.ssl_match_hostname.egg-info/SOURCES.txt
-src/backports.ssl_match_hostname.egg-info/dependency_links.txt
-src/backports.ssl_match_hostname.egg-info/top_level.txt
-src/backports/ssl_match_hostname/LICENSE.txt
-src/backports/ssl_match_hostname/README.txt
-src/backports/ssl_match_hostname/__init__.py
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/backports.ssl_match_hostname-3.4.0.2/src/backports.ssl_match_hostname.egg-info/dependency_links.txt
new/backports.ssl_match_hostname-3.5.0.1/src/backports.ssl_match_hostname.egg-info/dependency_links.txt
---
old/backports.ssl_match_hostname-3.4.0.2/src/backports.ssl_match_hostname.egg-info/dependency_links.txt
2013-10-27 20:24:03.000000000 +0100
+++
new/backports.ssl_match_hostname-3.5.0.1/src/backports.ssl_match_hostname.egg-info/dependency_links.txt
1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/backports.ssl_match_hostname-3.4.0.2/src/backports.ssl_match_hostname.egg-info/top_level.txt
new/backports.ssl_match_hostname-3.5.0.1/src/backports.ssl_match_hostname.egg-info/top_level.txt
---
old/backports.ssl_match_hostname-3.4.0.2/src/backports.ssl_match_hostname.egg-info/top_level.txt
2013-10-27 20:24:03.000000000 +0100
+++
new/backports.ssl_match_hostname-3.5.0.1/src/backports.ssl_match_hostname.egg-info/top_level.txt
1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-backports
