Hello community, here is the log from the commit of package python-pyOpenSSL for openSUSE:Factory checked in at 2019-01-15 09:15:02 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-pyOpenSSL (Old) and /work/SRC/openSUSE:Factory/.python-pyOpenSSL.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-pyOpenSSL" Tue Jan 15 09:15:02 2019 rev:31 rq:645638 version:18.0.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-pyOpenSSL/python-pyOpenSSL.changes 2018-03-24 16:12:20.594065935 +0100 +++ /work/SRC/openSUSE:Factory/.python-pyOpenSSL.new.28833/python-pyOpenSSL.changes 2019-01-15 09:15:04.870307691 +0100 @@ -1,0 +2,34 @@ +Tue Oct 30 13:41:43 UTC 2018 - Vítězslav Čížek <vci...@suse.com> + +- handle that renegotiation is forbidden in TLS 1.3 + * add tls13-renegotiation.patch + +------------------------------------------------------------------- +Tue Oct 30 11:21:30 UTC 2018 - Tomáš Chvátal <tchva...@suse.com> + +- Add patch to fix issues with openssl 1.1.1: + * openssl-1.1.1.patch +- Drop the downstream fix_test_suite.patch + +------------------------------------------------------------------- +Tue Oct 30 01:06:28 CET 2018 - mc...@suse.com + +- Add patch fix_test_suite.patch to allow test suite to pass with + OpenSSL 1.1.1. + +------------------------------------------------------------------- +Fri Aug 24 09:08:36 UTC 2018 - tchva...@suse.com + +- Add patch to work with openssl 1.1.0i+: + * openssl-1.1.0i.patch + +------------------------------------------------------------------- +Thu Aug 16 15:48:21 UTC 2018 - tchva...@suse.com + +- Update to 18.0.0: + * Update for new openssl 1.1.1 +- Remove not needed patches: + * bug-lp-1265482.diff + * rsa128-i586.patch + +------------------------------------------------------------------- Old: ---- bug-lp-1265482.diff pyOpenSSL-17.5.0.tar.gz rsa128-i586.patch New: ---- openssl-1.1.0i.patch openssl-1.1.1.patch pyOpenSSL-18.0.0.tar.gz tls13-renegotiation.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-pyOpenSSL.spec ++++++ --- /var/tmp/diff_new_pack.BlFRAJ/_old 2019-01-15 09:15:05.642306974 +0100 +++ /var/tmp/diff_new_pack.BlFRAJ/_new 2019-01-15 09:15:05.642306974 +0100 
@@ -12,34 +12,33 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define oldpython python Name: python-pyOpenSSL -Version: 17.5.0 +Version: 18.0.0 Release: 0 Summary: Python wrapper module around the OpenSSL library License: Apache-2.0 Group: Development/Languages/Python -Url: https://github.com/pyca/pyopenssl +URL: https://github.com/pyca/pyopenssl Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz -Patch0: bug-lp-1265482.diff Patch1: skip-networked-test.patch -Patch2: rsa128-i586.patch -BuildRequires: %{python_module cryptography >= 2.1.4} -BuildRequires: %{python_module devel} +Patch2: openssl-1.1.0i.patch +Patch3: openssl-1.1.1.patch +Patch4: tls13-renegotiation.patch +BuildRequires: %{python_module cryptography >= 2.3.0} BuildRequires: %{python_module flaky} BuildRequires: %{python_module pretend} BuildRequires: %{python_module pytest >= 3.0.1} BuildRequires: %{python_module setuptools} BuildRequires: fdupes -BuildRequires: openssl-devel BuildRequires: python-rpm-macros BuildRequires: python3-Sphinx -Requires: python-cryptography >= 2.1.4 +Requires: python-cryptography >= 2.3.0 Requires: python-six >= 1.5.2 Provides: pyOpenSSL = %{version} BuildArch: noarch @@ -67,9 +66,7 @@ %prep %setup -q -n pyOpenSSL-%{version} -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 +%autopatch -p1 %build %python_build @@ -77,7 +74,7 @@ %install %python_install %python_expand %fdupes %{buildroot}%{$python_sitelib} -PYTHONPATH="%{buildroot}%{python3_sitelib}" %__python3 setup.py build_sphinx && rm build/sphinx/html/.buildinfo +PYTHONPATH="%{buildroot}%{python3_sitelib}" python3 setup.py build_sphinx && rm build/sphinx/html/.buildinfo %check export LC_ALL=en_US.UTF-8 
@@ -86,7 +83,8 @@ } %files %{python_files} -%doc LICENSE *.rst +%license LICENSE +%doc *.rst %{python_sitelib}/OpenSSL/ %{python_sitelib}/pyOpenSSL-%{version}-py*.egg-info ++++++ openssl-1.1.0i.patch ++++++ >From 0e6c553bc57587dc644430b7336e6bf4d90180a6 Mon Sep 17 00:00:00 2001 From: Paul Kehrer <paul.l.keh...@gmail.com> Date: Thu, 23 Aug 2018 10:52:15 -0500 Subject: [PATCH] X509Store.add_cert no longer raises an error on duplicate cert (#787) * X509Store.add_cert no longer raises an error on duplicate cert --- src/OpenSSL/crypto.py | 11 ++++++++++- tests/test_crypto.py | 9 ++++----- 3 files changed, 16 insertions(+), 7 deletions(-) Deprecations: diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py index d40f23c2..ea7b354b 100644 --- a/src/OpenSSL/crypto.py +++ b/src/OpenSSL/crypto.py @@ -1607,7 +1607,16 @@ def add_cert(self, cert): if not isinstance(cert, X509): raise TypeError() - _openssl_assert(_lib.X509_STORE_add_cert(self._store, cert._x509) != 0) + # As of OpenSSL 1.1.0i adding the same cert to the store more than + # once doesn't cause an error. Accordingly, this code now silences + # the error for OpenSSL < 1.1.0i as well. + if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0: + code = _lib.ERR_peek_error() + err_reason = _lib.ERR_GET_REASON(code) + _openssl_assert( + err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE + ) + _lib.ERR_clear_error() def add_crl(self, crl): """ diff --git a/tests/test_crypto.py b/tests/test_crypto.py index d1c261b8..eb4590d0 100644 --- a/tests/test_crypto.py +++ b/tests/test_crypto.py 
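Review bot: The duplicate check in `add_cert` reads `ERR_peek_error()`, which returns the oldest entry on the thread's error queue, so an error left behind by an earlier call would be inspected instead of the one `X509_STORE_add_cert` just raised — a stale `X509_R_CERT_ALREADY_IN_HASH_TABLE` entry could mask a different failure, and a stale unrelated entry would make a benign duplicate raise. Draining the queue before the call, `_lib.ERR_clear_error()` right after the `isinstance` check, pins the comparison to this call's own error. The comment could also say what the tolerated case means for callers: `# A duplicate is not an error: the store already trusts this certificate.` `add_cert`'s signature is only visible in the hunk header.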
@@ -2016,16 +2016,15 @@ def test_add_cert_wrong_args(self, cert): with pytest.raises(TypeError): store.add_cert(cert) - def test_add_cert_rejects_duplicate(self): + def test_add_cert_accepts_duplicate(self): """ - `X509Store.add_cert` raises `OpenSSL.crypto.Error` if an attempt is - made to add the same certificate to the store more than once. + `X509Store.add_cert` doesn't raise `OpenSSL.crypto.Error` if an attempt + is made to add the same certificate to the store more than once. """ cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM) store = X509Store() store.add_cert(cert) - with pytest.raises(Error): - store.add_cert(cert) + store.add_cert(cert) class TestPKCS12(object): ++++++ openssl-1.1.1.patch ++++++ >From 4725d76eb4a1c0e7b7b6de6e4a8e95d6f076b50b Mon Sep 17 00:00:00 2001 From: Alex Gaynor <alex.gay...@gmail.com> Date: Tue, 11 Sep 2018 17:35:31 -0400 Subject: [PATCH 1/7] Attempt to fix CRL tests under OpenSSL 1.1.1 --- tests/test_crypto.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tests/test_crypto.py b/tests/test_crypto.py index eb4590d0..4983d6ac 100644 --- a/tests/test_crypto.py +++ b/tests/test_crypto.py @@ -3161,10 +3161,10 @@ def test_export_pem(self): dumped_crl = crl.export( self.cert, self.pkey, days=20, digest=b"sha256" ) - text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text") + text = _runopenssl( + dumped_crl, b"crl", b"-noout", b"-text", b"-nameopt", "" + ) - # These magic values are based on the way the CRL above was constructed - # and with what certificate it was exported. text.index(b'Serial Number: 03AB') text.index(b'Superseded') text.index( @@ -3184,7 +3184,8 @@ def test_export_der(self): self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5" ) text = _runopenssl( - dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER" + dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER", + b"-nameopt", "" ) text.index(b'Serial Number: 03AB') text.index(b'Superseded') 
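Review bot: In the `test_export_pem` hunk the new `-nameopt` value is written as `""`, the only `str` in an argument list that is otherwise entirely `bytes`; write it `b""` so the arguments handed to `_runopenssl` stay uniformly typed (the same applies to the `test_export_der` hunk below and to the `test_export_text` hunk that follows). The rewritten call also drops the explanation that `03AB` and `Superseded` are tied to how the fixture CRL was built; a one-liner such as `# Serial and reason below match the CRL fixture constructed in this class` keeps those magic values explained. `test_export_pem` starts outside the hunk.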
@@ -3207,7 +3208,8 @@ def test_export_text(self): self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5" ) text = _runopenssl( - dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER" + dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER", + b"-nameopt", "" ) # text format >From 17d793266477c9812fdf3311741f175b24c07ed7 Mon Sep 17 00:00:00 2001 From: Alex Gaynor <alex.gay...@gmail.com> Date: Tue, 11 Sep 2018 17:54:22 -0400 Subject: [PATCH 2/7] make these asserts both 1.1.1 and earlier friendly --- tests/test_crypto.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tests/test_crypto.py b/tests/test_crypto.py index 4983d6ac..c08f81c3 100644 --- a/tests/test_crypto.py +++ b/tests/test_crypto.py @@ -3167,9 +3167,9 @@ def test_export_pem(self): text.index(b'Serial Number: 03AB') text.index(b'Superseded') - text.index( - b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' - ) + text.index(b'Issuer:') + text.index(b'C=US') + text.index(b'CN=Testing Root CA') def test_export_der(self): """ @@ -3189,9 +3189,9 @@ def test_export_der(self): ) text.index(b'Serial Number: 03AB') text.index(b'Superseded') - text.index( - b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' - ) + text.index(b'Issuer:') + text.index(b'C=US') + text.index(b'CN=Testing Root CA') # Flaky because we compare the output of running commands which sometimes # varies by 1 second >From f43cdc5cb6c5f1ccf7983d2c7b8f3304d5130662 Mon Sep 17 00:00:00 2001 From: Alex Gaynor <alex.gay...@gmail.com> Date: Tue, 11 Sep 2018 18:09:49 -0400 Subject: [PATCH 3/7] Fix setsession test by excluding TLS 1.3 TLS 1.3 changes how resumption works, and the precise assertion we use here doesn't hold for it. --- tests/test_ssl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_ssl.py b/tests/test_ssl.py index fbf07603..4845eca3 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py 
@@ -2539,7 +2539,7 @@ def test_client_set_session(self): """ key = load_privatekey(FILETYPE_PEM, server_key_pem) cert = load_certificate(FILETYPE_PEM, server_cert_pem) - ctx = Context(SSLv23_METHOD) + ctx = Context(TLSv1_2_METHOD) ctx.use_privatekey(key) ctx.use_certificate(cert) ctx.set_session_id("unity-test") >From 71f44a0d979a10c69692dad2098841029363323f Mon Sep 17 00:00:00 2001 From: Alex Gaynor <alex.gay...@gmail.com> Date: Tue, 11 Sep 2018 19:42:38 -0400 Subject: [PATCH 4/7] Make this always behave like 1.1.1 --- src/OpenSSL/SSL.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index 5cf39c0d..910ce680 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -1182,9 +1182,8 @@ def set_cipher_list(self, cipher_list): if not isinstance(cipher_list, bytes): raise TypeError("cipher_list must be a byte string.") - _openssl_assert( - _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1 - ) + # This can return an error if there's no ciphersuites, but we don't care. + _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) def set_client_ca_list(self, certificate_authorities): """ >From 457b6d391de7f0355def4a596ddb66eede63ae75 Mon Sep 17 00:00:00 2001 From: Alex Gaynor <alex.gay...@gmail.com> Date: Tue, 11 Sep 2018 19:43:49 -0400 Subject: [PATCH 5/7] Update tests for the new behavior --- tests/test_ssl.py | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/tests/test_ssl.py b/tests/test_ssl.py index 4845eca3..a5fb4df9 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py 
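Review bot: In the `set_cipher_list` hunk the return value of `SSL_CTX_set_cipher_list` is now discarded, so a cipher string that matches nothing no longer raises and the context silently keeps whatever cipher list it had before — a typo in a deliberately restrictive list is no longer detected by the caller. The failed call also leaves an entry on the OpenSSL error queue that the next `_openssl_assert` elsewhere will attribute to an unrelated operation. At minimum clear the queue on failure, `if _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) != 1:` / `    _lib.ERR_clear_error()`, and state in the comment that an unmatched string leaves the previous cipher list in effect. `set_cipher_list`'s signature and docstring are outside the hunk, and the OpenSSL 1.1.1 behaviour that motivated dropping the assert is not visible here, so whether raising remains feasible on every supported OpenSSL version needs confirmation.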
@@ -409,19 +409,18 @@ def test_set_cipher_list(self, context, cipher_string): conn = Connection(context, None) assert "AES128-SHA" in conn.get_cipher_list() + + def test_set_cipher_list_imaginary(self, context): + # Doesn't raise an exception + context.set_cipher_list(b"gibberish") - @pytest.mark.parametrize("cipher_list,error", [ - (object(), TypeError), - ("imaginary-cipher", Error), - ]) - def test_set_cipher_list_wrong_args(self, context, cipher_list, error): + def test_set_cipher_list_wrong_args(self, context): """ `Context.set_cipher_list` raises `TypeError` when passed a non-string - argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher - list string. + argument. """ - with pytest.raises(error): - context.set_cipher_list(cipher_list) + with pytest.raises(TypeError): + context.set_cipher_list(object()) def test_load_client_ca(self, context, ca_file): """ >From d735cdba24a0a6a908e316743e03faf0fd7a7f8a Mon Sep 17 00:00:00 2001 From: Alex Gaynor <alex.gay...@gmail.com> Date: Tue, 11 Sep 2018 19:48:07 -0400 Subject: [PATCH 6/7] flake8 --- src/OpenSSL/SSL.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index 910ce680..a0469f10 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -1182,7 +1182,8 @@ def set_cipher_list(self, cipher_list): if not isinstance(cipher_list, bytes): raise TypeError("cipher_list must be a byte string.") - # This can return an error if there's no ciphersuites, but we don't care. + # This can return an error if there's no ciphersuites, but we don't + # care. _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) def set_client_ca_list(self, certificate_authorities): >From cf1e7619862652e81879541a6af38b793ede47a1 Mon Sep 17 00:00:00 2001 From: Alex Gaynor <alex.gay...@gmail.com> Date: Tue, 11 Sep 2018 20:01:26 -0400 Subject: [PATCH 7/7] flake8 --- tests/test_ssl.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
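Review bot: `test_set_cipher_list_imaginary` only checks that `set_cipher_list(b"gibberish")` does not raise; it does not pin what the context ends up with, so it would also pass if the call emptied or replaced the cipher list. Read the list through `Connection(context, None).get_cipher_list()`, as `test_set_cipher_list` above does, and assert the outcome that is actually intended for an unmatched string — whether that is the previous list or something OpenSSL 1.1.1 substitutes is not visible from the hunk and should be confirmed. The test also uses a bare `# Doesn't raise an exception` comment where the sibling tests carry docstrings; `"""`Context.set_cipher_list` accepts an unmatched cipher string without raising."""` keeps the file's convention.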
diff --git a/tests/test_ssl.py b/tests/test_ssl.py index a5fb4df9..39e76500 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -409,7 +409,7 @@ def test_set_cipher_list(self, context, cipher_string): conn = Connection(context, None) assert "AES128-SHA" in conn.get_cipher_list() - + def test_set_cipher_list_imaginary(self, context): # Doesn't raise an exception context.set_cipher_list(b"gibberish") ++++++ pyOpenSSL-17.5.0.tar.gz -> pyOpenSSL-18.0.0.tar.gz ++++++ ++++ 2642 lines of diff (skipped) ++++++ tls13-renegotiation.patch ++++++ Index: pyOpenSSL-18.0.0/tests/test_ssl.py =================================================================== --- pyOpenSSL-18.0.0.orig/tests/test_ssl.py 2018-10-30 20:43:38.806954080 +0100 +++ pyOpenSSL-18.0.0/tests/test_ssl.py 2018-10-30 20:58:46.133504622 +0100 @@ -3181,6 +3181,7 @@ class TestConnectionRenegotiate(object): """ Tests for SSL renegotiation APIs. """ + def test_total_renegotiations(self): """ `Connection.total_renegotiations` returns `0` before any renegotiations @@ -3193,7 +3194,16 @@ class TestConnectionRenegotiate(object): """ Go through a complete renegotiation cycle. """ - server, client = loopback() + # renegotiation works with TLS version <= 1.2 + def makeServer12(socket): + ctx = Context(TLSv1_2_METHOD) + ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) + ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) + server = Connection(ctx, socket) + server.set_accept_state() + return server + + server, client = loopback(server_factory=makeServer12) server.send(b"hello world") 
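Review bot: In the tls13-renegotiation hunk whose docstring reads "Go through a complete renegotiation cycle", the new helper `makeServer12` is camelCase in a file whose helpers and tests are snake_case, and its parameter `socket` shadows the stdlib module name if that module is imported here. Renaming it `make_server_tls12(sock)` and placing it at module level next to `loopback`, which already accepts a `server_factory`, avoids the one-off nested definition and makes it reusable by other TLS 1.2-only tests. The comment could also say why the pin is needed: `# TLS 1.3 removed renegotiation, so force a TLS 1.2 server for this test.` Whether `socket` is imported in this file is not visible in the hunk, and the test method's `def` line lies outside it.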
@@ -3216,6 +3226,25 @@ class TestConnectionRenegotiate(object): while False is server.renegotiate_pending(): pass + # renegotiation is forbidden in TLS 1.3 + server, client = loopback() + + server.send(b"hello world") + + assert b"hello world" == client.recv(len(b"hello world")) + + assert 0 == server.total_renegotiations() + assert False is server.renegotiate_pending() + + # renegotian under TLS 1.3 must fail + + if client.get_protocol_version_name() == "TLSv1.3": + try: + assert False is server.renegotiate() + #error ('SSL routines', 'SSL_renegotiate', 'wrong ssl version') + except SSL.Error: + pass + class TestError(object): """
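Review bot: The TLS 1.3 block at the end of the hunk cannot fail for the case it is meant to cover: `assert False is server.renegotiate()` wrapped in `try ... except SSL.Error: pass` accepts both a `False` return and a raised error, so it only rules out `True`. If the expected behaviour is the `wrong ssl version` error named in the comment, write `with pytest.raises(Error): server.renegotiate()` — the file uses the bare `Error` from `OpenSSL.SSL`, as the removed parametrize in the cipher-list test shows, and `SSL.Error` is only resolved when an exception is raised, becoming a `NameError` if `SSL` is not imported here. When the negotiated protocol is not TLS 1.3 the block is skipped silently; `pytest.skip("TLS 1.3 not negotiated")` in an `else` branch, or a separate test, makes that visible. The comment `# renegotian under TLS 1.3 must fail` has a typo (`renegotiation`), and the commented-out `#error (...)` line should be a normal `# ` comment or dropped.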