diff -Nru pyopenssl-0.13/ChangeLog pyopenssl-0.13.1/ChangeLog --- pyopenssl-0.13/ChangeLog 2011-09-02 15:46:13.000000000 +0000 +++ pyopenssl-0.13.1/ChangeLog 2013-09-01 14:38:56.000000000 +0000 @@ -1,3 +1,10 @@ +2013-08-11 Christian Heimes + + * OpenSSL/crypto/x509ext.c: Fix handling of NULL bytes inside + subjectAltName general names when formatting an X509 extension + as a string. + * OpenSSL/crypto/x509.c: Fix memory leak in get_extension(). + 2011-09-02 Jean-Paul Calderone * Release 0.13 diff -Nru pyopenssl-0.13/debian/changelog pyopenssl-0.13.1/debian/changelog --- pyopenssl-0.13/debian/changelog 2014-03-31 22:57:41.000000000 +0000 +++ pyopenssl-0.13.1/debian/changelog 2014-05-23 18:03:07.000000000 +0000 
@@ -1,3 +1,60 @@ +pyopenssl (0.13.1-2ubuntu1) utopic; urgency=medium + + * Merge from debian remaining changes: + - remove tex4ht from Build-Depends (universe + - disable 10_fix_doc_buildsystem.patch and use upstream doc build + process. + + -- Dimitri John Ledkov Fri, 23 May 2014 18:54:26 +0100 + +pyopenssl (0.13.1-2) unstable; urgency=medium + + * debian/control + - add texlive-fonts-recommended to b-d, fixing a FTBFS; thanks to Daniel + Schepler for the report and Hideki Yamane for the patch; Closes: #739076 + - switch me to Maintainer (team to Uploaders) + * Switch to dh_python2 + * debian/{compat, control} + - bump compat to 9 + + -- Sandro Tosi Fri, 21 Feb 2014 20:43:50 +0100 + +pyopenssl (0.13.1-1) unstable; urgency=low + + [ Jakub Wilk ] + * Use canonical URIs for Vcs-* fields. + + [ Sandro Tosi ] + * New upstream release + - debian/patches/CVE-2013-4314.patch removed, merged upstream + * Acknowledge NMU; thanks Salvatore Bonaccorso; Closes: #722055 + * debian/patches/bts733366_make_symbol_optional.patch + - fix a FTBFS by making SSL_OP_MSIE_SSLV2_RSA_PADDING optional; thanks to + David Suárez for the report and to Mehdi Abaakouk for the patch; + Closes: #733366 + * debian/control + - bump Standards-Version to 3.9.5 (no changes needed) + * debian/copyright + - bump packaging copyright years + + -- Sandro Tosi Sun, 12 Jan 2014 22:15:57 +0100 + +pyopenssl (0.13-3.1) experimental; urgency=low + + * Non-maintainer upload. + * Add CVE-2013-4314.patch patch. + CVE-2013-4314: Fix hostname check bypassing vulnerability with server + certificates that have a null byte in the subjectAltName. (Closes: #722055) + + -- Salvatore Bonaccorso Sun, 15 Sep 2013 16:59:07 +0200 + +pyopenssl (0.13-3) experimental; urgency=low + + * debian/{control, rules} + - migrate to dh sequences, implicitly Closes: #675414 + + -- Sandro Tosi Wed, 29 Aug 2012 22:45:02 +0200 + pyopenssl (0.13-2ubuntu6) trusty; urgency=medium * No change rebuild to drop python3.3 compiled extension. 
@@ -550,4 +607,3 @@ * Initial version. -- Anders Hammarquist Mon, 23 Jul 2001 15:17:38 +0200 - diff -Nru pyopenssl-0.13/debian/compat pyopenssl-0.13.1/debian/compat --- pyopenssl-0.13/debian/compat 2012-05-07 01:03:38.000000000 +0000 +++ pyopenssl-0.13.1/debian/compat 2014-05-23 17:49:46.000000000 +0000 @@ -1 +1 @@ -5 +9 diff -Nru pyopenssl-0.13/debian/control pyopenssl-0.13.1/debian/control --- pyopenssl-0.13/debian/control 2012-05-07 01:11:43.000000000 +0000 +++ pyopenssl-0.13.1/debian/control 2014-05-23 18:01:37.000000000 +0000 @@ -2,13 +2,13 @@ Section: python Priority: optional Maintainer: Ubuntu Developers -XSBC-Original-Maintainer: Debian Python Modules Team -Uploaders: Sandro Tosi -Build-Depends: debhelper (>= 5.0.37.2), python-all-dev (>= 2.6.6-3~), python-all-dbg (>= 2.5.4-1~), python3-all-dev, python3-all-dbg, libssl-dev (>= 0.9.8), latex2html, lynx, openssl -Standards-Version: 3.9.3 +XSBC-Original-Maintainer: Sandro Tosi +Uploaders: Debian Python Modules Team +Build-Depends: debhelper (>= 9), python-all-dev (>= 2.5.4-1~), python-all-dbg (>= 2.5.4-1~), python3-all-dev, python3-all-dbg, dh-python, libssl-dev (>= 0.9.8), lynx, latex2html, texlive-latex-base, texlive-latex-recommended, openssl, texlive-fonts-recommended +Standards-Version: 3.9.5 Homepage: http://launchpad.net/pyopenssl -Vcs-Svn: svn://svn.debian.org/python-modules/packages/pyopenssl/trunk/ -Vcs-Browser: http://svn.debian.org/viewsvn/python-modules/packages/pyopenssl/trunk/ +Vcs-Svn: svn://anonscm.debian.org/python-modules/packages/pyopenssl/trunk/ +Vcs-Browser: http://anonscm.debian.org/viewvc/python-modules/packages/pyopenssl/trunk/ XS-Python-Version: all X-Python3-Version: >= 3.2 diff -Nru pyopenssl-0.13/debian/copyright pyopenssl-0.13.1/debian/copyright --- pyopenssl-0.13/debian/copyright 2012-05-07 01:03:38.000000000 +0000 +++ pyopenssl-0.13.1/debian/copyright 2014-05-23 17:49:46.000000000 +0000 
@@ -19,7 +19,7 @@ A copy of the Apache License (version 2) can be found in /usr/share/common-licenses/Apache-2.0 on Debian systems. -The Debian packaging is Copyright (C) 2008-2011, Sandro Tosi +The Debian packaging is Copyright (C) 2008-2014, Sandro Tosi and is licensed under the same terms as upstream code. The following files have different copyright info: diff -Nru pyopenssl-0.13/debian/patches/bts733366_make_symbol_optional.patch pyopenssl-0.13.1/debian/patches/bts733366_make_symbol_optional.patch --- pyopenssl-0.13/debian/patches/bts733366_make_symbol_optional.patch 1970-01-01 00:00:00.000000000 +0000 +++ pyopenssl-0.13.1/debian/patches/bts733366_make_symbol_optional.patch 2014-05-23 17:49:46.000000000 +0000 
@@ -0,0 +1,25 @@ +Description: Make SSL_OP_MSIE_SSLV2_RSA_PADDING optional + Since 0.9.7h SSL_OP_MSIE_SSLV2_RSA_PADDING has no effect and + it have been removed in version 0.9.8a + . + This patch makes it optional. +Author: Mehdi Abaakouk +Origin: https://bugs.launchpad.net/pyopenssl/+bug/1266521 +Bug: https://bugs.launchpad.net/pyopenssl/+bug/1266521 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733366 +Forwarded: not-needed +Last-Update: 2014-01-12 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/OpenSSL/ssl/ssl.c ++++ b/OpenSSL/ssl/ssl.c +@@ -211,7 +211,9 @@ do { + PyModule_AddIntConstant(module, "OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG", SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG); + PyModule_AddIntConstant(module, "OP_SSLREF2_REUSE_CERT_TYPE_BUG", SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG); + PyModule_AddIntConstant(module, "OP_MICROSOFT_BIG_SSLV3_BUFFER", SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER); ++#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING + PyModule_AddIntConstant(module, "OP_MSIE_SSLV2_RSA_PADDING", SSL_OP_MSIE_SSLV2_RSA_PADDING); ++#endif + PyModule_AddIntConstant(module, "OP_SSLEAY_080_CLIENT_DH_BUG", SSL_OP_SSLEAY_080_CLIENT_DH_BUG); + PyModule_AddIntConstant(module, "OP_TLS_D5_BUG", SSL_OP_TLS_D5_BUG); + PyModule_AddIntConstant(module, "OP_TLS_BLOCK_PADDING_BUG", SSL_OP_TLS_BLOCK_PADDING_BUG); diff -Nru pyopenssl-0.13/debian/patches/CVE-2013-4314.patch pyopenssl-0.13.1/debian/patches/CVE-2013-4314.patch --- pyopenssl-0.13/debian/patches/CVE-2013-4314.patch 2013-09-20 19:43:12.000000000 +0000 +++ pyopenssl-0.13.1/debian/patches/CVE-2013-4314.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,214 +0,0 @@ -Description: fix incorrect ssl cert validation via NUL byte in subjectAltName -Origin: backport, http://bazaar.launchpad.net/~exarkun/pyopenssl/trunk/revision/169 -Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=722055 - -Index: pyopenssl-0.13/OpenSSL/crypto/x509.c -=================================================================== ---- pyopenssl-0.13.orig/OpenSSL/crypto/x509.c 2011-09-02 11:46:13.000000000 -0400 -+++ pyopenssl-0.13/OpenSSL/crypto/x509.c 2013-09-20 15:38:11.043547355 -0400 -@@ -756,6 +756,7 @@ - - extobj = PyObject_New(crypto_X509ExtensionObj, &crypto_X509Extension_Type); - extobj->x509_extension = X509_EXTENSION_dup(ext); -+ extobj->dealloc = 1; - - return (PyObject*)extobj; - } -Index: pyopenssl-0.13/OpenSSL/crypto/x509ext.c -=================================================================== ---- pyopenssl-0.13.orig/OpenSSL/crypto/x509ext.c 2011-09-02 11:46:13.000000000 -0400 -+++ pyopenssl-0.13/OpenSSL/crypto/x509ext.c 2013-09-20 15:38:11.043547355 -0400 -@@ -236,19 +236,92 @@ - PyObject_Del(self); - } - -+ -+/* Special handling of subjectAltName. OpenSSL's builtin formatter, -+ * X509V3_EXT_print, mishandles NUL bytes allowing a truncated display that -+ * does not accurately reflect what's in the extension. 
-+ */ -+int -+crypto_X509Extension_str_subjectAltName(crypto_X509ExtensionObj *self, BIO *bio) { -+ GENERAL_NAMES *names; -+ const X509V3_EXT_METHOD *method = NULL; -+ long i, length, num; -+ const unsigned char *p; -+ -+ method = X509V3_EXT_get(self->x509_extension); -+ if (method == NULL) { -+ return -1; -+ } -+ -+ p = self->x509_extension->value->data; -+ length = self->x509_extension->value->length; -+ if (method->it) { -+ names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length, -+ ASN1_ITEM_ptr(method->it))); -+ } else { -+ names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length)); -+ } -+ if (names == NULL) { -+ return -1; -+ } -+ -+ num = sk_GENERAL_NAME_num(names); -+ for (i = 0; i < num; i++) { -+ GENERAL_NAME *name; -+ ASN1_STRING *as; -+ name = sk_GENERAL_NAME_value(names, i); -+ switch (name->type) { -+ case GEN_EMAIL: -+ BIO_puts(bio, "email:"); -+ as = name->d.rfc822Name; -+ BIO_write(bio, ASN1_STRING_data(as), -+ ASN1_STRING_length(as)); -+ break; -+ case GEN_DNS: -+ BIO_puts(bio, "DNS:"); -+ as = name->d.dNSName; -+ BIO_write(bio, ASN1_STRING_data(as), -+ ASN1_STRING_length(as)); -+ break; -+ case GEN_URI: -+ BIO_puts(bio, "URI:"); -+ as = name->d.uniformResourceIdentifier; -+ BIO_write(bio, ASN1_STRING_data(as), -+ ASN1_STRING_length(as)); -+ break; -+ default: -+ /* use builtin print for GEN_OTHERNAME, GEN_X400, -+ * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID -+ */ -+ GENERAL_NAME_print(bio, name); -+ } -+ /* trailing ', ' except for last element */ -+ if (i < (num - 1)) { -+ BIO_puts(bio, ", "); -+ } -+ } -+ sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free); -+ -+ return 0; -+} -+ - /* - * Print a nice text representation of the certificate request. 
- */ - static PyObject * --crypto_X509Extension_str(crypto_X509ExtensionObj *self) --{ -+crypto_X509Extension_str(crypto_X509ExtensionObj *self) { - int str_len; - char *tmp_str; - PyObject *str; - BIO *bio = BIO_new(BIO_s_mem()); - -- if (!X509V3_EXT_print(bio, self->x509_extension, 0, 0)) -- { -+ if (OBJ_obj2nid(self->x509_extension->object) == NID_subject_alt_name) { -+ if (crypto_X509Extension_str_subjectAltName(self, bio) == -1) { -+ BIO_free(bio); -+ exception_from_error_queue(crypto_Error); -+ return NULL; -+ } -+ } else if (!X509V3_EXT_print(bio, self->x509_extension, 0, 0)) { - BIO_free(bio); - exception_from_error_queue(crypto_Error); - return NULL; -@@ -267,7 +340,7 @@ - "X509Extension", - sizeof(crypto_X509ExtensionObj), - 0, -- (destructor)crypto_X509Extension_dealloc, -+ (destructor)crypto_X509Extension_dealloc, - NULL, /* print */ - NULL, /* getattr */ - NULL, /* setattr (setattrfunc)crypto_X509Name_setattr, */ -Index: pyopenssl-0.13/OpenSSL/test/test_crypto.py -=================================================================== ---- pyopenssl-0.13.orig/OpenSSL/test/test_crypto.py 2011-09-02 11:46:13.000000000 -0400 -+++ pyopenssl-0.13/OpenSSL/test/test_crypto.py 2013-09-20 15:40:54.055542869 -0400 -@@ -266,6 +266,38 @@ - """) - - -+# certificate with NULL bytes in subjectAltName and common name -+ -+nulbyteSubjectAltNamePEM = b("""-----BEGIN CERTIFICATE----- -+MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx -+DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ -+eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg -+RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y -+ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw -+NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI -+DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv -+ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt -+ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq 
-+hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB -+BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j -+pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P -+vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv -+KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA -+oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL -+08LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV -+HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E -+BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu -+Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251 -+bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA -+AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9 -+i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j -+HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk -+kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx -+VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW -+RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ= -+-----END CERTIFICATE-----""") -+ -+ - class X509ExtTests(TestCase): - """ - Tests for L{OpenSSL.crypto.X509Extension}. -@@ -856,6 +888,19 @@ - [(b("CN"), b("foo")), (b("OU"), b("bar"))]) - - -+ def test_load_nul_byte_attribute(self): -+ """ -+ An :py:class:`OpenSSL.crypto.X509Name` from an -+ :py:class:`OpenSSL.crypto.X509` instance loaded from a file can have a -+ NUL byte in the value of one of its attributes. -+ """ -+ cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM) -+ subject = cert.get_subject() -+ self.assertEqual( -+ "null.python.org\x00example.org", subject.commonName) -+ -+ -+ - class _PKeyInteractionTestsMixin: - """ - Tests which involve another thing and a PKey. 
-@@ -1382,6 +1427,24 @@ - self.assertRaises(TypeError, cert.get_extension, "hello") - - -+ def test_nullbyte_subjectAltName(self): -+ """ -+ The fields of a `subjectAltName` extension on an X509 may contain NUL -+ bytes and this value is reflected in the string representation of the -+ extension object. -+ """ -+ cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM) -+ -+ ext = cert.get_extension(3) -+ self.assertEqual(ext.get_short_name(), b('subjectAltName')) -+ self.assertEqual( -+ b("DNS:altnull.python.org\x00example.com, " -+ "email:null@python.org\x00user@example.org, " -+ "URI:http://null.python.org\x00http://example.org, " -+ "IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1\n"), -+ b(str(ext))) -+ -+ - def test_invalid_digest_algorithm(self): - """ - L{X509.digest} raises L{ValueError} if called with an unrecognized hash diff -Nru pyopenssl-0.13/debian/patches/series pyopenssl-0.13.1/debian/patches/series --- pyopenssl-0.13/debian/patches/series 2013-09-20 19:37:59.000000000 +0000 +++ pyopenssl-0.13.1/debian/patches/series 2014-05-23 17:50:07.000000000 +0000 @@ -1,3 +1,3 @@ #10_fix_doc_buildsystem.patch disable_test_set_default_verify_paths.patch -CVE-2013-4314.patch +bts733366_make_symbol_optional.patch diff -Nru pyopenssl-0.13/debian/rules pyopenssl-0.13.1/debian/rules --- pyopenssl-0.13/debian/rules 2012-05-07 01:12:14.000000000 +0000 +++ pyopenssl-0.13.1/debian/rules 2014-05-23 17:49:46.000000000 +0000 @@ -7,18 +7,20 @@ PY3VERS := $(shell py3versions -r -v) PYVERS := $(PY2VERS) $(PY3VERS) -build: build-arch build-indep -build-arch: build-stamp -build-indep: build-stamp -build-stamp: - dh_testdir +%: + dh $@ --with python2,python3 +override_dh_auto_build: set -e; \ for py in $(PYVERS); do \ python$$py setup.py build; \ python$$py-dbg setup.py build; \ done + $(MAKE) -C doc all + +override_dh_auto_test: +ifeq ($(filter nocheck,$(DEB_BUILD_OPTIONS)),) # run tests -for py in $(PYVERS); do \ for test in OpenSSL/test/test*; do \ 
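Review bot: The new `override_dh_auto_test` target keeps the test loop under `# run tests` prefixed with make's ignore-errors `-`, so a failing test run, including the NUL-byte subjectAltName regression tests this release ships, appears not to fail the build. Dropping the prefix, `for py in $(PYVERS); do \`, would leave the `DEB_BUILD_OPTIONS` `nocheck` guard as the only way to skip test results. This reading assumes `-for` is an unchanged context line carrying make's prefix rather than a removed line, as the same `-for` pattern under `override_dh_auto_clean` in the next hunk suggests; the collapsed hunk leaves that slightly ambiguous.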
@@ -27,16 +29,10 @@ PYTHONPATH=`ls -d build/lib_d.*-$$py || ls -d build/lib.*-$$py-pydebug` python$$py-dbg $$test; \ done; \ done +endif - $(MAKE) -C doc all - - touch build-stamp - -clean: - dh_testdir - dh_testroot - +override_dh_auto_clean: -for py in $(PYVERS); do \ python$$py setup.py clean --all; \ python$$py-dbg setup.py clean --all; \ @@ -50,13 +46,8 @@ dh_clean build-stamp version.pyc -install: DH_OPTIONS= -install: build - dh_testdir - dh_testroot - dh_clean -k - dh_installdirs - +override_dh_auto_install: DH_OPTIONS= +override_dh_auto_install: set -e; \ for py in $(PY2VERS); do \ echo "installing for python$$py ..."; \ 
@@ -74,44 +65,11 @@ find debian/python-openssl-dbg ! -type d ! -name '*_d.so' | xargs rm -f find debian/python-openssl-dbg -depth -empty -exec rmdir {} \; -# Build architecture-independent files here. -# Pass -i to all debhelper commands in this target to reduce clutter. -binary-indep: build install - dh_testdir -i - dh_testroot -i - dh_installdocs -i - dh_installexamples -i - dh_installchangelogs ChangeLog -i - dh_compress -i - dh_fixperms -i - dh_python2 -i - dh_python3 -i - dh_installdeb -i - dh_gencontrol -i - dh_md5sums -i - dh_builddeb -i - -# Build architecture-dependent files here. -binary-arch: build install - dh_testdir -a - dh_testroot -a - dh_installdocs -a - dh_installexamples -a - dh_installchangelogs ChangeLog -a +override_dh_installchangelogs: + dh_installchangelogs ChangeLog + +override_dh_strip: dh_strip -ppython-openssl --dbg-package=python-openssl-dbg dh_strip -ppython3-openssl --dbg-package=python3-openssl-dbg rm -rf debian/python-openssl-dbg/usr/share/doc/python-openssl-dbg ln -s python-openssl debian/python-openssl-dbg/usr/share/doc/python-openssl-dbg - dh_compress -a - dh_fixperms -a - dh_python2 -a - dh_python3 -a - dh_makeshlibs -a - dh_installdeb -a - dh_shlibdeps -a - dh_gencontrol -a - dh_md5sums -a - dh_builddeb -a - -binary: binary-indep binary-arch -.PHONY: build clean binary-indep binary-arch binary install diff -Nru pyopenssl-0.13/OpenSSL/crypto/x509.c pyopenssl-0.13.1/OpenSSL/crypto/x509.c --- pyopenssl-0.13/OpenSSL/crypto/x509.c 2011-09-02 15:46:13.000000000 +0000 +++ pyopenssl-0.13.1/OpenSSL/crypto/x509.c 2013-08-23 19:48:24.000000000 +0000 
@@ -756,6 +756,7 @@
 extobj = PyObject_New(crypto_X509ExtensionObj, &crypto_X509Extension_Type);
 extobj->x509_extension = X509_EXTENSION_dup(ext);
+ extobj->dealloc = 1;
 return (PyObject*)extobj;
 }
diff -Nru pyopenssl-0.13/OpenSSL/crypto/x509ext.c pyopenssl-0.13.1/OpenSSL/crypto/x509ext.c
--- pyopenssl-0.13/OpenSSL/crypto/x509ext.c 2011-09-02 15:46:13.000000000 +0000
+++ pyopenssl-0.13.1/OpenSSL/crypto/x509ext.c 2013-08-23 19:48:24.000000000 +0000
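Review bot: The new `extobj->dealloc = 1;` dereferences `extobj` straight after `PyObject_New`, whose NULL return is still unchecked, and the `X509_EXTENSION_dup` result stored one line above is unchecked as well. A guard such as `if (extobj == NULL) { return NULL; }` before the two assignments would keep an allocation failure from becoming a crash. If the dup fails, the new flag presumably hands a NULL `x509_extension` to the destructor; whether that is relied on to be harmless deserves a comment at the assignment. The enclosing `get_extension` body begins outside the hunk.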
@@ -236,19 +236,92 @@
 PyObject_Del(self);
 }
+
+/* Special handling of subjectAltName. OpenSSL's builtin formatter,
+ * X509V3_EXT_print, mishandles NUL bytes allowing a truncated display that
+ * does not accurately reflect what's in the extension.
+ */
+int
+crypto_X509Extension_str_subjectAltName(crypto_X509ExtensionObj *self, BIO *bio) {
+ GENERAL_NAMES *names;
+ const X509V3_EXT_METHOD *method = NULL;
+ long i, length, num;
+ const unsigned char *p;
+
+ method = X509V3_EXT_get(self->x509_extension);
+ if (method == NULL) {
+ return -1;
+ }
+
+ p = self->x509_extension->value->data;
+ length = self->x509_extension->value->length;
+ if (method->it) {
+ names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length,
+ ASN1_ITEM_ptr(method->it)));
+ } else {
+ names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length));
+ }
+ if (names == NULL) {
+ return -1;
+ }
+
+ num = sk_GENERAL_NAME_num(names);
+ for (i = 0; i < num; i++) {
+ GENERAL_NAME *name;
+ ASN1_STRING *as;
+ name = sk_GENERAL_NAME_value(names, i);
+ switch (name->type) {
+ case GEN_EMAIL:
+ BIO_puts(bio, "email:");
+ as = name->d.rfc822Name;
+ BIO_write(bio, ASN1_STRING_data(as),
+ ASN1_STRING_length(as));
+ break;
+ case GEN_DNS:
+ BIO_puts(bio, "DNS:");
+ as = name->d.dNSName;
+ BIO_write(bio, ASN1_STRING_data(as),
+ ASN1_STRING_length(as));
+ break;
+ case GEN_URI:
+ BIO_puts(bio, "URI:");
+ as = name->d.uniformResourceIdentifier;
+ BIO_write(bio, ASN1_STRING_data(as),
+ ASN1_STRING_length(as));
+ break;
+ default:
+ /* use builtin print for GEN_OTHERNAME, GEN_X400,
+ * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID
+ */
+ GENERAL_NAME_print(bio, name);
+ }
+ /* trailing ', ' except for last element */
+ if (i < (num - 1)) {
+ BIO_puts(bio, ", ");
+ }
+ }
+ sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
+
+ return 0;
+}
+
 /*
 * Print a nice text representation of the certificate request.
 */
 static PyObject *
-crypto_X509Extension_str(crypto_X509ExtensionObj *self)
-{
+crypto_X509Extension_str(crypto_X509ExtensionObj *self) {
 int str_len;
 char *tmp_str;
 PyObject *str;
 BIO *bio = BIO_new(BIO_s_mem());
- if (!X509V3_EXT_print(bio, self->x509_extension, 0, 0))
- {
+ if (OBJ_obj2nid(self->x509_extension->object) == NID_subject_alt_name) {
+ if (crypto_X509Extension_str_subjectAltName(self, bio) == -1) {
+ BIO_free(bio);
+ exception_from_error_queue(crypto_Error);
+ return NULL;
+ }
+ } else if (!X509V3_EXT_print(bio, self->x509_extension, 0, 0)) {
 BIO_free(bio);
 exception_from_error_queue(crypto_Error);
 return NULL;
@@ -267,7 +340,7 @@
 "X509Extension",
 sizeof(crypto_X509ExtensionObj),
 0,
- (destructor)crypto_X509Extension_dealloc,
+ (destructor)crypto_X509Extension_dealloc,
 NULL, /* print */
 NULL, /* getattr */
 NULL, /* setattr (setattrfunc)crypto_X509Name_setattr, */
diff -Nru pyopenssl-0.13/OpenSSL/test/test_crypto.py pyopenssl-0.13.1/OpenSSL/test/test_crypto.py
--- pyopenssl-0.13/OpenSSL/test/test_crypto.py 2011-09-02 15:46:13.000000000 +0000
+++ pyopenssl-0.13.1/OpenSSL/test/test_crypto.py 2013-08-23 19:48:24.000000000 +0000
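Review bot: `crypto_X509Extension_str_subjectAltName` is defined with external linkage and its return contract is undocumented, although the only caller visible here is `crypto_X509Extension_str` in the same file; `static int` plus a header comment such as `/* Returns 0 on success, -1 if the extension method or its GENERAL_NAMES could not be obtained; the caller reports the OpenSSL error queue. */` would state what the two `-1` paths mean. The `BIO_puts` and `BIO_write` results are ignored throughout the loop, so a failed write would yield a silently shortened representation rather than an error, the same failure mode this change exists to remove for NUL bytes; checking them and returning -1 would make the formatter fail closed. The `method == NULL` branch may return -1 with nothing on the error queue, so the exception the caller raises could carry no detail, which is worth confirming. The rest of `crypto_X509Extension_str`, where the BIO contents become the Python string and must be copied by length rather than as a C string, lies outside the hunk.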
@@ -265,6 +265,37 @@ -----END RSA PRIVATE KEY----- """) +# certificate with NULL bytes in subjectAltName and common name + +nulbyteSubjectAltNamePEM = b("""-----BEGIN CERTIFICATE----- +MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx +DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ +eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg +RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y +ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw +NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI +DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv +ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt +ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq +hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j +pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P +vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv +KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA +oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL +08LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV +HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E +BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu +Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251 +bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA +AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9 +i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j +HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk +kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx +VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW +RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ= +-----END CERTIFICATE-----""") + class X509ExtTests(TestCase): """ 
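Review bot: The new `nulbyteSubjectAltNamePEM` fixture has a validity window of one minute (the encoded UTCTime values decode to 130807131152Z and 130807131252Z), so it can only serve parsing and string-representation tests, never anything that performs chain or validity-period checks. A comment above the constant such as `# Expired fixture (valid 2013-08-07 13:11:52Z to 13:12:52Z); for parsing tests only.` would keep the next maintainer from reusing it in a verification test. The existing comment already names the NUL bytes in the subjectAltName and common name, which is the property the new tests depend on.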
@@ -856,6 +887,18 @@ [(b("CN"), b("foo")), (b("OU"), b("bar"))]) + def test_load_nul_byte_attribute(self): + """ + An L{X509Name} from an L{X509} instance loaded from a file can have a + NUL byte in the value of one of its attributes. + """ + cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM) + subject = cert.get_subject() + self.assertEqual( + "null.python.org\x00example.org", subject.commonName) + + + class _PKeyInteractionTestsMixin: """ Tests which involve another thing and a PKey. @@ -1382,6 +1425,24 @@ self.assertRaises(TypeError, cert.get_extension, "hello") + def test_nullbyte_subjectAltName(self): + """ + The fields of a I{subjectAltName} extension on an X509 may contain NUL + bytes and this value is reflected in the string representation of the + extension object. + """ + cert = load_certificate(FILETYPE_PEM, nulbyteSubjectAltNamePEM) + + ext = cert.get_extension(3) + self.assertEqual(ext.get_short_name(), b('subjectAltName')) + self.assertEqual( + b("DNS:altnull.python.org\x00example.com, " + "email:null@python.org\x00user@example.org, " + "URI:http://null.python.org\x00http://example.org, " + "IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1\n"), + b(str(ext))) + + def test_invalid_digest_algorithm(self): """ L{X509.digest} raises L{ValueError} if called with an unrecognized hash diff -Nru pyopenssl-0.13/OpenSSL/version.py pyopenssl-0.13.1/OpenSSL/version.py --- pyopenssl-0.13/OpenSSL/version.py 2011-09-02 15:46:13.000000000 +0000 +++ pyopenssl-0.13.1/OpenSSL/version.py 2013-08-23 20:10:28.000000000 +0000 @@ -6,4 +6,4 @@ pyOpenSSL - A simple wrapper around the OpenSSL library """ -__version__ = '0.13' +__version__ = '0.13.1' diff -Nru pyopenssl-0.13/PKG-INFO pyopenssl-0.13.1/PKG-INFO --- pyopenssl-0.13/PKG-INFO 2011-09-02 15:46:19.000000000 +0000 +++ pyopenssl-0.13.1/PKG-INFO 2013-09-01 14:39:06.000000000 +0000 
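Review bot: `test_nullbyte_subjectAltName` pins the exact `str(ext)` output, but its docstring does not say why the NUL bytes matter, so a later formatter change that shortened the output could be judged cosmetic; the debian changelog in this same diff ties the fix to CVE-2013-4314 and a hostname check bypass. Adding a sentence to the docstring, e.g. `Regression test: the formatter must emit the whole name rather than stopping at the first NUL byte, since the truncated form enabled the hostname check bypass tracked as CVE-2013-4314.`, records that intent; the same note fits `test_load_nul_byte_attribute` in the hunk above it. The `get_short_name` assertion already guards the hard-coded `get_extension(3)` index, so no code change is needed there.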
@@ -1,15 +1,15 @@ Metadata-Version: 1.0 Name: pyOpenSSL -Version: 0.13 +Version: 0.13.1 Summary: Python wrapper module around the OpenSSL library Home-page: http://pyopenssl.sourceforge.net/ Author: Jean-Paul Calderone Author-email: exarkun@twistedmatrix.com License: APL2 Description: High-level wrapper around a subset of the OpenSSL library, includes - * SSL.Connection objects, wrapping the methods of Python's portable - sockets - * Callbacks written in Python - * Extensive error-handling mechanism, mirroring OpenSSL's error codes + * SSL.Connection objects, wrapping the methods of Python's portable + sockets + * Callbacks written in Python + * Extensive error-handling mechanism, mirroring OpenSSL's error codes ... and much more ;) Platform: UNKNOWN diff -Nru pyopenssl-0.13/setup.py pyopenssl-0.13.1/setup.py --- pyopenssl-0.13/setup.py 2011-09-02 15:46:13.000000000 +0000 +++ pyopenssl-0.13.1/setup.py 2013-08-23 20:10:07.000000000 +0000 @@ -15,7 +15,7 @@ from distutils.command.build_ext import build_ext # XXX Deduplicate this -__version__ = '0.13' +__version__ = '0.13.1' crypto_src = ['OpenSSL/crypto/crypto.c', 'OpenSSL/crypto/x509.c', 'OpenSSL/crypto/x509name.c', 'OpenSSL/crypto/pkey.c',