From 071b74d8a2c4646d0a360b21f4d079bd9f4141e9f61d3fa2404c661b62e083a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Thu, 16 Aug 2018 15:55:53 +0000 Subject: [PATCH 1/6] - Update to 18.0.0: * Update for new openssl 1.1.1 - Remove not needed patches: * bug-lp-1265482.diff * rsa128-i586.patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=47 --- bug-lp-1265482.diff | 13 ------------- pyOpenSSL-17.5.0.tar.gz | 3 --- pyOpenSSL-18.0.0.tar.gz | 3 +++ python-pyOpenSSL.changes | 9 +++++++++ python-pyOpenSSL.spec | 19 +++++++------------ rsa128-i586.patch | 31 ------------------------------- 6 files changed, 19 insertions(+), 59 deletions(-) delete mode 100644 bug-lp-1265482.diff delete mode 100644 pyOpenSSL-17.5.0.tar.gz create mode 100644 pyOpenSSL-18.0.0.tar.gz delete mode 100644 rsa128-i586.patch diff --git a/bug-lp-1265482.diff b/bug-lp-1265482.diff deleted file mode 100644 index 629c8e7..0000000 --- a/bug-lp-1265482.diff +++ /dev/null @@ -1,13 +0,0 @@ -Index: OpenSSL/test/test_crypto.py -=================================================================== ---- OpenSSL/tests/test_crypto.py.orig -+++ OpenSSL/tests/test_crypto.py -@@ -627,7 +627,7 @@ - `PKey.generate_key` generates an RSA key when passed `TYPE_RSA` as a - type and a reasonable number of bits. - """ -- bits = 128 -+ bits = 2048 - key = PKey() - key.generate_key(TYPE_RSA, bits) - assert key.type() == TYPE_RSA diff --git a/pyOpenSSL-17.5.0.tar.gz b/pyOpenSSL-17.5.0.tar.gz deleted file mode 100644 index 344f7ac..0000000 --- a/pyOpenSSL-17.5.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2c10cfba46a52c0b0950118981d61e72c1e5b1aac451ca1bc77de1a679456773 -size 170870 diff --git a/pyOpenSSL-18.0.0.tar.gz b/pyOpenSSL-18.0.0.tar.gz new file mode 100644 index 0000000..a59479b --- /dev/null +++ b/pyOpenSSL-18.0.0.tar.gz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:6488f1423b00f73b7ad5167885312bb0ce410d3312eb212393795b53c8caa580 +size 167296 diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes index 42e317e..4dd053f 100644 --- a/python-pyOpenSSL.changes +++ b/python-pyOpenSSL.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Aug 16 15:48:21 UTC 2018 - tchvatal@suse.com + +- Update to 18.0.0: + * Update for new openssl 1.1.1 +- Remove not needed patches: + * bug-lp-1265482.diff + * rsa128-i586.patch + ------------------------------------------------------------------- Tue Feb 27 19:20:19 UTC 2018 - aplanas@suse.com diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index 6d7108a..6c82dc1 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec @@ -19,27 +19,23 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define oldpython python Name: python-pyOpenSSL -Version: 17.5.0 +Version: 18.0.0 Release: 0 Summary: Python wrapper module around the OpenSSL library License: Apache-2.0 Group: Development/Languages/Python -Url: https://github.com/pyca/pyopenssl +URL: https://github.com/pyca/pyopenssl Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz -Patch0: bug-lp-1265482.diff Patch1: skip-networked-test.patch -Patch2: rsa128-i586.patch -BuildRequires: %{python_module cryptography >= 2.1.4} -BuildRequires: %{python_module devel} +BuildRequires: %{python_module cryptography >= 2.2.1} BuildRequires: %{python_module flaky} BuildRequires: %{python_module pretend} BuildRequires: %{python_module pytest >= 3.0.1} BuildRequires: %{python_module setuptools} BuildRequires: fdupes -BuildRequires: openssl-devel BuildRequires: python-rpm-macros BuildRequires: python3-Sphinx -Requires: python-cryptography >= 2.1.4 +Requires: python-cryptography >= 2.2.1 Requires: python-six >= 1.5.2 Provides: pyOpenSSL = %{version} BuildArch: noarch 
@@ -67,9 +63,7 @@ Provides documentation for %{name}. %prep %setup -q -n pyOpenSSL-%{version} -%patch0 -p1 %patch1 -p1 -%patch2 -p1 %build %python_build @@ -77,7 +71,7 @@ Provides documentation for %{name}. %install %python_install %python_expand %fdupes %{buildroot}%{$python_sitelib} -PYTHONPATH="%{buildroot}%{python3_sitelib}" %__python3 setup.py build_sphinx && rm build/sphinx/html/.buildinfo +PYTHONPATH="%{buildroot}%{python3_sitelib}" python3 setup.py build_sphinx && rm build/sphinx/html/.buildinfo %check export LC_ALL=en_US.UTF-8 @@ -86,7 +80,8 @@ py.test-%{$python_bin_suffix} -m "not network" -k "not test_export_text" } %files %{python_files} -%doc LICENSE *.rst +%license LICENSE +%doc *.rst %{python_sitelib}/OpenSSL/ %{python_sitelib}/pyOpenSSL-%{version}-py*.egg-info diff --git a/rsa128-i586.patch b/rsa128-i586.patch deleted file mode 100644 index 3b3821f..0000000 --- a/rsa128-i586.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -Index: pyOpenSSL-17.0.0/tests/test_ssl.py -=================================================================== ---- pyOpenSSL-17.0.0.orig/tests/test_ssl.py -+++ pyOpenSSL-17.0.0/tests/test_ssl.py -@@ -525,7 +525,7 @@ - `Context.use_privatekey` takes an `OpenSSL.crypto.PKey` instance. - """ - key = PKey() -- key.generate_key(TYPE_RSA, 128) -+ key.generate_key(TYPE_RSA, 2048) - ctx = Context(TLSv1_METHOD) - ctx.use_privatekey(key) - with pytest.raises(TypeError): -@@ -546,7 +546,7 @@ - arguments does not raise an exception. - """ - key = PKey() -- key.generate_key(TYPE_RSA, 128) -+ key.generate_key(TYPE_RSA, 2048) - - with open(pemfile, "wt") as pem: - pem.write( -@@ -849,7 +849,7 @@ - passphrase. Return the path to the new file. - """ - key = PKey() -- key.generate_key(TYPE_RSA, 128) -+ key.generate_key(TYPE_RSA, 2048) - pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase) - with open(tmpfile, 'w') as fObj: - fObj.write(pem.decode('ascii')) From a508fd04addf0fa3f0d2516c33c9da4bddaae24313d3ee09bf810d0d803066be Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Fri, 24 Aug 2018 09:10:42 +0000 Subject: [PATCH 2/6] - Add patch to work with openssl 1.1.0i+: * openssl-1.1.0i.patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=48 --- openssl-1.1.0i.patch | 61 ++++++++++++++++++++++++++++++++++++++++ python-pyOpenSSL.changes | 6 ++++ python-pyOpenSSL.spec | 7 +++-- 3 files changed, 71 insertions(+), 3 deletions(-) create mode 100644 openssl-1.1.0i.patch diff --git a/openssl-1.1.0i.patch b/openssl-1.1.0i.patch new file mode 100644 index 0000000..4127551 --- /dev/null +++ b/openssl-1.1.0i.patch 
@@ -0,0 +1,61 @@ +From 0e6c553bc57587dc644430b7336e6bf4d90180a6 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 23 Aug 2018 10:52:15 -0500 +Subject: [PATCH] X509Store.add_cert no longer raises an error on duplicate + cert (#787) + +* X509Store.add_cert no longer raises an error on duplicate cert + +--- + src/OpenSSL/crypto.py | 11 ++++++++++- + tests/test_crypto.py | 9 ++++----- + 3 files changed, 16 insertions(+), 7 deletions(-) + + Deprecations: +diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py +index d40f23c2..ea7b354b 100644 +--- a/src/OpenSSL/crypto.py ++++ b/src/OpenSSL/crypto.py +@@ -1607,7 +1607,16 @@ def add_cert(self, cert): + if not isinstance(cert, X509): + raise TypeError() + +- _openssl_assert(_lib.X509_STORE_add_cert(self._store, cert._x509) != 0) ++ # As of OpenSSL 1.1.0i adding the same cert to the store more than ++ # once doesn't cause an error. Accordingly, this code now silences ++ # the error for OpenSSL < 1.1.0i as well. ++ if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0: ++ code = _lib.ERR_peek_error() ++ err_reason = _lib.ERR_GET_REASON(code) ++ _openssl_assert( ++ err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE ++ ) ++ _lib.ERR_clear_error() + + def add_crl(self, crl): + """ +diff --git a/tests/test_crypto.py b/tests/test_crypto.py +index d1c261b8..eb4590d0 100644 +--- a/tests/test_crypto.py ++++ b/tests/test_crypto.py +@@ -2016,16 +2016,15 @@ def test_add_cert_wrong_args(self, cert): + with pytest.raises(TypeError): + store.add_cert(cert) + +- def test_add_cert_rejects_duplicate(self): ++ def test_add_cert_accepts_duplicate(self): + """ +- `X509Store.add_cert` raises `OpenSSL.crypto.Error` if an attempt is +- made to add the same certificate to the store more than once. ++ `X509Store.add_cert` doesn't raise `OpenSSL.crypto.Error` if an attempt ++ is made to add the same certificate to the store more than once. 
+ """ + cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM) + store = X509Store() + store.add_cert(cert) +- with pytest.raises(Error): +- store.add_cert(cert) ++ store.add_cert(cert) + + + class TestPKCS12(object): diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes index 4dd053f..9b22064 100644 --- a/python-pyOpenSSL.changes +++ b/python-pyOpenSSL.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Aug 24 09:08:36 UTC 2018 - tchvatal@suse.com + +- Add patch to work with openssl 1.1.0i+: + * openssl-1.1.0i.patch + ------------------------------------------------------------------- Thu Aug 16 15:48:21 UTC 2018 - tchvatal@suse.com diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index 6c82dc1..2cc52f6 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec @@ -27,7 +27,8 @@ Group: Development/Languages/Python URL: https://github.com/pyca/pyopenssl Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz Patch1: skip-networked-test.patch -BuildRequires: %{python_module cryptography >= 2.2.1} +Patch2: openssl-1.1.0i.patch +BuildRequires: %{python_module cryptography >= 2.3.0} BuildRequires: %{python_module flaky} BuildRequires: %{python_module pretend} BuildRequires: %{python_module pytest >= 3.0.1} @@ -35,7 +36,7 @@ BuildRequires: %{python_module setuptools} BuildRequires: fdupes BuildRequires: python-rpm-macros BuildRequires: python3-Sphinx -Requires: python-cryptography >= 2.2.1 +Requires: python-cryptography >= 2.3.0 Requires: python-six >= 1.5.2 Provides: pyOpenSSL = %{version} BuildArch: noarch @@ -63,7 +64,7 @@ Provides documentation for %{name}. %prep %setup -q -n pyOpenSSL-%{version} -%patch1 -p1 +%autopatch -p1 %build %python_build From d8c9bd5a3eea064f497887daab431461b97d90823caad5f9c0364a102d0f214c Mon Sep 17 00:00:00 2001 
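Review bot: In the failure branch added to `add_cert` in src/OpenSSL/crypto.py, `_lib.ERR_peek_error()` returns the oldest entry on the thread's error queue, so a stale entry left by an earlier call could be the one compared against `X509_R_CERT_ALREADY_IN_HASH_TABLE` rather than the one `X509_STORE_add_cert` just pushed. Reading the newest entry is the tighter check, e.g. `code = _lib.ERR_peek_last_error()`, assuming the cryptography binding in use exposes that function. The `add_cert` docstring should also state that adding a certificate already in the store is now a silent no-op, since callers that relied on `Error` to detect duplicates will no longer see it. `add_cert` begins above the lines shown in this hunk.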
From: Matej Cepl Date: Mon, 29 Oct 2018 18:26:05 +0000 Subject: [PATCH 3/6] Fix copyright line OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=49 --- python-pyOpenSSL.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index 2cc52f6..fdaaa33 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # From d244c67d99e9f42811f2a566625269f04fb49add40325def94f1042dec9903f6 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Tue, 30 Oct 2018 00:07:19 +0000 Subject: [PATCH 4/6] - Add patch fix_test_suite.patch to allow test suite to pass with OpenSSL 1.1.1. OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=50 --- fix_test_suite.patch | 29 +++++++++++++++++++++++++++++ python-pyOpenSSL.changes | 6 ++++++ python-pyOpenSSL.spec | 1 + 3 files changed, 36 insertions(+) create mode 100644 fix_test_suite.patch diff --git a/fix_test_suite.patch b/fix_test_suite.patch new file mode 100644 index 0000000..589b03d --- /dev/null +++ b/fix_test_suite.patch 
@@ -0,0 +1,29 @@ +--- a/tests/test_crypto.py ++++ b/tests/test_crypto.py +@@ -13,7 +13,7 @@ from datetime import datetime, timedelta + + import pytest + +-from six import binary_type ++from six import binary_type, PY3 + + from cryptography import x509 + from cryptography.hazmat.backends.openssl.backend import backend +@@ -3167,9 +3167,14 @@ class TestCRL(object): + # and with what certificate it was exported. + text.index(b'Serial Number: 03AB') + text.index(b'Superseded') +- text.index( +- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' +- ) ++ if PY3: ++ text.decode().translate(str.maketrans('','',',/ ')).index( ++ 'Issuer:C=USST=ILL=ChicagoO=TestingCN=TestingRootCA' ++ ) ++ else: ++ text.translate(None, ',/ ').index( ++ 'Issuer:C=USST=ILL=ChicagoO=TestingCN=TestingRootCA' ++ ) + + def test_export_der(self): + """ diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes index 9b22064..e8f02cf 100644 --- a/python-pyOpenSSL.changes +++ b/python-pyOpenSSL.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Oct 30 01:06:28 CET 2018 - mcepl@suse.com + +- Add patch fix_test_suite.patch to allow test suite to pass with + OpenSSL 1.1.1. + ------------------------------------------------------------------- Fri Aug 24 09:08:36 UTC 2018 - tchvatal@suse.com diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index fdaaa33..bdb66a1 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec @@ -28,6 +28,7 @@ URL: https://github.com/pyca/pyopenssl Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz Patch1: skip-networked-test.patch Patch2: openssl-1.1.0i.patch +Patch3: fix_test_suite.patch BuildRequires: %{python_module cryptography >= 2.3.0} BuildRequires: %{python_module flaky} BuildRequires: %{python_module pretend} From 70eff89ff98a9fa8bd7d60f4aa77efa5892763962ae680027365af2dc2ed20f9 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Tue, 30 Oct 2018 11:24:49 +0000 Subject: [PATCH 5/6] - Add patch to fix issues with openssl 1.1.1: * openssl-1.1.1.patch OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=51 --- fix_test_suite.patch | 29 ----- openssl-1.1.1.patch | 226 +++++++++++++++++++++++++++++++++++++++ python-pyOpenSSL.changes | 7 ++ python-pyOpenSSL.spec | 2 +- 4 files changed, 234 insertions(+), 30 deletions(-) delete mode 100644 fix_test_suite.patch create mode 100644 openssl-1.1.1.patch diff --git a/fix_test_suite.patch b/fix_test_suite.patch deleted file mode 100644 index 589b03d..0000000 --- a/fix_test_suite.patch +++ /dev/null @@ -1,29 +0,0 @@ ---- a/tests/test_crypto.py -+++ b/tests/test_crypto.py -@@ -13,7 +13,7 @@ from datetime import datetime, timedelta - - import pytest - --from six import binary_type -+from six import binary_type, PY3 - - from cryptography import x509 - from cryptography.hazmat.backends.openssl.backend import backend -@@ -3167,9 +3167,14 @@ class TestCRL(object): - # and with what certificate it was exported. - text.index(b'Serial Number: 03AB') - text.index(b'Superseded') -- text.index( -- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' -- ) -+ if PY3: -+ text.decode().translate(str.maketrans('','',',/ ')).index( -+ 'Issuer:C=USST=ILL=ChicagoO=TestingCN=TestingRootCA' -+ ) -+ else: -+ text.translate(None, ',/ ').index( -+ 'Issuer:C=USST=ILL=ChicagoO=TestingCN=TestingRootCA' -+ ) - - def test_export_der(self): - """ diff --git a/openssl-1.1.1.patch b/openssl-1.1.1.patch new file mode 100644 index 0000000..d03f0a3 --- /dev/null +++ b/openssl-1.1.1.patch 
@@ -0,0 +1,226 @@ +From 4725d76eb4a1c0e7b7b6de6e4a8e95d6f076b50b Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 17:35:31 -0400 +Subject: [PATCH 1/7] Attempt to fix CRL tests under OpenSSL 1.1.1 + +--- + tests/test_crypto.py | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/tests/test_crypto.py b/tests/test_crypto.py +index eb4590d0..4983d6ac 100644 +--- a/tests/test_crypto.py ++++ b/tests/test_crypto.py +@@ -3161,10 +3161,10 @@ def test_export_pem(self): + dumped_crl = crl.export( + self.cert, self.pkey, days=20, digest=b"sha256" + ) +- text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text") ++ text = _runopenssl( ++ dumped_crl, b"crl", b"-noout", b"-text", b"-nameopt", "" ++ ) + +- # These magic values are based on the way the CRL above was constructed +- # and with what certificate it was exported. + text.index(b'Serial Number: 03AB') + text.index(b'Superseded') + text.index( +@@ -3184,7 +3184,8 @@ def test_export_der(self): + self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5" + ) + text = _runopenssl( +- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER" ++ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER", ++ b"-nameopt", "" + ) + text.index(b'Serial Number: 03AB') + text.index(b'Superseded') +@@ -3207,7 +3208,8 @@ def test_export_text(self): + self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5" + ) + text = _runopenssl( +- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER" ++ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER", ++ b"-nameopt", "" + ) + + # text format + +From 17d793266477c9812fdf3311741f175b24c07ed7 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 17:54:22 -0400 +Subject: [PATCH 2/7] make these asserts both 1.1.1 and earlier friendly + +--- + tests/test_crypto.py | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tests/test_crypto.py b/tests/test_crypto.py +index 4983d6ac..c08f81c3 100644 +--- 
a/tests/test_crypto.py ++++ b/tests/test_crypto.py +@@ -3167,9 +3167,9 @@ def test_export_pem(self): + + text.index(b'Serial Number: 03AB') + text.index(b'Superseded') +- text.index( +- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' +- ) ++ text.index(b'Issuer:') ++ text.index(b'C=US') ++ text.index(b'CN=Testing Root CA') + + def test_export_der(self): + """ +@@ -3189,9 +3189,9 @@ def test_export_der(self): + ) + text.index(b'Serial Number: 03AB') + text.index(b'Superseded') +- text.index( +- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' +- ) ++ text.index(b'Issuer:') ++ text.index(b'C=US') ++ text.index(b'CN=Testing Root CA') + + # Flaky because we compare the output of running commands which sometimes + # varies by 1 second + +From f43cdc5cb6c5f1ccf7983d2c7b8f3304d5130662 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 18:09:49 -0400 +Subject: [PATCH 3/7] Fix setsession test by excluding TLS 1.3 + +TLS 1.3 changes how resumption works, and the precise assertion we use here doesn't hold for it. 
+--- + tests/test_ssl.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index fbf07603..4845eca3 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -2539,7 +2539,7 @@ def test_client_set_session(self): + """ + key = load_privatekey(FILETYPE_PEM, server_key_pem) + cert = load_certificate(FILETYPE_PEM, server_cert_pem) +- ctx = Context(SSLv23_METHOD) ++ ctx = Context(TLSv1_2_METHOD) + ctx.use_privatekey(key) + ctx.use_certificate(cert) + ctx.set_session_id("unity-test") + +From 71f44a0d979a10c69692dad2098841029363323f Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 19:42:38 -0400 +Subject: [PATCH 4/7] Make this always behave like 1.1.1 + +--- + src/OpenSSL/SSL.py | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py +index 5cf39c0d..910ce680 100644 +--- a/src/OpenSSL/SSL.py ++++ b/src/OpenSSL/SSL.py +@@ -1182,9 +1182,8 @@ def set_cipher_list(self, cipher_list): + if not isinstance(cipher_list, bytes): + raise TypeError("cipher_list must be a byte string.") + +- _openssl_assert( +- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1 +- ) ++ # This can return an error if there's no ciphersuites, but we don't care. 
++ _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) + + def set_client_ca_list(self, certificate_authorities): + """ + +From 457b6d391de7f0355def4a596ddb66eede63ae75 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 19:43:49 -0400 +Subject: [PATCH 5/7] Update tests for the new behavior + +--- + tests/test_ssl.py | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index 4845eca3..a5fb4df9 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -409,19 +409,18 @@ def test_set_cipher_list(self, context, cipher_string): + conn = Connection(context, None) + + assert "AES128-SHA" in conn.get_cipher_list() ++ ++ def test_set_cipher_list_imaginary(self, context): ++ # Doesn't raise an exception ++ context.set_cipher_list(b"gibberish") + +- @pytest.mark.parametrize("cipher_list,error", [ +- (object(), TypeError), +- ("imaginary-cipher", Error), +- ]) +- def test_set_cipher_list_wrong_args(self, context, cipher_list, error): ++ def test_set_cipher_list_wrong_args(self, context): + """ + `Context.set_cipher_list` raises `TypeError` when passed a non-string +- argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher +- list string. ++ argument. 
+ """ +- with pytest.raises(error): +- context.set_cipher_list(cipher_list) ++ with pytest.raises(TypeError): ++ context.set_cipher_list(object()) + + def test_load_client_ca(self, context, ca_file): + """ + +From d735cdba24a0a6a908e316743e03faf0fd7a7f8a Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 19:48:07 -0400 +Subject: [PATCH 6/7] flake8 + +--- + src/OpenSSL/SSL.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py +index 910ce680..a0469f10 100644 +--- a/src/OpenSSL/SSL.py ++++ b/src/OpenSSL/SSL.py +@@ -1182,7 +1182,8 @@ def set_cipher_list(self, cipher_list): + if not isinstance(cipher_list, bytes): + raise TypeError("cipher_list must be a byte string.") + +- # This can return an error if there's no ciphersuites, but we don't care. ++ # This can return an error if there's no ciphersuites, but we don't ++ # care. + _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) + + def set_client_ca_list(self, certificate_authorities): + +From cf1e7619862652e81879541a6af38b793ede47a1 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 20:01:26 -0400 +Subject: [PATCH 7/7] flake8 + +--- + tests/test_ssl.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index a5fb4df9..39e76500 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -409,7 +409,7 @@ def test_set_cipher_list(self, context, cipher_string): + conn = Connection(context, None) + + assert "AES128-SHA" in conn.get_cipher_list() +- ++ + def test_set_cipher_list_imaginary(self, context): + # Doesn't raise an exception + context.set_cipher_list(b"gibberish") diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes index e8f02cf..8a68b42 100644 --- a/python-pyOpenSSL.changes +++ b/python-pyOpenSSL.changes 
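Review bot: The patched `set_cipher_list` in src/OpenSSL/SSL.py discards the result of `_lib.SSL_CTX_set_cipher_list(self._context, cipher_list)`, so a mistyped or unsupported cipher string no longer raises and the caller cannot tell that the requested restriction was not applied. The new `test_set_cipher_list_imaginary` pins this silent acceptance. For code that calls this method to harden a context, this is fail-open behaviour; the docstring should say so and tell callers to confirm the effective list with `Connection.get_cipher_list()`. The failed call presumably also leaves its entry on the OpenSSL error queue, where a later unrelated call could report it, so adding `_lib.ERR_clear_error()` right after the call would keep the queue clean. The body of `set_cipher_list` starts outside the lines shown.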
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Oct 30 11:21:30 UTC 2018 - Tomáš Chvátal + +- Add patch to fix issues with openssl 1.1.1: + * openssl-1.1.1.patch +- Drop the downstream fix_test_suite.patch + ------------------------------------------------------------------- Tue Oct 30 01:06:28 CET 2018 - mcepl@suse.com diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index bdb66a1..f3db6db 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec @@ -28,7 +28,7 @@ URL: https://github.com/pyca/pyopenssl Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz Patch1: skip-networked-test.patch Patch2: openssl-1.1.0i.patch -Patch3: fix_test_suite.patch +Patch3: openssl-1.1.1.patch BuildRequires: %{python_module cryptography >= 2.3.0} BuildRequires: %{python_module flaky} BuildRequires: %{python_module pretend} From 96bb8c56563a0ea0e6a9c0b5c6c5b899f9e11324ab6936dd3812b2dca7c513c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Wed, 31 Oct 2018 05:46:13 +0000 Subject: [PATCH 6/6] Accepting request 645594 from home:vitezslav_cizek:branches:devel:languages:python - handle that renegotiation is forbidden in TLS 1.3 * add tls13-renegotiation.patch OBS-URL: https://build.opensuse.org/request/show/645594 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=52 --- python-pyOpenSSL.changes | 6 +++++ python-pyOpenSSL.spec | 1 + tls13-renegotiation.patch | 56 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+) create mode 100644 tls13-renegotiation.patch diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes index 8a68b42..a8d2e20 100644 --- a/python-pyOpenSSL.changes +++ b/python-pyOpenSSL.changes 
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Oct 30 13:41:43 UTC 2018 - Vítězslav Čížek + +- handle that renegotiation is forbidden in TLS 1.3 + * add tls13-renegotiation.patch + ------------------------------------------------------------------- Tue Oct 30 11:21:30 UTC 2018 - Tomáš Chvátal diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index f3db6db..b198f14 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec @@ -29,6 +29,7 @@ Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpe Patch1: skip-networked-test.patch Patch2: openssl-1.1.0i.patch Patch3: openssl-1.1.1.patch +Patch4: tls13-renegotiation.patch BuildRequires: %{python_module cryptography >= 2.3.0} BuildRequires: %{python_module flaky} BuildRequires: %{python_module pretend} diff --git a/tls13-renegotiation.patch b/tls13-renegotiation.patch new file mode 100644 index 0000000..8bb360c --- /dev/null +++ b/tls13-renegotiation.patch 
@@ -0,0 +1,56 @@ +Index: pyOpenSSL-18.0.0/tests/test_ssl.py +=================================================================== +--- pyOpenSSL-18.0.0.orig/tests/test_ssl.py 2018-10-30 20:43:38.806954080 +0100 ++++ pyOpenSSL-18.0.0/tests/test_ssl.py 2018-10-30 20:58:46.133504622 +0100 +@@ -3181,6 +3181,7 @@ class TestConnectionRenegotiate(object): + """ + Tests for SSL renegotiation APIs. + """ ++ + def test_total_renegotiations(self): + """ + `Connection.total_renegotiations` returns `0` before any renegotiations +@@ -3193,7 +3194,16 @@ class TestConnectionRenegotiate(object): + """ + Go through a complete renegotiation cycle. + """ +- server, client = loopback() ++ # renegotiation works with TLS version <= 1.2 ++ def makeServer12(socket): ++ ctx = Context(TLSv1_2_METHOD) ++ ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) ++ ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) ++ server = Connection(ctx, socket) ++ server.set_accept_state() ++ return server ++ ++ server, client = loopback(server_factory=makeServer12) + + server.send(b"hello world") + +@@ -3216,6 +3226,25 @@ class TestConnectionRenegotiate(object): + while False is server.renegotiate_pending(): + pass + ++ # renegotiation is forbidden in TLS 1.3 ++ server, client = loopback() ++ ++ server.send(b"hello world") ++ ++ assert b"hello world" == client.recv(len(b"hello world")) ++ ++ assert 0 == server.total_renegotiations() ++ assert False is server.renegotiate_pending() ++ ++ # renegotian under TLS 1.3 must fail ++ ++ if client.get_protocol_version_name() == "TLSv1.3": ++ try: ++ assert False is server.renegotiate() ++ #error ('SSL routines', 'SSL_renegotiate', 'wrong ssl version') ++ except SSL.Error: ++ pass ++ + + class TestError(object): + """
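Review bot: The TLS 1.3 branch added at the end of the renegotiation test cannot fail, because `assert False is server.renegotiate()` sits inside `try` / `except SSL.Error: pass`. Both a raised error and a `False` return pass, and when the negotiated version is not `TLSv1.3` nothing is checked at all. If the intended contract is the "wrong ssl version" error quoted in the comment, pin it with `with pytest.raises(Error): server.renegotiate()`. `pytest` and `Error` both appear in other tests/test_ssl.py hunks on this page, but whether the name `SSL` is in scope in that file is not visible here. The comment typo `renegotian` should read `renegotiation`, and the test method begins outside the hunk.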