diff --git a/.gitattributes b/.gitattributes
index e6096f7..9b03811 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -21,6 +21,3 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
-## Specific LFS patterns
-crypto.inv filter=lfs diff=lfs merge=lfs -text
-python3.inv filter=lfs diff=lfs merge=lfs -text
diff --git a/crypto.inv b/crypto.inv
deleted file mode 100644
index 264442d..0000000
--- a/crypto.inv
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:41ce8ae745441735db7d7745cc412146c483377c44cda20d7844e0e1141e19a2
-size 9076
diff --git a/fetch-intersphinx-inventories.sh b/fetch-intersphinx-inventories.sh
deleted file mode 100644
index 8ccb9af..0000000
--- a/fetch-intersphinx-inventories.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/sh
-
-wget -O python3.inv https://docs.python.org/3/objects.inv
-wget -O crypto.inv https://cryptography.io/en/latest/objects.inv
-
diff --git a/local-intersphinx-inventories.patch b/local-intersphinx-inventories.patch
deleted file mode 100644
index 8d4f5f1..0000000
--- a/local-intersphinx-inventories.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: b/doc/conf.py
-===================================================================
---- a/doc/conf.py
-+++ b/doc/conf.py
-@@ -254,6 +254,6 @@ man_pages = [
- ]
-
- intersphinx_mapping = {
-- "https://docs.python.org/3": None,
-- "https://cryptography.io/en/latest/": None,
-+ "https://docs.python.org/3": "python3.inv",
-+ "https://cryptography.io/en/latest/": "crypto.inv",
- }
diff --git a/openssl-1.1.0i.patch b/openssl-1.1.0i.patch
deleted file mode 100644
index 4127551..0000000
--- a/openssl-1.1.0i.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 0e6c553bc57587dc644430b7336e6bf4d90180a6 Mon Sep 17 00:00:00 2001
-From: Paul Kehrer
-Date: Thu, 23 Aug 2018 10:52:15 -0500
-Subject: [PATCH] X509Store.add_cert no longer raises an error on duplicate
- cert (#787)
-
-* X509Store.add_cert no longer raises an error on duplicate cert
-
----
- src/OpenSSL/crypto.py | 11 ++++++++++-
- tests/test_crypto.py | 9 ++++-----
- 3 files changed, 16 insertions(+), 7 deletions(-)
-
- Deprecations:
-diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py
-index d40f23c2..ea7b354b 100644
---- a/src/OpenSSL/crypto.py
-+++ b/src/OpenSSL/crypto.py
-@@ -1607,7 +1607,16 @@ def add_cert(self, cert):
- if not isinstance(cert, X509):
- raise TypeError()
-
-- _openssl_assert(_lib.X509_STORE_add_cert(self._store, cert._x509) != 0)
-+ # As of OpenSSL 1.1.0i adding the same cert to the store more than
-+ # once doesn't cause an error. Accordingly, this code now silences
-+ # the error for OpenSSL < 1.1.0i as well.
-+ if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0:
-+ code = _lib.ERR_peek_error()
-+ err_reason = _lib.ERR_GET_REASON(code)
-+ _openssl_assert(
-+ err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE
-+ )
-+ _lib.ERR_clear_error()
-
- def add_crl(self, crl):
- """
-diff --git a/tests/test_crypto.py b/tests/test_crypto.py
-index d1c261b8..eb4590d0 100644
---- a/tests/test_crypto.py
-+++ b/tests/test_crypto.py
-@@ -2016,16 +2016,15 @@ def test_add_cert_wrong_args(self, cert):
- with pytest.raises(TypeError):
- store.add_cert(cert)
-
-- def test_add_cert_rejects_duplicate(self):
-+ def test_add_cert_accepts_duplicate(self):
- """
-- `X509Store.add_cert` raises `OpenSSL.crypto.Error` if an attempt is
-- made to add the same certificate to the store more than once.
-+ `X509Store.add_cert` doesn't raise `OpenSSL.crypto.Error` if an attempt
-+ is made to add the same certificate to the store more than once.
- """
- cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM)
- store = X509Store()
- store.add_cert(cert)
-- with pytest.raises(Error):
-- store.add_cert(cert)
-+ store.add_cert(cert)
-
-
- class TestPKCS12(object):
diff --git a/openssl-1.1.1.patch b/openssl-1.1.1.patch
deleted file mode 100644
index d03f0a3..0000000
--- a/openssl-1.1.1.patch
+++ /dev/null
@@ -1,226 +0,0 @@
-From 4725d76eb4a1c0e7b7b6de6e4a8e95d6f076b50b Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Tue, 11 Sep 2018 17:35:31 -0400
-Subject: [PATCH 1/7] Attempt to fix CRL tests under OpenSSL 1.1.1
-
----
- tests/test_crypto.py | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/tests/test_crypto.py b/tests/test_crypto.py
-index eb4590d0..4983d6ac 100644
---- a/tests/test_crypto.py
-+++ b/tests/test_crypto.py
-@@ -3161,10 +3161,10 @@ def test_export_pem(self):
- dumped_crl = crl.export(
- self.cert, self.pkey, days=20, digest=b"sha256"
- )
-- text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text")
-+ text = _runopenssl(
-+ dumped_crl, b"crl", b"-noout", b"-text", b"-nameopt", ""
-+ )
-
-- # These magic values are based on the way the CRL above was constructed
-- # and with what certificate it was exported.
- text.index(b'Serial Number: 03AB')
- text.index(b'Superseded')
- text.index(
-@@ -3184,7 +3184,8 @@ def test_export_der(self):
- self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
- )
- text = _runopenssl(
-- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
-+ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER",
-+ b"-nameopt", ""
- )
- text.index(b'Serial Number: 03AB')
- text.index(b'Superseded')
-@@ -3207,7 +3208,8 @@ def test_export_text(self):
- self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5"
- )
- text = _runopenssl(
-- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER"
-+ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER",
-+ b"-nameopt", ""
- )
-
- # text format
-
-From 17d793266477c9812fdf3311741f175b24c07ed7 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Tue, 11 Sep 2018 17:54:22 -0400
-Subject: [PATCH 2/7] make these asserts both 1.1.1 and earlier friendly
-
----
- tests/test_crypto.py | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/tests/test_crypto.py b/tests/test_crypto.py
-index 4983d6ac..c08f81c3 100644
---- a/tests/test_crypto.py
-+++ b/tests/test_crypto.py
-@@ -3167,9 +3167,9 @@ def test_export_pem(self):
-
- text.index(b'Serial Number: 03AB')
- text.index(b'Superseded')
-- text.index(
-- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA'
-- )
-+ text.index(b'Issuer:')
-+ text.index(b'C=US')
-+ text.index(b'CN=Testing Root CA')
-
- def test_export_der(self):
- """
-@@ -3189,9 +3189,9 @@ def test_export_der(self):
- )
- text.index(b'Serial Number: 03AB')
- text.index(b'Superseded')
-- text.index(
-- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA'
-- )
-+ text.index(b'Issuer:')
-+ text.index(b'C=US')
-+ text.index(b'CN=Testing Root CA')
-
- # Flaky because we compare the output of running commands which sometimes
- # varies by 1 second
-
-From f43cdc5cb6c5f1ccf7983d2c7b8f3304d5130662 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Tue, 11 Sep 2018 18:09:49 -0400
-Subject: [PATCH 3/7] Fix setsession test by excluding TLS 1.3
-
-TLS 1.3 changes how resumption works, and the precise assertion we use here doesn't hold for it.
----
- tests/test_ssl.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/test_ssl.py b/tests/test_ssl.py
-index fbf07603..4845eca3 100644
---- a/tests/test_ssl.py
-+++ b/tests/test_ssl.py
-@@ -2539,7 +2539,7 @@ def test_client_set_session(self):
- """
- key = load_privatekey(FILETYPE_PEM, server_key_pem)
- cert = load_certificate(FILETYPE_PEM, server_cert_pem)
-- ctx = Context(SSLv23_METHOD)
-+ ctx = Context(TLSv1_2_METHOD)
- ctx.use_privatekey(key)
- ctx.use_certificate(cert)
- ctx.set_session_id("unity-test")
-
-From 71f44a0d979a10c69692dad2098841029363323f Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Tue, 11 Sep 2018 19:42:38 -0400
-Subject: [PATCH 4/7] Make this always behave like 1.1.1
-
----
- src/OpenSSL/SSL.py | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
-index 5cf39c0d..910ce680 100644
---- a/src/OpenSSL/SSL.py
-+++ b/src/OpenSSL/SSL.py
-@@ -1182,9 +1182,8 @@ def set_cipher_list(self, cipher_list):
- if not isinstance(cipher_list, bytes):
- raise TypeError("cipher_list must be a byte string.")
-
-- _openssl_assert(
-- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1
-- )
-+ # This can return an error if there's no ciphersuites, but we don't care.
-+ _lib.SSL_CTX_set_cipher_list(self._context, cipher_list)
-
- def set_client_ca_list(self, certificate_authorities):
- """
-
-From 457b6d391de7f0355def4a596ddb66eede63ae75 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Tue, 11 Sep 2018 19:43:49 -0400
-Subject: [PATCH 5/7] Update tests for the new behavior
-
----
- tests/test_ssl.py | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/tests/test_ssl.py b/tests/test_ssl.py
-index 4845eca3..a5fb4df9 100644
---- a/tests/test_ssl.py
-+++ b/tests/test_ssl.py
-@@ -409,19 +409,18 @@ def test_set_cipher_list(self, context, cipher_string):
- conn = Connection(context, None)
-
- assert "AES128-SHA" in conn.get_cipher_list()
-+
-+ def test_set_cipher_list_imaginary(self, context):
-+ # Doesn't raise an exception
-+ context.set_cipher_list(b"gibberish")
-
-- @pytest.mark.parametrize("cipher_list,error", [
-- (object(), TypeError),
-- ("imaginary-cipher", Error),
-- ])
-- def test_set_cipher_list_wrong_args(self, context, cipher_list, error):
-+ def test_set_cipher_list_wrong_args(self, context):
- """
- `Context.set_cipher_list` raises `TypeError` when passed a non-string
-- argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher
-- list string.
-+ argument.
- """
-- with pytest.raises(error):
-- context.set_cipher_list(cipher_list)
-+ with pytest.raises(TypeError):
-+ context.set_cipher_list(object())
-
- def test_load_client_ca(self, context, ca_file):
- """
-
-From d735cdba24a0a6a908e316743e03faf0fd7a7f8a Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Tue, 11 Sep 2018 19:48:07 -0400
-Subject: [PATCH 6/7] flake8
-
----
- src/OpenSSL/SSL.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
-index 910ce680..a0469f10 100644
---- a/src/OpenSSL/SSL.py
-+++ b/src/OpenSSL/SSL.py
-@@ -1182,7 +1182,8 @@ def set_cipher_list(self, cipher_list):
- if not isinstance(cipher_list, bytes):
- raise TypeError("cipher_list must be a byte string.")
-
-- # This can return an error if there's no ciphersuites, but we don't care.
-+ # This can return an error if there's no ciphersuites, but we don't
-+ # care.
- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list)
-
- def set_client_ca_list(self, certificate_authorities):
-
-From cf1e7619862652e81879541a6af38b793ede47a1 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Tue, 11 Sep 2018 20:01:26 -0400
-Subject: [PATCH 7/7] flake8
-
----
- tests/test_ssl.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tests/test_ssl.py b/tests/test_ssl.py
-index a5fb4df9..39e76500 100644
---- a/tests/test_ssl.py
-+++ b/tests/test_ssl.py
-@@ -409,7 +409,7 @@ def test_set_cipher_list(self, context, cipher_string):
- conn = Connection(context, None)
-
- assert "AES128-SHA" in conn.get_cipher_list()
--
-+
- def test_set_cipher_list_imaginary(self, context):
- # Doesn't raise an exception
- context.set_cipher_list(b"gibberish")
diff --git a/pyOpenSSL-18.0.0.tar.gz b/pyOpenSSL-18.0.0.tar.gz
deleted file mode 100644
index a59479b..0000000
--- a/pyOpenSSL-18.0.0.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6488f1423b00f73b7ad5167885312bb0ce410d3312eb212393795b53c8caa580 -size 167296 diff --git a/pyOpenSSL-19.0.0.tar.gz b/pyOpenSSL-19.0.0.tar.gz new file mode 100644 index 0000000..ab5b2dc --- /dev/null +++ b/pyOpenSSL-19.0.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aeca66338f6de19d1aa46ed634c3b9ae519a64b458f8468aec688e7e3c20f200 +size 168551 diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes index 72836db..ad0ceb2 100644 --- a/python-pyOpenSSL.changes +++ b/python-pyOpenSSL.changes @@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Sat Mar 2 16:29:39 UTC 2019 - Ondřej Súkup + +- update to 19.0 +- fixed build deps. +- drop patches: openssl-1.1.0i.patch + openssl-1.1.1.patch + opensuse_ca.patch + tls13-renegotiation.patch + * X509Store.add_cert no longer raises an error if you add a duplicate cert. + * pyOpenSSL now works with OpenSSL 1.1.1. + * pyOpenSSL now handles NUL bytes in X509Name.get_components() + +------------------------------------------------------------------- +Fri Mar 1 18:06:10 UTC 2019 - Hans-Peter Jansen + +- remove everything to build docs: + - local-intersphinx-inventories.patch + - fetch-intersphinx-inventories.sh + - python3.inv + - crypto.inv + ------------------------------------------------------------------- Mon Feb 25 19:56:35 UTC 2019 - Todd R diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index 0fcc20a..e695916 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec 
@@ -19,30 +19,25 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define oldpython python Name: python-pyOpenSSL -Version: 18.0.0 +Version: 19.0.0 Release: 0 Summary: Python wrapper module around the OpenSSL library License: Apache-2.0 Group: Development/Languages/Python URL: https://github.com/pyca/pyopenssl Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz -Source1: python3.inv -Source2: crypto.inv -Source3: fetch-intersphinx-inventories.sh Patch1: skip-networked-test.patch -Patch2: openssl-1.1.0i.patch -Patch3: openssl-1.1.1.patch -Patch4: tls13-renegotiation.patch -Patch5: local-intersphinx-inventories.patch BuildRequires: %{python_module cffi} BuildRequires: %{python_module cryptography >= 2.3.0} BuildRequires: %{python_module flaky} BuildRequires: %{python_module pretend} BuildRequires: %{python_module pytest >= 3.0.1} BuildRequires: %{python_module setuptools} +BuildRequires: %{python_module six} +BuildRequires: ca-certificates-mozilla BuildRequires: fdupes +BuildRequires: openssl BuildRequires: python-rpm-macros -BuildRequires: python3-Sphinx Requires: python-cffi Requires: python-cryptography >= 2.3.0 Requires: python-six >= 1.5.2 @@ -63,28 +58,16 @@ pyOpenSSL is now a pure-Python project with a dependency on a new project, cryptography (), which provides (among other things) a cffi-based interface to OpenSSL. -%package -n %{name}-doc -Summary: Documentation for %{name} -Group: Documentation/HTML - -%description -n %{name}-doc -Provides documentation for %{name}. - %prep %setup -q -n pyOpenSSL-%{version} %autopatch -p1 -# prepare local intersphinx inventories, fetch with fetch-intersphinx-inventories.sh -cp -v %{S:1} doc/ -cp -v %{S:2} doc/ - %build %python_build %install %python_install %python_expand %fdupes %{buildroot}%{$python_sitelib} -PYTHONPATH="%{buildroot}%{python3_sitelib}" python3 setup.py build_sphinx && rm build/sphinx/html/.buildinfo %check export LC_ALL=en_US.UTF-8 
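Review bot: The `Patch` lines removed in this hunk are Patch2 to Patch5 (`openssl-1.1.0i.patch`, `openssl-1.1.1.patch`, `tls13-renegotiation.patch`, `local-intersphinx-inventories.patch`), but the new `.changes` entry also lists `opensuse_ca.patch` as dropped, and no deleted-file section for that patch is visible in this commit. For the packaging history of a TLS library it matters whether a CA-related patch was really carried and removed, so either take the name out of the changelog entry or record where that patch went. The added `BuildRequires: ca-certificates-mozilla` and `BuildRequires: openssl` also come without explanation; a comment above them such as `# test suite needs a system CA bundle and the openssl command line tool` would document why they are build dependencies, presumably for `%check` (confirm against the test suite).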
@@ -98,8 +81,4 @@ py.test-%{$python_bin_suffix} -m "not network" -k "not test_export_text" %{python_sitelib}/OpenSSL/ %{python_sitelib}/pyOpenSSL-%{version}-py*.egg-info -%files -n %{name}-doc -%doc build/sphinx/html/ -%doc examples/ - %changelog diff --git a/python3.inv b/python3.inv deleted file mode 100644 index 99ffcde..0000000 --- a/python3.inv +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0c8b6fe404be5534e725ad69abf2a0f7deb6a2972b6500584df61102ce20d7fd -size 102981 diff --git a/tls13-renegotiation.patch b/tls13-renegotiation.patch deleted file mode 100644 index 8bb360c..0000000 --- a/tls13-renegotiation.patch +++ /dev/null 
@@ -1,56 +0,0 @@
-Index: pyOpenSSL-18.0.0/tests/test_ssl.py
-===================================================================
---- pyOpenSSL-18.0.0.orig/tests/test_ssl.py 2018-10-30 20:43:38.806954080 +0100
-+++ pyOpenSSL-18.0.0/tests/test_ssl.py 2018-10-30 20:58:46.133504622 +0100
-@@ -3181,6 +3181,7 @@ class TestConnectionRenegotiate(object):
- """
- Tests for SSL renegotiation APIs.
- """
-+
- def test_total_renegotiations(self):
- """
- `Connection.total_renegotiations` returns `0` before any renegotiations
-@@ -3193,7 +3194,16 @@ class TestConnectionRenegotiate(object):
- """
- Go through a complete renegotiation cycle.
- """
-- server, client = loopback()
-+ # renegotiation works with TLS version <= 1.2
-+ def makeServer12(socket):
-+ ctx = Context(TLSv1_2_METHOD)
-+ ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
-+ ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
-+ server = Connection(ctx, socket)
-+ server.set_accept_state()
-+ return server
-+
-+ server, client = loopback(server_factory=makeServer12)
-
- server.send(b"hello world")
-
-@@ -3216,6 +3226,25 @@ class TestConnectionRenegotiate(object):
- while False is server.renegotiate_pending():
- pass
-
-+ # renegotiation is forbidden in TLS 1.3
-+ server, client = loopback()
-+
-+ server.send(b"hello world")
-+
-+ assert b"hello world" == client.recv(len(b"hello world"))
-+
-+ assert 0 == server.total_renegotiations()
-+ assert False is server.renegotiate_pending()
-+
-+ # renegotian under TLS 1.3 must fail
-+
-+ if client.get_protocol_version_name() == "TLSv1.3":
-+ try:
-+ assert False is server.renegotiate()
-+ #error ('SSL routines', 'SSL_renegotiate', 'wrong ssl version')
-+ except SSL.Error:
-+ pass
-+
-
- class TestError(object):
- """