Accepting request 928309 from devel:languages:python

- Add check_inv_ALPN_lists.patch checks for invalid ALPN lists
  before calling OpenSSL (gh#pyca/pyopenssl#1056).
- update to 21.0.0:
  - The minimum ``cryptography`` version is now 3.3.
  - Drop support for Python 3.5
  - Raise an error when an invalid ALPN value is set.
  - Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version``
  - Updated ``to_cryptography`` and ``from_cryptography`` methods to support an
    upcoming release of ``cryptography`` without raising deprecation warnings.

OBS-URL: https://build.opensuse.org/request/show/928309
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-pyOpenSSL?expand=0&rev=41

check_inv_ALPN_lists.patch

@@ -0,0 +1,51 @@
+From cc5c00ae5fd3c19d07fff79b5c4a08f5e58697ad Mon Sep 17 00:00:00 2001
+From: "Nathaniel J. Smith" <njs@pobox.com>
+Date: Wed, 27 Oct 2021 11:54:08 -0700
+Subject: [PATCH 1/2] Check for invalid ALPN lists before calling OpenSSL, for
+ consistency
+
+Fixes gh-1043
+---
+ src/OpenSSL/SSL.py |   12 ++++++++++++
+ tests/test_ssl.py  |    2 +-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/src/OpenSSL/SSL.py
++++ b/src/OpenSSL/SSL.py
+@@ -1423,6 +1423,12 @@ class Context(object):
+             This list should be a Python list of bytestrings representing the
+             protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
+         """
++        # Different versions of OpenSSL are inconsistent about how they handle
++        # empty proto lists (see #1043), so we avoid the problem entirely by
++        # rejecting them ourselves.
++        if not protos:
++            raise ValueError("at least one protocol must be specified")
++
+         # Take the list of protocols and join them together, prefixing them
+         # with their lengths.
+         protostr = b"".join(
+@@ -2451,6 +2457,12 @@ class Connection(object):
+             This list should be a Python list of bytestrings representing the
+             protocols to offer, e.g. ``[b'http/1.1', b'spdy/2']``.
+         """
++        # Different versions of OpenSSL are inconsistent about how they handle
++        # empty proto lists (see #1043), so we avoid the problem entirely by
++        # rejecting them ourselves.
++        if not protos:
++            raise ValueError("at least one protocol must be specified")
++
+         # Take the list of protocols and join them together, prefixing them
+         # with their lengths.
+         protostr = b"".join(
+--- a/tests/test_ssl.py
++++ b/tests/test_ssl.py
+@@ -1934,7 +1934,7 @@ class TestApplicationLayerProtoNegotiati
+         protocols list. Ensure that we produce a user-visible error.
+         """
+         context = Context(SSLv23_METHOD)
+-        with pytest.raises(Error):
++        with pytest.raises(ValueError):
+             context.set_alpn_protos([])
+ 
+     def test_alpn_set_on_connection(self):

pyOpenSSL-20.0.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4c231c759543ba02560fcd2480c48dcec4dae34c9da7d3747c508227e0624b51
-size 173736

pyOpenSSL-21.0.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5e2d8c5e46d0d865ae933bef5230090bdaf5506281e9eec60fa250ee80600cb3
+size 175652

python-pyOpenSSL.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Sat Oct 30 19:08:35 UTC 2021 - Matej Cepl <mcepl@suse.com>
+
+- Add check_inv_ALPN_lists.patch checks for invalid ALPN lists
+  before calling OpenSSL (gh#pyca/pyopenssl#1056).
+
+-------------------------------------------------------------------
+Tue Oct 26 20:27:12 UTC 2021 - Dirk Müller <dmueller@suse.com>
+
+- update to 21.0.0:
+  - The minimum ``cryptography`` version is now 3.3.
+  - Drop support for Python 3.5
+  - Raise an error when an invalid ALPN value is set.
+  - Added ``OpenSSL.SSL.Context.set_min_proto_version`` and ``OpenSSL.SSL.Context.set_max_proto_version``
+  - Updated ``to_cryptography`` and ``from_cryptography`` methods to support an
+    upcoming release of ``cryptography`` without raising deprecation warnings.
+
 -------------------------------------------------------------------
 Mon Feb  1 18:07:21 UTC 2021 - Dirk Müller <dmueller@suse.com>
 

python-pyOpenSSL.spec

@@ -19,7 +19,7 @@
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define oldpython python
 Name:           python-pyOpenSSL
-Version:        20.0.1
+Version:        21.0.0
 Release:        0
 Summary:        Python wrapper module around the OpenSSL library
 License:        Apache-2.0
@@ -28,8 +28,11 @@ Source:         https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpe
 # PATCH-FIX-UPSTREAM skip-networked-test.patch gh#pyca/pyopenssl#68 mcepl@suse.com
 # Mark tests requiring network access
 Patch0:         skip-networked-test.patch
+# PATCH-FIX-UPSTREAM check_inv_ALPN_lists.patch gh#pyca/pyopenssl#1056 mcepl@suse.com
+#  Check for invalid ALPN lists before calling OpenSSL
+Patch1:         check_inv_ALPN_lists.patch
 BuildRequires:  %{python_module cffi}
-BuildRequires:  %{python_module cryptography >= 2.8}
+BuildRequires:  %{python_module cryptography >= 3.3}
 BuildRequires:  %{python_module flaky}
 BuildRequires:  %{python_module pretend}
 BuildRequires:  %{python_module pytest >= 3.0.1}
@@ -40,7 +43,7 @@ BuildRequires:  fdupes
 BuildRequires:  openssl
 BuildRequires:  python-rpm-macros
 Requires:       python-cffi
-Requires:       python-cryptography >= 2.8
+Requires:       python-cryptography >= 3.3
 Requires:       python-six >= 1.5.2
 Provides:       pyOpenSSL = %{version}
 BuildArch:      noarch