From 032b476820e2969f6aaa217216d8f07d954f4e25cecb555e8f8f313f311c87fa Mon Sep 17 00:00:00 2001
From: Dirk Mueller
Date: Tue, 26 Oct 2021 20:28:09 +0000
Subject: [PATCH 1/2] - update to 21.0.0: - The minimum ``cryptography`` version is now 3.3. - Drop support for Python 3.5 - Raise an error when an invalid ALPN value is set. - Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version`` - Updated ``to_cryptography`` and ``from_cryptography`` methods to support an upcoming release of ``cryptography`` without raising deprecation warnings.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=83
---
 pyOpenSSL-20.0.1.tar.gz | 3 ---
 pyOpenSSL-21.0.0.tar.gz | 3 +++
 python-pyOpenSSL.changes | 11 +++++++++++
 python-pyOpenSSL.spec | 6 +++---
 4 files changed, 17 insertions(+), 6 deletions(-)
 delete mode 100644 pyOpenSSL-20.0.1.tar.gz
 create mode 100644 pyOpenSSL-21.0.0.tar.gz
diff --git a/pyOpenSSL-20.0.1.tar.gz b/pyOpenSSL-20.0.1.tar.gz
deleted file mode 100644
index 4fcc637..0000000
--- a/pyOpenSSL-20.0.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4c231c759543ba02560fcd2480c48dcec4dae34c9da7d3747c508227e0624b51
-size 173736
diff --git a/pyOpenSSL-21.0.0.tar.gz b/pyOpenSSL-21.0.0.tar.gz
new file mode 100644
index 0000000..557f390
--- /dev/null
+++ b/pyOpenSSL-21.0.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e2d8c5e46d0d865ae933bef5230090bdaf5506281e9eec60fa250ee80600cb3
+size 175652
diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes
index 72dd87a..15ddbdd 100644
--- a/python-pyOpenSSL.changes
+++ b/python-pyOpenSSL.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Tue Oct 26 20:27:12 UTC 2021 - Dirk Müller
+
+- update to 21.0.0:
+ - The minimum ``cryptography`` version is now 3.3.
+ - Drop support for Python 3.5
+ - Raise an error when an invalid ALPN value is set.
+ - Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version``
+ - Updated ``to_cryptography`` and ``from_cryptography`` methods to support an
+ upcoming release of ``cryptography`` without raising deprecation warnings.
+
 -------------------------------------------------------------------
 Mon Feb 1 18:07:21 UTC 2021 - Dirk Müller
 
diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec
index 4411689..03c73a5 100644
--- a/python-pyOpenSSL.spec
+++ b/python-pyOpenSSL.spec
@@ -19,7 +19,7 @@
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define oldpython python
 Name: python-pyOpenSSL
-Version: 20.0.1
+Version: 21.0.0
 Release: 0
 Summary: Python wrapper module around the OpenSSL library
 License: Apache-2.0
@@ -29,7 +29,7 @@ Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpe
 # Mark tests requiring network access
 Patch0: skip-networked-test.patch
 BuildRequires: %{python_module cffi}
-BuildRequires: %{python_module cryptography >= 2.8}
+BuildRequires: %{python_module cryptography >= 3.3}
 BuildRequires: %{python_module flaky}
 BuildRequires: %{python_module pretend}
 BuildRequires: %{python_module pytest >= 3.0.1}
@@ -40,7 +40,7 @@ BuildRequires: fdupes
 BuildRequires: openssl
 BuildRequires: python-rpm-macros
 Requires: python-cffi
-Requires: python-cryptography >= 2.8
+Requires: python-cryptography >= 3.3
 Requires: python-six >= 1.5.2
 Provides: pyOpenSSL = %{version}
 BuildArch: noarch
From 76cf59019de559c8470d6d669a21f16d04540c0b8cca6b0ddc8debaacd3820b1 Mon Sep 17 00:00:00 2001
From: Matej Cepl
Date: Sat, 30 Oct 2021 19:09:36 +0000
Subject: [PATCH 2/2] - Add check_inv_ALPN_lists.patch checks for invalid ALPN lists before calling OpenSSL (gh#pyca/pyopenssl#1056).
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=84
---
 check_inv_ALPN_lists.patch | 51 ++++++++++++++++++++++++++++++++++++++
 python-pyOpenSSL.changes | 6 +++++
 python-pyOpenSSL.spec | 3 +++
 3 files changed, 60 insertions(+)
 create mode 100644 check_inv_ALPN_lists.patch
diff --git a/check_inv_ALPN_lists.patch b/check_inv_ALPN_lists.patch
new file mode 100644
index 0000000..e76d16e
--- /dev/null
+++ b/check_inv_ALPN_lists.patch
@@ -0,0 +1,51 @@
+From cc5c00ae5fd3c19d07fff79b5c4a08f5e58697ad Mon Sep 17 00:00:00 2001
+From: "Nathaniel J. Smith"
+Date: Wed, 27 Oct 2021 11:54:08 -0700
+Subject: [PATCH 1/2] Check for invalid ALPN lists before calling OpenSSL, for
+ consistency
+
+Fixes gh-1043
+---
+ src/OpenSSL/SSL.py | 12 ++++++++++++
+ tests/test_ssl.py | 2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -1423,6 +1423,12 @@ class Context(object):
+ This list should be a Python list of bytestrings representing the
+ protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
+ """
++ # Different versions of OpenSSL are inconsistent about how they handle
++ # empty proto lists (see #1043), so we avoid the problem entirely by
++ # rejecting them ourselves.
++ if not protos:
++ raise ValueError("at least one protocol must be specified")
++
+ # Take the list of protocols and join them together, prefixing them
+ # with their lengths.
+ protostr = b"".join(
+@@ -2451,6 +2457,12 @@ class Connection(object):
+ This list should be a Python list of bytestrings representing the
+ protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
+ """
++ # Different versions of OpenSSL are inconsistent about how they handle
++ # empty proto lists (see #1043), so we avoid the problem entirely by
++ # rejecting them ourselves.
++ if not protos:
++ raise ValueError("at least one protocol must be specified")
++
+ # Take the list of protocols and join them together, prefixing them
+ # with their lengths.
+ protostr = b"".join(
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -1934,7 +1934,7 @@ class TestApplicationLayerProtoNegotiati
+ protocols list. Ensure that we produce a user-visible error.
+ """
+ context = Context(SSLv23_METHOD)
+- with pytest.raises(Error):
++ with pytest.raises(ValueError):
+ context.set_alpn_protos([])
+
+ def test_alpn_set_on_connection(self):
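Review bot: The guard added to both `set_alpn_protos` bodies rejects only an empty list, so a list holding an empty bytestring or an entry longer than 255 bytes still reaches the length-prefix join below it. ALPN protocol names are 1 to 255 bytes behind a one-byte length prefix (RFC 7301), and whether later code validates that lies outside these hunks. Consider adding `if any(not 0 < len(p) < 256 for p in protos): raise ValueError("each protocol must be 1-255 bytes long")` right after the emptiness check. Callers that caught `OpenSSL.SSL.Error` for an empty list will now see `ValueError` instead, and the adjusted test exercises only `Context.set_alpn_protos([])`, not the `Connection` method. Both method bodies start and end outside the hunks.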
diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes
index 15ddbdd..c68bc8b 100644
--- a/python-pyOpenSSL.changes
+++ b/python-pyOpenSSL.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sat Oct 30 19:08:35 UTC 2021 - Matej Cepl
+
+- Add check_inv_ALPN_lists.patch checks for invalid ALPN lists
+ before calling OpenSSL (gh#pyca/pyopenssl#1056).
+
 -------------------------------------------------------------------
 Tue Oct 26 20:27:12 UTC 2021 - Dirk Müller
 
diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec
index 03c73a5..ea18da2 100644
--- a/python-pyOpenSSL.spec
+++ b/python-pyOpenSSL.spec
@@ -28,6 +28,9 @@ Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpe
 # PATCH-FIX-UPSTREAM skip-networked-test.patch gh#pyca/pyopenssl#68 mcepl@suse.com
 # Mark tests requiring network access
 Patch0: skip-networked-test.patch
+# PATCH-FIX-UPSTREAM check_inv_ALPN_lists.patch gh#pyca/pyopenssl#1056 mcepl@suse.com
+# Check for invalid ALPN lists before calling OpenSSL
+Patch1: check_inv_ALPN_lists.patch
 BuildRequires: %{python_module cffi}
 BuildRequires: %{python_module cryptography >= 3.3}
 BuildRequires: %{python_module flaky}
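Review bot: `Patch1: check_inv_ALPN_lists.patch` is declared in the spec hunk, but the `%prep` section is not part of this diff, so it cannot be seen whether the patch is actually applied during the build. If `%prep` uses `%autosetup -p1` nothing more is needed; if it applies patches one by one, a `%patch1 -p1` line is required, otherwise the package ships without the ALPN check while the changelog says it is present. The patch uses `a/` and `b/` path prefixes, so strip level 1 is the one that matches.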