Hello community,

here is the log from the commit of package python-pyOpenSSL for 
openSUSE:Factory checked in at 2018-02-05 10:46:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-pyOpenSSL (Old)
 and      /work/SRC/openSUSE:Factory/.python-pyOpenSSL.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-pyOpenSSL"

Mon Feb  5 10:46:51 2018 rev:29 rq:572003 version:17.5.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/python-pyOpenSSL/python-pyOpenSSL.changes        
2017-09-22 21:32:54.693120404 +0200
+++ /work/SRC/openSUSE:Factory/.python-pyOpenSSL.new/python-pyOpenSSL.changes   
2018-02-05 10:47:02.753060226 +0100
@@ -1,0 +2,9 @@
+Fri Feb  2 11:36:18 UTC 2018 - tchva...@suse.com
+
+- Update to 17.5.0:
+  * The minimum cryptography version is now 2.1.4.
+  * Fixed various memory leaks
+  * Various fuzz fixes
+  * See CHANGELOG.rst
+
+-------------------------------------------------------------------
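Review bot: The new .changes entry describes the fixes only as "Fixed various memory leaks" and "Various fuzz fixes", but the upstream CHANGELOG.rst shipped in this same update lists two use-after-free corrections (#723 in the verify callback, #709 for a reused issuer or subject of an X509 object). Naming those in the entry would make it visible from the package history that this update carries memory-safety fixes and not just leak cleanups.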

Old:
----
  pyOpenSSL-17.2.0.tar.gz

New:
----
  pyOpenSSL-17.5.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-pyOpenSSL.spec ++++++
--- /var/tmp/diff_new_pack.cvISWg/_old  2018-02-05 10:47:03.441028017 +0100
+++ /var/tmp/diff_new_pack.cvISWg/_new  2018-02-05 10:47:03.441028017 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package python-pyOpenSSL
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,42 +16,37 @@
 #
 
 
-%bcond_without tests
-
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define oldpython python
 Name:           python-pyOpenSSL
-Version:        17.2.0
+Version:        17.5.0
 Release:        0
-Url:            https://github.com/pyca/pyopenssl
 Summary:        Python wrapper module around the OpenSSL library
 License:        Apache-2.0
 Group:          Development/Languages/Python
+Url:            https://github.com/pyca/pyopenssl
 Source:         
https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz
 Patch0:         bug-lp-1265482.diff
 Patch1:         skip-networked-test.patch
 Patch2:         rsa128-i586.patch
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-BuildRequires:  %{python_module cryptography >= 1.9}
+BuildRequires:  %{python_module cryptography >= 2.1.4}
 BuildRequires:  %{python_module devel}
+BuildRequires:  %{python_module flaky}
+BuildRequires:  %{python_module pretend}
+BuildRequires:  %{python_module pytest >= 3.0.1}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  openssl-devel
 BuildRequires:  python-rpm-macros
 BuildRequires:  python3-Sphinx
-%if %{with tests}
-BuildRequires:  %{python_module flaky}
-BuildRequires:  %{python_module pretend}
-BuildRequires:  %{python_module pytest >= 3.0.1}
-%endif
-Requires:       python-cryptography >= 1.9
+Requires:       python-cryptography >= 2.1.4
 Requires:       python-six >= 1.5.2
 Provides:       pyOpenSSL = %{version}
+BuildArch:      noarch
 %ifpython2
 Obsoletes:      %{oldpython}-openssl < %{version}
 Provides:       %{oldpython}-openssl = %{version}
 %endif
-BuildArch:      noarch
 %python_subpackages
 
 %description
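Review bot: Dropping `%bcond_without tests` at the top of this hunk makes flaky, pretend and pytest unconditional BuildRequires, so the package can no longer be built with the test suite switched off (for example to break a dependency cycle during bootstrap). If that is intended, it is worth a line in the .changes entry, which currently mentions only the version update; otherwise keep the conditional around the three test-only BuildRequires and the %check section.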
@@ -84,22 +79,18 @@
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 PYTHONPATH="%{buildroot}%{python3_sitelib}" python3 setup.py build_sphinx && 
rm build/sphinx/html/.buildinfo
 
-%if %{with tests}
 %check
 export LC_ALL=en_US.UTF-8
 %{python_expand export PYTHONPATH=%{buildroot}%{$python_sitelib}
 py.test-%{$python_bin_suffix} -m "not network" -k "not test_export_text"
 }
-%endif
 
 %files %{python_files}
-%defattr(-,root,root)
 %doc LICENSE *.rst
 %{python_sitelib}/OpenSSL/
 %{python_sitelib}/pyOpenSSL-%{version}-py*.egg-info
 
 %files -n %{name}-doc
-%defattr(-,root,root)
 %doc build/sphinx/html/
 %doc examples/
 

++++++ pyOpenSSL-17.2.0.tar.gz -> pyOpenSSL-17.5.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/CHANGELOG.rst 
new/pyOpenSSL-17.5.0/CHANGELOG.rst
--- old/pyOpenSSL-17.2.0/CHANGELOG.rst  2017-07-20 10:53:07.000000000 +0200
+++ new/pyOpenSSL-17.5.0/CHANGELOG.rst  2017-12-01 03:16:17.000000000 +0100
@@ -4,6 +4,95 @@
 Versions are year-based with a strict backward-compatibility policy.
 The third digit is only for regressions.
 
+17.5.0 (2017-11-30)
+-------------------
+
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The minimum ``cryptography`` version is now 2.1.4.
+
+
+Deprecations:
+^^^^^^^^^^^^^
+
+*none*
+
+
+Changes:
+^^^^^^^^
+
+- Fixed a potential use-after-free in the verify callback and resolved a 
memory leak when loading PKCS12 files with ``cacerts``.
+  `#723 <https://github.com/pyca/pyopenssl/pull/723>`_
+- Added ``Connection.export_keying_material`` for RFC 5705 compatible export 
of keying material.
+  `#725 <https://github.com/pyca/pyopenssl/pull/725>`_
+
+----
+
+
+
+17.4.0 (2017-11-21)
+-------------------
+
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+*none*
+
+
+Deprecations:
+^^^^^^^^^^^^^
+
+*none*
+
+
+Changes:
+^^^^^^^^
+
+
+- Re-added a subset of the ``OpenSSL.rand`` module.
+  This subset allows conscientious users to reseed the OpenSSL CSPRNG after 
fork.
+  `#708 <https://github.com/pyca/pyopenssl/pull/708>`_
+- Corrected a use-after-free when reusing an issuer or subject from an 
``X509`` object after the underlying object has been mutated.
+  `#709 <https://github.com/pyca/pyopenssl/pull/709>`_
+
+----
+
+
+17.3.0 (2017-09-14)
+-------------------
+
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Dropped support for Python 3.3.
+  `#677 <https://github.com/pyca/pyopenssl/pull/677>`_
+- Removed the deprecated ``OpenSSL.rand`` module.
+  This is being done ahead of our normal deprecation schedule due to its lack 
of use and the fact that it was becoming a maintenance burden.
+  ``os.urandom()`` should be used instead.
+  `#675 <https://github.com/pyca/pyopenssl/pull/675>`_
+
+
+Deprecations:
+^^^^^^^^^^^^^
+
+- Deprecated ``OpenSSL.tsafe``.
+  `#673 <https://github.com/pyca/pyopenssl/pull/673>`_
+
+Changes:
+^^^^^^^^
+
+- Fixed a memory leak in ``OpenSSL.crypto.CRL``.
+  `#690 <https://github.com/pyca/pyopenssl/pull/690>`_
+- Fixed a memory leak when verifying certificates with 
``OpenSSL.crypto.X509StoreContext``.
+  `#691 <https://github.com/pyca/pyopenssl/pull/691>`_
+
+
+----
+
 
 17.2.0 (2017-07-20)
 -------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/PKG-INFO 
new/pyOpenSSL-17.5.0/PKG-INFO
--- old/pyOpenSSL-17.2.0/PKG-INFO       2017-07-20 11:50:07.000000000 +0200
+++ new/pyOpenSSL-17.5.0/PKG-INFO       2017-12-01 03:17:48.000000000 +0100
@@ -1,11 +1,12 @@
 Metadata-Version: 1.1
 Name: pyOpenSSL
-Version: 17.2.0
+Version: 17.5.0
 Summary: Python wrapper module around the OpenSSL library
 Home-page: https://pyopenssl.org/
 Author: Hynek Schlawack
 Author-email: h...@ox.cx
 License: Apache License, Version 2.0
+Description-Content-Type: UNKNOWN
 Description: ========================================================
         pyOpenSSL -- A Python wrapper around the OpenSSL library
         ========================================================
@@ -54,7 +55,35 @@
         Release Information
         ===================
         
-        17.2.0 (2017-07-20)
+        17.5.0 (2017-11-30)
+        -------------------
+        
+        
+        Backward-incompatible changes:
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+        
+        * The minimum ``cryptography`` version is now 2.1.4.
+        
+        
+        Deprecations:
+        ^^^^^^^^^^^^^
+        
+        *none*
+        
+        
+        Changes:
+        ^^^^^^^^
+        
+        - Fixed a potential use-after-free in the verify callback and resolved 
a memory leak when loading PKCS12 files with ``cacerts``.
+          `#723 <https://github.com/pyca/pyopenssl/pull/723>`_
+        - Added ``Connection.export_keying_material`` for RFC 5705 compatible 
export of keying material.
+          `#725 <https://github.com/pyca/pyopenssl/pull/725>`_
+        
+        ----
+        
+        
+        
+        17.4.0 (2017-11-21)
         -------------------
         
         
@@ -67,17 +96,50 @@
         Deprecations:
         ^^^^^^^^^^^^^
         
-        - Deprecated ``OpenSSL.rand`` - callers should use ``os.urandom()`` 
instead.
-          `#658 <https://github.com/pyca/pyopenssl/pull/658>`_
+        *none*
+        
+        
+        Changes:
+        ^^^^^^^^
+        
+        
+        - Re-added a subset of the ``OpenSSL.rand`` module.
+          This subset allows conscientious users to reseed the OpenSSL CSPRNG 
after fork.
+          `#708 <https://github.com/pyca/pyopenssl/pull/708>`_
+        - Corrected a use-after-free when reusing an issuer or subject from an 
``X509`` object after the underlying object has been mutated.
+          `#709 <https://github.com/pyca/pyopenssl/pull/709>`_
+        
+        ----
+        
+        
+        17.3.0 (2017-09-14)
+        -------------------
+        
+        
+        Backward-incompatible changes:
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+        
+        - Dropped support for Python 3.3.
+          `#677 <https://github.com/pyca/pyopenssl/pull/677>`_
+        - Removed the deprecated ``OpenSSL.rand`` module.
+          This is being done ahead of our normal deprecation schedule due to 
its lack of use and the fact that it was becoming a maintenance burden.
+          ``os.urandom()`` should be used instead.
+          `#675 <https://github.com/pyca/pyopenssl/pull/675>`_
+        
+        
+        Deprecations:
+        ^^^^^^^^^^^^^
         
+        - Deprecated ``OpenSSL.tsafe``.
+          `#673 <https://github.com/pyca/pyopenssl/pull/673>`_
         
         Changes:
         ^^^^^^^^
         
-        - Fixed a bug causing ``Context.set_default_verify_paths()`` to not 
work with cryptography ``manylinux1`` wheels on Python 3.x.
-          `#665 <https://github.com/pyca/pyopenssl/pull/665>`_
-        - Fixed a crash with (EC)DSA signatures in some cases.
-          `#670 <https://github.com/pyca/pyopenssl/pull/670>`_
+        - Fixed a memory leak in ``OpenSSL.crypto.CRL``.
+          `#690 <https://github.com/pyca/pyopenssl/pull/690>`_
+        - Fixed a memory leak when verifying certificates with 
``OpenSSL.crypto.X509StoreContext``.
+          `#691 <https://github.com/pyca/pyopenssl/pull/691>`_
         
         `Full changelog <https://pyopenssl.org/en/stable/changelog.html>`_.
         
@@ -93,7 +155,6 @@
 Classifier: Programming Language :: Python :: 2.6
 Classifier: Programming Language :: Python :: 2.7
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.3
 Classifier: Programming Language :: Python :: 3.4
 Classifier: Programming Language :: Python :: 3.5
 Classifier: Programming Language :: Python :: 3.6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/doc/api/ssl.rst 
new/pyOpenSSL-17.5.0/doc/api/ssl.rst
--- old/pyOpenSSL-17.2.0/doc/api/ssl.rst        2017-07-20 09:59:44.000000000 
+0200
+++ new/pyOpenSSL-17.5.0/doc/api/ssl.rst        2017-12-01 03:16:17.000000000 
+0100
@@ -369,8 +369,9 @@
     this, it will be truncated.  Second, a boolean value which will be true if
     the user should be prompted for the passphrase twice and the callback 
should
     verify that the two values supplied are equal. Third, the value given as 
the
-    *userdata* parameter to :py:meth:`set_passwd_cb`.  If an error occurs,
-    *callback* should return a false value (e.g. an empty string).
+    *userdata* parameter to :py:meth:`set_passwd_cb`.  The *callback* must 
return
+    a byte string. If an error occurs, *callback* should return a false value
+    (e.g. an empty string).
 
 
 .. py:method:: Context.set_session_cache_mode(mode)
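Review bot: The added sentence says the callback "must return a byte string", but the next sentence still gives "an empty string" as the error value, which on Python 3 reads as a text string and contradicts the new requirement. Suggest wording the example as an empty byte string (b"") so the two sentences agree.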
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/examples/simple/server.py 
new/pyOpenSSL-17.5.0/examples/simple/server.py
--- old/pyOpenSSL-17.2.0/examples/simple/server.py      2016-12-05 
09:53:29.000000000 +0100
+++ new/pyOpenSSL-17.5.0/examples/simple/server.py      2017-12-01 
03:16:17.000000000 +0100
@@ -73,7 +73,7 @@
         r, w, _ = select.select(
             [server] + list(clients.keys()), list(writers.keys()), []
         )
-    except:
+    except Exception:
         break
 
     for cli in r:
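Review bot: The `except Exception:` handler still leaves the loop with a bare `break` and records nothing about what `select.select` raised, so a bad descriptor and any other failure look identical to someone copying this example. Suggest catching the specific select/socket error and printing it before breaking. Note also that, compared with the bare `except:`, KeyboardInterrupt now propagates out of the loop instead of ending it quietly, so any cleanup placed after the loop is skipped on Ctrl-C.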
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/setup.py 
new/pyOpenSSL-17.5.0/setup.py
--- old/pyOpenSSL-17.2.0/setup.py       2017-07-20 09:50:42.000000000 +0200
+++ new/pyOpenSSL-17.5.0/setup.py       2017-12-01 03:16:17.000000000 +0100
@@ -80,7 +80,6 @@
             'Programming Language :: Python :: 2.6',
             'Programming Language :: Python :: 2.7',
             'Programming Language :: Python :: 3',
-            'Programming Language :: Python :: 3.3',
             'Programming Language :: Python :: 3.4',
             'Programming Language :: Python :: 3.5',
             'Programming Language :: Python :: 3.6',
@@ -96,14 +95,16 @@
         package_dir={"": "src"},
         install_requires=[
             # Fix cryptographyMinimum in tox.ini when changing this!
-            "cryptography>=1.9",
+            "cryptography>=2.1.4",
             "six>=1.5.2"
         ],
         extras_require={
             "test": [
                 "flaky",
                 "pretend",
-                "pytest>=3.0.1",
+                # pytest 3.3 doesn't support Python 2.6 anymore.
+                # Remove this pin once we drop Python 2.6 too.
+                "pytest>=3.0.1,<3.3.0",
             ],
             "docs": [
                 "sphinx",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/src/OpenSSL/SSL.py 
new/pyOpenSSL-17.5.0/src/OpenSSL/SSL.py
--- old/pyOpenSSL-17.2.0/src/OpenSSL/SSL.py     2017-07-20 09:50:42.000000000 
+0200
+++ new/pyOpenSSL-17.5.0/src/OpenSSL/SSL.py     2017-12-01 03:16:17.000000000 
+0100
@@ -27,6 +27,95 @@
 from OpenSSL.crypto import (
     FILETYPE_PEM, _PassphraseHelper, PKey, X509Name, X509, X509Store)
 
+__all__ = [
+    'OPENSSL_VERSION_NUMBER',
+    'SSLEAY_VERSION',
+    'SSLEAY_CFLAGS',
+    'SSLEAY_PLATFORM',
+    'SSLEAY_DIR',
+    'SSLEAY_BUILT_ON',
+    'SENT_SHUTDOWN',
+    'RECEIVED_SHUTDOWN',
+    'SSLv2_METHOD',
+    'SSLv3_METHOD',
+    'SSLv23_METHOD',
+    'TLSv1_METHOD',
+    'TLSv1_1_METHOD',
+    'TLSv1_2_METHOD',
+    'OP_NO_SSLv2',
+    'OP_NO_SSLv3',
+    'OP_NO_TLSv1',
+    'OP_NO_TLSv1_1',
+    'OP_NO_TLSv1_2',
+    'MODE_RELEASE_BUFFERS',
+    'OP_SINGLE_DH_USE',
+    'OP_SINGLE_ECDH_USE',
+    'OP_EPHEMERAL_RSA',
+    'OP_MICROSOFT_SESS_ID_BUG',
+    'OP_NETSCAPE_CHALLENGE_BUG',
+    'OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG',
+    'OP_SSLREF2_REUSE_CERT_TYPE_BUG',
+    'OP_MICROSOFT_BIG_SSLV3_BUFFER',
+    'OP_MSIE_SSLV2_RSA_PADDING',
+    'OP_SSLEAY_080_CLIENT_DH_BUG',
+    'OP_TLS_D5_BUG',
+    'OP_TLS_BLOCK_PADDING_BUG',
+    'OP_DONT_INSERT_EMPTY_FRAGMENTS',
+    'OP_CIPHER_SERVER_PREFERENCE',
+    'OP_TLS_ROLLBACK_BUG',
+    'OP_PKCS1_CHECK_1',
+    'OP_PKCS1_CHECK_2',
+    'OP_NETSCAPE_CA_DN_BUG',
+    'OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG',
+    'OP_NO_COMPRESSION',
+    'OP_NO_QUERY_MTU',
+    'OP_COOKIE_EXCHANGE',
+    'OP_NO_TICKET',
+    'OP_ALL',
+    'VERIFY_PEER',
+    'VERIFY_FAIL_IF_NO_PEER_CERT',
+    'VERIFY_CLIENT_ONCE',
+    'VERIFY_NONE',
+    'SESS_CACHE_OFF',
+    'SESS_CACHE_CLIENT',
+    'SESS_CACHE_SERVER',
+    'SESS_CACHE_BOTH',
+    'SESS_CACHE_NO_AUTO_CLEAR',
+    'SESS_CACHE_NO_INTERNAL_LOOKUP',
+    'SESS_CACHE_NO_INTERNAL_STORE',
+    'SESS_CACHE_NO_INTERNAL',
+    'SSL_ST_CONNECT',
+    'SSL_ST_ACCEPT',
+    'SSL_ST_MASK',
+    'SSL_ST_INIT',
+    'SSL_ST_BEFORE',
+    'SSL_ST_OK',
+    'SSL_ST_RENEGOTIATE',
+    'SSL_CB_LOOP',
+    'SSL_CB_EXIT',
+    'SSL_CB_READ',
+    'SSL_CB_WRITE',
+    'SSL_CB_ALERT',
+    'SSL_CB_READ_ALERT',
+    'SSL_CB_WRITE_ALERT',
+    'SSL_CB_ACCEPT_LOOP',
+    'SSL_CB_ACCEPT_EXIT',
+    'SSL_CB_CONNECT_LOOP',
+    'SSL_CB_CONNECT_EXIT',
+    'SSL_CB_HANDSHAKE_START',
+    'SSL_CB_HANDSHAKE_DONE',
+    'Error',
+    'WantReadError',
+    'WantWriteError',
+    'WantX509LookupError',
+    'ZeroReturnError',
+    'SysCallError',
+    'SSLeay_version',
+    'Session',
+    'Context',
+    'Connection'
+]
+
 try:
     _memoryview = memoryview
 except NameError:
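Review bot: This hand-maintained `__all__` list has no visible guard against drift: a name listed here that the module does not define makes `from OpenSSL.SSL import *` fail with AttributeError, and a new public name that is not added is silently left out of star imports. Suggest a small test that iterates over `SSL.__all__` and checks `hasattr(SSL, name)` for each entry, so the list cannot fall out of step with the module.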
@@ -220,8 +309,9 @@
 
         @wraps(callback)
         def wrapper(ok, store_ctx):
-            cert = X509.__new__(X509)
-            cert._x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)
+            x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)
+            _lib.X509_up_ref(x509)
+            cert = X509._from_raw_x509_ptr(x509)
             error_number = _lib.X509_STORE_CTX_get_error(store_ctx)
             error_depth = _lib.X509_STORE_CTX_get_error_depth(store_ctx)
 
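Review bot: The return value of `_lib.X509_up_ref(x509)` is discarded. `X509._from_raw_x509_ptr` attaches `X509_free` as the finalizer, so if the reference increment ever failed, the wrapper would later release a reference it never took on a certificate that the store context still owns. Suggest checking the result, e.g. `_openssl_assert(_lib.X509_up_ref(x509) == 1)`, and adding a one-line comment that the pointer returned by `X509_STORE_CTX_get_current_cert` is borrowed, since that is the reason the up_ref is needed here and not in the other call sites.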
@@ -307,10 +397,10 @@
                 instr = _ffi.buffer(in_, inlen)[:]
                 protolist = []
                 while instr:
-                    l = indexbytes(instr, 0)
-                    proto = instr[1:l + 1]
+                    length = indexbytes(instr, 0)
+                    proto = instr[1:length + 1]
                     protolist.append(proto)
-                    instr = instr[l + 1:]
+                    instr = instr[length + 1:]
 
                 # Call the callback
                 outstr = callback(conn, protolist)
@@ -695,7 +785,7 @@
         """
         Set the passphrase callback
 
-        :param callback: The Python callback to use
+        :param callback: The Python callback to use; must return a byte string
         :param userdata: (optional) A Python object which will be given as
                          argument to the callback
         :return: None
@@ -1080,7 +1170,7 @@
                 if not push_result:
                     _lib.X509_NAME_free(copy)
                     _raise_current_error()
-        except:
+        except Exception:
             _lib.sk_X509_NAME_free(name_stack)
             raise
 
@@ -1941,6 +2031,30 @@
         _lib.SSL_SESSION_get_master_key(session, outp, length)
         return _ffi.buffer(outp, length)[:]
 
+    def export_keying_material(self, label, olen, context=None):
+        """
+        Obtain keying material for application use.
+
+        :param label - a disambiguating label string as described in RFC 5705
+        :param olen - the length of the exported key material in bytes
+        :param context - a per-association context value
+        :return the exported key material bytes or None
+        """
+        outp = _no_zero_allocator("unsigned char[]", olen)
+        context_buf = _ffi.NULL
+        context_len = 0
+        use_context = 0
+        if context is not None:
+            context_buf = context
+            context_len = len(context)
+            use_context = 1
+        success = _lib.SSL_export_keying_material(self._ssl, outp, olen,
+                                                  label, len(label),
+                                                  context_buf, context_len,
+                                                  use_context)
+        _openssl_assert(success == 1)
+        return _ffi.buffer(outp, olen)[:]
+
     def sock_shutdown(self, *args, **kwargs):
         """
         See shutdown(2)
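Review bot: `export_keying_material` passes `label`, `olen` and `context` straight to `SSL_export_keying_material` with no type or range checks, so a text string for `label` or a negative `olen` surfaces as a low-level cffi error rather than a clear TypeError or ValueError; `add()` in rand.py already validates its arguments with isinstance checks and the same pattern would fit here. The docstring also needs attention: the fields are written as `:param label -` instead of `:param label:`, so Sphinx will not render them, and `:return` promises "or None" although the method either returns bytes or fails in `_openssl_assert`. It would also help to state that `label` and `context` must be byte strings.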
@@ -1957,9 +2071,7 @@
         """
         cert = _lib.SSL_get_peer_certificate(self._ssl)
         if cert != _ffi.NULL:
-            pycert = X509.__new__(X509)
-            pycert._x509 = _ffi.gc(cert, _lib.X509_free)
-            return pycert
+            return X509._from_raw_x509_ptr(cert)
         return None
 
     def get_peer_cert_chain(self):
@@ -1977,8 +2089,7 @@
         for i in range(_lib.sk_X509_num(cert_stack)):
             # TODO could incref instead of dup here
             cert = _lib.X509_dup(_lib.sk_X509_value(cert_stack, i))
-            pycert = X509.__new__(X509)
-            pycert._x509 = _ffi.gc(cert, _lib.X509_free)
+            pycert = X509._from_raw_x509_ptr(cert)
             result.append(pycert)
         return result
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/src/OpenSSL/__init__.py 
new/pyOpenSSL-17.5.0/src/OpenSSL/__init__.py
--- old/pyOpenSSL-17.2.0/src/OpenSSL/__init__.py        2016-02-15 
11:25:58.000000000 +0100
+++ new/pyOpenSSL-17.5.0/src/OpenSSL/__init__.py        2017-12-01 
03:16:17.000000000 +0100
@@ -5,7 +5,7 @@
 pyOpenSSL - A simple wrapper around the OpenSSL library
 """
 
-from OpenSSL import rand, crypto, SSL
+from OpenSSL import crypto, SSL
 from OpenSSL.version import (
     __author__, __copyright__, __email__, __license__, __summary__, __title__,
     __uri__, __version__,
@@ -13,7 +13,7 @@
 
 
 __all__ = [
-    "SSL", "crypto", "rand",
+    "SSL", "crypto",
 
     "__author__", "__copyright__", "__email__", "__license__", "__summary__",
     "__title__", "__uri__", "__version__",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/src/OpenSSL/crypto.py 
new/pyOpenSSL-17.5.0/src/OpenSSL/crypto.py
--- old/pyOpenSSL-17.2.0/src/OpenSSL/crypto.py  2017-07-20 10:46:45.000000000 
+0200
+++ new/pyOpenSSL-17.5.0/src/OpenSSL/crypto.py  2017-12-01 03:16:17.000000000 
+0100
@@ -24,6 +24,45 @@
     make_assert as _make_assert,
 )
 
+__all__ = [
+    'FILETYPE_PEM',
+    'FILETYPE_ASN1',
+    'FILETYPE_TEXT',
+    'TYPE_RSA',
+    'TYPE_DSA',
+    'Error',
+    'PKey',
+    'get_elliptic_curves',
+    'get_elliptic_curve',
+    'X509Name',
+    'X509Extension',
+    'X509Req',
+    'X509',
+    'X509StoreFlags',
+    'X509Store',
+    'X509StoreContextError',
+    'X509StoreContext',
+    'load_certificate',
+    'dump_certificate',
+    'dump_publickey',
+    'dump_privatekey',
+    'Revoked',
+    'CRL',
+    'PKCS7',
+    'PKCS12',
+    'NetscapeSPKI',
+    'load_publickey',
+    'load_privatekey',
+    'dump_certificate_request',
+    'load_certificate_request',
+    'sign',
+    'verify',
+    'dump_crl',
+    'load_crl',
+    'load_pkcs7_data',
+    'load_pkcs12'
+]
+
 FILETYPE_PEM = _lib.SSL_FILETYPE_PEM
 FILETYPE_ASN1 = _lib.SSL_FILETYPE_ASN1
 
@@ -162,6 +201,19 @@
             return string_result
 
 
+class _X509NameInvalidator(object):
+    def __init__(self):
+        self._names = []
+
+    def add(self, name):
+        self._names.append(name)
+
+    def clear(self):
+        for name in self._names:
+            # Breaks the object, but also prevents UAF!
+            del name._name
+
+
 class PKey(object):
     """
     A class representing an DSA or RSA public key or key pair.
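Review bot: `clear()` deletes `_name` from every tracked object but never empties `self._names`, so a second `set_issuer()` or `set_subject()` on the same certificate runs `del name._name` again on names that have already lost the attribute, and the list keeps a strong reference to every X509Name ever handed out. Suggest resetting the list at the end of `clear()` (`self._names = []`) and holding the names weakly if possible. A short class docstring explaining that invalidated names fail with AttributeError on next use would also save callers some debugging.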
@@ -1032,6 +1084,17 @@
         _openssl_assert(x509 != _ffi.NULL)
         self._x509 = _ffi.gc(x509, _lib.X509_free)
 
+        self._issuer_invalidator = _X509NameInvalidator()
+        self._subject_invalidator = _X509NameInvalidator()
+
+    @classmethod
+    def _from_raw_x509_ptr(cls, x509):
+        cert = cls.__new__(cls)
+        cert._x509 = _ffi.gc(x509, _lib.X509_free)
+        cert._issuer_invalidator = _X509NameInvalidator()
+        cert._subject_invalidator = _X509NameInvalidator()
+        return cert
+
     def to_cryptography(self):
         """
         Export as a ``cryptography`` certificate.
@@ -1382,7 +1445,9 @@
         :return: The issuer of this certificate.
         :rtype: :class:`X509Name`
         """
-        return self._get_name(_lib.X509_get_issuer_name)
+        name = self._get_name(_lib.X509_get_issuer_name)
+        self._issuer_invalidator.add(name)
+        return name
 
     def set_issuer(self, issuer):
         """
@@ -1393,7 +1458,8 @@
 
         :return: ``None``
         """
-        return self._set_name(_lib.X509_set_issuer_name, issuer)
+        self._set_name(_lib.X509_set_issuer_name, issuer)
+        self._issuer_invalidator.clear()
 
     def get_subject(self):
         """
@@ -1407,7 +1473,9 @@
         :return: The subject of this certificate.
         :rtype: :class:`X509Name`
         """
-        return self._get_name(_lib.X509_get_subject_name)
+        name = self._get_name(_lib.X509_get_subject_name)
+        self._subject_invalidator.add(name)
+        return name
 
     def set_subject(self, subject):
         """
@@ -1418,7 +1486,8 @@
 
         :return: ``None``
         """
-        return self._set_name(_lib.X509_set_subject_name, subject)
+        self._set_name(_lib.X509_set_subject_name, subject)
+        self._subject_invalidator.clear()
 
     def get_extension_count(self):
         """
@@ -1655,6 +1724,9 @@
     def _init(self):
         """
         Set up the store context for a subsequent verification operation.
+
+        Calling this method more than once without first calling
+        :meth:`_cleanup` will leak memory.
         """
         ret = _lib.X509_STORE_CTX_init(
             self._store_ctx, self._store._store, self._cert._x509, _ffi.NULL
@@ -1688,8 +1760,7 @@
         # expect this call to never return :class:`None`.
         _x509 = _lib.X509_STORE_CTX_get_current_cert(self._store_ctx)
         _cert = _lib.X509_dup(_x509)
-        pycert = X509.__new__(X509)
-        pycert._x509 = _ffi.gc(_cert, _lib.X509_free)
+        pycert = X509._from_raw_x509_ptr(_cert)
         return X509StoreContextError(errors, pycert)
 
     def set_store(self, store):
@@ -1715,6 +1786,10 @@
         """
         # Always re-initialize the store context in case
         # :meth:`verify_certificate` is called multiple times.
+        #
+        # :meth:`_init` is called in :meth:`__init__` so _cleanup is called
+        # before _init to ensure memory is not leaked.
+        self._cleanup()
         self._init()
         ret = _lib.X509_verify_cert(self._store_ctx)
         self._cleanup()
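Review bot: The added `self._cleanup()` before `self._init()` exists only because `__init__` has already called `_init`, as the new comment says, so every first verification now initialises the store context, tears it down and initialises it again. If nothing else depends on the context being initialised at construction time, dropping the `_init` call from `__init__` would remove the leak without the extra cleanup. If it has to stay, consider making `_init` itself idempotent, since the new docstring warning on `_init` shows the leak can still be reintroduced by any future caller.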
@@ -1748,9 +1823,7 @@
     if x509 == _ffi.NULL:
         _raise_current_error()
 
-    cert = X509.__new__(X509)
-    cert._x509 = _ffi.gc(x509, _lib.X509_free)
-    return cert
+    return X509._from_raw_x509_ptr(x509)
 
 
 def dump_certificate(type, cert):
@@ -2898,7 +2971,7 @@
         _raise_current_error()
 
     result = CRL.__new__(CRL)
-    result._crl = crl
+    result._crl = _ffi.gc(crl, _lib.X509_CRL_free)
     return result
 
 
@@ -2985,8 +3058,7 @@
         pycert = None
         friendlyname = None
     else:
-        pycert = X509.__new__(X509)
-        pycert._x509 = _ffi.gc(cert[0], _lib.X509_free)
+        pycert = X509._from_raw_x509_ptr(cert[0])
 
         friendlyname_length = _ffi.new("int*")
         friendlyname_buffer = _lib.X509_alias_get0(
@@ -3000,8 +3072,8 @@
 
     pycacerts = []
     for i in range(_lib.sk_X509_num(cacerts)):
-        pycacert = X509.__new__(X509)
-        pycacert._x509 = _lib.sk_X509_value(cacerts, i)
+        x509 = _lib.sk_X509_value(cacerts, i)
+        pycacert = X509._from_raw_x509_ptr(x509)
         pycacerts.append(pycacert)
     if not pycacerts:
         pycacerts = None
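Review bot: In the cacerts loop, the pointer from `_lib.sk_X509_value(cacerts, i)` is now wrapped by `X509._from_raw_x509_ptr`, which registers `X509_free`, yet no reference is taken first, unlike the verify-callback change in SSL.py where `X509_up_ref` precedes the same call. That is only correct if the Python objects are meant to take over the references held by the stack and the stack container is later released without freeing its elements, which this hunk does not show. Suggest a comment stating the ownership transfer here, and confirming how `cacerts` itself is freed, so a later cleanup of the stack does not turn this leak fix into a double free.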
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/src/OpenSSL/rand.py 
new/pyOpenSSL-17.5.0/src/OpenSSL/rand.py
--- old/pyOpenSSL-17.2.0/src/OpenSSL/rand.py    2017-07-20 09:50:42.000000000 
+0200
+++ new/pyOpenSSL-17.5.0/src/OpenSSL/rand.py    2017-12-01 03:16:17.000000000 
+0100
@@ -2,71 +2,7 @@
 PRNG management routines, thin wrappers.
 """
 
-import warnings
-from functools import partial
-
-from six import integer_types as _integer_types
-
-from OpenSSL._util import (
-    ffi as _ffi,
-    lib as _lib,
-    exception_from_error_queue as _exception_from_error_queue,
-    path_string as _path_string)
-
-
-warnings.warn(
-    "OpenSSL.rand is deprecated - you should use os.urandom instead",
-    DeprecationWarning, stacklevel=3
-)
-
-
-class Error(Exception):
-    """
-    An error occurred in an :mod:`OpenSSL.rand` API.
-
-    If the current RAND method supports any errors, this is raised when needed.
-    The default method does not raise this when the entropy pool is depleted.
-
-    Whenever this exception is raised directly, it has a list of error messages
-    from the OpenSSL error queue, where each item is a tuple *(lib, function,
-    reason)*. Here *lib*, *function* and *reason* are all strings, describing
-    where and what the problem is.
-
-    See :manpage:`err(3)` for more information.
-    """
-
-
-_raise_current_error = partial(_exception_from_error_queue, Error)
-
-_unspecified = object()
-
-_builtin_bytes = bytes
-
-
-def bytes(num_bytes):
-    """
-    Get some random bytes from the PRNG as a string.
-
-    This is a wrapper for the C function ``RAND_bytes``.
-
-    :param num_bytes: The number of bytes to fetch.
-
-    :return: A string of random bytes.
-    """
-    if not isinstance(num_bytes, _integer_types):
-        raise TypeError("num_bytes must be an integer")
-
-    if num_bytes < 0:
-        raise ValueError("num_bytes must not be negative")
-
-    result_buffer = _ffi.new("unsigned char[]", num_bytes)
-    result_code = _lib.RAND_bytes(result_buffer, num_bytes)
-    if result_code == -1:
-        # TODO: No tests for this code path.  Triggering a RAND_bytes failure
-        # might involve supplying a custom ENGINE?  That's hard.
-        _raise_current_error()
-
-    return _ffi.buffer(result_buffer)[:]
+from OpenSSL._util import lib as _lib
 
 
 def add(buffer, entropy):
@@ -78,36 +14,23 @@
 
     For more information, see e.g. :rfc:`1750`.
 
+    This function is only relevant if you are forking Python processes and
+    need to reseed the CSPRNG after fork.
+
     :param buffer: Buffer with random data.
     :param entropy: The entropy (in bytes) measurement of the buffer.
 
     :return: :obj:`None`
     """
-    if not isinstance(buffer, _builtin_bytes):
+    if not isinstance(buffer, bytes):
         raise TypeError("buffer must be a byte string")
 
     if not isinstance(entropy, int):
         raise TypeError("entropy must be an integer")
 
-    # TODO Nothing tests this call actually being made, or made properly.
     _lib.RAND_add(buffer, len(buffer), entropy)
 
 
-def seed(buffer):
-    """
-    Equivalent to calling :func:`add` with *entropy* as the length of *buffer*.
-
-    :param buffer: Buffer with random data
-
-    :return: :obj:`None`
-    """
-    if not isinstance(buffer, _builtin_bytes):
-        raise TypeError("buffer must be a byte string")
-
-    # TODO Nothing tests this call actually being made, or made properly.
-    _lib.RAND_seed(buffer, len(buffer))
-
-
 def status():
     """
     Check whether the PRNG has been seeded with enough data.
@@ -115,55 +38,3 @@
     :return: 1 if the PRNG is seeded enough, 0 otherwise.
     """
     return _lib.RAND_status()
-
-
-def cleanup():
-    """
-    Erase the memory used by the PRNG.
-
-    This is a wrapper for the C function ``RAND_cleanup``.
-
-    :return: :obj:`None`
-    """
-    # TODO Nothing tests this call actually being made, or made properly.
-    _lib.RAND_cleanup()
-
-
-def load_file(filename, maxbytes=_unspecified):
-    """
-    Read *maxbytes* of data from *filename* and seed the PRNG with it.
-
-    Read the whole file if *maxbytes* is not specified or negative.
-
-    :param filename: The file to read data from (``bytes`` or ``unicode``).
-    :param maxbytes: (optional) The number of bytes to read.    Default is to
-        read the entire file.
-
-    :return: The number of bytes read
-    """
-    filename = _path_string(filename)
-
-    if maxbytes is _unspecified:
-        maxbytes = -1
-    elif not isinstance(maxbytes, int):
-        raise TypeError("maxbytes must be an integer")
-
-    return _lib.RAND_load_file(filename, maxbytes)
-
-
-def write_file(filename):
-    """
-    Write a number of random bytes (currently 1024) to the file *path*.  This
-    file can then be used with :func:`load_file` to seed the PRNG again.
-
-    :param filename: The file to write data to (``bytes`` or ``unicode``).
-
-    :return: The number of bytes written.
-    """
-    filename = _path_string(filename)
-    return _lib.RAND_write_file(filename)
-
-
-# TODO There are no tests for the RAND strings being loaded, whatever that
-# means.
-_lib.ERR_load_RAND_strings()
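Review bot: removing `cleanup`, `load_file` and `write_file` with no stub left behind means existing callers fail with a bare `AttributeError` on first use, with no hint about the replacement. For a distribution update, check reverse dependencies for `rand.cleanup`, `rand.load_file` and `rand.write_file` before accepting. Upstream could keep thin stubs that raise with a message pointing to `os.urandom()`, which the changelog names as the replacement.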
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/src/OpenSSL/tsafe.py 
new/pyOpenSSL-17.5.0/src/OpenSSL/tsafe.py
--- old/pyOpenSSL-17.2.0/src/OpenSSL/tsafe.py   2016-02-15 11:25:58.000000000 
+0100
+++ new/pyOpenSSL-17.5.0/src/OpenSSL/tsafe.py   2017-12-01 03:16:17.000000000 
+0100
@@ -1,8 +1,15 @@
+import warnings
 from threading import RLock as _RLock
 
 from OpenSSL import SSL as _ssl
 
 
+warnings.warn(
+    "OpenSSL.tsafe is deprecated and will be removed",
+    DeprecationWarning, stacklevel=3
+)
+
+
 class Connection:
     def __init__(self, *args):
         self._ssl_conn = _ssl.Connection(*args)
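Review bot: the module-level `warnings.warn(...)` uses `stacklevel=3` with no comment on which frame that is meant to blame, and nothing visible tests that the warning is attributed to the importing module. The right value for an import-time warning differs between interpreters, so add a test that imports `OpenSSL.tsafe` under `warnings.catch_warnings(record=True)` and checks the recorded filename. The message "is deprecated and will be removed" should also name the release in which removal happens and what to use instead. `DeprecationWarning` is hidden by default, so most users will only see this under `-W` or a test runner.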
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/src/OpenSSL/version.py 
new/pyOpenSSL-17.5.0/src/OpenSSL/version.py
--- old/pyOpenSSL-17.2.0/src/OpenSSL/version.py 2017-07-20 10:53:07.000000000 
+0200
+++ new/pyOpenSSL-17.5.0/src/OpenSSL/version.py 2017-12-01 03:16:17.000000000 
+0100
@@ -11,7 +11,7 @@
     "__title__", "__uri__", "__version__",
 ]
 
-__version__ = "17.2.0"
+__version__ = "17.5.0"
 
 __title__ = "pyOpenSSL"
 __uri__ = "https://pyopenssl.org/";
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/src/pyOpenSSL.egg-info/PKG-INFO 
new/pyOpenSSL-17.5.0/src/pyOpenSSL.egg-info/PKG-INFO
--- old/pyOpenSSL-17.2.0/src/pyOpenSSL.egg-info/PKG-INFO        2017-07-20 
11:50:07.000000000 +0200
+++ new/pyOpenSSL-17.5.0/src/pyOpenSSL.egg-info/PKG-INFO        2017-12-01 
03:17:48.000000000 +0100
@@ -1,11 +1,12 @@
 Metadata-Version: 1.1
 Name: pyOpenSSL
-Version: 17.2.0
+Version: 17.5.0
 Summary: Python wrapper module around the OpenSSL library
 Home-page: https://pyopenssl.org/
 Author: Hynek Schlawack
 Author-email: h...@ox.cx
 License: Apache License, Version 2.0
+Description-Content-Type: UNKNOWN
 Description: ========================================================
         pyOpenSSL -- A Python wrapper around the OpenSSL library
         ========================================================
@@ -54,7 +55,35 @@
         Release Information
         ===================
         
-        17.2.0 (2017-07-20)
+        17.5.0 (2017-11-30)
+        -------------------
+        
+        
+        Backward-incompatible changes:
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+        
+        * The minimum ``cryptography`` version is now 2.1.4.
+        
+        
+        Deprecations:
+        ^^^^^^^^^^^^^
+        
+        *none*
+        
+        
+        Changes:
+        ^^^^^^^^
+        
+        - Fixed a potential use-after-free in the verify callback and resolved 
a memory leak when loading PKCS12 files with ``cacerts``.
+          `#723 <https://github.com/pyca/pyopenssl/pull/723>`_
+        - Added ``Connection.export_keying_material`` for RFC 5705 compatible 
export of keying material.
+          `#725 <https://github.com/pyca/pyopenssl/pull/725>`_
+        
+        ----
+        
+        
+        
+        17.4.0 (2017-11-21)
         -------------------
         
         
@@ -67,17 +96,50 @@
         Deprecations:
         ^^^^^^^^^^^^^
         
-        - Deprecated ``OpenSSL.rand`` - callers should use ``os.urandom()`` 
instead.
-          `#658 <https://github.com/pyca/pyopenssl/pull/658>`_
+        *none*
+        
+        
+        Changes:
+        ^^^^^^^^
+        
+        
+        - Re-added a subset of the ``OpenSSL.rand`` module.
+          This subset allows conscientious users to reseed the OpenSSL CSPRNG 
after fork.
+          `#708 <https://github.com/pyca/pyopenssl/pull/708>`_
+        - Corrected a use-after-free when reusing an issuer or subject from an 
``X509`` object after the underlying object has been mutated.
+          `#709 <https://github.com/pyca/pyopenssl/pull/709>`_
+        
+        ----
+        
+        
+        17.3.0 (2017-09-14)
+        -------------------
+        
+        
+        Backward-incompatible changes:
+        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+        
+        - Dropped support for Python 3.3.
+          `#677 <https://github.com/pyca/pyopenssl/pull/677>`_
+        - Removed the deprecated ``OpenSSL.rand`` module.
+          This is being done ahead of our normal deprecation schedule due to 
its lack of use and the fact that it was becoming a maintenance burden.
+          ``os.urandom()`` should be used instead.
+          `#675 <https://github.com/pyca/pyopenssl/pull/675>`_
+        
+        
+        Deprecations:
+        ^^^^^^^^^^^^^
         
+        - Deprecated ``OpenSSL.tsafe``.
+          `#673 <https://github.com/pyca/pyopenssl/pull/673>`_
         
         Changes:
         ^^^^^^^^
         
-        - Fixed a bug causing ``Context.set_default_verify_paths()`` to not 
work with cryptography ``manylinux1`` wheels on Python 3.x.
-          `#665 <https://github.com/pyca/pyopenssl/pull/665>`_
-        - Fixed a crash with (EC)DSA signatures in some cases.
-          `#670 <https://github.com/pyca/pyopenssl/pull/670>`_
+        - Fixed a memory leak in ``OpenSSL.crypto.CRL``.
+          `#690 <https://github.com/pyca/pyopenssl/pull/690>`_
+        - Fixed a memory leak when verifying certificates with 
``OpenSSL.crypto.X509StoreContext``.
+          `#691 <https://github.com/pyca/pyopenssl/pull/691>`_
         
         `Full changelog <https://pyopenssl.org/en/stable/changelog.html>`_.
         
@@ -93,7 +155,6 @@
 Classifier: Programming Language :: Python :: 2.6
 Classifier: Programming Language :: Python :: 2.7
 Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.3
 Classifier: Programming Language :: Python :: 3.4
 Classifier: Programming Language :: Python :: 3.5
 Classifier: Programming Language :: Python :: 3.6
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/src/pyOpenSSL.egg-info/requires.txt 
new/pyOpenSSL-17.5.0/src/pyOpenSSL.egg-info/requires.txt
--- old/pyOpenSSL-17.2.0/src/pyOpenSSL.egg-info/requires.txt    2017-07-20 
11:50:07.000000000 +0200
+++ new/pyOpenSSL-17.5.0/src/pyOpenSSL.egg-info/requires.txt    2017-12-01 
03:17:48.000000000 +0100
@@ -1,4 +1,4 @@
-cryptography>=1.9
+cryptography>=2.1.4
 six>=1.5.2
 
 [docs]
@@ -8,4 +8,4 @@
 [test]
 flaky
 pretend
-pytest>=3.0.1
+pytest<3.3.0,>=3.0.1
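Review bot: `pytest<3.3.0,>=3.0.1` adds an upper bound with no reason recorded, so nobody will know when it is safe to lift. Add a comment or issue reference where the requirement is declared saying which pytest 3.3 behaviour breaks the suite. On the packaging side, confirm the test suite is actually run against a pytest inside this range, otherwise the build either skips tests or runs them on an unsupported version.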
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/tests/test_crypto.py 
new/pyOpenSSL-17.5.0/tests/test_crypto.py
--- old/pyOpenSSL-17.2.0/tests/test_crypto.py   2017-07-20 10:46:45.000000000 
+0200
+++ new/pyOpenSSL-17.5.0/tests/test_crypto.py   2017-12-01 03:16:17.000000000 
+0100
@@ -8,8 +8,6 @@
 from warnings import simplefilter
 
 import base64
-import os
-import re
 from subprocess import PIPE, Popen
 from datetime import datetime, timedelta
 
@@ -46,7 +44,6 @@
 from OpenSSL.crypto import NetscapeSPKI, NetscapeSPKIType
 from OpenSSL.crypto import (
     sign, verify, get_elliptic_curve, get_elliptic_curves)
-from OpenSSL._util import native
 
 from .util import EqualityTestsMixin, is_consistent_type, WARNING_TYPE_EXPECTED
 
@@ -1664,6 +1661,7 @@
         with pytest.raises(TypeError):
             cert.gmtime_adj_notAfter(None)
 
+    @flaky.flaky
     def test_gmtime_adj_notAfter(self):
         """
         `X509.gmtime_adj_notAfter` changes the not-after timestamp
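Review bot: `@flaky.flaky` on `test_gmtime_adj_notAfter` retries a clock-dependent test instead of removing the dependency on the clock, so a real regression in `gmtime_adj_notAfter` that fails intermittently would also be retried away. Prefer bracketing the call with two timestamps and asserting the result lies between them, or comparing with an explicit tolerance. If the decorator stays, confirm `flaky` is imported in this module, since the hunk does not show the import.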
@@ -1848,11 +1846,11 @@
         cert = X509()
         name = cert.get_subject()
         name.C = 'AU'
-        name.O = 'Unit Tests'
+        name.OU = 'Unit Tests'
         cert.set_subject(name)
         assert (
             cert.get_subject().get_components() ==
-            [(b'C', b'AU'), (b'O', b'Unit Tests')])
+            [(b'C', b'AU'), (b'OU', b'Unit Tests')])
 
     def test_get_issuer(self):
         """
@@ -1884,11 +1882,11 @@
         cert = X509()
         name = cert.get_issuer()
         name.C = 'AU'
-        name.O = 'Unit Tests'
+        name.OU = 'Unit Tests'
         cert.set_issuer(name)
         assert (
             cert.get_issuer().get_components() ==
-            [(b'C', b'AU'), (b'O', b'Unit Tests')])
+            [(b'C', b'AU'), (b'OU', b'Unit Tests')])
 
     def test_get_pubkey_uninitialized(self):
         """
@@ -2446,58 +2444,12 @@
             p12.export()
 
 
-# These quoting functions taken directly from Twisted's twisted.python.win32.
-_cmdLineQuoteRe = re.compile(br'(\\*)"')
-_cmdLineQuoteRe2 = re.compile(br'(\\+)\Z')
-
-
-def cmdLineQuote(s):
-    """
-    Internal method for quoting a single command-line argument.
-
-    See http://www.perlmonks.org/?node_id=764004
-
-    :type: :py:obj:`str`
-    :param s: A single unquoted string to quote for something that is expecting
-        cmd.exe-style quoting
-
-    :rtype: :py:obj:`str`
-    :return: A cmd.exe-style quoted string
-    """
-    s = _cmdLineQuoteRe2.sub(br"\1\1", _cmdLineQuoteRe.sub(br'\1\1\\"', s))
-    return b'"' + s + b'"'
-
-
-def quoteArguments(arguments):
-    """
-    Quote an iterable of command-line arguments for passing to CreateProcess or
-    a similar API.  This allows the list passed to
-    :py:obj:`reactor.spawnProcess` to match the child process's
-    :py:obj:`sys.argv` properly.
-
-    :type arguments: :py:obj:`iterable` of :py:obj:`str`
-    :param arguments: An iterable of unquoted arguments to quote
-
-    :rtype: :py:obj:`str`
-    :return: A space-delimited string containing quoted versions of
-        :py:obj:`arguments`
-    """
-    return b' '.join(map(cmdLineQuote, arguments))
-
-
 def _runopenssl(pem, *args):
     """
     Run the command line openssl tool with the given arguments and write
     the given PEM to its stdin.  Not safe for quotes.
     """
-    if os.name == 'posix':
-        command = b"openssl " + b" ".join([
-            (b"'" + arg.replace(b"'", b"'\\''") + b"'")
-            for arg in args
-        ])
-    else:
-        command = b"openssl " + quoteArguments(args)
-    proc = Popen(native(command), shell=True, stdin=PIPE, stdout=PIPE)
+    proc = Popen([b"openssl"] + list(args), stdin=PIPE, stdout=PIPE)
     proc.stdin.write(pem)
     proc.stdin.close()
     output = proc.stdout.read()
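Review bot: the `_runopenssl` docstring still ends with "Not safe for quotes.", which stopped being true once the call became `Popen([b"openssl"] + list(args), stdin=PIPE, stdout=PIPE)`. With an argv list and no `shell=True` there is no shell to interpret quotes, so drop that sentence or replace it with a note that arguments are passed verbatim. Moving away from the hand-rolled quoting plus `shell=True` is the right direction. It would be worth asserting on the process exit status too, so a failing `openssl` invocation is not mistaken for empty output.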
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/tests/test_rand.py 
new/pyOpenSSL-17.5.0/tests/test_rand.py
--- old/pyOpenSSL-17.2.0/tests/test_rand.py     2017-07-20 09:50:42.000000000 
+0200
+++ new/pyOpenSSL-17.5.0/tests/test_rand.py     2017-12-01 03:16:17.000000000 
+0100
@@ -5,56 +5,14 @@
 Unit tests for `OpenSSL.rand`.
 """
 
-import os
-import stat
-import sys
-
 import pytest
 
 from OpenSSL import rand
 
-from .util import NON_ASCII
-
 
 class TestRand(object):
 
     @pytest.mark.parametrize('args', [
-        (None,),
-        (b"foo",),
-    ])
-    def test_bytes_wrong_args(self, args):
-        """
-        `OpenSSL.rand.bytes` raises `TypeError` if called with a non-`int`
-        argument.
-        """
-        with pytest.raises(TypeError):
-            rand.bytes(*args)
-
-    def test_insufficient_memory(self):
-        """
-        `OpenSSL.rand.bytes` raises `MemoryError` or `OverflowError` if more
-        bytes are requested than will fit in memory.
-        """
-        with pytest.raises((MemoryError, OverflowError)):
-            rand.bytes(sys.maxsize + 1)
-
-    def test_bytes(self):
-        """
-        Verify that we can obtain bytes from rand_bytes() and that they are
-        different each time.  Test the parameter of rand_bytes() for
-        bad values.
-        """
-        b1 = rand.bytes(50)
-        assert len(b1) == 50
-        b2 = rand.bytes(num_bytes=50)  # parameter by name
-        assert b1 != b2  # Hip, Hip, Horay! FIPS complaince
-        b3 = rand.bytes(num_bytes=0)
-        assert len(b3) == 0
-        with pytest.raises(ValueError) as exc:
-            rand.bytes(-1)
-        assert str(exc.value) == "num_bytes must not be negative"
-
-    @pytest.mark.parametrize('args', [
         (b"foo", None),
         (None, 3),
     ])
@@ -72,101 +30,9 @@
         """
         rand.add(b'hamburger', 3)
 
-    @pytest.mark.parametrize('args', [
-        (None,),
-        (42,),
-    ])
-    def test_seed_wrong_args(self, args):
-        """
-        `OpenSSL.rand.seed` raises `TypeError` if called with
-        a non-`str` argument.
-        """
-        with pytest.raises(TypeError):
-            rand.seed(*args)
-
-    def test_seed(self):
-        """
-        `OpenSSL.rand.seed` adds entropy to the PRNG.
-        """
-        rand.seed(b'milk shake')
-
     def test_status(self):
         """
         `OpenSSL.rand.status` returns `1` if the PRNG has sufficient entropy,
         `0` otherwise.
         """
-        # It's hard to know what it is actually going to return.  Different
-        # OpenSSL random engines decide differently whether they have enough
-        # entropy or not.
-        assert rand.status() in (0, 1)
-
-    def test_cleanup(self):
-        """
-        `OpenSSL.rand.cleanup` releases the memory used by the PRNG and
-        returns `None`.
-        """
-        assert rand.cleanup() is None
-
-    @pytest.mark.parametrize('args', [
-        ("foo", None),
-        (None, 1),
-    ])
-    def test_load_file_wrong_args(self, args):
-        """
-        `OpenSSL.rand.load_file` raises `TypeError` when with arguments
-        not of type `str` and `int`.
-        """
-        with pytest.raises(TypeError):
-            rand.load_file(*args)
-
-    @pytest.mark.parametrize('args', [
-        None,
-        1,
-    ])
-    def test_write_file_wrong_args(self, args):
-        """
-        `OpenSSL.rand.write_file` raises `TypeError` when called with
-        a non-`str` argument.
-        """
-        with pytest.raises(TypeError):
-            rand.write_file(*args)
-
-    def _read_write_test(self, path):
-        """
-        Verify that ``rand.write_file`` and ``rand.load_file`` can be used.
-        """
-        # Create the file so cleanup is more straightforward
-        with open(path, "w"):
-            pass
-
-        try:
-            # Write random bytes to a file
-            rand.write_file(path)
-
-            # Verify length of written file
-            size = os.stat(path)[stat.ST_SIZE]
-            assert size == 1024
-
-            # Read random bytes from file
-            rand.load_file(path)
-            rand.load_file(path, 4)  # specify a length
-        finally:
-            # Cleanup
-            os.unlink(path)
-
-    def test_bytes_paths(self, tmpfile):
-        """
-        Random data can be saved and loaded to files with paths specified as
-        bytes.
-        """
-        path = tmpfile
-        path += NON_ASCII.encode(sys.getfilesystemencoding())
-        self._read_write_test(path)
-
-    def test_unicode_paths(self, tmpfile):
-        """
-        Random data can be saved and loaded to files with paths specified as
-        unicode.
-        """
-        path = tmpfile.decode('utf-8') + NON_ASCII
-        self._read_write_test(path)
+        assert rand.status() == 1
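Review bot: `assert rand.status() == 1` is stricter than the `in (0, 1)` check it replaces, and the removed comment gave the reason for the loose check: different OpenSSL random engines decide differently whether they have enough entropy. If the stricter assertion is intended, the test docstring should state that an unseeded PRNG is now treated as a failure, and the docstring's "`0` otherwise" wording should be reconciled with it. Build environments with limited entropy sources are where this is most likely to fail, so check the package's build workers before relying on it.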
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/tests/test_ssl.py 
new/pyOpenSSL-17.5.0/tests/test_ssl.py
--- old/pyOpenSSL-17.2.0/tests/test_ssl.py      2017-06-30 16:00:34.000000000 
+0200
+++ new/pyOpenSSL-17.5.0/tests/test_ssl.py      2017-12-01 03:16:17.000000000 
+0100
@@ -221,13 +221,13 @@
 
 
 def loopback_client_factory(socket):
-    client = Connection(Context(TLSv1_METHOD), socket)
+    client = Connection(Context(SSLv23_METHOD), socket)
     client.set_connect_state()
     return client
 
 
 def loopback_server_factory(socket):
-    ctx = Context(TLSv1_METHOD)
+    ctx = Context(SSLv23_METHOD)
     ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
     ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
     server = Connection(ctx, socket)
@@ -1279,6 +1279,31 @@
 
         assert verify.connection is clientConnection
 
+    def test_x509_in_verify_works(self):
+        """
+        We had a bug where the X509 cert instantiated in the callback wrapper
+        didn't __init__ so it was missing objects needed when calling
+        get_subject. This test sets up a handshake where we call get_subject
+        on the cert provided to the verify callback.
+        """
+        serverContext = Context(TLSv1_METHOD)
+        serverContext.use_privatekey(
+            load_privatekey(FILETYPE_PEM, cleartextPrivateKeyPEM))
+        serverContext.use_certificate(
+            load_certificate(FILETYPE_PEM, cleartextCertificatePEM))
+        serverConnection = Connection(serverContext, None)
+
+        def verify_cb_get_subject(conn, cert, errnum, depth, ok):
+            assert cert.get_subject()
+            return 1
+
+        clientContext = Context(TLSv1_METHOD)
+        clientContext.set_verify(VERIFY_PEER, verify_cb_get_subject)
+        clientConnection = Connection(clientContext, None)
+        clientConnection.set_connect_state()
+
+        handshake_in_memory(clientConnection, serverConnection)
+
     def test_set_verify_callback_exception(self):
         """
         If the verify callback passed to `Context.set_verify` raises an
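Review bot: `test_x509_in_verify_works` never checks that `verify_cb_get_subject` was actually called, so the test passes vacuously if the handshake completes without invoking the callback. Record the calls (for example, append `cert.get_subject().get_components()` to a list in the callback) and assert after `handshake_in_memory(...)` that the list is non-empty. The two contexts here are also built with `Context(TLSv1_METHOD)` while the other hunks in this file move to `SSLv23_METHOD`; use the same method here unless TLS 1.0 is specifically required.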
@@ -2463,7 +2488,7 @@
         """
         key = load_privatekey(FILETYPE_PEM, server_key_pem)
         cert = load_certificate(FILETYPE_PEM, server_cert_pem)
-        ctx = Context(TLSv1_METHOD)
+        ctx = Context(SSLv23_METHOD)
         ctx.use_privatekey(key)
         ctx.use_certificate(cert)
         ctx.set_session_id("unity-test")
@@ -3354,6 +3379,28 @@
         assert server_conn.client_random() != server_conn.server_random()
         assert client_conn.client_random() != client_conn.server_random()
 
+        # Export key material for other uses.
+        cekm = client_conn.export_keying_material(b'LABEL', 32)
+        sekm = server_conn.export_keying_material(b'LABEL', 32)
+        assert cekm is not None
+        assert sekm is not None
+        assert cekm == sekm
+        assert len(sekm) == 32
+
+        # Export key material for other uses with additional context.
+        cekmc = client_conn.export_keying_material(b'LABEL', 32, b'CONTEXT')
+        sekmc = server_conn.export_keying_material(b'LABEL', 32, b'CONTEXT')
+        assert cekmc is not None
+        assert sekmc is not None
+        assert cekmc == sekmc
+        assert cekmc != cekm
+        assert sekmc != sekm
+        # Export with alternate label
+        cekmt = client_conn.export_keying_material(b'test', 32, b'CONTEXT')
+        sekmt = server_conn.export_keying_material(b'test', 32, b'CONTEXT')
+        assert cekmc != cekmt
+        assert sekmc != sekmt
+
         # Here are the bytes we'll try to send.
         important_message = b'One if by land, two if by sea.'
 
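Review bot: the alternate-label block asserts `cekmc != cekmt` and `sekmc != sekmt` but never `cekmt == sekmt`, so client and server could disagree on the `b'test'` export and the test would still pass. Add that equality check and a length check, as done for the first two exports. RFC 5705 also distinguishes an absent context from a zero-length one, so a case comparing `export_keying_material(b'LABEL', 32)` with `export_keying_material(b'LABEL', 32, b'')` would pin down how the new API maps the optional argument.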
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pyOpenSSL-17.2.0/tox.ini new/pyOpenSSL-17.5.0/tox.ini
--- old/pyOpenSSL-17.2.0/tox.ini        2017-07-20 09:50:42.000000000 +0200
+++ new/pyOpenSSL-17.5.0/tox.ini        2017-12-01 03:16:17.000000000 +0100
@@ -1,5 +1,5 @@
 [tox]
-envlist = 
{pypy,py26,py27,py33,py34,py35,py36}{,-cryptographyMaster,-cryptographyMinimum},py27-twistedMaster,pypi-readme,check-manifest,flake8,docs,coverage-report
+envlist = 
{pypy,py26,py27,py34,py35,py36}{,-cryptographyMaster,-cryptographyMinimum},py27-twistedMaster,pypi-readme,check-manifest,flake8,docs,coverage-report
 
 [testenv]
 whitelist_externals =
@@ -10,7 +10,7 @@
 deps =
     coverage>=4.2
     cryptographyMaster: git+https://github.com/pyca/cryptography.git
-    cryptographyMinimum: cryptography<=1.9
+    cryptographyMinimum: cryptography==2.1.4
 setenv =
     # Do not allow the executing environment to pollute the test environment
     # with extra packages.

