[Pkg-freeipa-devel] python-nss: Changes to 'upstream'

Timo Aaltonen tjaalton at moszumanska.debian.org
Sun Aug 16 18:33:41 UTC 2015


 .hgtags                           |    8 
 MANIFEST                          |    3 
 doc/ChangeLog                     |  203 +++
 doc/examples/cert_trust.py        |  165 ++
 doc/examples/ssl_example.py       |   43 
 doc/examples/ssl_version_range.py |  122 +
 doc/examples/verify_server.py     |   44 
 setup.py                          |    2 
 src/SECerrs.h                     |   12 
 src/SSLerrs.h                     |   29 
 src/__init__.py                   |   14 
 src/py_nspr_common.h              |  153 ++
 src/py_nss.c                      |  486 +++++--
 src/py_nss.h                      |   44 
 src/py_shared_doc.h               |   43 
 src/py_ssl.c                      | 2359 ++++++++++++++++++++++++++++++++++----
 src/py_ssl.h                      |   25 
 test/test_client_server.py        |    9 
 18 files changed, 3316 insertions(+), 448 deletions(-)

New commits:
commit 841f576de6afae22380b505af33135dafd0c50ae
Author: John Dennis <jdennis at redhat.com>
Date:   Tue Oct 28 14:50:39 2014 -0400

    add py_shared_doc.h to MANIFEST

diff --git a/MANIFEST b/MANIFEST
index 297bb58..5f1d623 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -34,6 +34,7 @@ src/py_nspr_io.c
 src/py_nspr_io.h
 src/py_nss.c
 src/py_nss.h
+src/py_shared_doc.h
 src/py_ssl.c
 src/py_ssl.h
 src/py_traceback.h

commit 564ec92dbeac04a5475ed5a415e7f7e1c1635c84
Author: John Dennis <jdennis at redhat.com>
Date:   Mon Oct 27 11:19:14 2014 -0400

    Added tag PYNSS_RELEASE_0_16_0 for changeset 07759f773c0b

diff --git a/.hgtags b/.hgtags
index b209bbe..3ee56fd 100644
--- a/.hgtags
+++ b/.hgtags
@@ -20,3 +20,5 @@ f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1
 58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
 58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
 e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0
+e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0
+07759f773c0b643e0543ed3cf8168cd2937966dd PYNSS_RELEASE_0_16_0

commit 8f6b727f4cd5ba50b95800cd9520d181e95a852c
Author: John Dennis <jdennis at redhat.com>
Date:   Mon Oct 27 11:19:00 2014 -0400

    Fix doc typos

diff --git a/src/__init__.py b/src/__init__.py
index 42c2534..c1506fb 100644
--- a/src/__init__.py
+++ b/src/__init__.py
@@ -66,18 +66,6 @@ should not be used, they will be removed in a subsequent release.
     not respected, port will be value when `HostEntry` object was
     created.
 
-`ssl.nssinit()`
-    nssinit has been moved to the nss module, use `nss.nss_init()`
-    instead of ssl.nssinit
-
-`ssl.nss_init()`
-    nss_init has been moved to the nss module, use `nss.nss_init()`
-    instead of ssl.nssinit
-
-`ssl.nss_shutdown()`
-    nss_shutdown() has been moved to the nss module, use
-    `nss.nss_shutdown()` instead of ssl.nss_shutdown()
-
 `io.Socket()` and `ssl.SSLSocket()` without explicit family parameter
     Socket initialization will require the family parameter in the future.
     The default family parameter of PR_AF_INET is deprecated because
diff --git a/src/py_shared_doc.h b/src/py_shared_doc.h
index 9a57279..79b4b83 100644
--- a/src/py_shared_doc.h
+++ b/src/py_shared_doc.h
@@ -30,13 +30,13 @@ representing the indentation level for that line. Any remaining items\n\
 in the tuple are strings to be output on that line.\n\
 \n\
 The output of this function can be formatted into a single string by\n\
-calling `indented_format()`, e.g.:\n\
+calling `nss.nss.indented_format()`, e.g.:\n\
 \n\
     print indented_format(obj.format_lines())\n\
 \n\
 The reason this function returns a tuple as opposed to an single\n\
 indented string is to support other text formatting systems such as\n\
-GUI's with indentation controls.  See `indented_format()` for a\n\
+GUI's with indentation controls.  See `nss.nss.indented_format()` for a\n\
 complete explanation.\n\
 ");
 
diff --git a/src/py_ssl.c b/src/py_ssl.c
index 3e0dbf6..c345b6c 100644
--- a/src/py_ssl.c
+++ b/src/py_ssl.c
@@ -3107,9 +3107,6 @@ SSLChannelInformation_dealloc(SSLChannelInformation* self)
 PyDoc_STRVAR(SSLChannelInformation_doc,
 "SSLChannelInformation(obj)\n\
 \n\
-:Parameters:\n\
-    obj : xxx\n\
-\n\
 An object representing SSLChannelInformation.\n\
 ");
 
@@ -3902,7 +3899,7 @@ PyDoc_STRVAR(SSL_get_ssl_version_from_major_minor_doc,
 :Parameters:\n\
     major : int\n\
         The major version number.\n\
-    mainor : int\n\
+    minor : int\n\
         The minor version number.\n\
     repr_kind : RepresentationKind constant\n\
         Specifies what format the return value will be in.\n\
@@ -4177,7 +4174,7 @@ PyDoc_STRVAR(SSL_get_cipher_suite_info_doc,
     suite : int\n\
         a cipher suite enumerated constant\n\
 \n\
-Returns a `SSLCipherSuiteInfo object`.\n\
+Returns a `ssl.SSLCipherSuiteInfo`.\n\
 ");
 
 static PyObject *

commit f9ecf9c3855a5f2b32ca1f1cb02b31a749cb3ed3
Author: John Dennis <jdennis at redhat.com>
Date:   Mon Oct 27 10:03:47 2014 -0400

    Added tag PYNSS_RELEASE_0_16_0 for changeset e07c4d352c1d

diff --git a/.hgtags b/.hgtags
index 7f6f84c..b209bbe 100644
--- a/.hgtags
+++ b/.hgtags
@@ -18,3 +18,5 @@ f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1
 288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0
 288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0
 58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
+58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0
+e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0

commit e1e4f1a74f5cc4d234e992290f52fe8373ffd25a
Author: John Dennis <jdennis at redhat.com>
Date:   Mon Oct 27 10:02:59 2014 -0400

    Added tag PYNSS_RELEASE_0_16_0 for changeset 58faa8ba467a

diff --git a/.hgtags b/.hgtags
index 17e02d6..7f6f84c 100644
--- a/.hgtags
+++ b/.hgtags
@@ -16,3 +16,5 @@ e9302e97739fc677b660d6324efadea8294131ea PYNSS_RELEASE_0_14_1
 f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1
 73d6871d2b0770fa7f00e691c85f314bc0849309 PYNSS_RELEASE_0_15_0
 288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0
+288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0
+58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0

commit d11afcac6fa541ae2e629d70ad5e71d8dcef682c
Author: John Dennis <jdennis at redhat.com>
Date:   Mon Oct 27 10:02:19 2014 -0400

    Add SSLCipherSuiteInfo, SSLChannelInfo classes.
    Add SSLSocket.connection_info*

diff --git a/doc/ChangeLog b/doc/ChangeLog
index c03df82..dcf5260 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,20 +1,49 @@
 2014-10-21  John Dennis  <jdennis at redhat.com> 0.16.0
   The primary enhancements in this version is adding support for the
-  setting trust attributes on a Certificate and the SSL version range API.
+  setting trust attributes on a Certificate, the SSL version range API,
+  information on the SSL cipher suites and information on the SSL connection.
 
   * The following module functions were added:
-    - get_default_ssl_version_range
-    - get_supported_ssl_version_range
-    - set_default_ssl_version_range
-    - ssl_library_version_from_name
-    - ssl_library_version_name
+
+    - ssl.get_ssl_version_from_major_minor
+    - ssl.get_default_ssl_version_range
+    - ssl.get_supported_ssl_version_range
+    - ssl.set_default_ssl_version_range
+    - ssl.ssl_library_version_from_name
+    - ssl.ssl_library_version_name
+    - ssl.get_cipher_suite_info
+    - ssl.ssl_cipher_suite_name
+    - ssl.ssl_cipher_suite_from_name
+
+  * The following deprecated module functions were removed:
+
+    - ssl.nssinit
+    - ssl.nss_ini
+    - ssl.nss_shutdown
+
+  * The following classes were added:
+
+    - SSLCipherSuiteInfo
+    - SSLChannelInfo
 
   * The following class methods were added:
 
     - Certificate.trust_flags
     - Certificate.set_trust_attributes
+
     - SSLSocket.set_ssl_version_range
     - SSLSocket.get_ssl_version_range
+    - SSLSocket.get_ssl_channel_info
+    - SSLSocket.get_negotiated_host
+    - SSLSocket.connection_info_format_lines
+    - SSLSocket.connection_info_format
+    - SSLSocket.connection_info_str
+	
+    - SSLCipherSuiteInfo.format_lines
+    - SSLCipherSuiteInfo.format
+
+    - SSLChannelInfo.format_lines
+    - SSLChannelInfo.format
 
   * The following class properties were added:
 
@@ -22,6 +51,42 @@
     - Certificate.email_trust_flags
     - Certificate.signing_trust_flags
 
+    - SSLCipherSuiteInfo.cipher_suite
+    - SSLCipherSuiteInfo.cipher_suite_name
+    - SSLCipherSuiteInfo.auth_algorithm
+    - SSLCipherSuiteInfo.auth_algorithm_name
+    - SSLCipherSuiteInfo.kea_type
+    - SSLCipherSuiteInfo.kea_type_name
+    - SSLCipherSuiteInfo.symmetric_cipher
+    - SSLCipherSuiteInfo.symmetric_cipher_name
+    - SSLCipherSuiteInfo.symmetric_key_bits
+    - SSLCipherSuiteInfo.symmetric_key_space
+    - SSLCipherSuiteInfo.effective_key_bits
+    - SSLCipherSuiteInfo.mac_algorithm
+    - SSLCipherSuiteInfo.mac_algorithm_name
+    - SSLCipherSuiteInfo.mac_bits
+    - SSLCipherSuiteInfo.is_fips
+    - SSLCipherSuiteInfo.is_exportable
+    - SSLCipherSuiteInfo.is_nonstandard
+
+    - SSLChannelInfo.protocol_version
+    - SSLChannelInfo.protocol_version_str
+    - SSLChannelInfo.protocol_version_enum
+    - SSLChannelInfo.major_protocol_version
+    - SSLChannelInfo.minor_protocol_version
+    - SSLChannelInfo.cipher_suite
+    - SSLChannelInfo.auth_key_bits
+    - SSLChannelInfo.kea_key_bits
+    - SSLChannelInfo.creation_time
+    - SSLChannelInfo.creation_time_utc
+    - SSLChannelInfo.last_access_time
+    - SSLChannelInfo.last_access_time_utc
+    - SSLChannelInfo.expiration_time
+    - SSLChannelInfo.expiration_time_utc
+    - SSLChannelInfo.compression_method
+    - SSLChannelInfo.compression_method_name
+    - SSLChannelInfo.session_id
+
   * The following files were added:
 
     - doc/examples/cert_trust.py
@@ -131,6 +196,7 @@
     - ssl.tls1.3
 
    * The following methods were missing thread locks, this has been fixed.
+
      - nss.nss_initialize
      - nss.nss_init_context
      - nss.nss_shutdown_context
diff --git a/doc/examples/ssl_example.py b/doc/examples/ssl_example.py
index 74b83d7..e5084bb 100755
--- a/doc/examples/ssl_example.py
+++ b/doc/examples/ssl_example.py
@@ -40,7 +40,13 @@ def password_callback(slot, retry, password):
     return getpass.getpass("Enter password: ");
 
 def handshake_callback(sock):
-    print "handshake complete, peer = %s" % (sock.get_peer_name())
+    print "-- handshake complete --"
+    print "peer: %s" % (sock.get_peer_name())
+    print "negotiated host: %s" % (sock.get_negotiated_host())
+    print
+    print sock.connection_info_str()
+    print "-- handshake complete --"
+    print
 
 def auth_certificate_callback(sock, check_sig, is_server, certdb):
     print "auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server)
@@ -382,6 +388,12 @@ parser.add_argument('--request-cert-once', dest='client_cert_action',
 parser.add_argument('--request-cert-always', dest='client_cert_action',
                     action='store_const', const=REQUEST_CLIENT_CERT_ALWAYS)
 
+parser.add_argument('--min-ssl-version',
+                    help='minimum SSL version')
+
+parser.add_argument('--max-ssl-version',
+                    help='minimum SSL version')
+
 parser.set_defaults(client = False,
                     server = False,
                     db_name = 'sql:pki',
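Review bot: The help string added for `--max-ssl-version` is a copy of the one above it and reads 'minimum SSL version'; it should be `help='maximum SSL version')`. The same copy-paste is in the verify_server.py hunk that adds these two options. Neither help text says what form the value takes; if the setter accepts the names that `ssl.ssl_library_version_from_name` understands, saying so in the help would save users a failed run. The `parser.set_defaults(...)` call continues outside this hunk.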
@@ -413,7 +425,34 @@ else:
 ssl.set_domestic_policy()
 nss.set_password_callback(password_callback)
 
-# Run as a client or as a server
+min_ssl_version, max_ssl_version = \
+    ssl.get_supported_ssl_version_range(repr_kind=nss.AsString)
+print "Supported SSL version range: min=%s, max=%s" % \
+    (min_ssl_version, max_ssl_version)
+
+min_ssl_version, max_ssl_version = \
+    ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
+print "Default SSL version range: min=%s, max=%s" % \
+    (min_ssl_version, max_ssl_version)
+
+if options.min_ssl_version is not None or \
+   options.max_ssl_version is not None:
+
+    if options.min_ssl_version is not None:
+        min_ssl_version  = options.min_ssl_version
+    if options.max_ssl_version is not None:
+        max_ssl_version  = options.max_ssl_version
+
+    print "Setting default SSL version range: min=%s, max=%s" % \
+        (min_ssl_version, max_ssl_version)
+    ssl.set_default_ssl_version_range(min_ssl_version, max_ssl_version)
+
+    min_ssl_version, max_ssl_version = \
+        ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
+    print "Default SSL version range now: min=%s, max=%s" % \
+        (min_ssl_version, max_ssl_version)
+
+# Run as a client or as a serveri
 if options.client:
     print "starting as client"
     Client()
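Review bot: The rewritten comment line picked up a stray character, `# Run as a client or as a serveri`; it should stay `# Run as a client or as a server`. The option strings are passed unchecked to `ssl.set_default_ssl_version_range`, and unlike the matching block in verify_server.py nothing here catches a failure, so a rejected value would presumably end in a bare traceback. Because `--min-ssl-version` can move the process-wide default floor below the library default, a comment such as `# lowering the minimum is for interoperability testing only` above the override would help readers who copy this example into real code.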
diff --git a/doc/examples/ssl_version_range.py b/doc/examples/ssl_version_range.py
index 11fe85e..c784a99 100644
--- a/doc/examples/ssl_version_range.py
+++ b/doc/examples/ssl_version_range.py
@@ -118,3 +118,5 @@ for name in names:
     enum = ssl.ssl_library_version_from_name(name)
     enum_name = ssl.ssl_library_version_name(enum, nss.AsString)
     print "name='%s' -> %s (%#06x)" % (name, enum_name, enum)
+
+
diff --git a/doc/examples/verify_server.py b/doc/examples/verify_server.py
index e58c21e..3318ed7 100755
--- a/doc/examples/verify_server.py
+++ b/doc/examples/verify_server.py
@@ -27,7 +27,13 @@ GET /index.html HTTP/1.0
 # -----------------------------------------------------------------------------
 
 def handshake_callback(sock):
-    print "handshake complete, peer = %s" % (sock.get_peer_name())
+    print "-- handshake complete --"
+    print "peer: %s" % (sock.get_peer_name())
+    print "negotiated host: %s" % (sock.get_negotiated_host())
+    print
+    print sock.connection_info_str()
+    print "-- handshake complete --"
+    print
 
 def auth_certificate_callback(sock, check_sig, is_server, certdb):
     print "auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server)
@@ -170,14 +176,48 @@ parser.set_defaults(db_name = 'sql:pki',
                     port = 443,
                     )
 
+parser.add_argument('--min-ssl-version',
+                    help='minimum SSL version')
+
+parser.add_argument('--max-ssl-version',
+                    help='minimum SSL version')
+
 options = parser.parse_args()
 
 # Perform basic configuration and setup
 try:
     nss.nss_init(options.db_name)
     ssl.set_domestic_policy()
+
+    min_ssl_version, max_ssl_version = \
+        ssl.get_supported_ssl_version_range(repr_kind=nss.AsString)
+    print "Supported SSL version range: min=%s, max=%s" % \
+        (min_ssl_version, max_ssl_version)
+
+    min_ssl_version, max_ssl_version = \
+        ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
+    print "Default SSL version range: min=%s, max=%s" % \
+        (min_ssl_version, max_ssl_version)
+
+    if options.min_ssl_version is not None or \
+       options.max_ssl_version is not None:
+
+        if options.min_ssl_version is not None:
+            min_ssl_version  = options.min_ssl_version
+        if options.max_ssl_version is not None:
+            max_ssl_version  = options.max_ssl_version
+
+        print "Setting default SSL version range: min=%s, max=%s" % \
+            (min_ssl_version, max_ssl_version)
+        ssl.set_default_ssl_version_range(min_ssl_version, max_ssl_version)
+
+        min_ssl_version, max_ssl_version = \
+            ssl.get_default_ssl_version_range(repr_kind=nss.AsString)
+        print "Default SSL version range now: min=%s, max=%s" % \
+            (min_ssl_version, max_ssl_version)
+
 except Exception, e:
-    print >>sys.stderr, e.strerror
+    print >>sys.stderr, str(e)
     sys.exit(1)
 
 client()
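Review bot: The `try` body now also contains the version-range setup, so the single `except Exception, e` handler reports a database failure from `nss.nss_init` and a rejected `--min-ssl-version` value in the same way, with nothing to tell them apart. Switching from `e.strerror` to `str(e)` is right, but the message would be more useful with context, e.g. `print >>sys.stderr, "NSS/SSL setup failed: %s" % e`. A narrower alternative is to give the version-range block its own `try` that names the two option values in its error message.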
diff --git a/src/SECerrs.h b/src/SECerrs.h
index 04d0c11..8b6b36f 100644
--- a/src/SECerrs.h
+++ b/src/SECerrs.h
@@ -115,7 +115,7 @@ ER3(SEC_ERROR_EXTENSION_NOT_FOUND,		(SEC_ERROR_BASE + 35),
 
 ER3(SEC_ERROR_CA_CERT_INVALID,			(SEC_ERROR_BASE + 36),
 "Issuer certificate is invalid.")
-
+   
 ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID,	(SEC_ERROR_BASE + 37),
 "Certificate path length constraint is invalid.")
 
@@ -343,7 +343,7 @@ ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, 		(SEC_ERROR_BASE + 109),
 
 ER3(SEC_ERROR_OLD_KRL,	     			(SEC_ERROR_BASE + 110),
 "New KRL is not later than the current one.")
-
+ 
 ER3(SEC_ERROR_CKL_CONFLICT,	     		(SEC_ERROR_BASE + 111),
 "New CKL has different issuer than current CKL.  Delete current CKL.")
 
@@ -515,9 +515,6 @@ ER3(SEC_ERROR_BAD_INFO_ACCESS_LOCATION,    		(SEC_ERROR_BASE + 165),
 ER3(SEC_ERROR_LIBPKIX_INTERNAL,      		(SEC_ERROR_BASE + 166),
 "Libpkix internal error occurred during cert validation.")
 
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13)
-
-
 ER3(SEC_ERROR_PKCS11_GENERAL_ERROR,      		(SEC_ERROR_BASE + 167),
 "A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.")
 
@@ -545,10 +542,6 @@ ER3(SEC_ERROR_UNKNOWN_PKCS11_ERROR,        		(SEC_ERROR_BASE + 174),
 ER3(SEC_ERROR_BAD_CRL_DP_URL,			(SEC_ERROR_BASE + 175),
 "Invalid or unsupported URL in CRL distribution point name.")
 
-#endif
-
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
-
 ER3(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,	(SEC_ERROR_BASE + 176),
 "The certificate was signed using a signature algorithm that is disabled because it is not secure.")
 
@@ -558,4 +551,3 @@ ER3(SEC_ERROR_LEGACY_DATABASE,			(SEC_ERROR_BASE + 177),
 ER3(SEC_ERROR_APPLICATION_CALLBACK_ERROR,        (SEC_ERROR_BASE + 178),
 "The certificate was rejected by extra checks in the application.")
 
-#endif
diff --git a/src/SSLerrs.h b/src/SSLerrs.h
index 7e05af2..174037b 100644
--- a/src/SSLerrs.h
+++ b/src/SSLerrs.h
@@ -359,8 +359,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 109),
 ER3(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 110),
 "SSL received a malformed New Session Ticket handshake message.")
 
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13)
-
 ER3(SSL_ERROR_DECOMPRESSION_FAILURE,           (SSL_ERROR_BASE + 111),
 "SSL received a compressed record that could not be decompressed.")
 
@@ -376,10 +374,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD, (SSL_ERROR_BASE + 114),
 ER3(SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY,    (SSL_ERROR_BASE + 115),
 "SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.")
 
-#endif
-
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14)
-
 ER3(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID,      (SSL_ERROR_BASE + 116),
 "SSL received invalid NPN extension data.")
 
@@ -407,11 +401,24 @@ ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST, (SSL_ERROR_BASE + 123),
 ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION, (SSL_ERROR_BASE + 124),
 "SSL feature not supported for the protocol version.")
 
-#endif
-
-#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 15)
-
 ER3(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS,       (SSL_ERROR_BASE + 125),
 "SSL received an unexpected Certificate Status handshake message.")
 
-#endif
+ER3(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, (SSL_ERROR_BASE + 126),
+"Unsupported hash algorithm used by TLS peer.")
+
+ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR_BASE + 127),
+"Digest function failed.")
+
+ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128),
+"Incorrect signature algorithm specified in a digitally-signed element.")
+
+ER3(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK, (SSL_ERROR_BASE + 129),
+"The next protocol negotiation extension was enabled, but the callback was cleared prior to being needed.")
+
+ER3(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL, (SSL_ERROR_BASE + 130),
+"The server supports no protocols that the client advertises in the ALPN extension.")
+
+ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 131),
+"The server rejected the handshake because the client downgraded to a lower "
+"TLS version than the server supports.")
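Review bot: The six new entries (SSL_ERROR_BASE + 126 through + 131) are added unconditionally, and the same commit removes every `#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= ...)` guard from this file and from SECerrs.h. A build against NSS headers that lack any of these constants would then presumably stop with an undeclared-identifier error inside the error table, where the old guards left the entry out. If a newer NSS is now required, state that once where packagers will see it: an `#error "python-nss requires NSS >= <MIN_VERSION>"` behind an NSS_VMAJOR/NSS_VMINOR test near the top of the header, or the equivalent check in setup.py. It is also worth confirming that SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT exists in the oldest NSS the Debian package builds against, since a missing error string makes downgrade-protection failures harder to diagnose.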
diff --git a/src/py_nspr_common.h b/src/py_nspr_common.h
index b576d15..d123139 100644
--- a/src/py_nspr_common.h
+++ b/src/py_nspr_common.h
@@ -4,6 +4,8 @@
 
 //#define DEBUG
 
+typedef PyObject *(*format_lines_func)(PyObject *self, PyObject *args, PyObject *kwds);
+
 typedef enum RepresentationKindEnum {
     AsObject,
     AsString,
@@ -50,6 +52,107 @@ do {                                            \
 } while (0)
 
 
+/******************************************************************************/
+
+#define OCTETS_PER_LINE_DEFAULT 16
+#define HEX_SEPARATOR_DEFAULT ":"
+
+#define FMT_OBJ_AND_APPEND(dst_fmt_tuples, label, src_obj, level, fail) \
+{                                                                       \
+    PyObject *fmt_tuple = NULL;                                         \
+                                                                        \
+    if ((fmt_tuple = line_fmt_tuple(level, label, src_obj)) == NULL) {  \
+        goto fail;                                                      \
+    }                                                                   \
+    if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) {                \
+        Py_DECREF(fmt_tuple);                                           \
+        goto fail;                                                      \
+    }                                                                   \
+}
+
+#define FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail)        \
+{                                                                       \
+    PyObject *fmt_tuple = NULL;                                         \
+                                                                        \
+    if ((fmt_tuple = fmt_label(level, label)) == NULL) {                \
+        goto fail;                                                      \
+    }                                                                   \
+    if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) {                \
+        Py_DECREF(fmt_tuple);                                           \
+        goto fail;                                                      \
+    }                                                                   \
+}
+
+#define APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, src_fmt_tuples, fail) \
+{                                                                       \
+    PyObject *src_obj;                                                  \
+    Py_ssize_t len, i;                                                  \
+    if (src_fmt_tuples) {                                               \
+        len = PyList_Size(src_fmt_tuples);                              \
+        for (i = 0; i < len; i++) {                                     \
+            src_obj = PyList_GetItem(src_fmt_tuples, i);                \
+            PyList_Append(dst_fmt_tuples, src_obj);                     \
+        }                                                               \
+        Py_CLEAR(src_fmt_tuples);                                       \
+    }                                                                   \
+}
+
+#define APPEND_LINES_AND_CLEAR(dst_fmt_tuples, src_lines, level, fail)  \
+{                                                                       \
+    PyObject *src_obj;                                                  \
+    Py_ssize_t len, i;                                                  \
+    if (src_lines) {                                                    \
+        len = PySequence_Size(src_lines);                               \
+        for (i = 0; i < len; i++) {                                     \
+            src_obj = PySequence_GetItem(src_lines, i);                 \
+            FMT_OBJ_AND_APPEND(dst_fmt_tuples, NULL, src_obj, level, fail); \
+            Py_DECREF(src_obj);                                         \
+        }                                                               \
+        Py_CLEAR(src_lines);                                            \
+    }                                                                   \
+}
+
+#define CALL_FORMAT_LINES_AND_APPEND(dst_fmt_tuples, obj, level, fail)  \
+{                                                                       \
+    PyObject *obj_line_fmt_tuples;                                      \
+                                                                        \
+    if ((obj_line_fmt_tuples =                                          \
+         PyObject_CallMethod(obj, "format_lines",                       \
+                             "(i)", level)) == NULL) {                  \
+        goto fail;                                                      \
+    }                                                                   \
+                                                                        \
+    APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_line_fmt_tuples, fail); \
+}
+
+
+#define APPEND_OBJ_TO_HEX_LINES_AND_CLEAR(dst_fmt_tuples, obj, level, fail) \
+{                                                                       \
+    PyObject *obj_lines;                                                \
+                                                                        \
+    if ((obj_lines = obj_to_hex(obj, OCTETS_PER_LINE_DEFAULT,           \
+                                HEX_SEPARATOR_DEFAULT)) == NULL) {      \
+        goto fail;                                                      \
+    }                                                                   \
+    Py_CLEAR(obj);                                                      \
+    APPEND_LINES_AND_CLEAR(dst_fmt_tuples, obj_lines, level, fail);     \
+}
+
+#define FMT_SEC_INT_OBJ_APPEND_AND_CLEAR(dst_fmt_tuples, label, obj, level, fail) \
+{                                                                       \
+    PyObject *obj_lines = NULL;                                         \
+    SecItem *item = (SecItem *)obj;                                     \
+                                                                        \
+    FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail);           \
+    if ((obj_lines = secitem_integer_format_lines(&item->item, level+1)) == NULL) { \
+        goto fail;                                                      \
+    }                                                                   \
+    Py_CLEAR(obj);                                                      \
+    APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_lines, fail);      \
+}
+
+/******************************************************************************/
+
 // Gettext
 #ifndef _
 #define _(s) s
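Review bot: Now that these macros live in a shared header, two of them handle errors incompletely. APPEND_LINE_TUPLES_AND_CLEAR takes a `fail` label but never uses it, and it ignores the results of `PyList_Size` and `PyList_Append`, so a failed append is silently dropped with an exception still pending. In APPEND_LINES_AND_CLEAR the result of `PySequence_GetItem` is not checked, and when the nested FMT_OBJ_AND_APPEND jumps to `fail` it skips the `Py_DECREF(src_obj)`, leaking a reference. The rewrite below checks each call and releases what the macro owns before jumping; if `line_fmt_tuple` returns a new reference, the success path likely also needs a `Py_DECREF(fmt_tuple)` after the append, which is worth confirming. The macros also use bare `{ }` bodies where the macro just above this block uses `do { ... } while (0)`, and they rely on `line_fmt_tuple`, `fmt_label`, `obj_to_hex` and `secitem_integer_format_lines` being visible in every file that includes the header.

```c
/* ... unchanged: FMT_OBJ_AND_APPEND, FMT_LABEL_AND_APPEND ... */

#define APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, src_fmt_tuples, fail) \
{                                                                       \
    PyObject *src_obj;                                                  \
    Py_ssize_t len, i;                                                  \
    if (src_fmt_tuples) {                                               \
        if ((len = PyList_Size(src_fmt_tuples)) < 0) {                  \
            Py_CLEAR(src_fmt_tuples);                                   \
            goto fail;                                                  \
        }                                                               \
        for (i = 0; i < len; i++) {                                     \
            src_obj = PyList_GetItem(src_fmt_tuples, i); /* borrowed */ \
            if (src_obj == NULL ||                                      \
                PyList_Append(dst_fmt_tuples, src_obj) != 0) {          \
                Py_CLEAR(src_fmt_tuples);                               \
                goto fail;                                              \
            }                                                           \
        }                                                               \
        Py_CLEAR(src_fmt_tuples);                                       \
    }                                                                   \
}

#define APPEND_LINES_AND_CLEAR(dst_fmt_tuples, src_lines, level, fail)  \
{                                                                       \
    PyObject *src_obj, *fmt_tuple;                                      \
    Py_ssize_t len, i;                                                  \
    if (src_lines) {                                                    \
        if ((len = PySequence_Size(src_lines)) < 0) {                   \
            Py_CLEAR(src_lines);                                        \
            goto fail;                                                  \
        }                                                               \
        for (i = 0; i < len; i++) {                                     \
            if ((src_obj = PySequence_GetItem(src_lines, i)) == NULL) { \
                Py_CLEAR(src_lines);                                    \
                goto fail;                                              \
            }                                                           \
            fmt_tuple = line_fmt_tuple(level, NULL, src_obj);           \
            Py_DECREF(src_obj); /* new reference from GetItem */        \
            if (fmt_tuple == NULL ||                                    \
                PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) {        \
                Py_XDECREF(fmt_tuple);                                  \
                Py_CLEAR(src_lines);                                    \
                goto fail;                                              \
            }                                                           \
        }                                                               \
        Py_CLEAR(src_lines);                                            \
    }                                                                   \
}

/* ... unchanged: CALL_FORMAT_LINES_AND_APPEND and the remaining macros ... */
```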
diff --git a/src/py_nss.c b/src/py_nss.c
index 95d3958..a34fae3 100644
--- a/src/py_nss.c
+++ b/src/py_nss.c
@@ -355,10 +355,12 @@ NewType_new_from_NSSType(NSSType *id)
 #define PY_SSIZE_T_CLEAN
 #include "Python.h"
 #include "structmember.h"
+#include "datetime.h"
 
 #include "py_nspr_common.h"
 #define NSS_NSS_MODULE
 #include "py_nss.h"
+#include "py_shared_doc.h"
 #include "py_nspr_error.h"
 
 #include "secder.h"
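Review bot: The added `#include "datetime.h"` only declares the datetime C API; the capsule behind it is not loaded until `PyDateTime_IMPORT` runs, and the `PyDateTime_*` constructors and check macros dereference a NULL `PyDateTimeAPI` before that. The module init function is outside this hunk, so please confirm that it invokes `PyDateTime_IMPORT;` before any code path can build a datetime object. If py_ssl.c also produces datetime values for the new `*_time_utc` properties, it needs its own include and `PyDateTime_IMPORT`, because `PyDateTimeAPI` is a static variable in each translation unit.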
@@ -379,8 +381,6 @@ NewType_new_from_NSSType(NSSType *id)
 
 #define MAX_AVAS 10
 #define MAX_RDNS 10
-#define OCTETS_PER_LINE_DEFAULT 16
-#define HEX_SEPARATOR_DEFAULT ":"
 
 #ifdef DEBUG
 #include "py_traceback.h"
@@ -534,8 +534,6 @@ PyString_UTF8(PyObject *obj, char *name);
 /* ========================================================================== */
 
 
-typedef PyObject *(*format_lines_func)(PyObject *self, PyObject *args, PyObject *kwds);
-
 static PyObject *
 line_fmt_tuple(int level, const char *label, PyObject *py_value);
 
@@ -554,140 +552,6 @@ format_from_lines(format_lines_func formatter, PyObject *self, PyObject *args, P
 static PyObject *
 py_indented_format(PyObject *self, PyObject *args, PyObject *kwds);
 
-#define FMT_OBJ_AND_APPEND(dst_fmt_tuples, label, src_obj, level, fail) \
-{                                                                       \
-    PyObject *fmt_tuple = NULL;                                         \
-                                                                        \
-    if ((fmt_tuple = line_fmt_tuple(level, label, src_obj)) == NULL) {  \
-        goto fail;                                                      \
-    }                                                                   \
-    if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) {                \
-        Py_DECREF(fmt_tuple);                                           \
-        goto fail;                                                      \
-    }                                                                   \
-}
-
-#define FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail)        \
-{                                                                       \
-    PyObject *fmt_tuple = NULL;                                         \
-                                                                        \
-    if ((fmt_tuple = fmt_label(level, label)) == NULL) {                \
-        goto fail;                                                      \
-    }                                                                   \
-    if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) {                \
-        Py_DECREF(fmt_tuple);                                           \
-        goto fail;                                                      \
-    }                                                                   \
-}
-
-#define APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, src_fmt_tuples, fail) \
-{                                                                       \
-    PyObject *src_obj;                                                  \
-    Py_ssize_t len, i;                                                  \
-    if (src_fmt_tuples) {                                               \
-        len = PyList_Size(src_fmt_tuples);                              \
-        for (i = 0; i < len; i++) {                                     \
-            src_obj = PyList_GetItem(src_fmt_tuples, i);                \
-            PyList_Append(dst_fmt_tuples, src_obj);                     \
-        }                                                               \
-        Py_CLEAR(src_fmt_tuples);                                       \
-    }                                                                   \
-}
-
-#define APPEND_LINES_AND_CLEAR(dst_fmt_tuples, src_lines, level, fail)  \
-{                                                                       \
-    PyObject *src_obj;                                                  \
-    Py_ssize_t len, i;                                                  \
-    if (src_lines) {                                                    \
-        len = PySequence_Size(src_lines);                               \
-        for (i = 0; i < len; i++) {                                     \
-            src_obj = PySequence_GetItem(src_lines, i);                 \
-            FMT_OBJ_AND_APPEND(dst_fmt_tuples, NULL, src_obj, level, fail); \
-            Py_DECREF(src_obj);                                         \
-        }                                                               \
-        Py_CLEAR(src_lines);                                            \
-    }                                                                   \
-}
-
-#define CALL_FORMAT_LINES_AND_APPEND(dst_fmt_tuples, obj, level, fail)  \
-{                                                                       \
-    PyObject *obj_line_fmt_tuples;                                      \
-                                                                        \
-    if ((obj_line_fmt_tuples =                                          \
-         PyObject_CallMethod(obj, "format_lines",                       \
-                             "(i)", level)) == NULL) {                  \
-        goto fail;                                                      \
-    }                                                                   \
-                                                                        \
-    APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_line_fmt_tuples, fail); \
-}
-
-
-#define APPEND_OBJ_TO_HEX_LINES_AND_CLEAR(dst_fmt_tuples, obj, level, fail) \
-{                                                                       \
-    PyObject *obj_lines;                                                \
-                                                                        \
-    if ((obj_lines = obj_to_hex(obj, OCTETS_PER_LINE_DEFAULT,           \
-                                HEX_SEPARATOR_DEFAULT)) == NULL) {      \
-        goto fail;                                                      \
-    }                                                                   \
-    Py_CLEAR(obj);                                                      \
-    APPEND_LINES_AND_CLEAR(dst_fmt_tuples, obj_lines, level, fail);     \
-}
-
-#define FMT_SEC_INT_OBJ_APPEND_AND_CLEAR(dst_fmt_tuples, label, obj, level, fail) \
-{                                                                       \
-    PyObject *obj_lines = NULL;                                         \
-    SecItem *item = (SecItem *)obj;                                     \
-                                                                        \
-    FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail);           \
-    if ((obj_lines = secitem_integer_format_lines(&item->item, level+1)) == NULL) { \
-        goto fail;                                                      \
-    }                                                                   \
-    Py_CLEAR(obj);                                                      \
-    APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_lines, fail);      \
-}
-
-PyDoc_STRVAR(generic_format_doc,
-"format(level=0, indent='    ') -> string)\n\
-\n\
-:Parameters:\n\
-    level : integer\n\
-        Initial indentation level, all subsequent indents are relative\n\
-        to this starting level.\n\
-    indent : string\n\
-        string replicated once for each indent level then prepended to output line\n\
-\n\
-This is equivalent to:\n\
-indented_format(obj.format_lines()) on an object providing a format_lines() method.\n\
-");
-
-PyDoc_STRVAR(generic_format_lines_doc,
-"format_lines(level=0) -> [(level, string),...]\n\
-\n\
-:Parameters:\n\
-    level : integer\n\
-        Initial indentation level, all subsequent indents are relative\n\
-        to this starting level.\n\
-\n\
-Formats the object into a sequence of lines with indent level\n\
-information.  The return value is a list where each list item is a\n\
-tuple.  The first item in the tuple is an integer\n\
-representing the indentation level for that line. Any remaining items\n\
-in the tuple are strings to be output on that line.\n\
-\n\
-The output of this function can be formatted into a single string by\n\
-calling `indented_format()`, e.g.:\n\
-\n\
-    print indented_format(obj.format_lines())\n\
-\n\
-The reason this function returns a tuple as opposed to an single\n\
-indented string is to support other text formatting systems such as\n\
-GUI's with indentation controls.  See `indented_format()` for a\n\
-complete explanation.\n\
-");
-
-
 /* Steals reference to obj_str */
 static PyObject *
 line_fmt_tuple(int level, const char *label, PyObject *py_value)
@@ -1794,6 +1658,9 @@ CERTCertExtensions_from_CERTAttribute(PRArenaPool *arena,
 static SECStatus
 My_CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req, CERTCertExtension ***exts);
 
+static PyObject *
+timestamp_to_DateTime(time_t timestamp, bool utc);
+
 /* ==================================== */
 
 typedef struct BitStringTableStr {
@@ -1844,6 +1711,23 @@ static BitStringTable CertTypeDef[] = {
     BITSTRING_TBL_INIT(NS_CERT_TYPE_OBJECT_SIGNING_CA, _("Object Signing CA") ), /* bit 7 */
 };
 
+static PyObject *
+timestamp_to_DateTime(time_t timestamp, bool utc)
+{
+    double d_timestamp = timestamp;
+    PyObject *py_datetime = NULL;
+    char *method;
+
+    method = utc ? "utcfromtimestamp" : "fromtimestamp";
+    if ((py_datetime = 
+         PyObject_CallMethod((PyObject *)PyDateTimeAPI->DateTimeType,
+                             method, "(d)", d_timestamp)) == NULL) {
+            return NULL;
+    }
+
+    return py_datetime;
+}
+
 /* returns new reference or NULL on error */
 PyObject *
 PyString_UTF8(PyObject *obj, char *name)
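Review bot: timestamp_to_DateTime has no comment stating what it returns, while PyString_UTF8 directly below carries `/* returns new reference or NULL on error */`. Since this commit also exports the function through the C API table, callers in other modules need that contract. With utc true it calls utcfromtimestamp, which yields a naive datetime without tzinfo, so a caller that compares it with a local-time value gets a wrong answer rather than an error. I would add `/* returns new reference to a naive datetime (UTC when utc is true, local time otherwise) or NULL on error */` above the definition. The `if (... == NULL) { return NULL; }` wrapper adds nothing, and the body could return the PyObject_CallMethod result directly.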
@@ -5209,6 +5093,8 @@ SecItem_str(SecItem *self)
         break;
     case SECITEM_algorithm:
         return oid_secitem_to_pystr_desc(&self->item);
+    case SECITEM_buffer:
+        return secitem_to_pystr_hex(&self->item);
     default:
         return der_any_secitem_to_pystr(&self->item);
         break;
@@ -23973,6 +23859,13 @@ static PyNSPR_NSS_C_API_Type nspr_nss_c_api =
     cert_distnames_as_CERTDistNames,
     _AddIntConstantWithLookup,
     _AddIntConstantAlias,
+    format_from_lines,
+    line_fmt_tuple,
+    obj_sprintf,
+    obj_to_hex,
+    raw_data_to_hex,
+    fmt_label,
+    timestamp_to_DateTime
 };
 
 /* ============================== Module Construction ============================= */
@@ -23991,6 +23884,8 @@ initnss(void)
         return;
     }
 
+    PyDateTime_IMPORT;
+
     if ((m = Py_InitModule3("nss.nss", module_methods, module_doc)) == NULL) {
         return;
     }
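Review bot: The result of `PyDateTime_IMPORT;` is not checked, so if importing the datetime C API fails, PyDateTimeAPI is left NULL and module initialisation continues with an exception pending. timestamp_to_DateTime, added in this commit, then dereferences `PyDateTimeAPI->DateTimeType` without a guard. Add `if (PyDateTimeAPI == NULL) return;` right after the import, matching the early returns around it. initnss starts and ends outside this hunk.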
diff --git a/src/py_nss.h b/src/py_nss.h
index c9661e2..1fb858a 100644
--- a/src/py_nss.h
+++ b/src/py_nss.h
@@ -414,6 +414,18 @@ typedef struct {
                                      PyObject *value_to_name);
     int (*_AddIntConstantAlias)(const char *name, long value,
                                 PyObject *name_to_value);
+    PyObject *(*format_from_lines)(format_lines_func formatter, PyObject *self,
+                                   PyObject *args, PyObject *kwds);
+    PyObject *(*line_fmt_tuple)(int level, const char *label,
+                                PyObject *py_value);
+    PyObject *(*obj_sprintf)(const char *fmt, ...);
+    PyObject *(*obj_to_hex)(PyObject *obj,
+                            int octets_per_line, char *separator);
+    PyObject *(*raw_data_to_hex)(unsigned char *data, int data_len,
+                                 int octets_per_line, char *separator);
+    PyObject *(*fmt_label)(int level, char *label);
+    PyObject *(*timestamp_to_DateTime)(time_t timestamp, bool utc);
+
 
 
 } PyNSPR_NSS_C_API_Type;
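Review bot: The seven new pointers grow a table that separately built modules read by member offset, and nothing visible here tells a consumer how large the table it received actually is. A py_ssl built against this header but loaded with an older nss.nss would read, and later call through, memory past the end of the older table. Whether import_nspr_nss_c_api checks a version or size is not visible in this hunk and should be confirmed. At minimum add a comment above the new members such as `/* append only: members are read by position from other extension modules; never reorder or remove */`. The struct definition starts outside the hunk.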
@@ -452,6 +464,13 @@ static PyNSPR_NSS_C_API_Type nspr_nss_c_api;
 #define cert_distnames_as_CERTDistNames (*nspr_nss_c_api.cert_distnames_as_CERTDistNames)
 #define _AddIntConstantWithLookup (*nspr_nss_c_api._AddIntConstantWithLookup)
 #define _AddIntConstantAlias (*nspr_nss_c_api._AddIntConstantAlias)
+#define format_from_lines (*nspr_nss_c_api.format_from_lines)
+#define line_fmt_tuple (*nspr_nss_c_api.line_fmt_tuple)
+#define obj_sprintf (*nspr_nss_c_api.obj_sprintf)
+#define obj_to_hex (*nspr_nss_c_api.obj_to_hex)
+#define raw_data_to_hex (*nspr_nss_c_api.raw_data_to_hex)
+#define fmt_label (*nspr_nss_c_api.fmt_label)
+#define timestamp_to_DateTime (*nspr_nss_c_api.timestamp_to_DateTime)
 
 static int
 import_nspr_nss_c_api(void)
diff --git a/src/py_shared_doc.h b/src/py_shared_doc.h
new file mode 100644
index 0000000..9a57279
--- /dev/null
+++ b/src/py_shared_doc.h
@@ -0,0 +1,43 @@
+#ifndef PY_SHARED_DOC_H
+#define PY_SHARED_DOC_H
+
+PyDoc_STRVAR(generic_format_doc,
+"format(level=0, indent='    ') -> string)\n\
+\n\
+:Parameters:\n\
+    level : integer\n\
+        Initial indentation level, all subsequent indents are relative\n\
+        to this starting level.\n\
+    indent : string\n\
+        string replicated once for each indent level then prepended to output line\n\
+\n\
+This is equivalent to:\n\
+indented_format(obj.format_lines()) on an object providing a format_lines() method.\n\
+");
+
+PyDoc_STRVAR(generic_format_lines_doc,
+"format_lines(level=0) -> [(level, string),...]\n\
+\n\
+:Parameters:\n\
+    level : integer\n\
+        Initial indentation level, all subsequent indents are relative\n\
+        to this starting level.\n\
+\n\
+Formats the object into a sequence of lines with indent level\n\
+information.  The return value is a list where each list item is a\n\
+tuple.  The first item in the tuple is an integer\n\
+representing the indentation level for that line. Any remaining items\n\
+in the tuple are strings to be output on that line.\n\
+\n\
+The output of this function can be formatted into a single string by\n\
+calling `indented_format()`, e.g.:\n\
+\n\
+    print indented_format(obj.format_lines())\n\
+\n\
+The reason this function returns a tuple as opposed to an single\n\
+indented string is to support other text formatting systems such as\n\
+GUI's with indentation controls.  See `indented_format()` for a\n\
+complete explanation.\n\
+");
+
+#endif // PY_SHARED_DOC_H
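Review bot: The signature line of generic_format_doc has an unbalanced parenthesis, `-> string)`, and generic_format_lines_doc says "an single". Both were carried over unchanged from py_nss.c and will now show up in the help text of every module that includes this header. Suggested lines: `"format(level=0, indent='    ') -> string\n\` and `The reason this function returns a tuple as opposed to a single\n\`. The header also uses PyDoc_STRVAR without including Python.h itself, so it only compiles when included after it; a one-line comment at the top stating that requirement would help.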
diff --git a/src/py_ssl.c b/src/py_ssl.c
index a1dbdce..3e0dbf6 100644
--- a/src/py_ssl.c
+++ b/src/py_ssl.c
@@ -15,12 +15,18 @@
 #define NSS_SSL_MODULE
 #include "py_ssl.h"
 #include "py_nss.h"
+#include "py_shared_doc.h"
 #include "py_nspr_error.h"
 


