pool/python-pyOpenSSL
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Add check_inv_ALPN_lists.patch checks for invalid ALPN lists

Browse Source 
before calling OpenSSL (gh#pyca/pyopenssl#1056).

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=84
This commit is contained in:
Matej Cepl 2021-10-30 19:09:36 +00:00 committed by Git OBS Bridge
parent 032b476820
commit 76cf59019d
3 changed files with 60 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
check_inv_ALPN_lists.patch Normal file
View File

@ -0,0 +1,51 @@
From cc5c00ae5fd3c19d07fff79b5c4a08f5e58697ad Mon Sep 17 00:00:00 2001
From: "Nathaniel J. Smith" <njs@pobox.com>
Date: Wed, 27 Oct 2021 11:54:08 -0700
Subject: [PATCH 1/2] Check for invalid ALPN lists before calling OpenSSL, for
consistency
Fixes gh-1043
---
src/OpenSSL/SSL.py | 12 ++++++++++++
tests/test_ssl.py | 2 +-
2 files changed, 13 insertions(+), 1 deletion(-)
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -1423,6 +1423,12 @@ class Context(object):
This list should be a Python list of bytestrings representing the
protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
"""
+ # Different versions of OpenSSL are inconsistent about how they handle
+ # empty proto lists (see #1043), so we avoid the problem entirely by
+ # rejecting them ourselves.
+ if not protos:
+ raise ValueError("at least one protocol must be specified")
+
# Take the list of protocols and join them together, prefixing them
# with their lengths.
protostr = b"".join(
@@ -2451,6 +2457,12 @@ class Connection(object):
This list should be a Python list of bytestrings representing the
protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
"""
+ # Different versions of OpenSSL are inconsistent about how they handle
+ # empty proto lists (see #1043), so we avoid the problem entirely by
+ # rejecting them ourselves.
+ if not protos:
+ raise ValueError("at least one protocol must be specified")
+
# Take the list of protocols and join them together, prefixing them
# with their lengths.
protostr = b"".join(
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -1934,7 +1934,7 @@ class TestApplicationLayerProtoNegotiati
protocols list. Ensure that we produce a user-visible error.
"""
context = Context(SSLv23_METHOD)
- with pytest.raises(Error):
+ with pytest.raises(ValueError):
context.set_alpn_protos([])
def test_alpn_set_on_connection(self):

6
python-pyOpenSSL.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Sat Oct 30 19:08:35 UTC 2021 - Matej Cepl <mcepl@suse.com>
- Add check_inv_ALPN_lists.patch checks for invalid ALPN lists
before calling OpenSSL (gh#pyca/pyopenssl#1056).
-------------------------------------------------------------------
Tue Oct 26 20:27:12 UTC 2021 - Dirk Müller <dmueller@suse.com>

3
python-pyOpenSSL.spec
View File

@ -28,6 +28,9 @@ Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpe
# PATCH-FIX-UPSTREAM skip-networked-test.patch gh#pyca/pyopenssl#68 mcepl@suse.com
# Mark tests requiring network access
Patch0: skip-networked-test.patch
# PATCH-FIX-UPSTREAM check_inv_ALPN_lists.patch gh#pyca/pyopenssl#1056 mcepl@suse.com
# Check for invalid ALPN lists before calling OpenSSL
Patch1: check_inv_ALPN_lists.patch
BuildRequires: %{python_module cffi}
BuildRequires: %{python_module cryptography >= 3.3}
BuildRequires: %{python_module flaky}