Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-pyOpenSSL for openSUSE:Factory checked in at 2021-11-03 17:25:25 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-pyOpenSSL (Old) and /work/SRC/openSUSE:Factory/.python-pyOpenSSL.new.1890 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python-pyOpenSSL" Wed Nov 3 17:25:25 2021 rev:41 rq:928309 version:21.0.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-pyOpenSSL/python-pyOpenSSL.changes 2021-02-04 20:23:51.054805865 +0100 +++ /work/SRC/openSUSE:Factory/.python-pyOpenSSL.new.1890/python-pyOpenSSL.changes 2021-11-03 17:26:13.589335929 +0100 @@ -1,0 +2,17 @@ +Sat Oct 30 19:08:35 UTC 2021 - Matej Cepl <mcepl@suse.com> + +- Add check_inv_ALPN_lists.patch checks for invalid ALPN lists + before calling OpenSSL (gh#pyca/pyopenssl#1056). + +------------------------------------------------------------------- +Tue Oct 26 20:27:12 UTC 2021 - Dirk M��ller <dmueller@suse.com> + +- update to 21.0.0: + - The minimum ``cryptography`` version is now 3.3. + - Drop support for Python 3.5 + - Raise an error when an invalid ALPN value is set. + - Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version`` + - Updated ``to_cryptography`` and ``from_cryptography`` methods to support an + upcoming release of ``cryptography`` without raising deprecation warnings. + +------------------------------------------------------------------- Old: ---- pyOpenSSL-20.0.1.tar.gz New: ---- check_inv_ALPN_lists.patch pyOpenSSL-21.0.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-pyOpenSSL.spec ++++++ --- /var/tmp/diff_new_pack.pBulzv/_old 2021-11-03 17:26:14.037336175 +0100 +++ /var/tmp/diff_new_pack.pBulzv/_new 2021-11-03 17:26:14.041336176 +0100 
@@ -19,7 +19,7 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define oldpython python Name: python-pyOpenSSL -Version: 20.0.1 +Version: 21.0.0 Release: 0 Summary: Python wrapper module around the OpenSSL library License: Apache-2.0 @@ -28,8 +28,11 @@ # PATCH-FIX-UPSTREAM skip-networked-test.patch gh#pyca/pyopenssl#68 mcepl@suse.com # Mark tests requiring network access Patch0: skip-networked-test.patch +# PATCH-FIX-UPSTREAM check_inv_ALPN_lists.patch gh#pyca/pyopenssl#1056 mcepl@suse.com +# Check for invalid ALPN lists before calling OpenSSL +Patch1: check_inv_ALPN_lists.patch BuildRequires: %{python_module cffi} -BuildRequires: %{python_module cryptography >= 2.8} +BuildRequires: %{python_module cryptography >= 3.3} BuildRequires: %{python_module flaky} BuildRequires: %{python_module pretend} BuildRequires: %{python_module pytest >= 3.0.1} @@ -40,7 +43,7 @@ BuildRequires: openssl BuildRequires: python-rpm-macros Requires: python-cffi -Requires: python-cryptography >= 2.8 +Requires: python-cryptography >= 3.3 Requires: python-six >= 1.5.2 Provides: pyOpenSSL = %{version} BuildArch: noarch ++++++ check_inv_ALPN_lists.patch ++++++ From cc5c00ae5fd3c19d07fff79b5c4a08f5e58697ad Mon Sep 17 00:00:00 2001 From: "Nathaniel J. Smith" <njs@pobox.com> Date: Wed, 27 Oct 2021 11:54:08 -0700 Subject: [PATCH 1/2] Check for invalid ALPN lists before calling OpenSSL, for consistency Fixes gh-1043 --- src/OpenSSL/SSL.py | 12 ++++++++++++ tests/test_ssl.py | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py 
@@ -1423,6 +1423,12 @@ class Context(object): This list should be a Python list of bytestrings representing the protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``. """ + # Different versions of OpenSSL are inconsistent about how they handle + # empty proto lists (see #1043), so we avoid the problem entirely by + # rejecting them ourselves. + if not protos: + raise ValueError("at least one protocol must be specified") + # Take the list of protocols and join them together, prefixing them # with their lengths. protostr = b"".join( @@ -2451,6 +2457,12 @@ class Connection(object): This list should be a Python list of bytestrings representing the protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``. """ + # Different versions of OpenSSL are inconsistent about how they handle + # empty proto lists (see #1043), so we avoid the problem entirely by + # rejecting them ourselves. + if not protos: + raise ValueError("at least one protocol must be specified") + # Take the list of protocols and join them together, prefixing them # with their lengths. protostr = b"".join( --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -1934,7 +1934,7 @@ class TestApplicationLayerProtoNegotiati protocols list. Ensure that we produce a user-visible error. """ context = Context(SSLv23_METHOD) - with pytest.raises(Error): + with pytest.raises(ValueError): context.set_alpn_protos([]) def test_alpn_set_on_connection(self): ++++++ pyOpenSSL-20.0.1.tar.gz -> pyOpenSSL-21.0.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/CHANGELOG.rst new/pyOpenSSL-21.0.0/CHANGELOG.rst --- old/pyOpenSSL-20.0.1/CHANGELOG.rst 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/CHANGELOG.rst 2021-09-29 00:58:24.000000000 +0200 
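Review bot: The added guard rejects only an empty list; a list holding an empty element such as `[b""]` still passes and is encoded as a zero-length entry by the `protostr` join that follows, so whether it is rejected is again left to the OpenSSL version, which is the very inconsistency the new comment cites for the empty-list case. Widening the check to `if not protos or any(not p for p in protos): raise ValueError("each protocol must be a non-empty bytestring")` keeps the failure user-visible and version-independent; the second hunk in `Connection.set_alpn_protos` has the same gap. Both method bodies begin and end outside these hunks. The accompanying tests/test_ssl.py hunk exercises only `[]`, so a `[b""]` case would belong next to it.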
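Review bot: The expected exception in `test_alpn_call_failure` changes to `ValueError`, but the docstring above the changed line still describes the failure as OpenSSL's, which is no longer what the test checks now that the empty list is rejected in Python before any OpenSSL call; the docstring's first line lies above this hunk, and its full text is visible in the tarball's tests/test_ssl.py hunk further down the page. I would reword it to `set_alpn_protos rejects an empty protocols list before calling OpenSSL. Ensure that we produce a user-visible ValueError.` so the test's intent matches the patched behaviour.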
@@ -4,6 +4,28 @@ Versions are year-based with a strict backward-compatibility policy. The third digit is only for regressions. +21.0.0 (2020-09-28) +------------------- + +Backward-incompatible changes: +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +- The minimum ``cryptography`` version is now 3.3. +- Drop support for Python 3.5 + +Deprecations: +^^^^^^^^^^^^^ + +Changes: +^^^^^^^^ + +- Raise an error when an invalid ALPN value is set. + `#993 <https://github.com/pyca/pyopenssl/pull/993>`_ +- Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version`` + to set the minimum and maximum supported TLS version `#985 <https://github.com/pyca/pyopenssl/pull/985>`_. +- Updated ``to_cryptography`` and ``from_cryptography`` methods to support an upcoming release of ``cryptography`` without raising deprecation warnings. + `#1030 <https://github.com/pyca/pyopenssl/pull/1030>`_ + 20.0.1 (2020-12-15) ------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/CONTRIBUTING.rst new/pyOpenSSL-21.0.0/CONTRIBUTING.rst --- old/pyOpenSSL-20.0.1/CONTRIBUTING.rst 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/CONTRIBUTING.rst 2021-09-29 00:58:24.000000000 +0200 
@@ -116,5 +116,5 @@ .. _members of PyCA: https://github.com/orgs/pyca/people .. _semantic newlines: http://rhodesmill.org/brandon/2012/one-sentence-per-line/ .. _reStructuredText: http://sphinx-doc.org/rest.html -.. _CHANGELOG.rst: https://github.com/pyca/pyopenssl/blob/master/CHANGELOG.rst -.. _`Code of Conduct`: https://github.com/pyca/pyopenssl/blob/master/CODE_OF_CONDUCT.rst +.. _CHANGELOG.rst: https://github.com/pyca/pyopenssl/blob/main/CHANGELOG.rst +.. _`Code of Conduct`: https://github.com/pyca/pyopenssl/blob/main/CODE_OF_CONDUCT.rst diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/MANIFEST.in new/pyOpenSSL-21.0.0/MANIFEST.in --- old/pyOpenSSL-20.0.1/MANIFEST.in 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/MANIFEST.in 2021-09-29 00:58:24.000000000 +0200 @@ -1,6 +1,5 @@ include LICENSE MANIFEST.in *.rst tox.ini .coveragerc -exclude codecov.yml +exclude codecov.yml .readthedocs.yml recursive-include tests *.py recursive-include doc * prune doc/_build -prune .travis diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/PKG-INFO new/pyOpenSSL-21.0.0/PKG-INFO --- old/pyOpenSSL-20.0.1/PKG-INFO 2020-12-15 16:31:35.327834800 +0100 +++ new/pyOpenSSL-21.0.0/PKG-INFO 2021-09-29 00:59:59.148302300 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: pyOpenSSL -Version: 20.0.1 +Version: 21.0.0 Summary: Python wrapper module around the OpenSSL library Home-page: https://pyopenssl.org/ Author: The pyOpenSSL developers 
@@ -14,16 +14,15 @@ :target: https://pyopenssl.org/en/stable/ :alt: Stable Docs - .. image:: https://travis-ci.com/pyca/pyopenssl.svg?branch=master - :target: https://travis-ci.com/pyca/pyopenssl - :alt: Build status + .. image:: https://github.com/pyca/pyopenssl/workflows/CI/badge.svg?branch=main + :target: https://github.com/pyca/pyopenssl/actions?query=workflow%3ACI+branch%3Amain - .. image:: https://codecov.io/github/pyca/pyopenssl/branch/master/graph/badge.svg + .. image:: https://codecov.io/github/pyca/pyopenssl/branch/main/graph/badge.svg :target: https://codecov.io/github/pyca/pyopenssl :alt: Test coverage **Note:** The Python Cryptographic Authority **strongly suggests** the use of `pyca/cryptography`_ - where possible. If you are using pyOpenSSL for anything other than making a TLS connection + where possible. If you are using pyOpenSSL for anything other than making a TLS connection **you should move to cryptography and drop your pyOpenSSL dependency**. High-level wrapper around a subset of the OpenSSL library. Includes @@ -58,6 +57,28 @@ Release Information =================== + 21.0.0 (2020-09-28) + ------------------- + + Backward-incompatible changes: + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + - The minimum ``cryptography`` version is now 3.3. + - Drop support for Python 3.5 + + Deprecations: + ^^^^^^^^^^^^^ + + Changes: + ^^^^^^^^ + + - Raise an error when an invalid ALPN value is set. + `#993 <https://github.com/pyca/pyopenssl/pull/993>`_ + - Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version`` + to set the minimum and maximum supported TLS version `#985 <https://github.com/pyca/pyopenssl/pull/985>`_. + - Updated ``to_cryptography`` and ``from_cryptography`` methods to support an upcoming release of ``cryptography`` without raising deprecation warnings. + `#1030 <https://github.com/pyca/pyopenssl/pull/1030>`_ + 20.0.1 (2020-12-15) ------------------- 
@@ -154,7 +175,6 @@ Classifier: Programming Language :: Python :: 2 Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 -Classifier: Programming Language :: Python :: 3.5 Classifier: Programming Language :: Python :: 3.6 Classifier: Programming Language :: Python :: 3.7 Classifier: Programming Language :: Python :: 3.8 @@ -164,6 +184,6 @@ Classifier: Topic :: Security :: Cryptography Classifier: Topic :: Software Development :: Libraries :: Python Modules Classifier: Topic :: System :: Networking -Requires-Python: >=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.* -Provides-Extra: docs +Requires-Python: >=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.* Provides-Extra: test +Provides-Extra: docs diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/README.rst new/pyOpenSSL-21.0.0/README.rst --- old/pyOpenSSL-20.0.1/README.rst 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/README.rst 2021-09-29 00:58:24.000000000 +0200 
@@ -6,16 +6,15 @@ :target: https://pyopenssl.org/en/stable/ :alt: Stable Docs -.. image:: https://travis-ci.com/pyca/pyopenssl.svg?branch=master - :target: https://travis-ci.com/pyca/pyopenssl - :alt: Build status +.. image:: https://github.com/pyca/pyopenssl/workflows/CI/badge.svg?branch=main + :target: https://github.com/pyca/pyopenssl/actions?query=workflow%3ACI+branch%3Amain -.. image:: https://codecov.io/github/pyca/pyopenssl/branch/master/graph/badge.svg +.. image:: https://codecov.io/github/pyca/pyopenssl/branch/main/graph/badge.svg :target: https://codecov.io/github/pyca/pyopenssl :alt: Test coverage **Note:** The Python Cryptographic Authority **strongly suggests** the use of `pyca/cryptography`_ -where possible. If you are using pyOpenSSL for anything other than making a TLS connection +where possible. If you are using pyOpenSSL for anything other than making a TLS connection **you should move to cryptography and drop your pyOpenSSL dependency**. High-level wrapper around a subset of the OpenSSL library. Includes diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/doc/api/crypto.rst new/pyOpenSSL-21.0.0/doc/api/crypto.rst --- old/pyOpenSSL-20.0.1/doc/api/crypto.rst 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/doc/api/crypto.rst 2021-09-29 00:58:24.000000000 +0200 @@ -149,7 +149,6 @@ .. data:: INHIBIT_MAP .. data:: NOTIFY_POLICY .. data:: CHECK_SS_SIGNATURE - .. data:: CB_ISSUER_CHECK .. _openssl-x509storeflags: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/doc/api/ssl.rst new/pyOpenSSL-21.0.0/doc/api/ssl.rst --- old/pyOpenSSL-20.0.1/doc/api/ssl.rst 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/doc/api/ssl.rst 2021-09-29 00:58:24.000000000 +0200 
@@ -10,7 +10,10 @@ This module handles things specific to SSL. There are two objects defined: Context, Connection. -.. py:data:: SSLv2_METHOD +.. py:data:: TLS_METHOD + TLS_SERVER_METHOD + TLS_CLIENT_METHOD + SSLv2_METHOD SSLv3_METHOD SSLv23_METHOD TLSv1_METHOD @@ -18,11 +21,21 @@ TLSv1_2_METHOD These constants represent the different SSL methods to use when creating a - context object. If the underlying OpenSSL build is missing support for any - of these protocols, constructing a :py:class:`Context` using the + context object. New code should only use ``TLS_METHOD``, ``TLS_SERVER_METHOD``, + or ``TLS_CLIENT_METHOD``. If the underlying OpenSSL build is missing support + for any of these protocols, constructing a :py:class:`Context` using the corresponding :py:const:`*_METHOD` will raise an exception. +.. py:data:: SSL3_VERSION + TLS1_VERSION + TLS1_1_VERSION + TLS1_2_VERSION + TLS1_3_VERSION + + These constants represent the different TLS versions to use when + setting the minimum or maximum TLS version. + .. py:data:: VERIFY_NONE VERIFY_PEER VERIFY_FAIL_IF_NO_PEER_CERT diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/doc/introduction.rst new/pyOpenSSL-21.0.0/doc/introduction.rst --- old/pyOpenSSL-20.0.1/doc/introduction.rst 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/doc/introduction.rst 2021-09-29 00:58:24.000000000 +0200 
@@ -14,7 +14,7 @@ Later it was maintained by `Jean-Paul Calderone`_ who among other things managed to make pyOpenSSL a pure Python project which the current maintainers are *very* grateful for. Over the time the standard library's ``ssl`` module improved, never reaching the completeness of pyOpenSSL's API coverage. -Despite `PEP 466`_ many useful features remain Python 3-only and pyOpenSSL remains the only alternative for full-featured TLS code across all noteworthy Python versions from 2.7 through 3.5 and PyPy_. +Despite `PEP 466`_ many useful features remain Python 3-only and pyOpenSSL remains the only alternative for full-featured TLS code across all noteworthy Python versions from 2.7 through 3.6 and PyPy_. Development diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/pyproject.toml new/pyOpenSSL-21.0.0/pyproject.toml --- old/pyOpenSSL-20.0.1/pyproject.toml 1970-01-01 01:00:00.000000000 +0100 +++ new/pyOpenSSL-21.0.0/pyproject.toml 2021-09-29 00:58:24.000000000 +0200 @@ -0,0 +1,4 @@ +[tool.black] +line-length = 79 +target-version = ["py27"] + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/setup.py new/pyOpenSSL-21.0.0/setup.py --- old/pyOpenSSL-20.0.1/setup.py 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/setup.py 2021-09-29 00:58:24.000000000 +0200 @@ -79,7 +79,6 @@ "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Programming Language :: Python :: 3.8", 
@@ -90,12 +89,14 @@ "Topic :: Software Development :: Libraries :: Python Modules", "Topic :: System :: Networking", ], - python_requires=">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*", + python_requires=( + ">=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*" + ), packages=find_packages(where="src"), package_dir={"": "src"}, install_requires=[ # Fix cryptographyMinimum in tox.ini when changing this! - "cryptography>=3.2", + "cryptography>=3.3", "six>=1.5.2", ], extras_require={ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/OpenSSL/SSL.py new/pyOpenSSL-21.0.0/src/OpenSSL/SSL.py --- old/pyOpenSSL-20.0.1/src/OpenSSL/SSL.py 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/src/OpenSSL/SSL.py 2021-09-29 00:58:24.000000000 +0200 @@ -12,7 +12,6 @@ UNSPECIFIED as _UNSPECIFIED, exception_from_error_queue as _exception_from_error_queue, ffi as _ffi, - from_buffer as _from_buffer, lib as _lib, make_assert as _make_assert, native as _native, @@ -45,6 +44,14 @@ "TLSv1_METHOD", "TLSv1_1_METHOD", "TLSv1_2_METHOD", + "TLS_METHOD", + "TLS_SERVER_METHOD", + "TLS_CLIENT_METHOD", + "SSL3_VERSION", + "TLS1_VERSION", + "TLS1_1_VERSION", + "TLS1_2_VERSION", + "TLS1_3_VERSION", "OP_NO_SSLv2", "OP_NO_SSLv3", "OP_NO_TLSv1", @@ -110,6 +117,7 @@ "WantX509LookupError", "ZeroReturnError", "SysCallError", + "NO_OVERLAPPING_PROTOCOLS", "SSLeay_version", "Session", "Context", 
@@ -140,6 +148,24 @@ TLSv1_METHOD = 4 TLSv1_1_METHOD = 5 TLSv1_2_METHOD = 6 +TLS_METHOD = 7 +TLS_SERVER_METHOD = 8 +TLS_CLIENT_METHOD = 9 + +try: + SSL3_VERSION = _lib.SSL3_VERSION + TLS1_VERSION = _lib.TLS1_VERSION + TLS1_1_VERSION = _lib.TLS1_1_VERSION + TLS1_2_VERSION = _lib.TLS1_2_VERSION + TLS1_3_VERSION = _lib.TLS1_3_VERSION +except AttributeError: + # Hardcode constants for cryptography < 3.4, see + # https://github.com/pyca/pyopenssl/pull/985#issuecomment-775186682 + SSL3_VERSION = 768 + TLS1_VERSION = 769 + TLS1_1_VERSION = 770 + TLS1_2_VERSION = 771 + TLS1_3_VERSION = 772 OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2 OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3 @@ -604,8 +630,9 @@ :class:`OpenSSL.SSL.Context` instances define the parameters for setting up new SSL connections. - :param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or - TLSv1_METHOD. + :param method: One of TLS_METHOD, TLS_CLIENT_METHOD, or TLS_SERVER_METHOD. + SSLv23_METHOD, TLSv1_METHOD, etc. are deprecated and should + not be used. """ _methods = { @@ -615,6 +642,9 @@ TLSv1_METHOD: "TLSv1_method", TLSv1_1_METHOD: "TLSv1_1_method", TLSv1_2_METHOD: "TLSv1_2_method", + TLS_METHOD: "TLS_method", + TLS_SERVER_METHOD: "TLS_server_method", + TLS_CLIENT_METHOD: "TLS_client_method", } _methods = dict( (identifier, getattr(_lib, name)) 
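Review bot: The new `Context` docstring states that `SSLv23_METHOD`, `TLSv1_METHOD`, etc. "are deprecated and should not be used", yet the CHANGELOG.rst hunk earlier on this page leaves its "Deprecations:" section empty, and nothing in this hunk emits a `DeprecationWarning` for those method constants (the `__init__` body is outside the hunk, so a warning there cannot be ruled out from here). Either the changelog should carry a matching deprecation entry or the docstring should soften to `New code should use TLS_METHOD, TLS_CLIENT_METHOD or TLS_SERVER_METHOD; the version-specific methods are retained for compatibility.` The hardcoded fallback constants 768–772 in the `except AttributeError` branch match the TLS wire values, and the linked comment explains the cryptography < 3.4 rationale, so that part reads fine.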
@@ -662,6 +692,32 @@ self.set_mode(_lib.SSL_MODE_ENABLE_PARTIAL_WRITE) + def set_min_proto_version(self, version): + """ + Set the minimum supported protocol version. Setting the minimum + version to 0 will enable protocol versions down to the lowest version + supported by the library. + + If the underlying OpenSSL build is missing support for the selected + version, this method will raise an exception. + """ + _openssl_assert( + _lib.SSL_CTX_set_min_proto_version(self._context, version) == 1 + ) + + def set_max_proto_version(self, version): + """ + Set the maximum supported protocol version. Setting the maximum + version to 0 will enable protocol versions up to the highest version + supported by the library. + + If the underlying OpenSSL build is missing support for the selected + version, this method will raise an exception. + """ + _openssl_assert( + _lib.SSL_CTX_set_max_proto_version(self._context, version) == 1 + ) + def load_verify_locations(self, cafile, capath=None): """ Let SSL know where we can find trusted certificates for the certificate @@ -1376,7 +1432,17 @@ # Build a C string from the list. We don't need to save this off # because OpenSSL immediately copies the data out. input_str = _ffi.new("unsigned char[]", protostr) - _lib.SSL_CTX_set_alpn_protos(self._context, input_str, len(protostr)) + + # https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_alpn_protos.html: + # SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() + # return 0 on success, and non-0 on failure. + # WARNING: these functions reverse the return value convention. + _openssl_assert( + _lib.SSL_CTX_set_alpn_protos( + self._context, input_str, len(protostr) + ) + == 0 + ) @_requires_alpn def set_alpn_select_callback(self, callback): 
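Review bot: `set_min_proto_version` and `set_max_proto_version` document the special value 0 but neither the accepted values nor the failure mode: `version` is passed straight to `SSL_CTX_set_min_proto_version` / `SSL_CTX_set_max_proto_version`, and a non-1 return goes through `_openssl_assert`, which presumably raises `Error` as at the other call sites in this file. I would add to both docstrings `:param version: One of SSL3_VERSION, TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION or TLS1_3_VERSION, or 0 to remove the bound.` and `:raises Error: if the underlying OpenSSL build rejects *version*.` The minimum-version docstring would also benefit from stating that 0 lowers the floor to whatever the linked OpenSSL still permits, which may include legacy protocol versions on some builds, so callers wanting a fixed floor should pass an explicit constant. The `test_set_proto_version` hunk further down only exercises the handshake mismatch, not the setter's error path.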
@@ -1641,7 +1707,7 @@ # Backward compatibility buf = _text_to_bytes_and_warn("buf", buf) - with _from_buffer(buf) as data: + with _ffi.from_buffer(buf) as data: # check len(buf) instead of len(data) for testability if len(buf) > 2147483647: raise ValueError( @@ -1668,7 +1734,7 @@ """ buf = _text_to_bytes_and_warn("buf", buf) - with _from_buffer(buf) as data: + with _ffi.from_buffer(buf) as data: left_to_send = len(buf) total_sent = 0 @@ -1798,7 +1864,7 @@ if self._into_ssl is None: raise TypeError("Connection sock was not None") - with _from_buffer(buf) as data: + with _ffi.from_buffer(buf) as data: result = _lib.BIO_write(self._into_ssl, data, len(data)) if result <= 0: self._handle_bio_errors(self._into_ssl, result) @@ -2394,7 +2460,14 @@ # Build a C string from the list. We don't need to save this off # because OpenSSL immediately copies the data out. input_str = _ffi.new("unsigned char[]", protostr) - _lib.SSL_set_alpn_protos(self._ssl, input_str, len(protostr)) + + # https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_set_alpn_protos.html: + # SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() + # return 0 on success, and non-0 on failure. + # WARNING: these functions reverse the return value convention. + _openssl_assert( + _lib.SSL_set_alpn_protos(self._ssl, input_str, len(protostr)) == 0 + ) @_requires_alpn def get_alpn_proto_negotiated(self): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/OpenSSL/_util.py new/pyOpenSSL-21.0.0/src/OpenSSL/_util.py --- old/pyOpenSSL-20.0.1/src/OpenSSL/_util.py 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/src/OpenSSL/_util.py 2021-09-29 00:58:24.000000000 +0200 
@@ -153,6 +153,3 @@ ) return obj.encode("utf-8") return obj - - -from_buffer = ffi.from_buffer diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/OpenSSL/crypto.py new/pyOpenSSL-21.0.0/src/OpenSSL/crypto.py --- old/pyOpenSSL-20.0.1/src/OpenSSL/crypto.py 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/src/OpenSSL/crypto.py 2021-09-29 00:58:24.000000000 +0200 @@ -244,11 +244,18 @@ .. versionadded:: 16.1.0 """ + from cryptography.hazmat.primitives.serialization import ( + load_der_private_key, + load_der_public_key, + ) + backend = _get_backend() if self._only_public: - return backend._evp_pkey_to_public_key(self._pkey) + der = dump_publickey(FILETYPE_ASN1, self) + return load_der_public_key(der, backend) else: - return backend._evp_pkey_to_private_key(self._pkey) + der = dump_privatekey(FILETYPE_ASN1, self) + return load_der_private_key(der, None, backend) @classmethod def from_cryptography_key(cls, crypto_key): @@ -262,7 +269,6 @@ .. versionadded:: 16.1.0 """ - pkey = cls() if not isinstance( crypto_key, ( @@ -274,11 +280,25 @@ ): raise TypeError("Unsupported key type") - pkey._pkey = crypto_key._evp_pkey + from cryptography.hazmat.primitives.serialization import ( + Encoding, + NoEncryption, + PrivateFormat, + PublicFormat, + ) + if isinstance(crypto_key, (rsa.RSAPublicKey, dsa.DSAPublicKey)): - pkey._only_public = True - pkey._initialized = True - return pkey + return load_publickey( + FILETYPE_ASN1, + crypto_key.public_bytes( + Encoding.DER, PublicFormat.SubjectPublicKeyInfo + ), + ) + else: + der = crypto_key.private_bytes( + Encoding.DER, PrivateFormat.PKCS8, NoEncryption() + ) + return load_privatekey(FILETYPE_ASN1, der) def generate_key(self, type, bits): """ 
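Review bot: `to_cryptography_key` and `from_cryptography_key` now round-trip private keys through an unencrypted DER `bytes` object (`dump_privatekey(FILETYPE_ASN1, self)` on one side, `private_bytes(Encoding.DER, PrivateFormat.PKCS8, NoEncryption())` on the other) where the removed lines shared the underlying `_evp_pkey` handle. That serialized copy lives in Python heap memory until it is garbage-collected and cannot be zeroed from Python, which is a change in exposure of key material worth a sentence in both docstrings, e.g. `Note: the conversion serializes the private key to unencrypted DER in memory.` Both method bodies start above the hunks.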
@@ -888,12 +908,12 @@ .. versionadded:: 17.1.0 """ - from cryptography.hazmat.backends.openssl.x509 import ( - _CertificateSigningRequest, - ) + from cryptography.x509 import load_der_x509_csr + + der = dump_certificate_request(FILETYPE_ASN1, self) backend = _get_backend() - return _CertificateSigningRequest(backend, self._req) + return load_der_x509_csr(der, backend) @classmethod def from_cryptography(cls, crypto_req): @@ -910,9 +930,10 @@ if not isinstance(crypto_req, x509.CertificateSigningRequest): raise TypeError("Must be a certificate signing request") - req = cls() - req._req = crypto_req._x509_req - return req + from cryptography.hazmat.primitives.serialization import Encoding + + der = crypto_req.public_bytes(Encoding.DER) + return load_certificate_request(FILETYPE_ASN1, der) def set_pubkey(self, pkey): """ @@ -1109,10 +1130,11 @@ .. versionadded:: 17.1.0 """ - from cryptography.hazmat.backends.openssl.x509 import _Certificate + from cryptography.x509 import load_der_x509_certificate + der = dump_certificate(FILETYPE_ASN1, self) backend = _get_backend() - return _Certificate(backend, self._x509) + return load_der_x509_certificate(der, backend) @classmethod def from_cryptography(cls, crypto_cert): @@ -1129,9 +1151,10 @@ if not isinstance(crypto_cert, x509.Certificate): raise TypeError("Must be a certificate") - cert = cls() - cert._x509 = crypto_cert._x509 - return cert + from cryptography.hazmat.primitives.serialization import Encoding + + der = crypto_cert.public_bytes(Encoding.DER) + return load_certificate(FILETYPE_ASN1, der) def set_version(self, version): """ @@ -1574,7 +1597,6 @@ INHIBIT_MAP = _lib.X509_V_FLAG_INHIBIT_MAP NOTIFY_POLICY = _lib.X509_V_FLAG_NOTIFY_POLICY CHECK_SS_SIGNATURE = _lib.X509_V_FLAG_CHECK_SS_SIGNATURE - CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK class X509Store(object): 
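Review bot: The last hunk of this section (`@@ -1574,7 +1597,6 @@`) removes the public enum member `X509StoreFlags.CB_ISSUER_CHECK`, and the doc/api/crypto.rst hunk earlier on the page drops its documentation, yet the CHANGELOG.rst hunk lists no such item under "Backward-incompatible changes". Code that still references the flag will fail with `AttributeError` after this update, so a one-line changelog entry such as `Removed X509StoreFlags.CB_ISSUER_CHECK, which is no longer exposed by supported OpenSSL builds.` (the reason is inferred and should be confirmed upstream) and a matching mention in the package .changes would save downstream users a surprise.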
@@ -2260,12 +2282,12 @@ .. versionadded:: 17.1.0 """ - from cryptography.hazmat.backends.openssl.x509 import ( - _CertificateRevocationList, - ) + from cryptography.x509 import load_der_x509_crl + + der = dump_crl(FILETYPE_ASN1, self) backend = _get_backend() - return _CertificateRevocationList(backend, self._crl) + return load_der_x509_crl(der, backend) @classmethod def from_cryptography(cls, crypto_crl): @@ -2282,9 +2304,10 @@ if not isinstance(crypto_crl, x509.CertificateRevocationList): raise TypeError("Must be a certificate revocation list") - crl = cls() - crl._crl = crypto_crl._x509_crl - return crl + from cryptography.hazmat.primitives.serialization import Encoding + + der = crypto_crl.public_bytes(Encoding.DER) + return load_crl(FILETYPE_ASN1, der) def get_revoked(self): """ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/OpenSSL/version.py new/pyOpenSSL-21.0.0/src/OpenSSL/version.py --- old/pyOpenSSL-20.0.1/src/OpenSSL/version.py 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/src/OpenSSL/version.py 2021-09-29 00:58:24.000000000 +0200 @@ -17,7 +17,7 @@ "__version__", ] -__version__ = "20.0.1" +__version__ = "21.0.0" __title__ = "pyOpenSSL" __uri__ = "https://pyopenssl.org/" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/pyOpenSSL.egg-info/PKG-INFO new/pyOpenSSL-21.0.0/src/pyOpenSSL.egg-info/PKG-INFO --- old/pyOpenSSL-20.0.1/src/pyOpenSSL.egg-info/PKG-INFO 2020-12-15 16:31:35.000000000 +0100 +++ new/pyOpenSSL-21.0.0/src/pyOpenSSL.egg-info/PKG-INFO 2021-09-29 00:59:59.000000000 +0200 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: pyOpenSSL -Version: 20.0.1 +Version: 21.0.0 Summary: Python wrapper module around the OpenSSL library Home-page: https://pyopenssl.org/ Author: The pyOpenSSL developers 
@@ -14,16 +14,15 @@ :target: https://pyopenssl.org/en/stable/ :alt: Stable Docs - .. image:: https://travis-ci.com/pyca/pyopenssl.svg?branch=master - :target: https://travis-ci.com/pyca/pyopenssl - :alt: Build status + .. image:: https://github.com/pyca/pyopenssl/workflows/CI/badge.svg?branch=main + :target: https://github.com/pyca/pyopenssl/actions?query=workflow%3ACI+branch%3Amain - .. image:: https://codecov.io/github/pyca/pyopenssl/branch/master/graph/badge.svg + .. image:: https://codecov.io/github/pyca/pyopenssl/branch/main/graph/badge.svg :target: https://codecov.io/github/pyca/pyopenssl :alt: Test coverage **Note:** The Python Cryptographic Authority **strongly suggests** the use of `pyca/cryptography`_ - where possible. If you are using pyOpenSSL for anything other than making a TLS connection + where possible. If you are using pyOpenSSL for anything other than making a TLS connection **you should move to cryptography and drop your pyOpenSSL dependency**. High-level wrapper around a subset of the OpenSSL library. Includes @@ -58,6 +57,28 @@ Release Information =================== + 21.0.0 (2020-09-28) + ------------------- + + Backward-incompatible changes: + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + - The minimum ``cryptography`` version is now 3.3. + - Drop support for Python 3.5 + + Deprecations: + ^^^^^^^^^^^^^ + + Changes: + ^^^^^^^^ + + - Raise an error when an invalid ALPN value is set. + `#993 <https://github.com/pyca/pyopenssl/pull/993>`_ + - Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version`` + to set the minimum and maximum supported TLS version `#985 <https://github.com/pyca/pyopenssl/pull/985>`_. + - Updated ``to_cryptography`` and ``from_cryptography`` methods to support an upcoming release of ``cryptography`` without raising deprecation warnings. + `#1030 <https://github.com/pyca/pyopenssl/pull/1030>`_ + 20.0.1 (2020-12-15) ------------------- 
@@ -154,7 +175,6 @@ Classifier: Programming Language :: Python :: 2 Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 -Classifier: Programming Language :: Python :: 3.5 Classifier: Programming Language :: Python :: 3.6 Classifier: Programming Language :: Python :: 3.7 Classifier: Programming Language :: Python :: 3.8 @@ -164,6 +184,6 @@ Classifier: Topic :: Security :: Cryptography Classifier: Topic :: Software Development :: Libraries :: Python Modules Classifier: Topic :: System :: Networking -Requires-Python: >=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.* -Provides-Extra: docs +Requires-Python: >=2.7,!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.* Provides-Extra: test +Provides-Extra: docs diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/pyOpenSSL.egg-info/SOURCES.txt new/pyOpenSSL-21.0.0/src/pyOpenSSL.egg-info/SOURCES.txt --- old/pyOpenSSL-20.0.1/src/pyOpenSSL.egg-info/SOURCES.txt 2020-12-15 16:31:35.000000000 +0100 +++ new/pyOpenSSL-21.0.0/src/pyOpenSSL.egg-info/SOURCES.txt 2021-09-29 00:59:59.000000000 +0200 @@ -6,6 +6,7 @@ LICENSE MANIFEST.in README.rst +pyproject.toml setup.cfg setup.py tox.ini diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/src/pyOpenSSL.egg-info/requires.txt new/pyOpenSSL-21.0.0/src/pyOpenSSL.egg-info/requires.txt --- old/pyOpenSSL-20.0.1/src/pyOpenSSL.egg-info/requires.txt 2020-12-15 16:31:35.000000000 +0100 +++ new/pyOpenSSL-21.0.0/src/pyOpenSSL.egg-info/requires.txt 2021-09-29 00:59:59.000000000 +0200 
@@ -1,4 +1,4 @@ -cryptography>=3.2 +cryptography>=3.3 six>=1.5.2 [docs] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/tests/test_crypto.py new/pyOpenSSL-21.0.0/tests/test_crypto.py --- old/pyOpenSSL-20.0.1/tests/test_crypto.py 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/tests/test_crypto.py 2021-09-29 00:58:24.000000000 +0200 @@ -1468,7 +1468,7 @@ def signable(self): """ - Return something with a `set_pubkey`, `set_pubkey`, and `sign` method. + Return something with `set_pubkey` and `sign` methods. """ raise NotImplementedError() @@ -1668,6 +1668,7 @@ """ request = X509Req() pkey = load_privatekey(FILETYPE_PEM, root_key_pem) + request.set_pubkey(pkey) request.sign(pkey, GOOD_DIGEST) another_pkey = load_privatekey(FILETYPE_PEM, client_key_pem) with pytest.raises(Error): @@ -1680,6 +1681,7 @@ """ request = X509Req() pkey = load_privatekey(FILETYPE_PEM, root_key_pem) + request.set_pubkey(pkey) request.sign(pkey, GOOD_DIGEST) assert request.verify(pkey) @@ -1713,7 +1715,12 @@ """ Create and return a new `X509`. """ - return X509() + certificate = X509() + # Fill in placeholder validity values. signable only expects to call + # set_pubkey and sign. + certificate.gmtime_adj_notBefore(-24 * 60 * 60) + certificate.gmtime_adj_notAfter(24 * 60 * 60) + return certificate def test_type(self): """ @@ -3373,6 +3380,9 @@ `NetscapeSPKI.b64_encode` encodes the certificate to a base64 blob. """ nspki = NetscapeSPKI() + pkey = load_privatekey(FILETYPE_PEM, root_key_pem) + nspki.set_pubkey(pkey) + nspki.sign(pkey, GOOD_DIGEST) blob = nspki.b64_encode() assert isinstance(blob, bytes) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/tests/test_ssl.py new/pyOpenSSL-21.0.0/tests/test_ssl.py --- old/pyOpenSSL-20.0.1/tests/test_ssl.py 2020-12-15 16:30:54.000000000 +0100 +++ new/pyOpenSSL-21.0.0/tests/test_ssl.py 2021-09-29 00:58:24.000000000 +0200 
@@ -48,7 +48,15 @@
 from OpenSSL.crypto import dump_certificate, load_certificate
 from OpenSSL.crypto import get_elliptic_curves
-from OpenSSL.SSL import OPENSSL_VERSION_NUMBER, SSLEAY_VERSION, SSLEAY_CFLAGS
+from OpenSSL.SSL import (
+ OPENSSL_VERSION_NUMBER,
+ SSLEAY_VERSION,
+ SSLEAY_CFLAGS,
+ TLS_METHOD,
+ TLS1_3_VERSION,
+ TLS1_2_VERSION,
+ TLS1_1_VERSION,
+)
 from OpenSSL.SSL import SSLEAY_PLATFORM, SSLEAY_DIR, SSLEAY_BUILT_ON
 from OpenSSL.SSL import SENT_SHUTDOWN, RECEIVED_SHUTDOWN
 from OpenSSL.SSL import (
@@ -129,6 +137,11 @@
 except ImportError:
 SSL_ST_INIT = SSL_ST_BEFORE = SSL_ST_OK = SSL_ST_RENEGOTIATE = None
+try:
+ from OpenSSL.SSL import OP_NO_TLSv1_3
+except ImportError:
+ OP_NO_TLSv1_3 = None
+
 from .util import WARNING_TYPE_EXPECTED, NON_ASCII, is_consistent_type
 from .test_crypto import (
 client_cert_pem,
@@ -1039,6 +1052,32 @@
 assert all(isinstance(conn, Connection) for conn, line in called)
 assert all(b"CLIENT_RANDOM" in line for conn, line in called)
+ def test_set_proto_version(self):
+ if OP_NO_TLSv1_3 is None:
+ high_version = TLS1_2_VERSION
+ low_version = TLS1_1_VERSION
+ else:
+ high_version = TLS1_3_VERSION
+ low_version = TLS1_2_VERSION
+
+ server_context = Context(TLS_METHOD)
+ server_context.use_certificate(
+ load_certificate(FILETYPE_PEM, root_cert_pem)
+ )
+ server_context.use_privatekey(
+ load_privatekey(FILETYPE_PEM, root_key_pem)
+ )
+ server_context.set_min_proto_version(high_version)
+
+ client_context = Context(TLS_METHOD)
+ client_context.set_max_proto_version(low_version)
+
+ with pytest.raises(Error, match="unsupported protocol"):
+ self._handshake_test(server_context, client_context)
+
+ client_context.set_max_proto_version(0)
+ self._handshake_test(server_context, client_context)
+
 def _load_verify_locations_test(self, *args):
 """
 Create a client context which will verify the peer certificate and call
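Review bot: `test_set_proto_version` (hunk `@@ -1039,6 +1052,32 @@`) has no docstring, while the surrounding methods shown in these hunks document what they check. A one-line docstring stating the contract rather than the steps would do: `"""A server minimum above the client maximum fails the handshake; a client maximum of 0 lifts the cap and the handshake then succeeds."""`. The `match="unsupported protocol"` text appears to be OpenSSL's own reason string surfaced through `Error`, so a short inline comment noting that it is tied to the library's error strings rather than to pyOpenSSL would save the next person who sees it fail on a different build. The `try`/`except ImportError` block for `OP_NO_TLSv1_3` in hunk `@@ -129,6 +137,11 @@` is what lets this test choose its versions, and a comment there — `# Missing on OpenSSL builds without TLS 1.3; tests use it to pick the highest version to exercise.` — would make that link explicit.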
@@ -1888,6 +1927,15 @@
 assert server.get_alpn_proto_negotiated() == b"spdy/2"
 assert client.get_alpn_proto_negotiated() == b"spdy/2"
+ def test_alpn_call_failure(self):
+ """
+ SSL_CTX_set_alpn_protos does not like to be called with an empty
+ protocols list. Ensure that we produce a user-visible error.
+ """
+ context = Context(SSLv23_METHOD)
+ with pytest.raises(Error):
+ context.set_alpn_protos([])
+
 def test_alpn_set_on_connection(self):
 """
 The same as test_alpn_success, but setting the ALPN protocols on
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pyOpenSSL-20.0.1/tox.ini new/pyOpenSSL-21.0.0/tox.ini
--- old/pyOpenSSL-20.0.1/tox.ini 2020-12-15 16:30:54.000000000 +0100
+++ new/pyOpenSSL-21.0.0/tox.ini 2021-09-29 00:58:24.000000000 +0200
@@ -1,5 +1,5 @@
 [tox]
-envlist = {pypy,pypy3,py27,py35,py36,py37,py38,py39}{,-cryptographyMaster,-cryptographyMinimum}{,-randomorder},py37-twistedMaster,pypi-readme,check-manifest,flake8,docs,coverage-report
+envlist = {pypy,pypy3,py27,py36,py37,py38,py39}{,-cryptographyMaster,-cryptographyMinimum}{,-randomorder},py37-twistedMaster,pypi-readme,check-manifest,flake8,docs,coverage-report
 [testenv]
 whitelist_externals =
@@ -10,7 +10,7 @@
 deps =
 coverage>=4.2
 cryptographyMaster: git+https://github.com/pyca/cryptography.git
- cryptographyMinimum: cryptography==3.2
+ cryptographyMinimum: cryptography==3.3
 randomorder: pytest-randomly
 setenv =
 # Do not allow the executing environment to pollute the test environment
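Review bot: The docstring of `test_alpn_call_failure` (hunk `@@ -1888,6 +1927,15 @@`) describes OpenSSL's behaviour ("SSL_CTX_set_alpn_protos does not like…") rather than the guarantee pyOpenSSL makes, so it goes stale as soon as the empty-list rejection is done in Python before OpenSSL is called. Stating the contract keeps it valid either way: `"""Setting an empty ALPN protocol list raises Error; it is never accepted silently."""`. Only `[]` is exercised; other malformed lists, such as one containing an empty protocol name, are not covered by this hunk, assuming those are meant to be rejected as well. The enclosing test class starts outside the hunk.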
