Hello community,
here is the log from the commit of package python-pyOpenSSL for
openSUSE:Factory checked in at 2021-11-03 17:25:25
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-pyOpenSSL (Old)
and /work/SRC/openSUSE:Factory/.python-pyOpenSSL.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-pyOpenSSL"
Wed Nov 3 17:25:25 2021 rev:41 rq:928309 version:21.0.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-pyOpenSSL/python-pyOpenSSL.changes
2021-02-04 20:23:51.054805865 +0100
+++
/work/SRC/openSUSE:Factory/.python-pyOpenSSL.new.1890/python-pyOpenSSL.changes
2021-11-03 17:26:13.589335929 +0100
@@ -1,0 +2,17 @@
+Sat Oct 30 19:08:35 UTC 2021 - Matej Cepl <[email protected]>
+
+- Add check_inv_ALPN_lists.patch checks for invalid ALPN lists
+ before calling OpenSSL (gh#pyca/pyopenssl#1056).
+
+-------------------------------------------------------------------
+Tue Oct 26 20:27:12 UTC 2021 - Dirk M??ller <[email protected]>
+
+- update to 21.0.0:
+ - The minimum ``cryptography`` version is now 3.3.
+ - Drop support for Python 3.5
+ - Raise an error when an invalid ALPN value is set.
+ - Added ``OpenSSL.SSL.Context.set_min_proto_version`` and
``OpenSSL.SSL.Context.set_max_proto_version``
+ - Updated ``to_cryptography`` and ``from_cryptography`` methods to support an
+ upcoming release of ``cryptography`` without raising deprecation warnings.
+
+-------------------------------------------------------------------
Old:
----
pyOpenSSL-20.0.1.tar.gz
New:
----
check_inv_ALPN_lists.patch
pyOpenSSL-21.0.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-pyOpenSSL.spec ++++++
--- /var/tmp/diff_new_pack.pBulzv/_old 2021-11-03 17:26:14.037336175 +0100
+++ /var/tmp/diff_new_pack.pBulzv/_new 2021-11-03 17:26:14.041336176 +0100
@@ -19,7 +19,7 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
%define oldpython python
Name: python-pyOpenSSL
-Version: 20.0.1
+Version: 21.0.0
Release: 0
Summary: Python wrapper module around the OpenSSL library
License: Apache-2.0
@@ -28,8 +28,11 @@
# PATCH-FIX-UPSTREAM skip-networked-test.patch gh#pyca/pyopenssl#68
[email protected]
# Mark tests requiring network access
Patch0: skip-networked-test.patch
+# PATCH-FIX-UPSTREAM check_inv_ALPN_lists.patch gh#pyca/pyopenssl#1056
[email protected]
+# Check for invalid ALPN lists before calling OpenSSL
+Patch1: check_inv_ALPN_lists.patch
BuildRequires: %{python_module cffi}
-BuildRequires: %{python_module cryptography >= 2.8}
+BuildRequires: %{python_module cryptography >= 3.3}
BuildRequires: %{python_module flaky}
BuildRequires: %{python_module pretend}
BuildRequires: %{python_module pytest >= 3.0.1}
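Review bot: `Patch1: check_inv_ALPN_lists.patch` is declared here, but the `%prep` section that would apply it is outside this diff, so confirm it is actually picked up (an explicit `%patch1 -p1`, or an `%autopatch -p1` / `%autosetup -p1` line). The upstream header further down labels the patch `[PATCH 1/2]` of a series; if the second part carries changes the test suite depends on, it is not in this package. Neither can be settled from the spec lines shown.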
@@ -40,7 +43,7 @@
BuildRequires: openssl
BuildRequires: python-rpm-macros
Requires: python-cffi
-Requires: python-cryptography >= 2.8
+Requires: python-cryptography >= 3.3
Requires: python-six >= 1.5.2
Provides: pyOpenSSL = %{version}
BuildArch: noarch
++++++ check_inv_ALPN_lists.patch ++++++
>From cc5c00ae5fd3c19d07fff79b5c4a08f5e58697ad Mon Sep 17 00:00:00 2001
From: "Nathaniel J. Smith" <[email protected]>
Date: Wed, 27 Oct 2021 11:54:08 -0700
Subject: [PATCH 1/2] Check for invalid ALPN lists before calling OpenSSL, for
consistency
Fixes gh-1043
---
src/OpenSSL/SSL.py | 12 ++++++++++++
tests/test_ssl.py | 2 +-
2 files changed, 13 insertions(+), 1 deletion(-)
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -1423,6 +1423,12 @@ class Context(object):
This list should be a Python list of bytestrings representing the
protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
"""
+ # Different versions of OpenSSL are inconsistent about how they handle
+ # empty proto lists (see #1043), so we avoid the problem entirely by
+ # rejecting them ourselves.
+ if not protos:
+ raise ValueError("at least one protocol must be specified")
+
# Take the list of protocols and join them together, prefixing them
# with their lengths.
protostr = b"".join(
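Review bot: The guard added above `protostr` only rejects an empty list; the individual entries are still unchecked, so an empty bytestring or a name longer than 255 bytes is still handed to the length-prefix join below and on to OpenSSL, and whatever error surfaces then comes from that code rather than from this check. ALPN protocol names are 1 to 255 bytes, so one more line next to the new guard closes the gap: `if any(not 1 <= len(p) <= 255 for p in protos): raise ValueError("each ALPN protocol name must be 1 to 255 bytes long")`. The same applies to the Connection.set_alpn_protos copy of this hunk that follows. set_alpn_protos's signature lies above the hunk, so the check sits inside the method body.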
@@ -2451,6 +2457,12 @@ class Connection(object):
This list should be a Python list of bytestrings representing the
protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
"""
+ # Different versions of OpenSSL are inconsistent about how they handle
+ # empty proto lists (see #1043), so we avoid the problem entirely by
+ # rejecting them ourselves.
+ if not protos:
+ raise ValueError("at least one protocol must be specified")
+
# Take the list of protocols and join them together, prefixing them
# with their lengths.
protostr = b"".join(
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -1934,7 +1934,7 @@ class TestApplicationLayerProtoNegotiati
protocols list. Ensure that we produce a user-visible error.
"""
context = Context(SSLv23_METHOD)
- with pytest.raises(Error):
+ with pytest.raises(ValueError):
context.set_alpn_protos([])
def test_alpn_set_on_connection(self):
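Review bot: Only the Context path is exercised for the empty list; the matching guard the patch adds to Connection.set_alpn_protos has no test here (the diffstat lists two changed lines in tests/test_ssl.py). A parallel case would pin it: `conn = Connection(Context(SSLv23_METHOD), None)` followed by `with pytest.raises(ValueError): conn.set_alpn_protos([])`. The test method whose body this hunk edits begins above the hunk.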
++++++ pyOpenSSL-20.0.1.tar.gz -> pyOpenSSL-21.0.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/CHANGELOG.rst
new/pyOpenSSL-21.0.0/CHANGELOG.rst
--- old/pyOpenSSL-20.0.1/CHANGELOG.rst 2020-12-15 16:30:54.000000000 +0100
+++ new/pyOpenSSL-21.0.0/CHANGELOG.rst 2021-09-29 00:58:24.000000000 +0200
@@ -4,6 +4,28 @@
Versions are year-based with a strict backward-compatibility policy.
The third digit is only for regressions.
+21.0.0 (2020-09-28)
+-------------------
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- The minimum ``cryptography`` version is now 3.3.
+- Drop support for Python 3.5
+
+Deprecations:
+^^^^^^^^^^^^^
+
+Changes:
+^^^^^^^^
+
+- Raise an error when an invalid ALPN value is set.
+ `#993 <https://github.com/pyca/pyopenssl/pull/993>`_
+- Added ``OpenSSL.SSL.Context.set_min_proto_version`` and
``OpenSSL.SSL.Context.set_max_proto_version``
+ to set the minimum and maximum supported TLS version `#985
<https://github.com/pyca/pyopenssl/pull/985>`_.
+- Updated ``to_cryptography`` and ``from_cryptography`` methods to support an
upcoming release of ``cryptography`` without raising deprecation warnings.
+ `#1030 <https://github.com/pyca/pyopenssl/pull/1030>`_
+
20.0.1 (2020-12-15)
-------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/CONTRIBUTING.rst
new/pyOpenSSL-21.0.0/CONTRIBUTING.rst
--- old/pyOpenSSL-20.0.1/CONTRIBUTING.rst 2020-12-15 16:30:54.000000000
+0100
+++ new/pyOpenSSL-21.0.0/CONTRIBUTING.rst 2021-09-29 00:58:24.000000000
+0200
@@ -116,5 +116,5 @@
.. _members of PyCA: https://github.com/orgs/pyca/people
.. _semantic newlines:
http://rhodesmill.org/brandon/2012/one-sentence-per-line/
.. _reStructuredText: http://sphinx-doc.org/rest.html
-.. _CHANGELOG.rst: https://github.com/pyca/pyopenssl/blob/master/CHANGELOG.rst
-.. _`Code of Conduct`:
https://github.com/pyca/pyopenssl/blob/master/CODE_OF_CONDUCT.rst
+.. _CHANGELOG.rst: https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst
+.. _`Code of Conduct`:
https://github.com/pyca/pyopenssl/blob/main/CODE_OF_CONDUCT.rst
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/MANIFEST.in
new/pyOpenSSL-21.0.0/MANIFEST.in
--- old/pyOpenSSL-20.0.1/MANIFEST.in 2020-12-15 16:30:54.000000000 +0100
+++ new/pyOpenSSL-21.0.0/MANIFEST.in 2021-09-29 00:58:24.000000000 +0200
@@ -1,6 +1,5 @@
include LICENSE MANIFEST.in *.rst tox.ini .coveragerc
-exclude codecov.yml
+exclude codecov.yml .readthedocs.yml
recursive-include tests *.py
recursive-include doc *
prune doc/_build
-prune .travis
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/PKG-INFO
new/pyOpenSSL-21.0.0/PKG-INFO
--- old/pyOpenSSL-20.0.1/PKG-INFO 2020-12-15 16:31:35.327834800 +0100
+++ new/pyOpenSSL-21.0.0/PKG-INFO 2021-09-29 00:59:59.148302300 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: pyOpenSSL
-Version: 20.0.1
+Version: 21.0.0
Summary: Python wrapper module around the OpenSSL library
Home-page: https://pyopenssl.org/
Author: The pyOpenSSL developers
@@ -14,16 +14,15 @@
:target: https://pyopenssl.org/en/stable/
:alt: Stable Docs
- .. image:: https://travis-ci.com/pyca/pyopenssl.svg?branch=master
- :target: https://travis-ci.com/pyca/pyopenssl
- :alt: Build status
+ .. image::
https://github.com/pyca/pyopenssl/workflows/CI/badge.svg?branch=main
+ :target:
https://github.com/pyca/pyopenssl/actions?query=workflow%3ACI+branch%3Amain
- .. image::
https://codecov.io/github/pyca/pyopenssl/branch/master/graph/badge.svg
+ .. image::
https://codecov.io/github/pyca/pyopenssl/branch/main/graph/badge.svg
:target: https://codecov.io/github/pyca/pyopenssl
:alt: Test coverage
**Note:** The Python Cryptographic Authority **strongly suggests** the
use of `pyca/cryptography`_
- where possible. If you are using pyOpenSSL for anything other than
making a TLS connection
+ where possible. If you are using pyOpenSSL for anything other than
making a TLS connection
**you should move to cryptography and drop your pyOpenSSL dependency**.
High-level wrapper around a subset of the OpenSSL library. Includes
@@ -58,6 +57,28 @@
Release Information
===================
+ 21.0.0 (2020-09-28)
+ -------------------
+
+ Backward-incompatible changes:
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+ - The minimum ``cryptography`` version is now 3.3.
+ - Drop support for Python 3.5
+
+ Deprecations:
+ ^^^^^^^^^^^^^
+
+ Changes:
+ ^^^^^^^^
+
+ - Raise an error when an invalid ALPN value is set.
+ `#993 <https://github.com/pyca/pyopenssl/pull/993>`_
+ - Added ``OpenSSL.SSL.Context.set_min_proto_version`` and
``OpenSSL.SSL.Context.set_max_proto_version``
+ to set the minimum and maximum supported TLS version `#985
<https://github.com/pyca/pyopenssl/pull/985>`_.
+ - Updated ``to_cryptography`` and ``from_cryptography`` methods to
support an upcoming release of ``cryptography`` without raising deprecation
warnings.
+ `#1030 <https://github.com/pyca/pyopenssl/pull/1030>`_
+
20.0.1 (2020-12-15)
-------------------
@@ -154,7 +175,6 @@
Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
@@ -164,6 +184,6 @@
Classifier: Topic :: Security :: Cryptography
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Networking
-Requires-Python: >=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*
-Provides-Extra: docs
+Requires-Python: >=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*
Provides-Extra: test
+Provides-Extra: docs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/README.rst
new/pyOpenSSL-21.0.0/README.rst
--- old/pyOpenSSL-20.0.1/README.rst 2020-12-15 16:30:54.000000000 +0100
+++ new/pyOpenSSL-21.0.0/README.rst 2021-09-29 00:58:24.000000000 +0200
@@ -6,16 +6,15 @@
:target: https://pyopenssl.org/en/stable/
:alt: Stable Docs
-.. image:: https://travis-ci.com/pyca/pyopenssl.svg?branch=master
- :target: https://travis-ci.com/pyca/pyopenssl
- :alt: Build status
+.. image:: https://github.com/pyca/pyopenssl/workflows/CI/badge.svg?branch=main
+ :target:
https://github.com/pyca/pyopenssl/actions?query=workflow%3ACI+branch%3Amain
-.. image::
https://codecov.io/github/pyca/pyopenssl/branch/master/graph/badge.svg
+.. image:: https://codecov.io/github/pyca/pyopenssl/branch/main/graph/badge.svg
:target: https://codecov.io/github/pyca/pyopenssl
:alt: Test coverage
**Note:** The Python Cryptographic Authority **strongly suggests** the use of
`pyca/cryptography`_
-where possible. If you are using pyOpenSSL for anything other than making a
TLS connection
+where possible. If you are using pyOpenSSL for anything other than making a
TLS connection
**you should move to cryptography and drop your pyOpenSSL dependency**.
High-level wrapper around a subset of the OpenSSL library. Includes
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/doc/api/crypto.rst
new/pyOpenSSL-21.0.0/doc/api/crypto.rst
--- old/pyOpenSSL-20.0.1/doc/api/crypto.rst 2020-12-15 16:30:54.000000000
+0100
+++ new/pyOpenSSL-21.0.0/doc/api/crypto.rst 2021-09-29 00:58:24.000000000
+0200
@@ -149,7 +149,6 @@
.. data:: INHIBIT_MAP
.. data:: NOTIFY_POLICY
.. data:: CHECK_SS_SIGNATURE
- .. data:: CB_ISSUER_CHECK
.. _openssl-x509storeflags:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/doc/api/ssl.rst
new/pyOpenSSL-21.0.0/doc/api/ssl.rst
--- old/pyOpenSSL-20.0.1/doc/api/ssl.rst 2020-12-15 16:30:54.000000000
+0100
+++ new/pyOpenSSL-21.0.0/doc/api/ssl.rst 2021-09-29 00:58:24.000000000
+0200
@@ -10,7 +10,10 @@
This module handles things specific to SSL. There are two objects defined:
Context, Connection.
-.. py:data:: SSLv2_METHOD
+.. py:data:: TLS_METHOD
+ TLS_SERVER_METHOD
+ TLS_CLIENT_METHOD
+ SSLv2_METHOD
SSLv3_METHOD
SSLv23_METHOD
TLSv1_METHOD
@@ -18,11 +21,21 @@
TLSv1_2_METHOD
These constants represent the different SSL methods to use when creating a
- context object. If the underlying OpenSSL build is missing support for any
- of these protocols, constructing a :py:class:`Context` using the
+ context object. New code should only use ``TLS_METHOD``,
``TLS_SERVER_METHOD``,
+ or ``TLS_CLIENT_METHOD``. If the underlying OpenSSL build is missing
support
+ for any of these protocols, constructing a :py:class:`Context` using the
corresponding :py:const:`*_METHOD` will raise an exception.
+.. py:data:: SSL3_VERSION
+ TLS1_VERSION
+ TLS1_1_VERSION
+ TLS1_2_VERSION
+ TLS1_3_VERSION
+
+ These constants represent the different TLS versions to use when
+ setting the minimum or maximum TLS version.
+
.. py:data:: VERIFY_NONE
VERIFY_PEER
VERIFY_FAIL_IF_NO_PEER_CERT
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/doc/introduction.rst
new/pyOpenSSL-21.0.0/doc/introduction.rst
--- old/pyOpenSSL-20.0.1/doc/introduction.rst 2020-12-15 16:30:54.000000000
+0100
+++ new/pyOpenSSL-21.0.0/doc/introduction.rst 2021-09-29 00:58:24.000000000
+0200
@@ -14,7 +14,7 @@
Later it was maintained by `Jean-Paul Calderone`_ who among other things
managed to make pyOpenSSL a pure Python project which the current maintainers
are *very* grateful for.
Over the time the standard library's ``ssl`` module improved, never reaching
the completeness of pyOpenSSL's API coverage.
-Despite `PEP 466`_ many useful features remain Python 3-only and pyOpenSSL
remains the only alternative for full-featured TLS code across all noteworthy
Python versions from 2.7 through 3.5 and PyPy_.
+Despite `PEP 466`_ many useful features remain Python 3-only and pyOpenSSL
remains the only alternative for full-featured TLS code across all noteworthy
Python versions from 2.7 through 3.6 and PyPy_.
Development
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/pyproject.toml
new/pyOpenSSL-21.0.0/pyproject.toml
--- old/pyOpenSSL-20.0.1/pyproject.toml 1970-01-01 01:00:00.000000000 +0100
+++ new/pyOpenSSL-21.0.0/pyproject.toml 2021-09-29 00:58:24.000000000 +0200
@@ -0,0 +1,4 @@
+[tool.black]
+line-length = 79
+target-version = ["py27"]
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/setup.py
new/pyOpenSSL-21.0.0/setup.py
--- old/pyOpenSSL-20.0.1/setup.py 2020-12-15 16:30:54.000000000 +0100
+++ new/pyOpenSSL-21.0.0/setup.py 2021-09-29 00:58:24.000000000 +0200
@@ -79,7 +79,6 @@
"Programming Language :: Python :: 2",
"Programming Language :: Python :: 2.7",
"Programming Language :: Python :: 3",
- "Programming Language :: Python :: 3.5",
"Programming Language :: Python :: 3.6",
"Programming Language :: Python :: 3.7",
"Programming Language :: Python :: 3.8",
@@ -90,12 +89,14 @@
"Topic :: Software Development :: Libraries :: Python Modules",
"Topic :: System :: Networking",
],
- python_requires=">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*",
+ python_requires=(
+ ">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*"
+ ),
packages=find_packages(where="src"),
package_dir={"": "src"},
install_requires=[
# Fix cryptographyMinimum in tox.ini when changing this!
- "cryptography>=3.2",
+ "cryptography>=3.3",
"six>=1.5.2",
],
extras_require={
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/OpenSSL/SSL.py
new/pyOpenSSL-21.0.0/src/OpenSSL/SSL.py
--- old/pyOpenSSL-20.0.1/src/OpenSSL/SSL.py 2020-12-15 16:30:54.000000000
+0100
+++ new/pyOpenSSL-21.0.0/src/OpenSSL/SSL.py 2021-09-29 00:58:24.000000000
+0200
@@ -12,7 +12,6 @@
UNSPECIFIED as _UNSPECIFIED,
exception_from_error_queue as _exception_from_error_queue,
ffi as _ffi,
- from_buffer as _from_buffer,
lib as _lib,
make_assert as _make_assert,
native as _native,
@@ -45,6 +44,14 @@
"TLSv1_METHOD",
"TLSv1_1_METHOD",
"TLSv1_2_METHOD",
+ "TLS_METHOD",
+ "TLS_SERVER_METHOD",
+ "TLS_CLIENT_METHOD",
+ "SSL3_VERSION",
+ "TLS1_VERSION",
+ "TLS1_1_VERSION",
+ "TLS1_2_VERSION",
+ "TLS1_3_VERSION",
"OP_NO_SSLv2",
"OP_NO_SSLv3",
"OP_NO_TLSv1",
@@ -110,6 +117,7 @@
"WantX509LookupError",
"ZeroReturnError",
"SysCallError",
+ "NO_OVERLAPPING_PROTOCOLS",
"SSLeay_version",
"Session",
"Context",
@@ -140,6 +148,24 @@
TLSv1_METHOD = 4
TLSv1_1_METHOD = 5
TLSv1_2_METHOD = 6
+TLS_METHOD = 7
+TLS_SERVER_METHOD = 8
+TLS_CLIENT_METHOD = 9
+
+try:
+ SSL3_VERSION = _lib.SSL3_VERSION
+ TLS1_VERSION = _lib.TLS1_VERSION
+ TLS1_1_VERSION = _lib.TLS1_1_VERSION
+ TLS1_2_VERSION = _lib.TLS1_2_VERSION
+ TLS1_3_VERSION = _lib.TLS1_3_VERSION
+except AttributeError:
+ # Hardcode constants for cryptography < 3.4, see
+ # https://github.com/pyca/pyopenssl/pull/985#issuecomment-775186682
+ SSL3_VERSION = 768
+ TLS1_VERSION = 769
+ TLS1_1_VERSION = 770
+ TLS1_2_VERSION = 771
+ TLS1_3_VERSION = 772
OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2
OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3
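Review bot: The fallback in the `except AttributeError` branch is all-or-nothing: if `_lib` exposes some of the five names but not all, the ones already bound are silently rebound to the literals, which is only safe because the literals are the same wire values OpenSSL uses. A comment stating why these numbers are right would help the next reader, e.g. `# 0x0300..0x0304: the TLS record-layer ProtocolVersion values OpenSSL assigns to SSL3_VERSION..TLS1_3_VERSION`. The linked PR comment explains the cryptography < 3.4 case, but the values themselves go unexplained.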
@@ -604,8 +630,9 @@
:class:`OpenSSL.SSL.Context` instances define the parameters for setting
up new SSL connections.
- :param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or
- TLSv1_METHOD.
+ :param method: One of TLS_METHOD, TLS_CLIENT_METHOD, or TLS_SERVER_METHOD.
+ SSLv23_METHOD, TLSv1_METHOD, etc. are deprecated and should
+ not be used.
"""
_methods = {
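Review bot: The new docstring calls SSLv23_METHOD, TLSv1_METHOD and the other legacy constants deprecated, but nothing visible in this release emits a DeprecationWarning when they are passed — `_methods` in the next hunk still maps them silently — and the CHANGELOG's Deprecations section in this same update is empty. Either issue a warning in `__init__` for those method values or soften the wording to `SSLv23_METHOD, TLSv1_METHOD, etc. are legacy and should not be used in new code` so the docstring does not promise a deprecation the code does not enforce. The class body continues outside the hunk.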
@@ -615,6 +642,9 @@
TLSv1_METHOD: "TLSv1_method",
TLSv1_1_METHOD: "TLSv1_1_method",
TLSv1_2_METHOD: "TLSv1_2_method",
+ TLS_METHOD: "TLS_method",
+ TLS_SERVER_METHOD: "TLS_server_method",
+ TLS_CLIENT_METHOD: "TLS_client_method",
}
_methods = dict(
(identifier, getattr(_lib, name))
@@ -662,6 +692,32 @@
self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE)
+ def set_min_proto_version(self, version):
+ """
+ Set the minimum supported protocol version. Setting the minimum
+ version to 0 will enable protocol versions down to the lowest version
+ supported by the library.
+
+ If the underlying OpenSSL build is missing support for the selected
+ version, this method will raise an exception.
+ """
+ _openssl_assert(
+ _lib.SSL_CTX_set_min_proto_version(self._context, version) == 1
+ )
+
+ def set_max_proto_version(self, version):
+ """
+ Set the maximum supported protocol version. Setting the maximum
+ version to 0 will enable protocol versions up to the highest version
+ supported by the library.
+
+ If the underlying OpenSSL build is missing support for the selected
+ version, this method will raise an exception.
+ """
+ _openssl_assert(
+ _lib.SSL_CTX_set_max_proto_version(self._context, version) == 1
+ )
+
def load_verify_locations(self, cafile, capath=None):
"""
Let SSL know where we can find trusted certificates for the certificate
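Review bot: Neither new docstring names its parameter or the exception it raises; `:param version: one of ``SSL3_VERSION`` through ``TLS1_3_VERSION``, or ``0`` to impose no bound` and `:raises Error: if OpenSSL rejects the version` would complete both `set_min_proto_version` and `set_max_proto_version`. It is also worth spelling out that ``0`` for the minimum means "whatever the linked OpenSSL still allows", so callers who want a fixed floor should pass an explicit constant such as ``TLS1_2_VERSION`` rather than rely on the library default. The assert presumably raises the module's `Error`; confirm against `_openssl_assert`'s definition, which is outside the hunk.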
@@ -1376,7 +1432,17 @@
# Build a C string from the list. We don't need to save this off
# because OpenSSL immediately copies the data out.
input_str = _ffi.new("unsigned char[]", protostr)
- _lib.SSL_CTX_set_alpn_protos(self._context, input_str, len(protostr))
+
+ #
https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_alpn_protos.html:
+ # SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos()
+ # return 0 on success, and non-0 on failure.
+ # WARNING: these functions reverse the return value convention.
+ _openssl_assert(
+ _lib.SSL_CTX_set_alpn_protos(
+ self._context, input_str, len(protostr)
+ )
+ == 0
+ )
@_requires_alpn
def set_alpn_select_callback(self, callback):
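Review bot: The explanatory comment and the `_openssl_assert(... == 0)` are repeated verbatim in the Connection.set_alpn_protos hunk further down, so the two copies will drift the next time one is touched. A small module-level helper that builds `protostr` from `protos`, calls the appropriate setter, and documents the reversed return convention once, with both methods delegating to it, would keep the check in one place. set_alpn_protos's signature and the join that builds `protostr` are above the hunk.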
@@ -1641,7 +1707,7 @@
# Backward compatibility
buf = _text_to_bytes_and_warn("buf", buf)
- with _from_buffer(buf) as data:
+ with _ffi.from_buffer(buf) as data:
# check len(buf) instead of len(data) for testability
if len(buf) > 2147483647:
raise ValueError(
@@ -1668,7 +1734,7 @@
"""
buf = _text_to_bytes_and_warn("buf", buf)
- with _from_buffer(buf) as data:
+ with _ffi.from_buffer(buf) as data:
left_to_send = len(buf)
total_sent = 0
@@ -1798,7 +1864,7 @@
if self._into_ssl is None:
raise TypeError("Connection sock was not None")
- with _from_buffer(buf) as data:
+ with _ffi.from_buffer(buf) as data:
result = _lib.BIO_write(self._into_ssl, data, len(data))
if result <= 0:
self._handle_bio_errors(self._into_ssl, result)
@@ -2394,7 +2460,14 @@
# Build a C string from the list. We don't need to save this off
# because OpenSSL immediately copies the data out.
input_str = _ffi.new("unsigned char[]", protostr)
- _lib.SSL_set_alpn_protos(self._ssl, input_str, len(protostr))
+
+ #
https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_alpn_protos.html:
+ # SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos()
+ # return 0 on success, and non-0 on failure.
+ # WARNING: these functions reverse the return value convention.
+ _openssl_assert(
+ _lib.SSL_set_alpn_protos(self._ssl, input_str, len(protostr)) == 0
+ )
@_requires_alpn
def get_alpn_proto_negotiated(self):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/OpenSSL/_util.py
new/pyOpenSSL-21.0.0/src/OpenSSL/_util.py
--- old/pyOpenSSL-20.0.1/src/OpenSSL/_util.py 2020-12-15 16:30:54.000000000
+0100
+++ new/pyOpenSSL-21.0.0/src/OpenSSL/_util.py 2021-09-29 00:58:24.000000000
+0200
@@ -153,6 +153,3 @@
)
return obj.encode("utf-8")
return obj
-
-
-from_buffer = ffi.from_buffer
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/OpenSSL/crypto.py
new/pyOpenSSL-21.0.0/src/OpenSSL/crypto.py
--- old/pyOpenSSL-20.0.1/src/OpenSSL/crypto.py 2020-12-15 16:30:54.000000000
+0100
+++ new/pyOpenSSL-21.0.0/src/OpenSSL/crypto.py 2021-09-29 00:58:24.000000000
+0200
@@ -244,11 +244,18 @@
.. versionadded:: 16.1.0
"""
+ from cryptography.hazmat.primitives.serialization import (
+ load_der_private_key,
+ load_der_public_key,
+ )
+
backend = _get_backend()
if self._only_public:
- return backend._evp_pkey_to_public_key(self._pkey)
+ der = dump_publickey(FILETYPE_ASN1, self)
+ return load_der_public_key(der, backend)
else:
- return backend._evp_pkey_to_private_key(self._pkey)
+ der = dump_privatekey(FILETYPE_ASN1, self)
+ return load_der_private_key(der, None, backend)
@classmethod
def from_cryptography_key(cls, crypto_key):
@@ -262,7 +269,6 @@
.. versionadded:: 16.1.0
"""
- pkey = cls()
if not isinstance(
crypto_key,
(
@@ -274,11 +280,25 @@
):
raise TypeError("Unsupported key type")
- pkey._pkey = crypto_key._evp_pkey
+ from cryptography.hazmat.primitives.serialization import (
+ Encoding,
+ NoEncryption,
+ PrivateFormat,
+ PublicFormat,
+ )
+
if isinstance(crypto_key, (rsa.RSAPublicKey, dsa.DSAPublicKey)):
- pkey._only_public = True
- pkey._initialized = True
- return pkey
+ return load_publickey(
+ FILETYPE_ASN1,
+ crypto_key.public_bytes(
+ Encoding.DER, PublicFormat.SubjectPublicKeyInfo
+ ),
+ )
+ else:
+ der = crypto_key.private_bytes(
+ Encoding.DER, PrivateFormat.PKCS8, NoEncryption()
+ )
+ return load_privatekey(FILETYPE_ASN1, der)
def generate_key(self, type, bits):
"""
@@ -888,12 +908,12 @@
.. versionadded:: 17.1.0
"""
- from cryptography.hazmat.backends.openssl.x509 import (
- _CertificateSigningRequest,
- )
+ from cryptography.x509 import load_der_x509_csr
+
+ der = dump_certificate_request(FILETYPE_ASN1, self)
backend = _get_backend()
- return _CertificateSigningRequest(backend, self._req)
+ return load_der_x509_csr(der, backend)
@classmethod
def from_cryptography(cls, crypto_req):
@@ -910,9 +930,10 @@
if not isinstance(crypto_req, x509.CertificateSigningRequest):
raise TypeError("Must be a certificate signing request")
- req = cls()
- req._req = crypto_req._x509_req
- return req
+ from cryptography.hazmat.primitives.serialization import Encoding
+
+ der = crypto_req.public_bytes(Encoding.DER)
+ return load_certificate_request(FILETYPE_ASN1, der)
def set_pubkey(self, pkey):
"""
@@ -1109,10 +1130,11 @@
.. versionadded:: 17.1.0
"""
- from cryptography.hazmat.backends.openssl.x509 import _Certificate
+ from cryptography.x509 import load_der_x509_certificate
+ der = dump_certificate(FILETYPE_ASN1, self)
backend = _get_backend()
- return _Certificate(backend, self._x509)
+ return load_der_x509_certificate(der, backend)
@classmethod
def from_cryptography(cls, crypto_cert):
@@ -1129,9 +1151,10 @@
if not isinstance(crypto_cert, x509.Certificate):
raise TypeError("Must be a certificate")
- cert = cls()
- cert._x509 = crypto_cert._x509
- return cert
+ from cryptography.hazmat.primitives.serialization import Encoding
+
+ der = crypto_cert.public_bytes(Encoding.DER)
+ return load_certificate(FILETYPE_ASN1, der)
def set_version(self, version):
"""
@@ -1574,7 +1597,6 @@
INHIBIT_MAP = _lib.X509_V_FLAG_INHIBIT_MAP
NOTIFY_POLICY = _lib.X509_V_FLAG_NOTIFY_POLICY
CHECK_SS_SIGNATURE = _lib.X509_V_FLAG_CHECK_SS_SIGNATURE
- CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
class X509Store(object):
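Review bot: Dropping `CB_ISSUER_CHECK` from `X509StoreFlags` removes a public, documented member (its `doc/api/crypto.rst` entry is deleted in the same update), yet the CHANGELOG's 21.0.0 `Backward-incompatible changes` list mentions only the cryptography floor and Python 3.5. Code that ORs that flag into `X509Store.set_flags` will now fail with AttributeError, so a changelog line such as `- Removed ``X509StoreFlags.CB_ISSUER_CHECK``.` belongs in that section. The enum body starts above the hunk.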
@@ -2260,12 +2282,12 @@
.. versionadded:: 17.1.0
"""
- from cryptography.hazmat.backends.openssl.x509 import (
- _CertificateRevocationList,
- )
+ from cryptography.x509 import load_der_x509_crl
+
+ der = dump_crl(FILETYPE_ASN1, self)
backend = _get_backend()
- return _CertificateRevocationList(backend, self._crl)
+ return load_der_x509_crl(der, backend)
@classmethod
def from_cryptography(cls, crypto_crl):
@@ -2282,9 +2304,10 @@
if not isinstance(crypto_crl, x509.CertificateRevocationList):
raise TypeError("Must be a certificate revocation list")
- crl = cls()
- crl._crl = crypto_crl._x509_crl
- return crl
+ from cryptography.hazmat.primitives.serialization import Encoding
+
+ der = crypto_crl.public_bytes(Encoding.DER)
+ return load_crl(FILETYPE_ASN1, der)
def get_revoked(self):
"""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/OpenSSL/version.py
new/pyOpenSSL-21.0.0/src/OpenSSL/version.py
--- old/pyOpenSSL-20.0.1/src/OpenSSL/version.py 2020-12-15 16:30:54.000000000
+0100
+++ new/pyOpenSSL-21.0.0/src/OpenSSL/version.py 2021-09-29 00:58:24.000000000
+0200
@@ -17,7 +17,7 @@
"__version__",
]
-__version__ = "20.0.1"
+__version__ = "21.0.0"
__title__ = "pyOpenSSL"
__uri__ = "https://pyopenssl.org/"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/pyOpenSSL.egg-info/PKG-INFO
new/pyOpenSSL-21.0.0/src/pyOpenSSL.egg-info/PKG-INFO
--- old/pyOpenSSL-20.0.1/src/pyOpenSSL.egg-info/PKG-INFO 2020-12-15
16:31:35.000000000 +0100
+++ new/pyOpenSSL-21.0.0/src/pyOpenSSL.egg-info/PKG-INFO 2021-09-29
00:59:59.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 2.1
Name: pyOpenSSL
-Version: 20.0.1
+Version: 21.0.0
Summary: Python wrapper module around the OpenSSL library
Home-page: https://pyopenssl.org/
Author: The pyOpenSSL developers
@@ -14,16 +14,15 @@
:target: https://pyopenssl.org/en/stable/
:alt: Stable Docs
- .. image:: https://travis-ci.com/pyca/pyopenssl.svg?branch=master
- :target: https://travis-ci.com/pyca/pyopenssl
- :alt: Build status
+ .. image::
https://github.com/pyca/pyopenssl/workflows/CI/badge.svg?branch=main
+ :target:
https://github.com/pyca/pyopenssl/actions?query=workflow%3ACI+branch%3Amain
- .. image::
https://codecov.io/github/pyca/pyopenssl/branch/master/graph/badge.svg
+ .. image::
https://codecov.io/github/pyca/pyopenssl/branch/main/graph/badge.svg
:target: https://codecov.io/github/pyca/pyopenssl
:alt: Test coverage
**Note:** The Python Cryptographic Authority **strongly suggests** the
use of `pyca/cryptography`_
- where possible. If you are using pyOpenSSL for anything other than
making a TLS connection
+ where possible. If you are using pyOpenSSL for anything other than
making a TLS connection
**you should move to cryptography and drop your pyOpenSSL dependency**.
High-level wrapper around a subset of the OpenSSL library. Includes
@@ -58,6 +57,28 @@
Release Information
===================
+ 21.0.0 (2020-09-28)
+ -------------------
+
+ Backward-incompatible changes:
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+ - The minimum ``cryptography`` version is now 3.3.
+ - Drop support for Python 3.5
+
+ Deprecations:
+ ^^^^^^^^^^^^^
+
+ Changes:
+ ^^^^^^^^
+
+ - Raise an error when an invalid ALPN value is set.
+ `#993 <https://github.com/pyca/pyopenssl/pull/993>`_
+ - Added ``OpenSSL.SSL.Context.set_min_proto_version`` and
``OpenSSL.SSL.Context.set_max_proto_version``
+ to set the minimum and maximum supported TLS version `#985
<https://github.com/pyca/pyopenssl/pull/985>`_.
+ - Updated ``to_cryptography`` and ``from_cryptography`` methods to
support an upcoming release of ``cryptography`` without raising deprecation
warnings.
+ `#1030 <https://github.com/pyca/pyopenssl/pull/1030>`_
+
20.0.1 (2020-12-15)
-------------------
@@ -154,7 +175,6 @@
Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
@@ -164,6 +184,6 @@
Classifier: Topic :: Security :: Cryptography
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Networking
-Requires-Python: >=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*
-Provides-Extra: docs
+Requires-Python: >=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*
Provides-Extra: test
+Provides-Extra: docs
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/pyOpenSSL.egg-info/SOURCES.txt
new/pyOpenSSL-21.0.0/src/pyOpenSSL.egg-info/SOURCES.txt
--- old/pyOpenSSL-20.0.1/src/pyOpenSSL.egg-info/SOURCES.txt 2020-12-15
16:31:35.000000000 +0100
+++ new/pyOpenSSL-21.0.0/src/pyOpenSSL.egg-info/SOURCES.txt 2021-09-29
00:59:59.000000000 +0200
@@ -6,6 +6,7 @@
LICENSE
MANIFEST.in
README.rst
+pyproject.toml
setup.cfg
setup.py
tox.ini
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/pyOpenSSL.egg-info/requires.txt
new/pyOpenSSL-21.0.0/src/pyOpenSSL.egg-info/requires.txt
--- old/pyOpenSSL-20.0.1/src/pyOpenSSL.egg-info/requires.txt 2020-12-15
16:31:35.000000000 +0100
+++ new/pyOpenSSL-21.0.0/src/pyOpenSSL.egg-info/requires.txt 2021-09-29
00:59:59.000000000 +0200
@@ -1,4 +1,4 @@
-cryptography>=3.2
+cryptography>=3.3
six>=1.5.2
[docs]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/tests/test_crypto.py
new/pyOpenSSL-21.0.0/tests/test_crypto.py
--- old/pyOpenSSL-20.0.1/tests/test_crypto.py 2020-12-15 16:30:54.000000000
+0100
+++ new/pyOpenSSL-21.0.0/tests/test_crypto.py 2021-09-29 00:58:24.000000000
+0200
@@ -1468,7 +1468,7 @@
def signable(self):
"""
- Return something with a `set_pubkey`, `set_pubkey`, and `sign` method.
+ Return something with `set_pubkey` and `sign` methods.
"""
raise NotImplementedError()
@@ -1668,6 +1668,7 @@
"""
request = X509Req()
pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
+ request.set_pubkey(pkey)
request.sign(pkey, GOOD_DIGEST)
another_pkey = load_privatekey(FILETYPE_PEM, client_key_pem)
with pytest.raises(Error):
@@ -1680,6 +1681,7 @@
"""
request = X509Req()
pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
+ request.set_pubkey(pkey)
request.sign(pkey, GOOD_DIGEST)
assert request.verify(pkey)
@@ -1713,7 +1715,12 @@
"""
Create and return a new `X509`.
"""
- return X509()
+ certificate = X509()
+ # Fill in placeholder validity values. signable only expects to call
+ # set_pubkey and sign.
+ certificate.gmtime_adj_notBefore(-24 * 60 * 60)
+ certificate.gmtime_adj_notAfter(24 * 60 * 60)
+ return certificate
def test_type(self):
"""
@@ -3373,6 +3380,9 @@
`NetscapeSPKI.b64_encode` encodes the certificate to a base64 blob.
"""
nspki = NetscapeSPKI()
+ pkey = load_privatekey(FILETYPE_PEM, root_key_pem)
+ nspki.set_pubkey(pkey)
+ nspki.sign(pkey, GOOD_DIGEST)
blob = nspki.b64_encode()
assert isinstance(blob, bytes)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/tests/test_ssl.py
new/pyOpenSSL-21.0.0/tests/test_ssl.py
--- old/pyOpenSSL-20.0.1/tests/test_ssl.py 2020-12-15 16:30:54.000000000
+0100
+++ new/pyOpenSSL-21.0.0/tests/test_ssl.py 2021-09-29 00:58:24.000000000
+0200
@@ -48,7 +48,15 @@
from OpenSSL.crypto import dump_certificate, load_certificate
from OpenSSL.crypto import get_elliptic_curves
-from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS
+from OpenSSL.SSL import (
+ OPENSSL_VERSION_NUMBER,
+ SSLEAY_VERSION,
+ SSLEAY_CFLAGS,
+ TLS_METHOD,
+ TLS1_3_VERSION,
+ TLS1_2_VERSION,
+ TLS1_1_VERSION,
+)
from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON
from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN
from OpenSSL.SSL import (
@@ -129,6 +137,11 @@
except ImportError:
SSL_ST_INIT = SSL_ST_BEFORE = SSL_ST_OK = SSL_ST_RENEGOTIATE = None
+try:
+ from OpenSSL.SSL import OP_NO_TLSv1_3
+except ImportError:
+ OP_NO_TLSv1_3 = None
+
from .util import WARNING_TYPE_EXPECTED, NON_ASCII, is_consistent_type
from .test_crypto import (
client_cert_pem,
@@ -1039,6 +1052,32 @@
assert all(isinstance(conn, Connection) for conn, line in called)
assert all(b"CLIENT_RANDOM" in line for conn, line in called)
+ def test_set_proto_version(self):
+ if OP_NO_TLSv1_3 is None:
+ high_version = TLS1_2_VERSION
+ low_version = TLS1_1_VERSION
+ else:
+ high_version = TLS1_3_VERSION
+ low_version = TLS1_2_VERSION
+
+ server_context = Context(TLS_METHOD)
+ server_context.use_certificate(
+ load_certificate(FILETYPE_PEM, root_cert_pem)
+ )
+ server_context.use_privatekey(
+ load_privatekey(FILETYPE_PEM, root_key_pem)
+ )
+ server_context.set_min_proto_version(high_version)
+
+ client_context = Context(TLS_METHOD)
+ client_context.set_max_proto_version(low_version)
+
+ with pytest.raises(Error, match="unsupported protocol"):
+ self._handshake_test(server_context, client_context)
+
+ client_context.set_max_proto_version(0)
+ self._handshake_test(server_context, client_context)
+
def _load_verify_locations_test(self, *args):
"""
Create a client context which will verify the peer certificate and call
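Review bot: `test_set_proto_version` has no docstring, unlike the neighbouring tests in this file, and the `client_context.set_max_proto_version(0)` line relies on the OpenSSL convention that 0 lifts the cap without saying so. Add a docstring along the lines of `"""set_min_proto_version / set_max_proto_version are enforced: a client capped below the server's floor fails with "unsupported protocol", and clearing the cap lets the handshake complete."""` and annotate the reset line with `client_context.set_max_proto_version(0)  # 0 = no upper bound (OpenSSL convention)`. The second handshake only asserts that it completes; if `_handshake_test` exposes the negotiated connection, asserting its protocol version is at least `high_version` would also pin that the server floor, not just the client cap, drove the outcome. `_handshake_test` is defined outside this hunk, so I cannot tell what it returns.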
@@ -1888,6 +1927,15 @@
assert server.get_alpn_proto_negotiated() == b"spdy/2"
assert client.get_alpn_proto_negotiated() == b"spdy/2"
+ def test_alpn_call_failure(self):
+ """
+ SSL_CTX_set_alpn_protos does not like to be called with an empty
+ protocols list. Ensure that we produce a user-visible error.
+ """
+ context = Context(SSLv23_METHOD)
+ with pytest.raises(Error):
+ context.set_alpn_protos([])
+
def test_alpn_set_on_connection(self):
"""
The same as test_alpn_success, but setting the ALPN protocols on
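Review bot: `test_alpn_call_failure` only exercises the empty list, but the wire encoding of an ALPN list uses a one-byte length prefix per entry, so a zero-length name (`b""`) and a name longer than 255 bytes are just as malformed (RFC 7301 §3.1) and would be the cases an application is most likely to pass by accident. If the library's ALPN validation rejects them, parametrize the test over `[[], [b""], [b"a" * 256]]` so each is pinned; if it does not, that is worth a follow-up rather than leaving OpenSSL to encode a truncated length. The docstring should also state the accepted bounds rather than only that an empty list is disliked, e.g. `Each ALPN protocol name must be 1–255 bytes and the list must be non-empty.` Note the new test uses `SSLv23_METHOD` while the other new test in this file uses `TLS_METHOD`; picking one keeps the file consistent.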
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/pyOpenSSL-20.0.1/tox.ini new/pyOpenSSL-21.0.0/tox.ini
--- old/pyOpenSSL-20.0.1/tox.ini 2020-12-15 16:30:54.000000000 +0100
+++ new/pyOpenSSL-21.0.0/tox.ini 2021-09-29 00:58:24.000000000 +0200
@@ -1,5 +1,5 @@
[tox]
-envlist =
{pypy,pypy3,py27,py35,py36,py37,py38,py39}{,-cryptographyMaster,-cryptographyMinimum}{,-randomorder},py37-twistedMaster,pypi-readme,check-manifest,flake8,docs,coverage-report
+envlist =
{pypy,pypy3,py27,py36,py37,py38,py39}{,-cryptographyMaster,-cryptographyMinimum}{,-randomorder},py37-twistedMaster,pypi-readme,check-manifest,flake8,docs,coverage-report
[testenv]
whitelist_externals =
@@ -10,7 +10,7 @@
deps =
coverage>=4.2
cryptographyMaster: git+https://github.com/pyca/cryptography.git
- cryptographyMinimum: cryptography==3.2
+ cryptographyMinimum: cryptography==3.3
randomorder: pytest-randomly
setenv =
# Do not allow the executing environment to pollute the test environment