[Python-modules-commits] [pyopenssl] 01/18: Import pyopenssl_17.5.0.orig.tar.gz
Sandro Tosi
morph at moszumanska.debian.org
Wed Dec 13 04:58:10 UTC 2017
This is an automated email from the git hooks/post-receive script.
morph pushed a commit to branch master
in repository pyopenssl.
commit ece132987aa1ce8adb0367287b41c4d349633896
Author: Sandro Tosi <morph at debian.org>
Date: Sun Dec 10 22:17:09 2017 -0500
Import pyopenssl_17.5.0.orig.tar.gz
---
CHANGELOG.rst | 203 ++-
CONTRIBUTING.rst | 2 -
INSTALL.rst | 18 +
MANIFEST.in | 13 +-
PKG-INFO | 87 +-
README.rst | 6 +-
doc/api.rst | 1 -
doc/api/crypto.rst | 42 +-
doc/api/rand.rst | 43 -
doc/api/ssl.rst | 14 +-
doc/conf.py | 16 +-
docs-requirements.txt | 2 -
examples/simple/server.py | 3 +-
setup.cfg | 4 +-
setup.py | 17 +-
src/OpenSSL/SSL.py | 500 +++++-
src/OpenSSL/__init__.py | 4 +-
src/OpenSSL/_util.py | 6 +
src/OpenSSL/crypto.py | 450 ++++--
src/OpenSSL/debug.py | 42 +
src/OpenSSL/rand.py | 183 +--
src/OpenSSL/tsafe.py | 7 +
src/OpenSSL/version.py | 6 +-
src/pyOpenSSL.egg-info/PKG-INFO | 87 +-
src/pyOpenSSL.egg-info/SOURCES.txt | 4 +-
src/pyOpenSSL.egg-info/requires.txt | 11 +-
tests/conftest.py | 14 +
tests/test_crypto.py | 2599 +++++++++++++++-----------------
tests/test_debug.py | 10 +
tests/test_rand.py | 187 +--
tests/test_ssl.py | 2837 ++++++++++++++++++-----------------
tests/test_tsafe.py | 10 +-
tests/test_util.py | 15 +-
tests/util.py | 329 +---
tox.ini | 17 +-
35 files changed, 4084 insertions(+), 3705 deletions(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 2962dd7..2a297ad 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -4,6 +4,207 @@ Changelog
Versions are year-based with a strict backward-compatibility policy.
The third digit is only for regressions.
+17.5.0 (2017-11-30)
+-------------------
+
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* The minimum ``cryptography`` version is now 2.1.4.
+
+
+Deprecations:
+^^^^^^^^^^^^^
+
+*none*
+
+
+Changes:
+^^^^^^^^
+
+- Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with ``cacerts``.
+ `#723 <https://github.com/pyca/pyopenssl/pull/723>`_
+- Added ``Connection.export_keying_material`` for RFC 5705 compatible export of keying material.
+ `#725 <https://github.com/pyca/pyopenssl/pull/725>`_
+
+----
+
+
+
+17.4.0 (2017-11-21)
+-------------------
+
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+*none*
+
+
+Deprecations:
+^^^^^^^^^^^^^
+
+*none*
+
+
+Changes:
+^^^^^^^^
+
+
+- Re-added a subset of the ``OpenSSL.rand`` module.
+ This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork.
+ `#708 <https://github.com/pyca/pyopenssl/pull/708>`_
+- Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated.
+ `#709 <https://github.com/pyca/pyopenssl/pull/709>`_
+
+----
+
+
+17.3.0 (2017-09-14)
+-------------------
+
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Dropped support for Python 3.3.
+ `#677 <https://github.com/pyca/pyopenssl/pull/677>`_
+- Removed the deprecated ``OpenSSL.rand`` module.
+ This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden.
+ ``os.urandom()`` should be used instead.
+ `#675 <https://github.com/pyca/pyopenssl/pull/675>`_
+
+
+Deprecations:
+^^^^^^^^^^^^^
+
+- Deprecated ``OpenSSL.tsafe``.
+ `#673 <https://github.com/pyca/pyopenssl/pull/673>`_
+
+Changes:
+^^^^^^^^
+
+- Fixed a memory leak in ``OpenSSL.crypto.CRL``.
+ `#690 <https://github.com/pyca/pyopenssl/pull/690>`_
+- Fixed a memory leak when verifying certificates with ``OpenSSL.crypto.X509StoreContext``.
+ `#691 <https://github.com/pyca/pyopenssl/pull/691>`_
+
+
+----
+
+
+17.2.0 (2017-07-20)
+-------------------
+
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+*none*
+
+
+Deprecations:
+^^^^^^^^^^^^^
+
+- Deprecated ``OpenSSL.rand`` - callers should use ``os.urandom()`` instead.
+ `#658 <https://github.com/pyca/pyopenssl/pull/658>`_
+
+
+Changes:
+^^^^^^^^
+
+- Fixed a bug causing ``Context.set_default_verify_paths()`` to not work with cryptography ``manylinux1`` wheels on Python 3.x.
+ `#665 <https://github.com/pyca/pyopenssl/pull/665>`_
+- Fixed a crash with (EC)DSA signatures in some cases.
+ `#670 <https://github.com/pyca/pyopenssl/pull/670>`_
+
+
+----
+
+
+17.1.0 (2017-06-30)
+-------------------
+
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+- Removed the deprecated ``OpenSSL.rand.egd()`` function.
+ Applications should prefer ``os.urandom()`` for random number generation.
+ `#630 <https://github.com/pyca/pyopenssl/pull/630>`_
+- Removed the deprecated default ``digest`` argument to ``OpenSSL.crypto.CRL.export()``.
+ Callers must now always pass an explicit ``digest``.
+ `#652 <https://github.com/pyca/pyopenssl/pull/652>`_
+- Fixed a bug with ``ASN1_TIME`` casting in ``X509.set_notBefore()``,
+ ``X509.set_notAfter()``, ``Revoked.set_rev_date()``, ``Revoked.set_nextUpdate()``,
+ and ``Revoked.set_lastUpdate()``. You must now pass times in the form
+ ``YYYYMMDDhhmmssZ``. ``YYYYMMDDhhmmss+hhmm`` and ``YYYYMMDDhhmmss-hhmm``
+ will no longer work. `#612 <https://github.com/pyca/pyopenssl/pull/612>`_
+
+
+Deprecations:
+^^^^^^^^^^^^^
+
+
+- Deprecated the legacy "Type" aliases: ``ContextType``, ``ConnectionType``, ``PKeyType``, ``X509NameType``, ``X509ExtensionType``, ``X509ReqType``, ``X509Type``, ``X509StoreType``, ``CRLType``, ``PKCS7Type``, ``PKCS12Type``, ``NetscapeSPKIType``.
+ The names without the "Type"-suffix should be used instead.
+
+
+Changes:
+^^^^^^^^
+
+- Added ``OpenSSL.crypto.X509.from_cryptography()`` and ``OpenSSL.crypto.X509.to_cryptography()`` for converting X.509 certificate to and from pyca/cryptography objects.
+ `#640 <https://github.com/pyca/pyopenssl/pull/640>`_
+- Added ``OpenSSL.crypto.X509Req.from_cryptography()``, ``OpenSSL.crypto.X509Req.to_cryptography()``, ``OpenSSL.crypto.CRL.from_cryptography()``, and ``OpenSSL.crypto.CRL.to_cryptography()`` for converting X.509 CSRs and CRLs to and from pyca/cryptography objects.
+ `#645 <https://github.com/pyca/pyopenssl/pull/645>`_
+- Added ``OpenSSL.debug`` that allows to get an overview of used library versions (including linked OpenSSL) and other useful runtime information using ``python -m OpenSSL.debug``.
+ `#620 <https://github.com/pyca/pyopenssl/pull/620>`_
+- Added a fallback path to ``Context.set_default_verify_paths()`` to accommodate the upcoming release of ``cryptography`` ``manylinux1`` wheels.
+ `#633 <https://github.com/pyca/pyopenssl/pull/633>`_
+
+
+----
+
+
+17.0.0 (2017-04-20)
+-------------------
+
+Backward-incompatible changes:
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+*none*
+
+
+Deprecations:
+^^^^^^^^^^^^^
+
+*none*
+
+
+Changes:
+^^^^^^^^
+
+- Added ``OpenSSL.X509Store.set_time()`` to set a custom verification time when verifying certificate chains.
+ `#567 <https://github.com/pyca/pyopenssl/pull/567>`_
+- Added a collection of functions for working with OCSP stapling.
+ None of these functions make it possible to validate OCSP assertions, only to staple them into the handshake and to retrieve the stapled assertion if provided.
+ Users will need to write their own code to handle OCSP assertions.
+ We specifically added: ``Context.set_ocsp_server_callback()``, ``Context.set_ocsp_client_callback()``, and ``Connection.request_ocsp()``.
+ `#580 <https://github.com/pyca/pyopenssl/pull/580>`_
+- Changed the ``SSL`` module's memory allocation policy to avoid zeroing memory it allocates when unnecessary.
+ This reduces CPU usage and memory allocation time by an amount proportional to the size of the allocation.
+ For applications that process a lot of TLS data or that use very lage allocations this can provide considerable performance improvements.
+ `#578 <https://github.com/pyca/pyopenssl/pull/578>`_
+- Automatically set ``SSL_CTX_set_ecdh_auto()`` on ``OpenSSL.SSL.Context``.
+ `#575 <https://github.com/pyca/pyopenssl/pull/575>`_
+- Fix empty exceptions from ``OpenSSL.crypto.load_privatekey()``.
+ `#581 <https://github.com/pyca/pyopenssl/pull/581>`_
+
+
+----
+
+
16.2.0 (2016-10-15)
-------------------
@@ -66,7 +267,7 @@ Changes:
This is the first release under full stewardship of PyCA.
We have made *many* changes to make local development more pleasing.
The test suite now passes both on Linux and OS X with OpenSSL 0.9.8, 1.0.1, and 1.0.2.
-It has been moved to `pytest <https://pytest.org/>`_, all CI test runs are part of `tox <https://testrun.org/tox/>`_ and the source code has been made fully `flake8 <https://flake8.readthedocs.io/>`_ compliant.
+It has been moved to `pytest <https://docs.pytest.org/>`_, all CI test runs are part of `tox <https://tox.readthedocs.io/>`_ and the source code has been made fully `flake8 <https://flake8.readthedocs.io/>`_ compliant.
We hope to have lowered the barrier for contributions significantly but are open to hear about any remaining frustrations.
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index 8539f61..ad10137 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -28,7 +28,6 @@ Code
Create different pull requests for unrelated features or bugfixes.
- Code should follow `PEP 8`_, especially in the "do what code around you does" sense.
Follow OpenSSL naming for callables whenever possible is preferred.
-- New tests should use `pytest-style assertions`_ instead of the old ``self.assertXYZ``-style.
- Pull requests that introduce code must test all new behavior they introduce as well as for previously untested or poorly tested behavior that they touch.
- Pull requests are not allowed to break existing tests.
We usually don't comment on pull requests that are breaking the CI because we consider them work in progress.
@@ -111,7 +110,6 @@ Feel free to cross-check this information with Keybase_.
.. _Keybase: https://keybase.io/hynek
.. _pyca/pyopenssl: https://github.com/pyca/pyopenssl
.. _PEP 8: https://www.python.org/dev/peps/pep-0008/
-.. _pytest-style assertions: http://docs.pytest.org/en/latest/assert.html
.. _cryptography code review process: https://cryptography.io/en/latest/development/reviewing-patches/
.. _freenode: https://freenode.net
.. _mailing list: https://mail.python.org/mailman/listinfo/cryptography-dev
diff --git a/INSTALL.rst b/INSTALL.rst
index e146769..71fe1ed 100644
--- a/INSTALL.rst
+++ b/INSTALL.rst
@@ -19,6 +19,24 @@ If you are installing in order to *develop* on pyOpenSSL, move to the root direc
The most likely culprit being `cryptography <https://cryptography.io/>`_ that contains OpenSSL's library bindings.
+Supported OpenSSL Versions
+--------------------------
+
+pyOpenSSL supports the same platforms and releases as the upstream cryptography project `does <https://cryptography.io/en/latest/installation/#supported-platforms>`_.
+Currently that means:
+
+- 1.0.1
+- 1.0.2
+- 1.1.0
+
+If you need support for older releases, the following pinned versions will work:
+
+- **OpenSSL 0.9.8**: ``'pyOpenSSL<17.0' 'cryptography<1.4'``
+- **OpenSSL 1.0.0**: ``'pyOpenSSL<17.1' 'cryptography<1.7'``
+
+You can always find out the versions of pyOpenSSL, cryptography, and the linked OpenSSL by running ``python -m OpenSSL.debug``.
+
+
Documentation
-------------
diff --git a/MANIFEST.in b/MANIFEST.in
index 72b419c..4ff05bf 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,10 +1,11 @@
-include LICENSE MANIFEST.in *.rst tox.ini docs-requirements.txt .coveragerc
+include LICENSE MANIFEST.in *.rst tox.ini .coveragerc
exclude leakcheck
-recursive-include tests *.py
-recursive-include doc *
-recursive-include examples *
-recursive-include rpm *
-recursive-exclude leakcheck *.py *.pem
+recursive-include tests *.py
+recursive-include doc *
+recursive-include examples *
+recursive-include rpm *
+recursive-exclude leakcheck *.py *.pem
+recursive-exclude examples/simple *.cert *.pkey
prune doc/_build
prune .travis
prune .mention-bot
diff --git a/PKG-INFO b/PKG-INFO
index 4e4859d..acb351f 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,24 +1,25 @@
Metadata-Version: 1.1
Name: pyOpenSSL
-Version: 16.2.0
+Version: 17.5.0
Summary: Python wrapper module around the OpenSSL library
-Home-page: https://pyopenssl.readthedocs.io/
+Home-page: https://pyopenssl.org/
Author: Hynek Schlawack
Author-email: hs at ox.cx
License: Apache License, Version 2.0
+Description-Content-Type: UNKNOWN
Description: ========================================================
pyOpenSSL -- A Python wrapper around the OpenSSL library
========================================================
.. image:: https://readthedocs.org/projects/pyopenssl/badge/?version=stable
- :target: https://pyopenssl.readthedocs.io/
+ :target: https://pyopenssl.org/en/stable/
:alt: Stable Docs
.. image:: https://travis-ci.org/pyca/pyopenssl.svg?branch=master
:target: https://travis-ci.org/pyca/pyopenssl
:alt: Build status
- .. image:: https://codecov.io/github/pyca/pyopenssl/coverage.svg?branch=master
+ .. image:: https://codecov.io/github/pyca/pyopenssl/branch/master/graph/badge.svg
:target: https://codecov.io/github/pyca/pyopenssl
:alt: Test coverage
@@ -45,7 +46,7 @@ Description: ========================================================
You can also join ``#cryptography-dev`` on Freenode to ask questions or get involved.
- .. _documentation: https://pyopenssl.readthedocs.io/
+ .. _documentation: https://pyopenssl.org/
.. _`issue tracker`: https://github.com/pyca/pyopenssl/issues
.. _cryptography-dev: https://mail.python.org/mailman/listinfo/cryptography-dev
.. _GitHub: https://github.com/pyca/pyopenssl
@@ -54,9 +55,38 @@ Description: ========================================================
Release Information
===================
- 16.2.0 (2016-10-15)
+ 17.5.0 (2017-11-30)
-------------------
+
+ Backward-incompatible changes:
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+ * The minimum ``cryptography`` version is now 2.1.4.
+
+
+ Deprecations:
+ ^^^^^^^^^^^^^
+
+ *none*
+
+
+ Changes:
+ ^^^^^^^^
+
+ - Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with ``cacerts``.
+ `#723 <https://github.com/pyca/pyopenssl/pull/723>`_
+ - Added ``Connection.export_keying_material`` for RFC 5705 compatible export of keying material.
+ `#725 <https://github.com/pyca/pyopenssl/pull/725>`_
+
+ ----
+
+
+
+ 17.4.0 (2017-11-21)
+ -------------------
+
+
Backward-incompatible changes:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -72,11 +102,46 @@ Description: ========================================================
Changes:
^^^^^^^^
- - Fixed compatibility errors with OpenSSL 1.1.0.
- - Fixed an issue that caused failures with subinterpreters and embedded Pythons.
- `#552 <https://github.com/pyca/pyopenssl/pull/552>`_
- `Full changelog <https://pyopenssl.readthedocs.io/en/stable/changelog.html>`_.
+ - Re-added a subset of the ``OpenSSL.rand`` module.
+ This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork.
+ `#708 <https://github.com/pyca/pyopenssl/pull/708>`_
+ - Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated.
+ `#709 <https://github.com/pyca/pyopenssl/pull/709>`_
+
+ ----
+
+
+ 17.3.0 (2017-09-14)
+ -------------------
+
+
+ Backward-incompatible changes:
+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+ - Dropped support for Python 3.3.
+ `#677 <https://github.com/pyca/pyopenssl/pull/677>`_
+ - Removed the deprecated ``OpenSSL.rand`` module.
+ This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden.
+ ``os.urandom()`` should be used instead.
+ `#675 <https://github.com/pyca/pyopenssl/pull/675>`_
+
+
+ Deprecations:
+ ^^^^^^^^^^^^^
+
+ - Deprecated ``OpenSSL.tsafe``.
+ `#673 <https://github.com/pyca/pyopenssl/pull/673>`_
+
+ Changes:
+ ^^^^^^^^
+
+ - Fixed a memory leak in ``OpenSSL.crypto.CRL``.
+ `#690 <https://github.com/pyca/pyopenssl/pull/690>`_
+ - Fixed a memory leak when verifying certificates with ``OpenSSL.crypto.X509StoreContext``.
+ `#691 <https://github.com/pyca/pyopenssl/pull/691>`_
+
+ `Full changelog <https://pyopenssl.org/en/stable/changelog.html>`_.
Platform: UNKNOWN
@@ -90,9 +155,9 @@ Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 2.6
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.3
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
+Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Programming Language :: Python :: Implementation :: PyPy
Classifier: Topic :: Security :: Cryptography
diff --git a/README.rst b/README.rst
index 6fe3df7..36046ca 100644
--- a/README.rst
+++ b/README.rst
@@ -3,14 +3,14 @@ pyOpenSSL -- A Python wrapper around the OpenSSL library
========================================================
.. image:: https://readthedocs.org/projects/pyopenssl/badge/?version=stable
- :target: https://pyopenssl.readthedocs.io/
+ :target: https://pyopenssl.org/en/stable/
:alt: Stable Docs
.. image:: https://travis-ci.org/pyca/pyopenssl.svg?branch=master
:target: https://travis-ci.org/pyca/pyopenssl
:alt: Build status
-.. image:: https://codecov.io/github/pyca/pyopenssl/coverage.svg?branch=master
+.. image:: https://codecov.io/github/pyca/pyopenssl/branch/master/graph/badge.svg
:target: https://codecov.io/github/pyca/pyopenssl
:alt: Test coverage
@@ -37,7 +37,7 @@ We maintain a cryptography-dev_ mailing list for both user and development discu
You can also join ``#cryptography-dev`` on Freenode to ask questions or get involved.
-.. _documentation: https://pyopenssl.readthedocs.io/
+.. _documentation: https://pyopenssl.org/
.. _`issue tracker`: https://github.com/pyca/pyopenssl/issues
.. _cryptography-dev: https://mail.python.org/mailman/listinfo/cryptography-dev
.. _GitHub: https://github.com/pyca/pyopenssl
diff --git a/doc/api.rst b/doc/api.rst
index 826ec4d..b5ca3f2 100644
--- a/doc/api.rst
+++ b/doc/api.rst
@@ -14,5 +14,4 @@ OpenSSL library. The following modules are defined:
:maxdepth: 2
api/crypto
- api/rand
api/ssl
diff --git a/doc/api/crypto.rst b/doc/api/crypto.rst
index cac9dd9..7b21d4f 100644
--- a/doc/api/crypto.rst
+++ b/doc/api/crypto.rst
@@ -6,6 +6,13 @@
.. py:module:: OpenSSL.crypto
:synopsis: Generic cryptographic module
+.. note::
+
+ `pyca/cryptography`_ is likely a better choice than using this module.
+ It contains a complete set of cryptographic primitives as well as a significantly better and more powerful X509 API.
+ If necessary you can convert to and from cryptography objects using the ``to_cryptography`` and ``from_cryptography`` methods on ``X509``, ``X509Req``, ``CRL``, and ``PKey``.
+
+
Elliptic curves
---------------
@@ -319,35 +326,6 @@ For example, :const:`b"sha256"` or :const:`b"sha384"`.
More information and a list of these digest names can be found in the ``EVP_DigestInit(3)`` man page of your OpenSSL installation.
This page can be found online for the latest version of OpenSSL:
-https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html
-
-
-Backwards compatible type names
--------------------------------
-
-When pyOpenSSL was originally written, the most current version of Python was 2.1.
-It made a distinction between classes and types.
-None of the versions of Python currently supported by pyOpenSSL still enforce that distinction:
-the type of an instance of an :class:`X509` object is now simply :class:`X509`.
-Originally, the type would have been :class:`X509Type`.
-These days, :class:`X509Type` and :class:`X509` are literally the same object.
-pyOpenSSL maintains these old names for backwards compatibility.
-
-Here's a table of these backwards-compatible names:
-
-====================== ==========================
-Type name Backwards-compatible name
-====================== ==========================
-:class:`X509` :class:`X509Type`
-:class:`X509Name` :class:`X509NameType`
-:class:`X509Req` :class:`X509ReqType`
-:class:`X509Store` :class:`X509StoreType`
-:class:`X509Extension` :class:`X509ExtensionType`
-:class:`PKey` :class:`PKeyType`
-:class:`PKCS7` :class:`PKCS7Type`
-:class:`PKCS12` :class:`PKCS12Type`
-:class:`NetscapeSPKI` :class:`NetscapeSPKIType`
-:class:`CRL` :class:`CRLType`
-====================== ==========================
-
-Some objects, such as :class:`Revoked`, don't have ``Type`` equivalents, because they were added after the restriction had been lifted.
+https://www.openssl.org/docs/manmaster/man3/EVP_DigestInit.html
+
+.. _`pyca/cryptography`: https://cryptography.io
diff --git a/doc/api/rand.rst b/doc/api/rand.rst
deleted file mode 100644
index 83aec1e..0000000
--- a/doc/api/rand.rst
+++ /dev/null
@@ -1,43 +0,0 @@
-.. _openssl-rand:
-
-:mod:`rand` --- An interface to the OpenSSL pseudo random number generator
-==========================================================================
-
-.. warning::
- Functions from this module shouldn't be used.
- `Use urandom <https://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/>`_ instead.
-
-
-.. py:module:: OpenSSL.rand
- :synopsis: An interface to the OpenSSL pseudo random number generator
-
-
-This module handles the OpenSSL pseudo random number generator (PRNG) and declares the following:
-
-.. autofunction:: add
-
-.. autofunction:: bytes
-
-.. autofunction:: cleanup
-
-.. autofunction:: egd(path[, bytes])
-
-.. autofunction:: load_file(filename[, bytes])
-
-.. autofunction:: seed
-
-.. autofunction:: status
-
-.. autofunction:: write_file
-
-
-.. function:: screen
-
- Add the current contents of the screen to the PRNG state.
-
- Availability: Windows.
-
- :return: :obj:`None`
-
-
-.. autoexception:: Error
diff --git a/doc/api/ssl.rst b/doc/api/ssl.rst
index 00cae9b..d892dbb 100644
--- a/doc/api/ssl.rst
+++ b/doc/api/ssl.rst
@@ -306,8 +306,13 @@ Context objects have the following methods:
.. py:method:: Context.set_default_verify_paths()
- Specify that the platform provided CA certificates are to be used for
- verification purposes. This method may not work properly on OS X.
+ Specify that the platform provided CA certificates are to be used for verification purposes.
+ This method has some caveats related to the binary wheels that cryptography (pyOpenSSL's primary dependency) ships:
+
+ * macOS will only load certificates using this method if the user has the ``openssl at 1.1`` `Homebrew <https://brew.sh>`_ formula installed in the default location.
+ * Windows will not work.
+ * manylinux1 cryptography wheels will work on most common Linux distributions in pyOpenSSL 17.1.0 and above.
+ pyOpenSSL detects the manylinux1 wheel and attempts to load roots via a fallback path.
.. py:method:: Context.load_tmp_dh(dhfile)
@@ -364,8 +369,9 @@ Context objects have the following methods:
this, it will be truncated. Second, a boolean value which will be true if
the user should be prompted for the passphrase twice and the callback should
verify that the two values supplied are equal. Third, the value given as the
- *userdata* parameter to :py:meth:`set_passwd_cb`. If an error occurs,
- *callback* should return a false value (e.g. an empty string).
+ *userdata* parameter to :py:meth:`set_passwd_cb`. The *callback* must return
+ a byte string. If an error occurs, *callback* should return a false value
+ (e.g. an empty string).
.. py:method:: Context.set_session_cache_mode(mode)
diff --git a/doc/conf.py b/doc/conf.py
index 9eba065..3940dd2 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -52,9 +52,12 @@ sys.path.insert(0, os.path.abspath(os.path.join(DOC_DIR, "..")))
# If your documentation needs a minimal Sphinx version, state it here.
needs_sphinx = '1.0'
-# Add any Sphinx extension module names here, as strings. They can be extensions
-# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
-extensions = ["sphinx.ext.autodoc"]
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions = [
+ "sphinx.ext.autodoc",
+ 'sphinx.ext.intersphinx',
+]
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
@@ -71,7 +74,7 @@ master_doc = 'index'
# General information about the project.
project = u'pyOpenSSL'
authors = u"The pyOpenSSL developers"
-copyright = u"2001-{0}, {1}".format(datetime.date.today().year, authors)
+copyright = u"2001 " + authors
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
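Review bot: The new `copyright = u"2001 " + authors` line no longer references `datetime`, so the `import datetime` the removed expression relied on is presumably now unused in doc/conf.py; the import block is outside this hunk, so please confirm and drop it so the docs build stays lint-clean. The old expression rendered as `2001-<year>, <authors>` while the new literal renders as `2001 The pyOpenSSL developers` with no range or separator; if that is intended, a short comment such as `# Fixed string: the year range was dropped deliberately` would stop the next reader from "fixing" it back.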
@@ -249,3 +252,8 @@ man_pages = [
('index', 'pyopenssl', u'pyOpenSSL Documentation',
[authors], 1)
]
+
+intersphinx_mapping = {
+ "https://docs.python.org/3": None,
+ "https://cryptography.io/en/latest/": None,
+}
diff --git a/docs-requirements.txt b/docs-requirements.txt
deleted file mode 100644
index 8213302..0000000
--- a/docs-requirements.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-sphinx
-sphinx_rtd_theme
diff --git a/examples/simple/server.py b/examples/simple/server.py
index 19f6d21..d25feb1 100644
--- a/examples/simple/server.py
+++ b/examples/simple/server.py
@@ -67,12 +67,13 @@ def dropClient(cli, errors=None):
cli.shutdown()
cli.close()
+
while 1:
try:
r, w, _ = select.select(
[server] + list(clients.keys()), list(writers.keys()), []
)
- except:
+ except Exception:
break
for cli in r:
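Review bot: The `except Exception:` branch still discards the error and leaves the `while 1:` loop with no record of why the server stopped accepting clients, so a failing `select.select` call (for instance on a descriptor in `clients` or `writers` that was already closed) looks like a clean exit. Recording the exception before the `break`, e.g. `except Exception:` / `    traceback.print_exc()` / `    break`, keeps the narrowing this commit makes while making the failure visible; the `import traceback` would go in the file's import block, which is outside the hunk. The loop body continues past the end of the hunk.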
diff --git a/setup.cfg b/setup.cfg
index afb25bf..d5fff4e 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -9,6 +9,9 @@ force_manifest = 1
[bdist_wheel]
universal = 1
+[metadata]
+license_file = LICENSE
+
[bdist_rpm]
release = 1
build-requires = openssl-devel python-devel python-sphinx
@@ -19,5 +22,4 @@ doc-files = doc/_build/html
[egg_info]
tag_build =
tag_date = 0
-tag_svn_revision = 0
diff --git a/setup.py b/setup.py
index d4c27ad..85252e9 100755
--- a/setup.py
+++ b/setup.py
@@ -80,9 +80,9 @@ if __name__ == "__main__":
'Programming Language :: Python :: 2.6',
'Programming Language :: Python :: 2.7',
'Programming Language :: Python :: 3',
- 'Programming Language :: Python :: 3.3',
'Programming Language :: Python :: 3.4',
'Programming Language :: Python :: 3.5',
+ 'Programming Language :: Python :: 3.6',
'Programming Language :: Python :: Implementation :: CPython',
'Programming Language :: Python :: Implementation :: PyPy',
@@ -95,7 +95,20 @@ if __name__ == "__main__":
package_dir={"": "src"},
install_requires=[
# Fix cryptographyMinimum in tox.ini when changing this!
- "cryptography>=1.3.4",
+ "cryptography>=2.1.4",
"six>=1.5.2"
],
+ extras_require={
+ "test": [
+ "flaky",
+ "pretend",
+ # pytest 3.3 doesn't support Python 2.6 anymore.
+ # Remove this pin once we drop Python 2.6 too.
+ "pytest>=3.0.1,<3.3.0",
+ ],
+ "docs": [
+ "sphinx",
+ "sphinx_rtd_theme",
+ ]
+ },
)
diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py
index 7ebf7e0..b664254 100644
--- a/src/OpenSSL/SSL.py
+++ b/src/OpenSSL/SSL.py
@@ -1,3 +1,4 @@
+import os
import socket
from sys import platform
from functools import wraps, partial
@@ -5,9 +6,11 @@ from itertools import count, chain
from weakref import WeakValueDictionary
from errno import errorcode
-from six import binary_type as _binary_type
-from six import integer_types as integer_types
-from six import int2byte, indexbytes
+from cryptography.utils import deprecated
+
+from six import (
+ binary_type as _binary_type, integer_types as integer_types, int2byte,
+ indexbytes)
from OpenSSL._util import (
UNSPECIFIED as _UNSPECIFIED,
@@ -18,11 +21,101 @@ from OpenSSL._util import (
native as _native,
path_string as _path_string,
text_to_bytes_and_warn as _text_to_bytes_and_warn,
+ no_zero_allocator as _no_zero_allocator,
)
from OpenSSL.crypto import (
FILETYPE_PEM, _PassphraseHelper, PKey, X509Name, X509, X509Store)
+__all__ = [
+ 'OPENSSL_VERSION_NUMBER',
+ 'SSLEAY_VERSION',
+ 'SSLEAY_CFLAGS',
+ 'SSLEAY_PLATFORM',
+ 'SSLEAY_DIR',
+ 'SSLEAY_BUILT_ON',
+ 'SENT_SHUTDOWN',
+ 'RECEIVED_SHUTDOWN',
+ 'SSLv2_METHOD',
+ 'SSLv3_METHOD',
+ 'SSLv23_METHOD',
+ 'TLSv1_METHOD',
+ 'TLSv1_1_METHOD',
+ 'TLSv1_2_METHOD',
+ 'OP_NO_SSLv2',
+ 'OP_NO_SSLv3',
+ 'OP_NO_TLSv1',
+ 'OP_NO_TLSv1_1',
+ 'OP_NO_TLSv1_2',
+ 'MODE_RELEASE_BUFFERS',
+ 'OP_SINGLE_DH_USE',
+ 'OP_SINGLE_ECDH_USE',
+ 'OP_EPHEMERAL_RSA',
+ 'OP_MICROSOFT_SESS_ID_BUG',
+ 'OP_NETSCAPE_CHALLENGE_BUG',
+ 'OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG',
+ 'OP_SSLREF2_REUSE_CERT_TYPE_BUG',
+ 'OP_MICROSOFT_BIG_SSLV3_BUFFER',
+ 'OP_MSIE_SSLV2_RSA_PADDING',
+ 'OP_SSLEAY_080_CLIENT_DH_BUG',
+ 'OP_TLS_D5_BUG',
+ 'OP_TLS_BLOCK_PADDING_BUG',
+ 'OP_DONT_INSERT_EMPTY_FRAGMENTS',
+ 'OP_CIPHER_SERVER_PREFERENCE',
+ 'OP_TLS_ROLLBACK_BUG',
+ 'OP_PKCS1_CHECK_1',
+ 'OP_PKCS1_CHECK_2',
+ 'OP_NETSCAPE_CA_DN_BUG',
+ 'OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG',
+ 'OP_NO_COMPRESSION',
+ 'OP_NO_QUERY_MTU',
+ 'OP_COOKIE_EXCHANGE',
+ 'OP_NO_TICKET',
+ 'OP_ALL',
+ 'VERIFY_PEER',
+ 'VERIFY_FAIL_IF_NO_PEER_CERT',
+ 'VERIFY_CLIENT_ONCE',
+ 'VERIFY_NONE',
+ 'SESS_CACHE_OFF',
+ 'SESS_CACHE_CLIENT',
+ 'SESS_CACHE_SERVER',
+ 'SESS_CACHE_BOTH',
+ 'SESS_CACHE_NO_AUTO_CLEAR',
+ 'SESS_CACHE_NO_INTERNAL_LOOKUP',
+ 'SESS_CACHE_NO_INTERNAL_STORE',
+ 'SESS_CACHE_NO_INTERNAL',
+ 'SSL_ST_CONNECT',
+ 'SSL_ST_ACCEPT',
+ 'SSL_ST_MASK',
+ 'SSL_ST_INIT',
+ 'SSL_ST_BEFORE',
+ 'SSL_ST_OK',
+ 'SSL_ST_RENEGOTIATE',
+ 'SSL_CB_LOOP',
+ 'SSL_CB_EXIT',
+ 'SSL_CB_READ',
+ 'SSL_CB_WRITE',
+ 'SSL_CB_ALERT',
+ 'SSL_CB_READ_ALERT',
+ 'SSL_CB_WRITE_ALERT',
+ 'SSL_CB_ACCEPT_LOOP',
+ 'SSL_CB_ACCEPT_EXIT',
+ 'SSL_CB_CONNECT_LOOP',
+ 'SSL_CB_CONNECT_EXIT',
+ 'SSL_CB_HANDSHAKE_START',
+ 'SSL_CB_HANDSHAKE_DONE',
+ 'Error',
+ 'WantReadError',
+ 'WantWriteError',
+ 'WantX509LookupError',
+ 'ZeroReturnError',
+ 'SysCallError',
+ 'SSLeay_version',
+ 'Session',
+ 'Context',
+ 'Connection'
+]
+
try:
_memoryview = memoryview
except NameError:
@@ -55,9 +148,8 @@ TLSv1_2_METHOD = 6
OP_NO_SSLv2 = _lib.SSL_OP_NO_SSLv2
OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3
OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1
-
-OP_NO_TLSv1_1 = getattr(_lib, "SSL_OP_NO_TLSv1_1", 0)
-OP_NO_TLSv1_2 = getattr(_lib, "SSL_OP_NO_TLSv1_2", 0)
+OP_NO_TLSv1_1 = _lib.SSL_OP_NO_TLSv1_1
+OP_NO_TLSv1_2 = _lib.SSL_OP_NO_TLSv1_2
MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS
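Review bot: `OP_NO_TLSv1_1` and `OP_NO_TLSv1_2` are now read unconditionally from `_lib`, so on a binding that lacks them the module fails at import time instead of silently exporting `0` as the removed `getattr` fallback did. That is the safer behaviour for a flag callers use to pin TLS versions (a `0` option silently disabled nothing), and it presumably matches the `cryptography>=2.1.4` floor this commit sets in setup.py and the OpenSSL 1.0.1+ support statement in INSTALL.rst, but nothing at this site says why the fallback went away. A comment such as `# No getattr fallback: the cryptography floor in setup.py guarantees these symbols` would tie the two changes together for the next reader.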
@@ -129,6 +221,24 @@ SSL_CB_CONNECT_EXIT = _lib.SSL_CB_CONNECT_EXIT
SSL_CB_HANDSHAKE_START = _lib.SSL_CB_HANDSHAKE_START
SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HANDSHAKE_DONE
+# Taken from https://golang.org/src/crypto/x509/root_linux.go
+_CERTIFICATE_FILE_LOCATIONS = [
+ "/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Gentoo etc.
+ "/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL 6
+ "/etc/ssl/ca-bundle.pem", # OpenSUSE
+ "/etc/pki/tls/cacert.pem", # OpenELEC
+ "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", # CentOS/RHEL 7
+]
+
+_CERTIFICATE_PATH_LOCATIONS = [
+ "/etc/ssl/certs", # SLES10/SLES11
+]
+
+# These values are compared to output from cffi's ffi.string so they must be
+# byte strings.
+_CRYPTOGRAPHY_MANYLINUX1_CA_DIR = b"/opt/pyca/cryptography/openssl/certs"
+_CRYPTOGRAPHY_MANYLINUX1_CA_FILE = b"/opt/pyca/cryptography/openssl/cert.pem"
+
class Error(Exception):
"""
@@ -199,8 +309,9 @@ class _VerifyHelper(_CallbackExceptionHelper):
@wraps(callback)
def wrapper(ok, store_ctx):
- cert = X509.__new__(X509)
- cert._x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)
+ x509 = _lib.X509_STORE_CTX_get_current_cert(store_ctx)
+ _lib.X509_up_ref(x509)
+ cert = X509._from_raw_x509_ptr(x509)
error_number = _lib.X509_STORE_CTX_get_error(store_ctx)
error_depth = _lib.X509_STORE_CTX_get_error_depth(store_ctx)
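Review bot: `_lib.X509_up_ref(x509)` is applied to the result of `X509_STORE_CTX_get_current_cert(store_ctx)` with no NULL check; OpenSSL documents that accessor as returning NULL when no certificate is relevant to the error being reported, and an up-ref on a NULL pointer would take the process down from inside the handshake's verify path rather than surface a Python error. A guard such as `if x509 == _ffi.NULL:` ahead of the up-ref, with an explicit decision on what the user callback then receives (e.g. `cert = None`), keeps that case in Python; `_ffi` is already in scope in this module. The up-ref also changes ownership compared with the removed lines (the `X509` handed to the callback now presumably holds its own reference), which deserves a one-line comment like `# up_ref: the X509 wrapper owns this reference and releases it` so nobody removes the call as redundant. `_VerifyHelper.__init__` and the `wrapper` body both continue outside the hunk.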
@@ -286,10 +397,10 @@ class _NpnSelectHelper(_CallbackExceptionHelper):
instr = _ffi.buffer(in_, inlen)[:]
protolist = []
while instr:
- l = indexbytes(instr, 0)
- proto = instr[1:l + 1]
+ length = indexbytes(instr, 0)
+ proto = instr[1:length + 1]
protolist.append(proto)
- instr = instr[l + 1:]
+ instr = instr[length + 1:]
# Call the callback
outstr = callback(conn, protolist)
@@ -367,6 +478,137 @@ class _ALPNSelectHelper(_CallbackExceptionHelper):
)
+class _OCSPServerCallbackHelper(_CallbackExceptionHelper):
+ """
+ Wrap a callback such that it can be used as an OCSP callback for the server
+ side.
+
+ Annoyingly, OpenSSL defines one OCSP callback but uses it in two different
+ ways. For servers, that callback is expected to retrieve some OCSP data and
+ hand it to OpenSSL, and may return only SSL_TLSEXT_ERR_OK,
+ SSL_TLSEXT_ERR_FATAL, and SSL_TLSEXT_ERR_NOACK. For clients, that callback
+ is expected to check the OCSP data, and returns a negative value on error,
+ 0 if the response is not acceptable, or positive if it is. These are
+ mutually exclusive return code behaviours, and they mean that we need two
+ helpers so that we always return an appropriate error code if the user's
+ code throws an exception.
+
+ Given that we have to have two helpers anyway, these helpers are a bit more
+ helpery than most: specifically, they hide a few more of the OpenSSL
+ functions so that the user has an easier time writing these callbacks.
+
+ This helper implements the server side.
+ """
+
+ def __init__(self, callback):
+ _CallbackExceptionHelper.__init__(self)
+
+ @wraps(callback)
+ def wrapper(ssl, cdata):
... 11546 lines suppressed ...