[Pkg-freeipa-devel] [Git][freeipa-team/python-nss][upstream] 6 commits: Added tag PYNSS_RELEASE_1_0_0 for changeset 9a5cf0294fc1

Timo Aaltonen gitlab at salsa.debian.org
Thu Dec 3 15:39:32 GMT 2020



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / python-nss


Commits:
3bf7e4a7 by John Dennis at 2016-09-02T13:06:18-04:00
Added tag PYNSS_RELEASE_1_0_0 for changeset 9a5cf0294fc1

- - - - -
ea420813 by John Dennis at 2016-10-11T13:42:47-04:00
Add doc/examples/ssl_cipher_info.py

- - - - -
9c44cdd5 by John Dennis at 2017-02-28T18:06:27-05:00
Add TLS 1.3 cipher suites

TLS 1.3 does not use any of the TLS 1.2 cipher suites but introduces a
new set of cipher suites. The new cipher suites no longer define the key
agreement and authentication protocols.

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
58f07a78 by John Dennis at 2017-02-28T18:09:25-05:00
ssl_cipher_info: Try to enable TLS 1.3

Attempt to enable TLS version 1.3 in the ssl_cipher_info.py example script.
At the moment NSS 3.28.1 and older have TLS 1.3 support disabled. With a
custom build of NSS, ssl_cipher_info.py is able to establish a TLS 1.3
connection to tls13.crypto.mozilla.org.

SSL connect to: tls13.crypto.mozilla.org
try connecting to: 52.32.149.186
connected to: 52.32.149.186
handshake complete, peer = 52.32.149.186, negotiated host = tls13.crypto.mozilla.org
Connection Info:
SSL Protocol Version: 3.4 (tls1.3)
Cipher:               128-bit AES-GCM
MAC:                  128-bit AEAD
Auth:                 2048-bit TLS 1.3
Key Exchange:         255-bit TLS 1.3
Compression:          NULL

Channel:
--------
Protocol Version:      3.4 (tls1.3)
Cipher Suite:          TLS_AES_128_GCM_SHA256 (0x1301)
Auth Key Bits:         2048
Key Exchange Key Bits: 255
Creation Time:         1970-01-01 01:00:00
Last Access Time:      1970-01-01 01:00:00
Expiration Time:       1970-01-01 01:00:00
Compression Method:    NULL (0x0)
Session ID:

Suite:
------
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
    Auth Algorithm:               TLS 1.3 (0xa)
    Key Exchange Type:            TLS 1.3 (0x7)
    Symmetric Cipher:             AES-GCM (0xa)
    Symmetric Key Bits:           128
    Effective Symmetric Key Bits: 128
    Symmetric Key Space:          128
    MAC Algorithm:                AEAD (0x6)
    MAC Bits:                     128
    FIPS:                         True
    Exportable:                   False
    Nonstandard:                  False

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
70299bb8 by John Dennis at 2017-02-28T18:11:19-05:00
Fix bdist_wheel support to build python-nss as Python wheel

The '-d' argument is already reserved as an alias for the destination
directory. The bdist_wheel builder uses -d to build wheels in a
temporary directory.

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
caa3100b by John Dennis at 2017-02-28T18:13:34-05:00
Update changelog and bump version

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -


6 changed files:

- .hgtags
- MANIFEST
- doc/ChangeLog
- + doc/examples/ssl_cipher_info.py
- setup.py
- src/py_ssl.c


Changes:

=====================================
.hgtags
=====================================
@@ -35,3 +35,5 @@ bbe06f8d7b1bd897a9a836ec9ae977413e0e0c55 PYNSS_RELEASE_0_17_0
 84c4fa461e3040f7b3ecbdcb370de7ca921f87d4 PYNSS_RELEASE_1_0_0
 84c4fa461e3040f7b3ecbdcb370de7ca921f87d4 PYNSS_RELEASE_1_0_0
 96fff7c15b21fb0e25acfa9d68b9094623f5fcf4 PYNSS_RELEASE_1_0_0
+96fff7c15b21fb0e25acfa9d68b9094623f5fcf4 PYNSS_RELEASE_1_0_0
+9a5cf0294fc1f888d93f5a9bbf4e0217039036da PYNSS_RELEASE_1_0_0
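Review bot: the added `+96fff7c15b21fb0e25acfa9d68b9094623f5fcf4 PYNSS_RELEASE_1_0_0` line repeats the existing third line verbatim before the tag is moved to 9a5cf0294fc1f888d93f5a9bbf4e0217039036da; that is how Mercurial records a tag being reassigned, but it means PYNSS_RELEASE_1_0_0 has now pointed at four different changesets. A release tag that moves after it has been published defeats anyone checking a source tarball against the tag, so consider leaving the tag where it was and tagging the follow-up as a new release instead.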


=====================================
MANIFEST
=====================================
@@ -9,6 +9,7 @@ doc/examples/pbkdf2_example.py
 doc/examples/cert_dump.py
 doc/examples/cert_trust.py
 doc/examples/httplib_example.py
+doc/examples/ssl_cipher_info.py
 doc/examples/ssl_example.py
 doc/examples/ssl_version_range.py
 doc/examples/verify_server.py


=====================================
doc/ChangeLog
=====================================
@@ -1,3 +1,18 @@
+2017-02-16  Christian Heimes  <cheimes at redhat.com> 1.0.1
+
+  * Add TLS 1.3 cipher suites.
+
+  * ssl_cipher_info.py now attempts to enable TLS 1.3.
+
+  * Fix build issue in setup.py. python-nss can now be build
+    as Python wheel, e.g. `pip wheel -w dist .`
+
+  * The following constants were added:
+
+    - ssl.TLS_AES_128_GCM_SHA256
+    - ssl.TLS_AES_256_GCM_SHA384
+    - ssl.TLS_CHACHA20_POLY1305_SHA256
+
 2016-09-01  John Dennis  <jdennis at redhat.com> 1.0.0
   * Official 1.0.0 release, only minor tweaks from 1.0.0.beta1
 
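Review bot: typo in the new entry's third bullet: `python-nss can now be build` should read `can now be built as a Python wheel`. The entry is also dated 2017-02-16 while the commits carrying these changes are dated 2017-02-28; align the date with the actual release.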


=====================================
doc/examples/ssl_cipher_info.py
=====================================
@@ -0,0 +1,208 @@
+from __future__ import absolute_import
+from __future__ import print_function
+
+import argparse
+import sys
+
+from nss.error import NSPRError
+import nss.io as io
+import nss.nss as nss
+import nss.ssl as ssl
+
+#-------------------------------------------------------------------------------
+
+TIMEOUT_SECS = 3
+
+REQUEST = '''\
+GET /index.html HTTP/1.0
+
+'''
+#-------------------------------------------------------------------------------
+
+def print_suite_info(suite):
+    print("Suite:")
+    print("------")
+
+    if not options.use_properties:
+        print(suite)
+    else:
+        print("cipher_suite_name:     %s"  % (suite.cipher_suite_name))
+        print("cipher_suite:          %#x" % (suite.cipher_suite))
+        print("auth_algorithm_name:   %s"  % (suite.auth_algorithm_name))
+        print("auth_algorithm:        %#x" % (suite.auth_algorithm))
+        print("kea_type_name:         %s"  % (suite.kea_type_name))
+        print("kea_type:              %#x" % (suite.kea_type))
+        print("symmetric_cipher_name: %s"  % (suite.symmetric_cipher_name))
+        print("symmetric_cipher:      %#x" % (suite.symmetric_cipher))
+        print("symmetric_key_bits:    %s"  % (suite.symmetric_key_bits))
+        print("symmetric_key_space:   %s"  % (suite.symmetric_key_space))
+        print("effective_key_bits:    %s"  % (suite.effective_key_bits))
+        print("mac_algorithm_name:    %s"  % (suite.mac_algorithm_name))
+        print("mac_algorithm:         %#x" % (suite.mac_algorithm))
+        print("mac_bits:              %s"  % (suite.mac_bits))
+        print("is_fips:               %s"  % (suite.is_fips))
+        print("is_exportable:         %s"  % (suite.is_exportable))
+        print("is_nonstandard:        %s"  % (suite.is_nonstandard))
+
+def print_channel_info(channel):
+    print("Channel:")
+    print("--------")
+
+    if not options.use_properties:
+        print(channel)
+    else:
+        print("protocol_version:        %#x" % (channel.protocol_version))
+        print("protocol_version string: %s"  % (channel.protocol_version_str))
+        print("protocol_version enum:   %#x" % (channel.protocol_version_enum))
+        print("major_protocol_version:  %s"  % (channel.major_protocol_version))
+        print("minor_protocol_version:  %s"  % (channel.minor_protocol_version))
+        print("cipher_suite:            %#x" % (channel.cipher_suite))
+        print("auth_key_bits:           %d"  % (channel.auth_key_bits))
+        print("kea_key_bits:            %d"  % (channel.kea_key_bits))
+        print("creation_time:           %s"  % (channel.creation_time))
+        print("last_access_time:        %s"  % (channel.last_access_time))
+        print("expiration_time:         %s"  % (channel.expiration_time))
+        print("creation_time_utc:       %s"  % (channel.creation_time_utc))
+        print("last_access_time_utc:    %s"  % (channel.last_access_time_utc))
+        print("expiration_time_utc:     %s"  % (channel.expiration_time_utc))
+        print("compression_method:      %#x" % (channel.compression_method))
+        print("compression_method_name: %s"  % (channel.compression_method_name))
+        print("session_id:              %s"  % (channel.session_id))
+
+def handshake_callback(sock):
+
+    print("handshake complete, peer = %s, negotiated host = %s" %
+          (sock.get_peer_name(), sock.get_negotiated_host()))
+    print("Connection Info:")
+    print(sock.connection_info_str())
+    print()
+
+    channel = sock.get_ssl_channel_info()
+    print_channel_info(channel)
+    print()
+
+    suite = ssl.get_cipher_suite_info(channel.cipher_suite)
+    print_suite_info(suite)
+
+def ssl_connect():
+    print("SSL connect to: %s" % options.hostname)
+
+    valid_addr = False
+    # Get the IP Address of our server
+    try:
+        addr_info = io.AddrInfo(options.hostname)
+    except:
+        print("ERROR: could not resolve hostname \"%s\"" % options.hostname)
+        return
+
+    for net_addr in addr_info:
+        net_addr.port = options.port
+        sock = ssl.SSLSocket(net_addr.family)
+        # Set client SSL socket options
+        sock.set_ssl_option(ssl.SSL_SECURITY, True)
+        sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
+        sock.set_hostname(options.hostname)
+        try:
+            sock.set_ssl_version_range("tls1.0", "tls1.3")
+        except NSPRError as e:
+            print("Cannot enable TLS 1.3, {}".format(e))
+
+        # Provide a callback which notifies us when the SSL handshake is
+        # complete
+        sock.set_handshake_callback(handshake_callback)
+
+        try:
+            print("try connecting to: %s" % (net_addr))
+            sock.connect(net_addr, timeout=io.seconds_to_interval(TIMEOUT_SECS))
+            print("connected to: %s" % (net_addr))
+            valid_addr = True
+            break
+        except:
+            continue
+
+    if not valid_addr:
+        print("ERROR: could not connect to \"%s\"" % options.hostname)
+        return
+
+    try:
+        # Talk to the server
+        n_received = 0
+        sock.send(REQUEST.encode('utf-8'))
+        while True:
+            buf = sock.recv(1024)
+            n_received += len(buf)
+            if not buf:
+                break
+    except Exception as e:
+        print(e)
+        sock.shutdown()
+        return
+
+    sock.shutdown()
+    return
+
+
+# -----------------------------------------------------------------------------
+
+parser = argparse.ArgumentParser(
+    description='Example showing how to enumerate cipher suites and '
+    'get their properties as well as how to get SSL channel information '
+    'after connecting including the cipher suite in use',
+    formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+
+parser.add_argument('-d', '--db-name',
+                    help='NSS database name (e.g. "sql:pki")')
+
+parser.add_argument('-H', '--hostname',
+                    help='host to connect to')
+
+parser.add_argument('-p', '--port', type=int,
+                    help='host port')
+
+parser.add_argument('-E', '--no-enumerate-cipher-suites',
+                    dest='enumerate_cipher_suites',
+                    action='store_false',
+                    help='do not enumerate cipher suites')
+
+parser.add_argument('-S', '--no-ssl-connect',
+                    dest='ssl_connect',
+                    action='store_false',
+                    help='do not perform SSL connection')
+
+parser.add_argument('-P', '--use-properties',
+                    dest='use_properties',
+                    action='store_true',
+                    help='print using object properties')
+
+parser.set_defaults(db_name='sql:pki',
+                    hostname='www.verisign.com',
+                    port=443,
+                    enumerate_cipher_suites=True,
+                    ssl_connect=True,
+                    use_properties=False)
+
+options = parser.parse_args()
+
+# Perform basic configuration and setup
+try:
+    nss.nss_init(options.db_name)
+    ssl.set_domestic_policy()
+
+except Exception as e:
+    print(str(e), file=sys.stderr)
+    sys.exit(1)
+
+
+if options.enumerate_cipher_suites:
+    suite_info = ssl.get_cipher_suite_info(ssl.ssl_implemented_ciphers[0])
+
+    print("There are %d implemented ciphers" %
+          (len(ssl.ssl_implemented_ciphers)))
+
+    for cipher in ssl.ssl_implemented_ciphers:
+        suite_info = ssl.get_cipher_suite_info(cipher)
+        print(suite_info)
+        print()
+
+if options.ssl_connect:
+    ssl_connect()
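Review bot: the first `suite_info = ssl.get_cipher_suite_info(ssl.ssl_implemented_ciphers[0])` under `if options.enumerate_cipher_suites:` is dead code, since the loop below immediately overwrites it; drop it. The two bare `except:` clauses (around `io.AddrInfo(options.hostname)` and `sock.connect(...)`) also swallow KeyboardInterrupt and SystemExit and discard the actual NSPR error, so a failed connect is undiagnosable; catch `NSPRError as e` and print it, as the `set_ssl_version_range` block already does. Minor: `n_received` is accumulated but never reported, and when `set_ssl_version_range("tls1.0", "tls1.3")` raises, the socket silently keeps the library default range, so print the range actually in effect after the handshake rather than only the failure message.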


=====================================
setup.py
=====================================
@@ -16,7 +16,7 @@ from distutils.util import subst_vars, change_root
 from distutils.command.build_py import build_py as _build_py
 from distutils.command.sdist import sdist as _sdist
 
-version = "1.0.0"
+version = "1.0.1"
 
 doc_manifest = [
     [['include README LICENSE* doc/ChangeLog',
@@ -318,7 +318,7 @@ def main(argv):
     include_roots = []
 
     for arg in argv[:]:
-        if arg in ('-d', '--debug'):
+        if arg in ('--debug', ):
             print("compiling with debug")
             extra_compile_args += debug_compile_args
             argv.remove(arg)
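Review bot: dropping `-d` as a debug alias is a user-visible CLI change, but the hunk leaves no comment explaining why `('--debug', )` is now a one-element tuple; replace it with `if arg == '--debug':` and add a comment noting that `-d` is reserved by distutils and bdist_wheel for the destination directory, so the alias is not reintroduced later.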


=====================================
src/py_ssl.c
=====================================
@@ -4718,6 +4718,13 @@ if (_AddIntConstantWithLookup(m, #constant, constant, \
     ExportConstant(TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256);
 #endif
 
+    /* TLS 1.3 cipher suites */
+#ifdef TLS_AES_128_GCM_SHA256
+    ExportConstant(TLS_AES_128_GCM_SHA256);
+    ExportConstant(TLS_AES_256_GCM_SHA384);
+    ExportConstant(TLS_CHACHA20_POLY1305_SHA256);
+#endif
+
     /* Netscape "experimental" cipher suites. */
     ExportConstant(SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA);
     ExportConstant(SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA);
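Review bot: the single `#ifdef TLS_AES_128_GCM_SHA256` guard covers all three new `ExportConstant` lines, so an NSS header that defines the AES suites but not `TLS_CHACHA20_POLY1305_SHA256` would fail to compile; either guard each constant separately or add a comment stating that NSS defines the three together, so the assumption is explicit.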



View it on GitLab: https://salsa.debian.org/freeipa-team/python-nss/-/compare/170f503ce2b087a4204505eb8698a9bfe9ea9480...caa3100b0fa97d1a23c60b86d5538b82d45a4da7


