[Pkg-freeipa-devel] [Git][freeipa-team/python-nss][upstream] 6 commits: Added tag PYNSS_RELEASE_1_0_0 for changeset 9a5cf0294fc1
Timo Aaltonen
gitlab at salsa.debian.org
Thu Dec 3 15:39:32 GMT 2020
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / python-nss
Commits:
3bf7e4a7 by John Dennis at 2016-09-02T13:06:18-04:00
Added tag PYNSS_RELEASE_1_0_0 for changeset 9a5cf0294fc1
- - - - -
ea420813 by John Dennis at 2016-10-11T13:42:47-04:00
Add doc/examples/ssl_cipher_info.py
- - - - -
9c44cdd5 by John Dennis at 2017-02-28T18:06:27-05:00
Add TLS 1.3 cipher suites
TLS 1.3 does not use any of the TLS 1.2 cipher suites but introduces a
new set of cipher suites. The new cipher suites no longer define the key
agreement and authentication protocols.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
58f07a78 by John Dennis at 2017-02-28T18:09:25-05:00
ssl_cipher_info: Try to enable TLS 1.3
Attempt to enable TLS version 1.3 in ssl_cipher_info.py example script.
At the moment NSS 3.28.1 and older have TLS 1.3 support disabled. With a
custom build of NSS, ssl_cipher_info.py is able to establish a TLS 1.3
connection to tls13.crypto.mozilla.org.
SSL connect to: tls13.crypto.mozilla.org
try connecting to: 52.32.149.186
connected to: 52.32.149.186
handshake complete, peer = 52.32.149.186, negotiated host = tls13.crypto.mozilla.org
Connection Info:
SSL Protocol Version: 3.4 (tls1.3)
Cipher: 128-bit AES-GCM
MAC: 128-bit AEAD
Auth: 2048-bit TLS 1.3
Key Exchange: 255-bit TLS 1.3
Compression: NULL
Channel:
--------
Protocol Version: 3.4 (tls1.3)
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Auth Key Bits: 2048
Key Exchange Key Bits: 255
Creation Time: 1970-01-01 01:00:00
Last Access Time: 1970-01-01 01:00:00
Expiration Time: 1970-01-01 01:00:00
Compression Method: NULL (0x0)
Session ID:
Suite:
------
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Auth Algorithm: TLS 1.3 (0xa)
Key Exchange Type: TLS 1.3 (0x7)
Symmetric Cipher: AES-GCM (0xa)
Symmetric Key Bits: 128
Effective Symmetric Key Bits: 128
Symmetric Key Space: 128
MAC Algorithm: AEAD (0x6)
MAC Bits: 128
FIPS: True
Exportable: False
Nonstandard: False
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
70299bb8 by John Dennis at 2017-02-28T18:11:19-05:00
Fix bdist_wheel support to build python-nss as Python wheel
The '-d' argument is already reserved as an alias for the destination
directory. The bdist_wheel builder uses -d to build wheels in a
temporary directory.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
caa3100b by John Dennis at 2017-02-28T18:13:34-05:00
Update changelog and bump version
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
6 changed files:
- .hgtags
- MANIFEST
- doc/ChangeLog
- + doc/examples/ssl_cipher_info.py
- setup.py
- src/py_ssl.c
Changes:
=====================================
.hgtags
=====================================
@@ -35,3 +35,5 @@ bbe06f8d7b1bd897a9a836ec9ae977413e0e0c55 PYNSS_RELEASE_0_17_0
84c4fa461e3040f7b3ecbdcb370de7ca921f87d4 PYNSS_RELEASE_1_0_0
84c4fa461e3040f7b3ecbdcb370de7ca921f87d4 PYNSS_RELEASE_1_0_0
96fff7c15b21fb0e25acfa9d68b9094623f5fcf4 PYNSS_RELEASE_1_0_0
+96fff7c15b21fb0e25acfa9d68b9094623f5fcf4 PYNSS_RELEASE_1_0_0
+9a5cf0294fc1f888d93f5a9bbf4e0217039036da PYNSS_RELEASE_1_0_0
=====================================
MANIFEST
=====================================
@@ -9,6 +9,7 @@ doc/examples/pbkdf2_example.py
doc/examples/cert_dump.py
doc/examples/cert_trust.py
doc/examples/httplib_example.py
+doc/examples/ssl_cipher_info.py
doc/examples/ssl_example.py
doc/examples/ssl_version_range.py
doc/examples/verify_server.py
=====================================
doc/ChangeLog
=====================================
@@ -1,3 +1,18 @@
+2017-02-16 Christian Heimes <cheimes at redhat.com> 1.0.1
+
+ * Add TLS 1.3 cipher suites.
+
+ * ssl_cipher_info.py now attempts to enable TLS 1.3.
+
+ * Fix build issue in setup.py. python-nss can now be build
+ as Python wheel, e.g. `pip wheel -w dist .`
+
+ * The following constants were added:
+
+ - ssl.TLS_AES_128_GCM_SHA256
+ - ssl.TLS_AES_256_GCM_SHA384
+ - ssl.TLS_CHACHA20_POLY1305_SHA256
+
2016-09-01 John Dennis <jdennis at redhat.com> 1.0.0
* Official 1.0.0 release, only minor tweaks from 1.0.0.beta1
=====================================
doc/examples/ssl_cipher_info.py
=====================================
@@ -0,0 +1,208 @@
+from __future__ import absolute_import
+from __future__ import print_function
+
+import argparse
+import sys
+
+from nss.error import NSPRError
+import nss.io as io
+import nss.nss as nss
+import nss.ssl as ssl
+
+#-------------------------------------------------------------------------------
+
+TIMEOUT_SECS = 3
+
+REQUEST = '''\
+GET /index.html HTTP/1.0
+
+'''
+#-------------------------------------------------------------------------------
+
+def print_suite_info(suite):
+ print("Suite:")
+ print("------")
+
+ if not options.use_properties:
+ print(suite)
+ else:
+ print("cipher_suite_name: %s" % (suite.cipher_suite_name))
+ print("cipher_suite: %#x" % (suite.cipher_suite))
+ print("auth_algorithm_name: %s" % (suite.auth_algorithm_name))
+ print("auth_algorithm: %#x" % (suite.auth_algorithm))
+ print("kea_type_name: %s" % (suite.kea_type_name))
+ print("kea_type: %#x" % (suite.kea_type))
+ print("symmetric_cipher_name: %s" % (suite.symmetric_cipher_name))
+ print("symmetric_cipher: %#x" % (suite.symmetric_cipher))
+ print("symmetric_key_bits: %s" % (suite.symmetric_key_bits))
+ print("symmetric_key_space: %s" % (suite.symmetric_key_space))
+ print("effective_key_bits: %s" % (suite.effective_key_bits))
+ print("mac_algorithm_name: %s" % (suite.mac_algorithm_name))
+ print("mac_algorithm: %#x" % (suite.mac_algorithm))
+ print("mac_bits: %s" % (suite.mac_bits))
+ print("is_fips: %s" % (suite.is_fips))
+ print("is_exportable: %s" % (suite.is_exportable))
+ print("is_nonstandard: %s" % (suite.is_nonstandard))
+
+def print_channel_info(channel):
+ print("Channel:")
+ print("--------")
+
+ if not options.use_properties:
+ print(channel)
+ else:
+ print("protocol_version: %#x" % (channel.protocol_version))
+ print("protocol_version string: %s" % (channel.protocol_version_str))
+ print("protocol_version enum: %#x" % (channel.protocol_version_enum))
+ print("major_protocol_version: %s" % (channel.major_protocol_version))
+ print("minor_protocol_version: %s" % (channel.minor_protocol_version))
+ print("cipher_suite: %#x" % (channel.cipher_suite))
+ print("auth_key_bits: %d" % (channel.auth_key_bits))
+ print("kea_key_bits: %d" % (channel.kea_key_bits))
+ print("creation_time: %s" % (channel.creation_time))
+ print("last_access_time: %s" % (channel.last_access_time))
+ print("expiration_time: %s" % (channel.expiration_time))
+ print("creation_time_utc: %s" % (channel.creation_time_utc))
+ print("last_access_time_utc: %s" % (channel.last_access_time_utc))
+ print("expiration_time_utc: %s" % (channel.expiration_time_utc))
+ print("compression_method: %#x" % (channel.compression_method))
+ print("compression_method_name: %s" % (channel.compression_method_name))
+ print("session_id: %s" % (channel.session_id))
+
+def handshake_callback(sock):
+
+ print("handshake complete, peer = %s, negotiated host = %s" %
+ (sock.get_peer_name(), sock.get_negotiated_host()))
+ print("Connection Info:")
+ print(sock.connection_info_str())
+ print()
+
+ channel = sock.get_ssl_channel_info()
+ print_channel_info(channel)
+ print()
+
+ suite = ssl.get_cipher_suite_info(channel.cipher_suite)
+ print_suite_info(suite)
+
+def ssl_connect():
+ print("SSL connect to: %s" % options.hostname)
+
+ valid_addr = False
+ # Get the IP Address of our server
+ try:
+ addr_info = io.AddrInfo(options.hostname)
+ except:
+ print("ERROR: could not resolve hostname \"%s\"" % options.hostname)
+ return
+
+ for net_addr in addr_info:
+ net_addr.port = options.port
+ sock = ssl.SSLSocket(net_addr.family)
+ # Set client SSL socket options
+ sock.set_ssl_option(ssl.SSL_SECURITY, True)
+ sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
+ sock.set_hostname(options.hostname)
+ try:
+ sock.set_ssl_version_range("tls1.0", "tls1.3")
+ except NSPRError as e:
+ print("Cannot enable TLS 1.3, {}".format(e))
+
+ # Provide a callback which notifies us when the SSL handshake is
+ # complete
+ sock.set_handshake_callback(handshake_callback)
+
+ try:
+ print("try connecting to: %s" % (net_addr))
+ sock.connect(net_addr, timeout=io.seconds_to_interval(TIMEOUT_SECS))
+ print("connected to: %s" % (net_addr))
+ valid_addr = True
+ break
+ except:
+ continue
+
+ if not valid_addr:
+ print("ERROR: could not connect to \"%s\"" % options.hostname)
+ return
+
+ try:
+ # Talk to the server
+ n_received = 0
+ sock.send(REQUEST.encode('utf-8'))
+ while True:
+ buf = sock.recv(1024)
+ n_received += len(buf)
+ if not buf:
+ break
+ except Exception as e:
+ print(e)
+ sock.shutdown()
+ return
+
+ sock.shutdown()
+ return
+
+
+# -----------------------------------------------------------------------------
+
+parser = argparse.ArgumentParser(
+ description='Example showing how to enumerate cipher suites and '
+ 'get their properties as well as how to get SSL channel information '
+ 'after connecting including the cipher suite in use',
+ formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+
+parser.add_argument('-d', '--db-name',
+ help='NSS database name (e.g. "sql:pki")')
+
+parser.add_argument('-H', '--hostname',
+ help='host to connect to')
+
+parser.add_argument('-p', '--port', type=int,
+ help='host port')
+
+parser.add_argument('-E', '--no-enumerate-cipher-suites',
+ dest='enumerate_cipher_suites',
+ action='store_false',
+ help='do not enumerate cipher suites')
+
+parser.add_argument('-S', '--no-ssl-connect',
+ dest='ssl_connect',
+ action='store_false',
+ help='do not perform SSL connection')
+
+parser.add_argument('-P', '--use-properties',
+ dest='use_properties',
+ action='store_true',
+ help='print using object properties')
+
+parser.set_defaults(db_name='sql:pki',
+ hostname='www.verisign.com',
+ port=443,
+ enumerate_cipher_suites=True,
+ ssl_connect=True,
+ use_properties=False)
+
+options = parser.parse_args()
+
+# Perform basic configuration and setup
+try:
+ nss.nss_init(options.db_name)
+ ssl.set_domestic_policy()
+
+except Exception as e:
+ print(str(e), file=sys.stderr)
+ sys.exit(1)
+
+
+if options.enumerate_cipher_suites:
+ suite_info = ssl.get_cipher_suite_info(ssl.ssl_implemented_ciphers[0])
+
+ print("There are %d implemented ciphers" %
+ (len(ssl.ssl_implemented_ciphers)))
+
+ for cipher in ssl.ssl_implemented_ciphers:
+ suite_info = ssl.get_cipher_suite_info(cipher)
+ print(suite_info)
+ print()
+
+if options.ssl_connect:
+ ssl_connect()
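Review bot: The bare `except:` in ssl_connect's connect loop (`except: continue`) discards every failure, including KeyboardInterrupt, and leaves the user with no reason when all addresses fail; the resolve step a few lines earlier has the same bare handler. Narrow both to the NSPRError the file already imports and report the error before moving on, e.g. `except NSPRError as e:` / `print("connect to %s failed: %s" % (net_addr, e))` / `continue`. A socket whose connect fails is also never shut down before the loop creates the next one, so each failed address leaves a socket open until exit. `n_received` is accumulated in the receive loop but never read afterwards.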
=====================================
setup.py
=====================================
@@ -16,7 +16,7 @@ from distutils.util import subst_vars, change_root
from distutils.command.build_py import build_py as _build_py
from distutils.command.sdist import sdist as _sdist
-version = "1.0.0"
+version = "1.0.1"
doc_manifest = [
[['include README LICENSE* doc/ChangeLog',
@@ -318,7 +318,7 @@ def main(argv):
include_roots = []
for arg in argv[:]:
- if arg in ('-d', '--debug'):
+ if arg in ('--debug', ):
print("compiling with debug")
extra_compile_args += debug_compile_args
argv.remove(arg)
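Review bot: The new tuple `('--debug', )` leaves no trace of why the short form was dropped, and a later maintainer is likely to re-add `-d` for symmetry with the other flags. A comment on the line above, `# '-d' is left to distutils/bdist_wheel, which uses it as the destination directory`, keeps the reason from the commit message next to the code. Since only one spelling remains, `if arg == '--debug':` reads more directly than a one-element tuple. main(argv) starts outside the hunk.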
=====================================
src/py_ssl.c
=====================================
@@ -4718,6 +4718,13 @@ if (_AddIntConstantWithLookup(m, #constant, constant, \
ExportConstant(TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256);
#endif
+ /* TLS 1.3 cipher suites */
+#ifdef TLS_AES_128_GCM_SHA256
+ ExportConstant(TLS_AES_128_GCM_SHA256);
+ ExportConstant(TLS_AES_256_GCM_SHA384);
+ ExportConstant(TLS_CHACHA20_POLY1305_SHA256);
+#endif
+
/* Netscape "experimental" cipher suites. */
ExportConstant(SSL_RSA_OLDFIPS_WITH_3DES_EDE_CBC_SHA);
ExportConstant(SSL_RSA_OLDFIPS_WITH_DES_CBC_SHA);
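Review bot: All three TLS 1.3 constants are emitted under a single `#ifdef TLS_AES_128_GCM_SHA256`, so the block compiles only if an NSS header that defines the first also defines TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256; that appears to hold for NSS but is not stated anywhere in the hunk. Recording the assumption in the new comment, `/* TLS 1.3 cipher suites; NSS defines all three together, so one guard suffices */`, makes the coupling explicit, or each ExportConstant could get its own guard like the block ending at the `#endif` just above. The enclosing function starts outside the hunk.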