- Add check_inv_ALPN_lists.patch checks for invalid ALPN lists

before calling OpenSSL (gh#pyca/pyopenssl#1056). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=84
2021-10-30 19:09:36 +00:00 · 2021-10-30 19:09:36 +00:00 · 76cf59019d
commit 76cf59019d
parent 032b476820
3 changed files with 60 additions and 0 deletions
--- a/check_inv_ALPN_lists.patch
+++ b/check_inv_ALPN_lists.patch
@ -0,0 +1,51 @@
+From cc5c00ae5fd3c19d07fff79b5c4a08f5e58697ad Mon Sep 17 00:00:00 2001
+From: "Nathaniel J. Smith" <njs@pobox.com>
+Date: Wed, 27 Oct 2021 11:54:08 -0700
+Subject: [PATCH 1/2] Check for invalid ALPN lists before calling OpenSSL, for
+ consistency
+
+Fixes gh-1043
+---
+ src/OpenSSL/SSL.py |   12 ++++++++++++
+ tests/test_ssl.py  |    2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
+@@ -1423,6 +1423,12 @@ class Context(object):
+             This list should be a Python list of bytestrings representing the
+             protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
+         """
+        # Different versions of OpenSSL are inconsistent about how they handle
+        # empty proto lists (see #1043), so we avoid the problem entirely by
+        # rejecting them ourselves.
+        if not protos:
+            raise ValueError("at least one protocol must be specified")
+
+         # Take the list of protocols and join them together, prefixing them
+         # with their lengths.
+         protostr = b"".join(
+@@ -2451,6 +2457,12 @@ class Connection(object):
+             This list should be a Python list of bytestrings representing the
+             protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
+         """
+        # Different versions of OpenSSL are inconsistent about how they handle
+        # empty proto lists (see #1043), so we avoid the problem entirely by
+        # rejecting them ourselves.
+        if not protos:
+            raise ValueError("at least one protocol must be specified")
+
+         # Take the list of protocols and join them together, prefixing them
+         # with their lengths.
+         protostr = b"".join(
+--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
+@@ -1934,7 +1934,7 @@ class TestApplicationLayerProtoNegotiati
+         protocols list. Ensure that we produce a user-visible error.
+         """
+         context = Context(SSLv23_METHOD)
+-        with pytest.raises(Error):
+        with pytest.raises(ValueError):
+             context.set_alpn_protos([])
+ 
+     def test_alpn_set_on_connection(self):
--- a/python-pyOpenSSL.changes
+++ b/python-pyOpenSSL.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sat Oct 30 19:08:35 UTC 2021 - Matej Cepl <mcepl@suse.com>
+
+- Add check_inv_ALPN_lists.patch checks for invalid ALPN lists
+  before calling OpenSSL (gh#pyca/pyopenssl#1056).
+
 -------------------------------------------------------------------
 Tue Oct 26 20:27:12 UTC 2021 - Dirk Müller <dmueller@suse.com>

--- a/python-pyOpenSSL.spec
+++ b/python-pyOpenSSL.spec
@ -28,6 +28,9 @@ Source:         https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpe
 # PATCH-FIX-UPSTREAM skip-networked-test.patch gh#pyca/pyopenssl#68 mcepl@suse.com
 # Mark tests requiring network access
 Patch0:         skip-networked-test.patch
+# PATCH-FIX-UPSTREAM check_inv_ALPN_lists.patch gh#pyca/pyopenssl#1056 mcepl@suse.com
+#  Check for invalid ALPN lists before calling OpenSSL
+Patch1:         check_inv_ALPN_lists.patch
 BuildRequires:  %{python_module cffi}
 BuildRequires:  %{python_module cryptography >= 3.3}
 BuildRequires:  %{python_module flaky}