Accepting request 645594 from home:vitezslav_cizek:branches:devel:languages:python

- handle that renegotiation is forbidden in TLS 1.3 * add tls13-renegotiation.patch OBS-URL: https://build.opensuse.org/request/show/645594 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=52
2018-10-31 05:46:13 +00:00 · 2018-10-31 05:46:13 +00:00 · 96bb8c5656
commit 96bb8c5656
parent 70eff89ff9
3 changed files with 63 additions and 0 deletions
--- a/python-pyOpenSSL.changes
+++ b/python-pyOpenSSL.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 30 13:41:43 UTC 2018 - Vítězslav Čížek <vcizek@suse.com>
+
+- handle that renegotiation is forbidden in TLS 1.3
+  * add tls13-renegotiation.patch
+
 -------------------------------------------------------------------
 Tue Oct 30 11:21:30 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com>

--- a/python-pyOpenSSL.spec
+++ b/python-pyOpenSSL.spec
@ -29,6 +29,7 @@ Source:         https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpe
 Patch1:         skip-networked-test.patch
 Patch2:         openssl-1.1.0i.patch
 Patch3:         openssl-1.1.1.patch
+Patch4:         tls13-renegotiation.patch
 BuildRequires:  %{python_module cryptography >= 2.3.0}
 BuildRequires:  %{python_module flaky}
 BuildRequires:  %{python_module pretend}
--- a/tls13-renegotiation.patch
+++ b/tls13-renegotiation.patch
@ -0,0 +1,56 @@
+Index: pyOpenSSL-18.0.0/tests/test_ssl.py
+===================================================================
+--- pyOpenSSL-18.0.0.orig/tests/test_ssl.py	2018-10-30 20:43:38.806954080 +0100
+++ pyOpenSSL-18.0.0/tests/test_ssl.py	2018-10-30 20:58:46.133504622 +0100
+@@ -3181,6 +3181,7 @@ class TestConnectionRenegotiate(object):
+     """
+     Tests for SSL renegotiation APIs.
+     """
+
+     def test_total_renegotiations(self):
+         """
+         `Connection.total_renegotiations` returns `0` before any renegotiations
+@@ -3193,7 +3194,16 @@ class TestConnectionRenegotiate(object):
+         """
+         Go through a complete renegotiation cycle.
+         """
+-        server, client = loopback()
+        # renegotiation works with TLS version <= 1.2
+        def makeServer12(socket):
+            ctx = Context(TLSv1_2_METHOD)
+            ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
+            ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
+            server = Connection(ctx, socket)
+            server.set_accept_state()
+            return server
+
+        server, client = loopback(server_factory=makeServer12)
+ 
+         server.send(b"hello world")
+ 
+@@ -3216,6 +3226,25 @@ class TestConnectionRenegotiate(object):
+         while False is server.renegotiate_pending():
+             pass
+ 
+        # renegotiation is forbidden in TLS 1.3
+        server, client = loopback()
+
+        server.send(b"hello world")
+
+        assert b"hello world" == client.recv(len(b"hello world"))
+
+        assert 0 == server.total_renegotiations()
+        assert False is server.renegotiate_pending()
+
+        # renegotian under TLS 1.3 must fail
+
+        if client.get_protocol_version_name() == "TLSv1.3":
+            try:
+                assert False is server.renegotiate()
+            #error ('SSL routines', 'SSL_renegotiate', 'wrong ssl version')
+            except SSL.Error:
+                pass
+
+ 
+ class TestError(object):
+     """