From 96bb8c56563a0ea0e6a9c0b5c6c5b899f9e11324ab6936dd3812b2dca7c513c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Wed, 31 Oct 2018 05:46:13 +0000
Subject: [PATCH] Accepting request 645594 from home:vitezslav_cizek:branches:devel:languages:python
- handle that renegotiation is forbidden in TLS 1.3
 * add tls13-renegotiation.patch
OBS-URL: https://build.opensuse.org/request/show/645594
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=52
---
 python-pyOpenSSL.changes | 6 +++++
 python-pyOpenSSL.spec | 1 +
 tls13-renegotiation.patch | 56 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+)
 create mode 100644 tls13-renegotiation.patch
diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes
index 8a68b42..a8d2e20 100644
--- a/python-pyOpenSSL.changes
+++ b/python-pyOpenSSL.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 30 13:41:43 UTC 2018 - Vítězslav Čížek
+
+- handle that renegotiation is forbidden in TLS 1.3
+ * add tls13-renegotiation.patch
+
 -------------------------------------------------------------------
 Tue Oct 30 11:21:30 UTC 2018 - Tomáš Chvátal
 
diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec
index f3db6db..b198f14 100644
--- a/python-pyOpenSSL.spec
+++ b/python-pyOpenSSL.spec
@@ -29,6 +29,7 @@ Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpe
 Patch1: skip-networked-test.patch
 Patch2: openssl-1.1.0i.patch
 Patch3: openssl-1.1.1.patch
+Patch4: tls13-renegotiation.patch
 BuildRequires: %{python_module cryptography >= 2.3.0}
 BuildRequires: %{python_module flaky}
 BuildRequires: %{python_module pretend}
diff --git a/tls13-renegotiation.patch b/tls13-renegotiation.patch
new file mode 100644
index 0000000..8bb360c
--- /dev/null
+++ b/tls13-renegotiation.patch
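Review bot: Patch4 is declared in the spec, but this hunk does not show the patch being applied; unless %prep uses %autosetup -p1 or %autopatch, a matching `%patch4 -p1` line is needed or the test-suite change never reaches the build. %prep is outside this hunk, so treat this as a check to make rather than a confirmed defect.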
@@ -0,0 +1,56 @@
+Index: pyOpenSSL-18.0.0/tests/test_ssl.py
+===================================================================
+--- pyOpenSSL-18.0.0.orig/tests/test_ssl.py 2018-10-30 20:43:38.806954080 +0100
++++ pyOpenSSL-18.0.0/tests/test_ssl.py 2018-10-30 20:58:46.133504622 +0100
+@@ -3181,6 +3181,7 @@ class TestConnectionRenegotiate(object):
+ """
+ Tests for SSL renegotiation APIs.
+ """
++
+ def test_total_renegotiations(self):
+ """
+ `Connection.total_renegotiations` returns `0` before any renegotiations
+@@ -3193,7 +3194,16 @@ class TestConnectionRenegotiate(object):
+ """
+ Go through a complete renegotiation cycle.
+ """
+- server, client = loopback()
++ # renegotiation works with TLS version <= 1.2
++ def makeServer12(socket):
++ ctx = Context(TLSv1_2_METHOD)
++ ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem))
++ ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem))
++ server = Connection(ctx, socket)
++ server.set_accept_state()
++ return server
++
++ server, client = loopback(server_factory=makeServer12)
+ 
+ server.send(b"hello world")
+ 
+@@ -3216,6 +3226,25 @@ class TestConnectionRenegotiate(object):
+ while False is server.renegotiate_pending():
+ pass
+ 
++ # renegotiation is forbidden in TLS 1.3
++ server, client = loopback()
++
++ server.send(b"hello world")
++
++ assert b"hello world" == client.recv(len(b"hello world"))
++
++ assert 0 == server.total_renegotiations()
++ assert False is server.renegotiate_pending()
++
++ # renegotian under TLS 1.3 must fail
++
++ if client.get_protocol_version_name() == "TLSv1.3":
++ try:
++ assert False is server.renegotiate()
++ #error ('SSL routines', 'SSL_renegotiate', 'wrong ssl version')
++ except SSL.Error:
++ pass
++
+ 
+ class TestError(object):
+ """
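Review bot: The TLS 1.3 half of test_renegotiate is guarded by `if client.get_protocol_version_name() == "TLSv1.3":`, so on an OpenSSL build that negotiates a lower version the new assertions never execute and the test passes silently; an `else:` branch that skips explicitly (pytest.skip, if the module already imports pytest) or asserts the pre-1.3 behaviour would make that visible in the run. Inside the guard, `except SSL.Error: pass` deliberately accepts either a `False` return or a raised error, which the `#error (...)` comment documents, but the comment above it has a typo: `# renegotian under TLS 1.3 must fail` should read `# renegotiation under TLS 1.3 must fail`. The embedded hunks cut through test_renegotiate, whose definition starts outside this hunk.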