diff -Nru pyopenssl-17.5.0/CHANGELOG.rst pyopenssl-18.0.0/CHANGELOG.rst --- pyopenssl-17.5.0/CHANGELOG.rst 2017-12-01 02:16:17.000000000 +0000 +++ pyopenssl-18.0.0/CHANGELOG.rst 2018-05-16 19:14:32.000000000 +0000 @@ -4,6 +4,36 @@ Versions are year-based with a strict backward-compatibility policy. The third digit is only for regressions. +18.0.0 (2018-05-16) +------------------- + + +Backward-incompatible changes: +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +- The minimum ``cryptography`` version is now 2.2.1. +- Support for Python 2.6 has been dropped. + + +Deprecations: +^^^^^^^^^^^^^ + +*none* + + +Changes: +^^^^^^^^ + +- Added ``Connection.get_certificate`` to retrieve the local certificate. + `#733 `_ +- ``OpenSSL.SSL.Connection`` now sets ``SSL_MODE_AUTO_RETRY`` by default. + `#753 `_ +- Added ``Context.set_tlsext_use_srtp`` to enable negotiation of SRTP keying material. + `#734 `_ + + +---- + 17.5.0 (2017-11-30) ------------------- @@ -11,7 +41,7 @@ Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* The minimum ``cryptography`` version is now 2.1.4. +- The minimum ``cryptography`` version is now 2.1.4. Deprecations: diff -Nru pyopenssl-17.5.0/debian/changelog pyopenssl-18.0.0/debian/changelog --- pyopenssl-17.5.0/debian/changelog 2018-05-29 14:26:51.000000000 +0000 +++ pyopenssl-18.0.0/debian/changelog 2018-06-09 22:48:34.000000000 +0000 
@@ -1,3 +1,34 @@ +pyopenssl (18.0.0-1) unstable; urgency=medium + + [ Ondřej Nový ] + * d/control: + - Set Vcs-* to salsa.debian.org + - Remove python{,3}-all duplicates in B-D + - Remove ancient X-Python3-Version field + - Remove empty line at the end of file + - Bump Standards-Version to 4.1.4 (no changes needed) + * d/copyright: + - Use https protocol in Format field + - Rename shortname of licence from "Apache 2.0" to "Apache-2.0" + - Fix public domain license + - Mention license of examples/proxy.py + * d/changelog: Remove trailing whitespaces + * d/rules: Remove trailing whitespaces + + [ Sandro Tosi ] + * New upstream release + * debian/patches/0001-disable-test_set_default_verify_paths-since-it-tries.patch + - refreshed to new upstream release + * debian/patches/0003-Don-t-add-not-supported-SSL_ST_-into-_all_.patch + - dropped, released upstream + * debian/control + - bump cryptography dependency to >= 2.2.1 + - bump pytest build-dep to >= 3.0.1 + * debian/copyright + - extend packaging copyright years + + -- Sandro Tosi Sat, 09 Jun 2018 18:48:34 -0400 + pyopenssl (17.5.0-1.1) unstable; urgency=medium * Non-maintainer upload. @@ -148,7 +179,7 @@ [ Jakub Wilk ] * Use canonical URIs for Vcs-* fields. - + [ Sandro Tosi ] * New upstream release - debian/patches/CVE-2013-4314.patch removed, merged upstream @@ -377,7 +408,7 @@ - fixing commands to refer to new packages names [ Piotr Ożarowski ] - * Add python-pyopenssl to python-openssl's Conflicts, Replaces and Provides + * Add python-pyopenssl to python-openssl's Conflicts, Replaces and Provides -- Sandro Tosi Mon, 25 Feb 2008 22:39:45 +0100 
@@ -611,7 +642,7 @@ pyopenssl (0.3-2) unstable; urgency=low - * X509Name objects now has a compare method + * X509Name objects now has a compare method -- Martin Sjögren Tue, 7 Aug 2001 10:53:58 +0200 diff -Nru pyopenssl-17.5.0/debian/control pyopenssl-18.0.0/debian/control --- pyopenssl-17.5.0/debian/control 2017-12-13 04:52:40.000000000 +0000 +++ pyopenssl-18.0.0/debian/control 2018-06-09 22:48:34.000000000 +0000 
@@ -3,17 +3,16 @@ Priority: optional Maintainer: Sandro Tosi Uploaders: Debian Python Modules Team -Build-Depends: debhelper (>= 9), python-all, python3-all, dh-python, python3-sphinx (>= 1.0.7+dfsg), python-setuptools, python3-setuptools, python-cryptography (>= 2.1.4), python3-cryptography (>= 2.1.4), python-six, python3-six, python-pytest (>= 2.8.5), python3-pytest (>= 2.8.5), python-cffi, python3-cffi, python-all, python3-all, python3-sphinx-rtd-theme, python-pretend, python3-pretend, python-flaky, python3-flaky -Standards-Version: 4.1.2 +Build-Depends: debhelper (>= 9), python-all, python3-all, dh-python, python3-sphinx (>= 1.0.7+dfsg), python-setuptools, python3-setuptools, python-cryptography (>= 2.2.1), python3-cryptography (>= 2.2.1), python-six, python3-six, python-pytest (>= 3.0.1), python3-pytest (>= 3.0.1), python-cffi, python3-cffi, python3-sphinx-rtd-theme, python-pretend, python3-pretend, python-flaky, python3-flaky +Standards-Version: 4.1.4 Homepage: https://pyopenssl.org/ -Vcs-Git: https://anonscm.debian.org/git/python-modules/packages/pyopenssl.git -Vcs-Browser: https://anonscm.debian.org/cgit/python-modules/packages/pyopenssl.git +Vcs-Git: https://salsa.debian.org/python-team/modules/pyopenssl.git +Vcs-Browser: https://salsa.debian.org/python-team/modules/pyopenssl XS-Python-Version: all -X-Python3-Version: >= 3.2 Package: python-openssl Architecture: all -Depends: ${python:Depends}, ${shlibs:Depends}, ${misc:Depends}, python-cryptography (>= 2.1.4) +Depends: ${python:Depends}, ${shlibs:Depends}, ${misc:Depends}, python-cryptography (>= 2.2.1) Suggests: python-openssl-doc, python-openssl-dbg Description: Python 2 wrapper around the OpenSSL library High-level wrapper around a subset of the OpenSSL library, includes 
@@ -48,7 +47,7 @@ Package: python3-openssl Architecture: all -Depends: ${python3:Depends}, ${shlibs:Depends}, ${misc:Depends}, python3-cryptography (>= 2.1.4) +Depends: ${python3:Depends}, ${shlibs:Depends}, ${misc:Depends}, python3-cryptography (>= 2.2.1) Suggests: python-openssl-doc, python3-openssl-dbg Description: Python 3 wrapper around the OpenSSL library High-level wrapper around a subset of the OpenSSL library, includes @@ -63,4 +62,3 @@ corresponding function in the OpenSSL library. . This package contains the Python 3 version of pyopenssl. - diff -Nru pyopenssl-17.5.0/debian/copyright pyopenssl-18.0.0/debian/copyright --- pyopenssl-17.5.0/debian/copyright 2017-12-13 04:52:40.000000000 +0000 +++ pyopenssl-18.0.0/debian/copyright 2018-06-09 22:48:34.000000000 +0000 
@@ -1,44 +1,47 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: pyOpenSSL Source: https://github.com/pyca/pyopenssl Files: * Copyright: Copyright (C) 2008-2015 Jean-Paul Calderone, All rights reserved -License: Apache 2.0 +License: Apache-2.0 Files: debian/* -Copyright: Copyright (C) 2008-2017, Sandro Tosi -License: Apache 2.0 +Copyright: Copyright (C) 2008-2018, Sandro Tosi +License: Apache-2.0 -License: Apache 2.0 +License: Apache-2.0 A copy of the Apache License (version 2) can be found in /usr/share/common-licenses/Apache-2.0 on Debian systems. Files: examples/simple/*.py examples/certgen.py src/OpenSSL/version.py Copyright: Copyright (C) AB Strakt Copyright (C) Jean-Paul Calderone -License: Apache 2.0 +License: Apache-2.0 Files: examples/SecureXMLRPCServer.py -Note: Written 0907.2002 by Michal Wallace -License: This code is in the public domain. +Copyright: This code is in the public domain. +License: public-domain + Written 0907.2002 by Michal Wallace + It is provided AS-IS WITH NO WARRANTY WHATSOEVER. Files: examples/proxy.py -Author: Mihai Ibanescu +Copyright: Copyright (c) Mihai Ibanescu +License: Apache-2.0 Files: tests/test_rand.py Copyright: Copyright (c) Frederick Dean -License: Apache 2.0 +License: Apache-2.0 Files: tests/util.py Copyright: Copyright (C) Jean-Paul Calderone Copyright (C) Twisted Matrix Laboratories. -License: Apache 2.0 +License: Apache-2.0 Files: src/OpenSSL/__init__.py Copyright: Copyright (C) AB Strakt -License: Apache 2.0 +License: Apache-2.0 Files: tests/conftest.py Copyright: Copyright (c) The pyOpenSSL developers -License: Apache 2.0 +License: Apache-2.0 diff -Nru pyopenssl-17.5.0/debian/.git-dpm pyopenssl-18.0.0/debian/.git-dpm --- pyopenssl-17.5.0/debian/.git-dpm 2017-12-13 04:52:40.000000000 +0000 +++ pyopenssl-18.0.0/debian/.git-dpm 2018-06-09 22:48:34.000000000 +0000 
@@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -17fe01f6b1f88173975523536bb2530561f38703 -17fe01f6b1f88173975523536bb2530561f38703 +6e8bdca4fcc67154a7f96adce5825319e211f517 +6e8bdca4fcc67154a7f96adce5825319e211f517 ece132987aa1ce8adb0367287b41c4d349633896 ece132987aa1ce8adb0367287b41c4d349633896 pyopenssl_17.5.0.orig.tar.gz diff -Nru pyopenssl-17.5.0/debian/patches/0001-disable-test_set_default_verify_paths-since-it-tries.patch pyopenssl-18.0.0/debian/patches/0001-disable-test_set_default_verify_paths-since-it-tries.patch --- pyopenssl-17.5.0/debian/patches/0001-disable-test_set_default_verify_paths-since-it-tries.patch 2017-12-13 04:52:40.000000000 +0000 +++ pyopenssl-18.0.0/debian/patches/0001-disable-test_set_default_verify_paths-since-it-tries.patch 2018-06-09 22:48:34.000000000 +0000 @@ -1,18 +1,17 @@ -From d576c2a816de6adbfa4c3544aafb93b8c1468e7b Mon Sep 17 00:00:00 2001 From: SVN-Git Migration Date: Thu, 8 Oct 2015 10:47:52 -0700 Subject: disable test_set_default_verify_paths since it tries to access the web --- - tests/test_ssl.py | 28 ++++++++++++++++------------ - 1 file changed, 16 insertions(+), 12 deletions(-) + tests/test_ssl.py | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/tests/test_ssl.py b/tests/test_ssl.py -index 03dd935..a95a898 100644 +index 0831904..7ace6f8 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py -@@ -1183,6 +1183,7 @@ class TestContext(object): +@@ -1179,6 +1179,7 @@ class TestContext(object): platform == "win32", reason="set_default_verify_paths appears not to work on Windows. " "See LP#404343 and LP#404344." @@ -20,7 +19,7 @@ ) def test_set_default_verify_paths(self): """ -@@ -1196,19 +1197,22 @@ class TestContext(object): +@@ -1192,20 +1193,22 @@ class TestContext(object): # internet which has such a certificate. Connecting to the network # in a unit test is bad, but it's the only way I can think of to # really test this. -exarkun 
@@ -29,6 +28,15 @@ - context.set_verify( - VERIFY_PEER, - lambda conn, cert, errno, depth, preverify_ok: preverify_ok) +- +- client = socket() +- client.connect(("encrypted.google.com", 443)) +- clientSSL = Connection(context, client) +- clientSSL.set_connect_state() +- clientSSL.set_tlsext_host_name(b"encrypted.google.com") +- clientSSL.do_handshake() +- clientSSL.send(b"GET / HTTP/1.0\r\n\r\n") +- assert clientSSL.recv(1024) + pass + + #context = Context(SSLv23_METHOD) @@ -41,17 +49,10 @@ + #client.connect(("encrypted.google.com", 443)) + #clientSSL = Connection(context, client) + #clientSSL.set_connect_state() ++ #clientSSL.set_tlsext_host_name(b"encrypted.google.com") + #clientSSL.do_handshake() + #clientSSL.send(b"GET / HTTP/1.0\r\n\r\n") + #assert clientSSL.recv(1024) -- client = socket() -- client.connect(("encrypted.google.com", 443)) -- clientSSL = Connection(context, client) -- clientSSL.set_connect_state() -- clientSSL.do_handshake() -- clientSSL.send(b"GET / HTTP/1.0\r\n\r\n") -- assert clientSSL.recv(1024) - def test_fallback_path_is_not_file_or_dir(self): """ diff -Nru pyopenssl-17.5.0/debian/patches/0002-pass-PYTHONPATH-when-building-HTML-doc.patch pyopenssl-18.0.0/debian/patches/0002-pass-PYTHONPATH-when-building-HTML-doc.patch --- pyopenssl-17.5.0/debian/patches/0002-pass-PYTHONPATH-when-building-HTML-doc.patch 2017-12-13 04:52:40.000000000 +0000 +++ pyopenssl-18.0.0/debian/patches/0002-pass-PYTHONPATH-when-building-HTML-doc.patch 2018-06-09 22:48:34.000000000 +0000 @@ -1,4 +1,3 @@ -From 17fe01f6b1f88173975523536bb2530561f38703 Mon Sep 17 00:00:00 2001 
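Review bot: Replacing the body of test_set_default_verify_paths with `pass` (the `+ pass` line near the top of this hunk) makes the test report as passed while it no longer exercises `Context.set_default_verify_paths` at all, so a regression in loading the platform CA store would presumably go unnoticed on Debian builds. A skip is more honest and keeps the reason visible in the test report: `pytest.skip("disabled in Debian: connects to encrypted.google.com")` in place of `pass`, or a `@pytest.mark.skip(reason=...)` marker next to the existing `platform == "win32"` skipif; the `reason=` in that marker suggests pytest is already imported, but the import is outside the hunk. The commented-out copy of the old body (now also carrying `#clientSSL.set_tlsext_host_name(b"encrypted.google.com")`) is dead code that has to be re-synced with upstream on every refresh; a one-line comment naming the upstream test is enough. The enclosing function starts in the previous hunk, outside this one.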
From: Sandro Tosi Date: Wed, 13 Apr 2016 21:03:53 +0100 Subject: pass PYTHONPATH when building HTML doc diff -Nru pyopenssl-17.5.0/debian/patches/0003-Don-t-add-not-supported-SSL_ST_-into-_all_.patch pyopenssl-18.0.0/debian/patches/0003-Don-t-add-not-supported-SSL_ST_-into-_all_.patch --- pyopenssl-17.5.0/debian/patches/0003-Don-t-add-not-supported-SSL_ST_-into-_all_.patch 2018-05-29 14:26:51.000000000 +0000 +++ pyopenssl-18.0.0/debian/patches/0003-Don-t-add-not-supported-SSL_ST_-into-_all_.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,38 +0,0 @@ -From 6e8bdca4fcc67154a7f96adce5825319e211f517 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20Nov=C3=BD?= -Date: Thu, 1 Mar 2018 14:56:53 +0100 -Subject: Don't add not supported SSL_ST_* into _all_ - -Origin: https://github.com/pyca/pyopenssl/commit/993c4e4afc4274019bdb835b64191afeed6c13b7 ---- - src/OpenSSL/SSL.py | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py -index b664254..fce973a 100644 ---- a/src/OpenSSL/SSL.py -+++ b/src/OpenSSL/SSL.py -@@ -87,10 +87,6 @@ __all__ = [ - 'SSL_ST_CONNECT', - 'SSL_ST_ACCEPT', - 'SSL_ST_MASK', -- 'SSL_ST_INIT', -- 'SSL_ST_BEFORE', -- 'SSL_ST_OK', -- 'SSL_ST_RENEGOTIATE', - 'SSL_CB_LOOP', - 'SSL_CB_EXIT', - 'SSL_CB_READ', -@@ -206,6 +202,12 @@ if _lib.Cryptography_HAS_SSL_ST: - SSL_ST_BEFORE = _lib.SSL_ST_BEFORE - SSL_ST_OK = _lib.SSL_ST_OK - SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE -+ __all__.extend([ -+ 'SSL_ST_INIT', -+ 'SSL_ST_BEFORE', -+ 'SSL_ST_OK', -+ 'SSL_ST_RENEGOTIATE', -+ ]) - - SSL_CB_LOOP = _lib.SSL_CB_LOOP - SSL_CB_EXIT = _lib.SSL_CB_EXIT diff -Nru pyopenssl-17.5.0/debian/patches/series pyopenssl-18.0.0/debian/patches/series --- pyopenssl-17.5.0/debian/patches/series 2018-05-29 14:26:51.000000000 +0000 +++ pyopenssl-18.0.0/debian/patches/series 2018-06-09 22:48:34.000000000 +0000 
@@ -1,3 +1,2 @@ 0001-disable-test_set_default_verify_paths-since-it-tries.patch 0002-pass-PYTHONPATH-when-building-HTML-doc.patch -0003-Don-t-add-not-supported-SSL_ST_-into-_all_.patch diff -Nru pyopenssl-17.5.0/debian/rules pyopenssl-18.0.0/debian/rules --- pyopenssl-17.5.0/debian/rules 2017-12-13 04:52:40.000000000 +0000 +++ pyopenssl-18.0.0/debian/rules 2018-06-09 22:48:34.000000000 +0000 @@ -1,6 +1,6 @@ #!/usr/bin/make -f -# Uncomment this to turn on verbose mode. +# Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 export LC_ALL=C.UTF-8 @@ -32,7 +32,7 @@ PYTHONPATH=$$LIB py.test-3 ;\ done endif - + override_dh_auto_clean: -for py in $(PYVERS); do \ diff -Nru pyopenssl-17.5.0/doc/api/crypto.rst pyopenssl-18.0.0/doc/api/crypto.rst --- pyopenssl-17.5.0/doc/api/crypto.rst 2017-12-01 02:16:17.000000000 +0000 +++ pyopenssl-18.0.0/doc/api/crypto.rst 2018-05-16 19:14:32.000000000 +0000 @@ -16,27 +16,9 @@ Elliptic curves --------------- -.. py:function:: get_elliptic_curves - - Return a set of objects representing the elliptic curves supported in the - OpenSSL build in use. - - The curve objects have a :py:class:`unicode` ``name`` attribute by which - they identify themselves. - - The curve objects are useful as values for the argument accepted by - :py:meth:`Context.set_tmp_ecdh` to specify which elliptical curve should be - used for ECDHE key exchange. - - -.. py:function:: get_elliptic_curve(name) - - Return a single curve object selected by *name*. - - See :py:func:`get_elliptic_curves` for information about curve objects. - - If the named curve is not supported then :py:class:`ValueError` is raised. +.. autofunction:: get_elliptic_curves +.. autofunction:: get_elliptic_curve Serialization and deserialization --------------------------------- 
@@ -54,42 +36,23 @@ Certificates ~~~~~~~~~~~~ -.. py:function:: dump_certificate(type, cert) - - Dump the certificate *cert* into a buffer string encoded with the type - *type*. - -.. py:function:: load_certificate(type, buffer) +.. autofunction:: dump_certificate - Load a certificate (X509) from the string *buffer* encoded with the - type *type*. +.. autofunction:: load_certificate Certificate signing requests ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.. py:function:: dump_certificate_request(type, req) +.. autofunction:: dump_certificate_request - Dump the certificate request *req* into a buffer string encoded with the - type *type*. - -.. py:function:: load_certificate_request(type, buffer) - - Load a certificate request (X509Req) from the string *buffer* encoded with - the type *type*. +.. autofunction:: load_certificate_request Private keys ~~~~~~~~~~~~ .. autofunction:: dump_privatekey -.. py:function:: load_privatekey(type, buffer[, passphrase]) - - Load a private key (PKey) from the string *buffer* encoded with the type - *type* (must be one of :py:const:`FILETYPE_PEM` and - :py:const:`FILETYPE_ASN1`). - - *passphrase* must be either a string or a callback for providing the pass - phrase. +.. autofunction:: load_privatekey Public keys ~~~~~~~~~~~ 
@@ -103,53 +66,18 @@ .. autofunction:: dump_crl -.. py:function:: load_crl(type, buffer) - - Load Certificate Revocation List (CRL) data from a string *buffer*. - *buffer* encoded with the type *type*. The type *type* must either - :py:const:`FILETYPE_PEM` or :py:const:`FILETYPE_ASN1`). - - -.. py:function:: load_pkcs7_data(type, buffer) - - Load pkcs7 data from the string *buffer* encoded with the type - *type*. The type *type* must either :py:const:`FILETYPE_PEM` or - :py:const:`FILETYPE_ASN1`). - +.. autofunction:: load_crl -.. py:function:: load_pkcs12(buffer[, passphrase]) +.. autofunction:: load_pkcs7_data - Load pkcs12 data from the string *buffer*. If the pkcs12 structure is - encrypted, a *passphrase* must be included. The MAC is always - checked and thus required. - - See also the man page for the C function :py:func:`PKCS12_parse`. +.. autofunction:: load_pkcs12 Signing and verifying signatures -------------------------------- -.. py:function:: sign(key, data, digest) - - Sign a data string using the given key and message digest. - - *key* is a :py:class:`PKey` instance. *data* is a ``str`` instance. - *digest* is a ``str`` naming a supported message digest type, for example - :py:const:`b"sha256"`. - - .. versionadded:: 0.11 - +.. autofunction:: sign -.. py:function:: verify(certificate, signature, data, digest) - - Verify the signature for a data string. - - *certificate* is a :py:class:`X509` instance corresponding to the private - key which generated the signature. *signature* is a *str* instance giving - the signature itself. *data* is a *str* instance giving the data to which - the signature applies. *digest* is a *str* instance naming the message - digest type of the signature, for example :py:const:`b"sha256"`. - - .. versionadded:: 0.11 +.. autofunction:: verify .. _openssl-x509: 
@@ -243,25 +171,8 @@ PKCS7 objects have the following methods: -.. py:method:: PKCS7.type_is_signed() - - FIXME - -.. py:method:: PKCS7.type_is_enveloped() - - FIXME - -.. py:method:: PKCS7.type_is_signedAndEnveloped() - - FIXME - -.. py:method:: PKCS7.type_is_data() - - FIXME - -.. py:method:: PKCS7.get_type_name() - - Get the type name of the PKCS7. +.. autoclass:: PKCS7 + :members: .. _openssl-pkcs12: diff -Nru pyopenssl-17.5.0/doc/api/ssl.rst pyopenssl-18.0.0/doc/api/ssl.rst --- pyopenssl-17.5.0/doc/api/ssl.rst 2017-12-01 02:16:17.000000000 +0000 +++ pyopenssl-18.0.0/doc/api/ssl.rst 2018-05-16 19:14:32.000000000 +0000 @@ -118,11 +118,7 @@ for details. -.. py:function:: SSLeay_version(type) - - Retrieve a string describing some aspect of the underlying OpenSSL version. The - type passed in should be one of the :py:const:`SSLEAY_*` constants defined in - this module. +.. autofunction:: SSLeay_version .. py:data:: ContextType @@ -130,23 +126,9 @@ See :py:class:`Context`. -.. py:class:: Context(method) - - A class representing SSL contexts. Contexts define the parameters of one or - more SSL connections. - - *method* should be :py:const:`SSLv2_METHOD`, :py:const:`SSLv3_METHOD`, - :py:const:`SSLv23_METHOD`, :py:const:`TLSv1_METHOD`, :py:const:`TLSv1_1_METHOD`, - or :py:const:`TLSv1_2_METHOD`. - - -.. py:class:: Session() +.. autoclass:: Context - A class representing an SSL session. A session defines certain connection - parameters which may be re-used to speed up the setup of subsequent - connections. - - .. versionadded:: 0.14 +.. autoclass:: Session .. py:data:: ConnectionType 
@@ -236,283 +218,8 @@ Context objects have the following methods: -.. :py:class:: OpenSSL.SSL.Context - -.. py:method:: Context.check_privatekey() - - Check if the private key (loaded with :py:meth:`use_privatekey`) matches the - certificate (loaded with :py:meth:`use_certificate`). Returns - :py:data:`None` if they match, raises :py:exc:`Error` otherwise. - - -.. py:method:: Context.get_app_data() - - Retrieve application data as set by :py:meth:`set_app_data`. - - -.. py:method:: Context.get_cert_store() - - Retrieve the certificate store (a X509Store object) that the context uses. - This can be used to add "trusted" certificates without using the - :py:meth:`load_verify_locations` method. - - -.. py:method:: Context.get_timeout() - - Retrieve session timeout, as set by :py:meth:`set_timeout`. The default is 300 - seconds. - - -.. py:method:: Context.get_verify_depth() - - Retrieve the Context object's verify depth, as set by - :py:meth:`set_verify_depth`. - - -.. py:method:: Context.get_verify_mode() - - Retrieve the Context object's verify mode, as set by :py:meth:`set_verify`. - - -.. automethod:: Context.load_client_ca - - -.. py:method:: Context.set_client_ca_list(certificate_authorities) - - Replace the current list of preferred certificate signers that would be - sent to the client when requesting a client certificate with the - *certificate_authorities* sequence of :py:class:`OpenSSL.crypto.X509Name`'s. - - .. versionadded:: 0.10 - - -.. py:method:: Context.add_client_ca(certificate_authority) - - Extract a :py:class:`OpenSSL.crypto.X509Name` from the *certificate_authority* - :py:class:`OpenSSL.crypto.X509` certificate and add it to the list of preferred - certificate signers sent to the client when requesting a client certificate. - - .. versionadded:: 0.10 - - -.. py:method:: Context.load_verify_locations(pemfile, capath) - - Specify where CA certificates for verification purposes are located. These - are trusted certificates. 
Note that the certificates have to be in PEM - format. If capath is passed, it must be a directory prepared using the - ``c_rehash`` tool included with OpenSSL. Either, but not both, of - *pemfile* or *capath* may be :py:data:`None`. - - -.. py:method:: Context.set_default_verify_paths() - - Specify that the platform provided CA certificates are to be used for verification purposes. - This method has some caveats related to the binary wheels that cryptography (pyOpenSSL's primary dependency) ships: - - * macOS will only load certificates using this method if the user has the ``openssl@1.1`` `Homebrew `_ formula installed in the default location. - * Windows will not work. - * manylinux1 cryptography wheels will work on most common Linux distributions in pyOpenSSL 17.1.0 and above. - pyOpenSSL detects the manylinux1 wheel and attempts to load roots via a fallback path. - - -.. py:method:: Context.load_tmp_dh(dhfile) - - Load parameters for Ephemeral Diffie-Hellman from *dhfile*. - - -.. py:method:: Context.set_tmp_ecdh(curve) - - Select a curve to use for ECDHE key exchange. - - The valid values of *curve* are the objects returned by - :py:func:`OpenSSL.crypto.get_elliptic_curves` or - :py:func:`OpenSSL.crypto.get_elliptic_curve`. - - -.. py:method:: Context.set_app_data(data) - - Associate *data* with this Context object. *data* can be retrieved - later using the :py:meth:`get_app_data` method. - - -.. automethod:: Context.set_cipher_list - -.. py:method:: Context.set_info_callback(callback) - - Set the information callback to *callback*. This function will be called - from time to time during SSL handshakes. - - *callback* should take three arguments: a Connection object and two integers. - The first integer specifies where in the SSL handshake the function was - called, and the other the return code from a (possibly failed) internal - function call. - - -.. py:method:: Context.set_options(options) - - Add SSL options. Options you have set before are not cleared! 
- This method should be used with the :py:const:`OP_*` constants. - - -.. py:method:: Context.set_mode(mode) - - Add SSL mode. Modes you have set before are not cleared! This method should - be used with the :py:const:`MODE_*` constants. - - -.. py:method:: Context.set_passwd_cb(callback[, userdata]) - - Set the passphrase callback to *callback*. This function will be called - when a private key with a passphrase is loaded. *callback* must accept - three positional arguments. First, an integer giving the maximum length of - the passphrase it may return. If the returned passphrase is longer than - this, it will be truncated. Second, a boolean value which will be true if - the user should be prompted for the passphrase twice and the callback should - verify that the two values supplied are equal. Third, the value given as the - *userdata* parameter to :py:meth:`set_passwd_cb`. The *callback* must return - a byte string. If an error occurs, *callback* should return a false value - (e.g. an empty string). - - -.. py:method:: Context.set_session_cache_mode(mode) - - Set the behavior of the session cache used by all connections using this - Context. The previously set mode is returned. See :py:const:`SESS_CACHE_*` - for details about particular modes. - - .. versionadded:: 0.14 - - -.. py:method:: Context.get_session_cache_mode() - - Get the current session cache mode. - - .. versionadded:: 0.14 - - -.. automethod:: Context.set_session_id - - -.. py:method:: Context.set_timeout(timeout) - - Set the timeout for newly created sessions for this Context object to - *timeout*. *timeout* must be given in (whole) seconds. The default - value is 300 seconds. See the OpenSSL manual for more information (e.g. - :manpage:`SSL_CTX_set_timeout(3)`). - - -.. py:method:: Context.set_verify(mode, callback) - - Set the verification flags for this Context object to *mode* and specify - that *callback* should be used for verification callbacks. 
*mode* should be - one of :py:const:`VERIFY_NONE` and :py:const:`VERIFY_PEER`. If - :py:const:`VERIFY_PEER` is used, *mode* can be OR:ed with - :py:const:`VERIFY_FAIL_IF_NO_PEER_CERT` and :py:const:`VERIFY_CLIENT_ONCE` - to further control the behaviour. - - *callback* should take five arguments: A Connection object, an X509 object, - and three integer variables, which are in turn potential error number, error - depth and return code. *callback* should return true if verification passes - and false otherwise. - - -.. py:method:: Context.set_verify_depth(depth) - - Set the maximum depth for the certificate chain verification that shall be - allowed for this Context object. - - -.. py:method:: Context.use_certificate(cert) - - Use the certificate *cert* which has to be a X509 object. - - -.. py:method:: Context.add_extra_chain_cert(cert) - - Adds the certificate *cert*, which has to be a X509 object, to the - certificate chain presented together with the certificate. - - -.. py:method:: Context.use_certificate_chain_file(file) - - Load a certificate chain from *file* which must be PEM encoded. - - -.. py:method:: Context.use_privatekey(pkey) - - Use the private key *pkey* which has to be a PKey object. - - -.. py:method:: Context.use_certificate_file(file[, format]) - - Load the first certificate found in *file*. The certificate must be in the - format specified by *format*, which is either :py:const:`FILETYPE_PEM` or - :py:const:`FILETYPE_ASN1`. The default is :py:const:`FILETYPE_PEM`. - - -.. py:method:: Context.use_privatekey_file(file[, format]) - - Load the first private key found in *file*. The private key must be in the - format specified by *format*, which is either :py:const:`FILETYPE_PEM` or - :py:const:`FILETYPE_ASN1`. The default is :py:const:`FILETYPE_PEM`. - - -.. py:method:: Context.set_tlsext_servername_callback(callback) - - Specify a one-argument callable to use as the TLS extension server name - callback. 
When a connection using the server name extension is made using - this context, the callback will be invoked with the :py:class:`Connection` - instance. - - .. versionadded:: 0.13 - - -.. py:method:: Context.set_npn_advertise_callback(callback) - - Specify a callback function that will be called when offering `Next - Protocol Negotiation - `_ as a server. - - *callback* should be the callback function. It will be invoked with one - argument, the :py:class:`Connection` instance. It should return a list of - bytestrings representing the advertised protocols, like - ``[b'http/1.1', b'spdy/2']``. - - .. versionadded:: 0.15 - - -.. py:method:: Context.set_npn_select_callback(callback): - - Specify a callback function that will be called when a server offers Next - Protocol Negotiation options. - - *callback* should be the callback function. It will be invoked with two - arguments: the :py:class:`Connection`, and a list of offered protocols as - bytestrings, e.g. ``[b'http/1.1', b'spdy/2']``. It should return one of - those bytestrings, the chosen protocol. - - .. versionadded:: 0.15 - -.. py:method:: Context.set_alpn_protos(protos) - - Specify the protocols that the client is prepared to speak after the TLS - connection has been negotiated using Application Layer Protocol - Negotiation. - - *protos* should be a list of protocols that the client is offering, each - as a bytestring. For example, ``[b'http/1.1', b'spdy/2']``. - - -.. py:method:: Context.set_alpn_select_callback(callback) - - Specify a callback function that will be called on the server when a client - offers protocols using Application Layer Protocol Negotiation. - - *callback* should be the callback function. It will be invoked with two - arguments: the :py:class:`Connection` and a list of offered protocols as - bytestrings, e.g. ``[b'http/1.1', b'spdy/2']``. It should return one of - these bytestrings, the chosen protocol. - +.. autoclass:: OpenSSL.SSL.Context + :members: .. _openssl-session: 
@@ -529,364 +236,8 @@ Connection objects have the following methods: -.. py:method:: Connection.accept() - - Call the :py:meth:`accept` method of the underlying socket and set up SSL on the - returned socket, using the Context object supplied to this Connection object at - creation. Returns a pair *(conn, address)*. where *conn* is the new - Connection object created, and *address* is as returned by the socket's - :py:meth:`accept`. - - -.. py:method:: Connection.bind(address) - - Call the :py:meth:`bind` method of the underlying socket. - - -.. py:method:: Connection.close() - - Call the :py:meth:`close` method of the underlying socket. Note: If you want - correct SSL closure, you need to call the :py:meth:`shutdown` method first. - - -.. py:method:: Connection.connect(address) - - Call the :py:meth:`connect` method of the underlying socket and set up SSL on the - socket, using the Context object supplied to this Connection object at - creation. - - -.. py:method:: Connection.connect_ex(address) - - Call the :py:meth:`connect_ex` method of the underlying socket and set up SSL on - the socket, using the Context object supplied to this Connection object at - creation. Note that if the :py:meth:`connect_ex` method of the socket doesn't - return 0, SSL won't be initialized. - - -.. py:method:: Connection.do_handshake() - - Perform an SSL handshake (usually called after :py:meth:`renegotiate` or one of - :py:meth:`set_accept_state` or :py:meth:`set_accept_state`). This can raise the - same exceptions as :py:meth:`send` and :py:meth:`recv`. - - -.. py:method:: Connection.fileno() - - Retrieve the file descriptor number for the underlying socket. - - -.. py:method:: Connection.listen(backlog) - - Call the :py:meth:`listen` method of the underlying socket. - - -.. py:method:: Connection.get_app_data() - - Retrieve application data as set by :py:meth:`set_app_data`. - - -.. automethod:: Connection.get_cipher_list - - -.. 
py:method:: Connection.get_protocol_version() - - Retrieve the version of the SSL or TLS protocol used by the Connection. - For example, it will return ``0x769`` for connections made over TLS - version 1. - - -.. py:method:: Connection.get_protocol_version_name() - - Retrieve the version of the SSL or TLS protocol used by the Connection as - a unicode string. For example, it will return ``TLSv1`` for connections - made over TLS version 1, or ``Unknown`` for connections that were not - successfully established. - - -.. py:method:: Connection.get_client_ca_list() - - Retrieve the list of preferred client certificate issuers sent by the server - as :py:class:`OpenSSL.crypto.X509Name` objects. - - If this is a client :py:class:`Connection`, the list will be empty until the - connection with the server is established. - - If this is a server :py:class:`Connection`, return the list of certificate - authorities that will be sent or has been sent to the client, as controlled - by this :py:class:`Connection`'s :py:class:`Context`. - - .. versionadded:: 0.10 - - -.. py:method:: Connection.get_context() - - Retrieve the Context object associated with this Connection. - - -.. py:method:: Connection.set_context(context) - - Specify a replacement Context object for this Connection. - - -.. py:method:: Connection.get_peer_certificate() - - Retrieve the other side's certificate (if any) - - -.. py:method:: Connection.get_peer_cert_chain() - - Retrieve the tuple of the other side's certificate chain (if any) - - -.. py:method:: Connection.getpeername() - - Call the :py:meth:`getpeername` method of the underlying socket. - - -.. py:method:: Connection.getsockname() - - Call the :py:meth:`getsockname` method of the underlying socket. - - -.. py:method:: Connection.getsockopt(level, optname[, buflen]) - - Call the :py:meth:`getsockopt` method of the underlying socket. - - -.. 
py:method:: Connection.pending() - - Retrieve the number of bytes that can be safely read from the SSL buffer - (**not** the underlying transport buffer). - - -.. py:method:: Connection.recv(bufsize[, flags]) - - Receive data from the Connection. The return value is a string representing the - data received. The maximum amount of data to be received at once, is specified - by *bufsize*. The only supported flag is ``MSG_PEEK``, all other flags are - ignored. - - -.. py:method:: Connection.recv_into(buffer[, nbytes[, flags]]) - - Receive data from the Connection and copy it directly into the provided - buffer. The return value is the number of bytes read from the connection. - The maximum amount of data to be received at once is specified by *nbytes*. - The only supported flag is ``MSG_PEEK``, all other flags are ignored. - -.. py:method:: Connection.bio_write(bytes) - - If the Connection was created with a memory BIO, this method can be used to add - bytes to the read end of that memory BIO. The Connection can then read the - bytes (for example, in response to a call to :py:meth:`recv`). - - -.. automethod:: Connection.renegotiate - -.. automethod:: Connection.renegotiate_pending - -.. automethod:: Connection.total_renegotiations - -.. py:method:: Connection.send(string) - - Send the *string* data to the Connection. - - -.. py:method:: Connection.bio_read(bufsize) - - If the Connection was created with a memory BIO, this method can be used to - read bytes from the write end of that memory BIO. Many Connection methods will - add bytes which must be read in this manner or the buffer will eventually fill - up and the Connection will be able to take no further actions. - - -.. py:method:: Connection.sendall(string) - - Send all of the *string* data to the Connection. This calls :py:meth:`send` - repeatedly until all data is sent. If an error occurs, it's impossible to tell - how much data has been sent. - - -.. 
py:method:: Connection.set_accept_state() - - Set the connection to work in server mode. The handshake will be handled - automatically by read/write. - - -.. py:method:: Connection.set_app_data(data) - - Associate *data* with this Connection object. *data* can be retrieved - later using the :py:meth:`get_app_data` method. - - -.. py:method:: Connection.set_connect_state() - - Set the connection to work in client mode. The handshake will be handled - automatically by read/write. - - -.. py:method:: Connection.setblocking(flag) - - Call the :py:meth:`setblocking` method of the underlying socket. - - -.. py:method:: Connection.setsockopt(level, optname, value) - - Call the :py:meth:`setsockopt` method of the underlying socket. - - -.. py:method:: Connection.shutdown() - - Send the shutdown message to the Connection. Returns true if the shutdown - message exchange is completed and false otherwise (in which case you call - :py:meth:`recv` or :py:meth:`send` when the connection becomes - readable/writeable. - - -.. py:method:: Connection.get_shutdown() - - Get the shutdown state of the Connection. Returns a bitvector of either or - both of *SENT_SHUTDOWN* and *RECEIVED_SHUTDOWN*. - - -.. py:method:: Connection.set_shutdown(state) - - Set the shutdown state of the Connection. *state* is a bitvector of - either or both of *SENT_SHUTDOWN* and *RECEIVED_SHUTDOWN*. - - -.. py:method:: Connection.sock_shutdown(how) - - Call the :py:meth:`shutdown` method of the underlying socket. - - -.. py:method:: Connection.bio_shutdown() - - If the Connection was created with a memory BIO, this method can be used to - indicate that *end of file* has been reached on the read end of that memory - BIO. - - -.. automethod:: Connection.get_state_string - -.. py:method:: Connection.client_random() - - Retrieve the random value used with the client hello message. - - -.. py:method:: Connection.server_random() - - Retrieve the random value used with the server hello message. - - -.. 
py:method:: Connection.master_key() - - Retrieve the value of the master key for this session. - - -.. py:method:: Connection.want_read() - - Checks if more data has to be read from the transport layer to complete an - operation. - - -.. py:method:: Connection.want_write() - - Checks if there is data to write to the transport layer to complete an - operation. - - -.. py:method:: Connection.set_tlsext_host_name(name) - - Specify the byte string to send as the server name in the client hello message. - - .. versionadded:: 0.13 - - -.. py:method:: Connection.get_servername() - - Get the value of the server name received in the client hello message. - - .. versionadded:: 0.13 - - -.. py:method:: Connection.get_session() - - Get a :py:class:`Session` instance representing the SSL session in use by - the connection, or :py:obj:`None` if there is no session. - - .. versionadded:: 0.14 - - -.. py:method:: Connection.set_session(session) - - Set a new SSL session (using a :py:class:`Session` instance) to be used by - the connection. - - .. versionadded:: 0.14 - - -.. py:method:: Connection.get_finished() - - Obtain latest TLS Finished message that we sent, or :py:obj:`None` if - handshake is not completed. - - .. versionadded:: 0.15 - - -.. py:method:: Connection.get_peer_finished() - - Obtain latest TLS Finished message that we expected from peer, or - :py:obj:`None` if handshake is not completed. - - .. versionadded:: 0.15 - - -.. py:method:: Connection.get_cipher_name() - - Obtain the name of the currently used cipher. - - .. versionadded:: 0.15 - - -.. py:method:: Connection.get_cipher_bits() - - Obtain the number of secret bits of the currently used cipher. - - .. versionadded:: 0.15 - - -.. py:method:: Connection.get_cipher_version() - - Obtain the protocol name of the currently used cipher. - - .. versionadded:: 0.15 - - -.. py:method:: Connection.get_next_proto_negotiated(): - - Get the protocol that was negotiated by Next Protocol Negotiation. 
Returns - a bytestring of the protocol name. If no protocol has been negotiated yet, - returns an empty string. - - .. versionadded:: 0.15 - -.. py:method:: Connection.set_alpn_protos(protos) - - Specify the protocols that the client is prepared to speak after the TLS - connection has been negotiated using Application Layer Protocol - Negotiation. - - *protos* should be a list of protocols that the client is offering, each - as a bytestring. For example, ``[b'http/1.1', b'spdy/2']``. - - -.. py:method:: Connection.get_alpn_proto_negotiated() - - Get the protocol that was negotiated by Application Layer Protocol - Negotiation. Returns a bytestring of the protocol name. If no protocol has - been negotiated yet, returns an empty string. +.. autoclass:: OpenSSL.SSL.Connection + :members: .. Rubric:: Footnotes diff -Nru pyopenssl-17.5.0/doc/ChangeLog_old.txt pyopenssl-18.0.0/doc/ChangeLog_old.txt --- pyopenssl-17.5.0/doc/ChangeLog_old.txt 2017-12-01 02:16:17.000000000 +0000 +++ pyopenssl-18.0.0/doc/ChangeLog_old.txt 2018-05-16 19:14:32.000000000 +0000 @@ -740,7 +740,7 @@ 2002-06-13 Martin Sjögren * src/ssl/context.c: Changed global_verify_callback so that it uses - PyObject_IsTrue instead of requring ints. + PyObject_IsTrue instead of requiring ints. * Added pymemcompat.h to make the memory management uniform and backwards-compatible. * src/util.h: Added conditional definition of PyModule_AddObject and diff -Nru pyopenssl-17.5.0/doc/introduction.rst pyopenssl-18.0.0/doc/introduction.rst --- pyopenssl-17.5.0/doc/introduction.rst 2017-12-01 02:16:17.000000000 +0000 +++ pyopenssl-18.0.0/doc/introduction.rst 2018-05-16 19:14:32.000000000 +0000 
@@ -14,7 +14,7 @@ Later it was maintained by `Jean-Paul Calderone`_ who among other things managed to make pyOpenSSL a pure Python project which the current maintainers are *very* grateful for. Over the time the standard library's ``ssl`` module improved, never reaching the completeness of pyOpenSSL's API coverage. -Despite `PEP 466`_ many useful features remain Python 3-only and pyOpenSSL remains the only alternative for full-featured TLS code across all noteworthy Python versions from 2.6 through 3.5 and PyPy_. +Despite `PEP 466`_ many useful features remain Python 3-only and pyOpenSSL remains the only alternative for full-featured TLS code across all noteworthy Python versions from 2.7 through 3.5 and PyPy_. Development diff -Nru pyopenssl-17.5.0/MANIFEST.in pyopenssl-18.0.0/MANIFEST.in --- pyopenssl-17.5.0/MANIFEST.in 2017-12-01 02:16:17.000000000 +0000 +++ pyopenssl-18.0.0/MANIFEST.in 2018-05-16 19:14:32.000000000 +0000 @@ -1,5 +1,5 @@ include LICENSE MANIFEST.in *.rst tox.ini .coveragerc -exclude leakcheck +exclude leakcheck codecov.yml recursive-include tests *.py recursive-include doc * recursive-include examples * diff -Nru pyopenssl-17.5.0/PKG-INFO pyopenssl-18.0.0/PKG-INFO --- pyopenssl-17.5.0/PKG-INFO 2017-12-01 02:17:48.000000000 +0000 +++ pyopenssl-18.0.0/PKG-INFO 2018-05-16 19:15:39.000000000 +0000 @@ -1,12 +1,11 @@ Metadata-Version: 1.1 Name: pyOpenSSL -Version: 17.5.0 +Version: 18.0.0 Summary: Python wrapper module around the OpenSSL library Home-page: https://pyopenssl.org/ Author: Hynek Schlawack Author-email: hs@ox.cx License: Apache License, Version 2.0 -Description-Content-Type: UNKNOWN Description: ======================================================== pyOpenSSL -- A Python wrapper around the OpenSSL library ======================================================== 
@@ -23,8 +22,11 @@ :target: https://codecov.io/github/pyca/pyopenssl :alt: Test coverage + **Note:** The Python Cryptographic Authority **strongly suggests** the use of `pyca/cryptography`_ + where possible. If you are using pyOpenSSL for anything other than making a TLS connection + **you should move to cryptography and drop your pyOpenSSL dependency**. - High-level wrapper around a subset of the OpenSSL library. Includes + High-level wrapper around a subset of the OpenSSL library. Includes * ``SSL.Connection`` objects, wrapping the methods of Python's portable sockets * Callbacks written in Python @@ -50,19 +52,21 @@ .. _`issue tracker`: https://github.com/pyca/pyopenssl/issues .. _cryptography-dev: https://mail.python.org/mailman/listinfo/cryptography-dev .. _GitHub: https://github.com/pyca/pyopenssl + .. _`pyca/cryptography`: https://github.com/pyca/cryptography Release Information =================== - 17.5.0 (2017-11-30) + 18.0.0 (2018-05-16) ------------------- Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - * The minimum ``cryptography`` version is now 2.1.4. + - The minimum ``cryptography`` version is now 2.2.1. + - Support for Python 2.6 has been dropped. Deprecations: 
@@ -74,72 +78,12 @@ Changes: ^^^^^^^^ - - Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with ``cacerts``. - `#723 `_ - - Added ``Connection.export_keying_material`` for RFC 5705 compatible export of keying material. - `#725 `_ - - ---- - - - - 17.4.0 (2017-11-21) - ------------------- - - - Backward-incompatible changes: - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - *none* - - - Deprecations: - ^^^^^^^^^^^^^ - - *none* - - - Changes: - ^^^^^^^^ - - - - Re-added a subset of the ``OpenSSL.rand`` module. - This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork. - `#708 `_ - - Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated. - `#709 `_ - - ---- - - - 17.3.0 (2017-09-14) - ------------------- - - - Backward-incompatible changes: - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - - Dropped support for Python 3.3. - `#677 `_ - - Removed the deprecated ``OpenSSL.rand`` module. - This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden. - ``os.urandom()`` should be used instead. - `#675 `_ - - - Deprecations: - ^^^^^^^^^^^^^ - - - Deprecated ``OpenSSL.tsafe``. - `#673 `_ - - Changes: - ^^^^^^^^ - - - Fixed a memory leak in ``OpenSSL.crypto.CRL``. - `#690 `_ - - Fixed a memory leak when verifying certificates with ``OpenSSL.crypto.X509StoreContext``. - `#691 `_ + - Added ``Connection.get_certificate`` to retrieve the local certificate. + `#733 `_ + - ``OpenSSL.SSL.Connection`` now sets ``SSL_MODE_AUTO_RETRY`` by default. + `#753 `_ + - Added ``Context.set_tlsext_use_srtp`` to enable negotiation of SRTP keying material. + `#734 `_ `Full changelog `_. 
@@ -152,7 +96,6 @@ Classifier: Operating System :: Microsoft :: Windows Classifier: Operating System :: POSIX Classifier: Programming Language :: Python :: 2 -Classifier: Programming Language :: Python :: 2.6 Classifier: Programming Language :: Python :: 2.7 Classifier: Programming Language :: Python :: 3 Classifier: Programming Language :: Python :: 3.4 diff -Nru pyopenssl-17.5.0/README.rst pyopenssl-18.0.0/README.rst --- pyopenssl-17.5.0/README.rst 2017-12-01 02:16:17.000000000 +0000 +++ pyopenssl-18.0.0/README.rst 2018-05-16 19:14:32.000000000 +0000 @@ -14,8 +14,11 @@ :target: https://codecov.io/github/pyca/pyopenssl :alt: Test coverage +**Note:** The Python Cryptographic Authority **strongly suggests** the use of `pyca/cryptography`_ +where possible. If you are using pyOpenSSL for anything other than making a TLS connection +**you should move to cryptography and drop your pyOpenSSL dependency**. -High-level wrapper around a subset of the OpenSSL library. Includes +High-level wrapper around a subset of the OpenSSL library. Includes * ``SSL.Connection`` objects, wrapping the methods of Python's portable sockets * Callbacks written in Python @@ -41,3 +44,4 @@ .. _`issue tracker`: https://github.com/pyca/pyopenssl/issues .. _cryptography-dev: https://mail.python.org/mailman/listinfo/cryptography-dev .. _GitHub: https://github.com/pyca/pyopenssl +.. _`pyca/cryptography`: https://github.com/pyca/cryptography diff -Nru pyopenssl-17.5.0/setup.cfg pyopenssl-18.0.0/setup.cfg --- pyopenssl-17.5.0/setup.cfg 2017-12-01 02:17:48.000000000 +0000 +++ pyopenssl-18.0.0/setup.cfg 2018-05-16 19:15:39.000000000 +0000 @@ -3,9 +3,6 @@ strict = true testpaths = tests -[sdist] -force_manifest = 1 - [bdist_wheel] universal = 1 
@@ -22,4 +19,5 @@ [egg_info] tag_build = tag_date = 0 +tag_svn_revision = 0 diff -Nru pyopenssl-17.5.0/setup.py pyopenssl-18.0.0/setup.py --- pyopenssl-17.5.0/setup.py 2017-12-01 02:16:17.000000000 +0000 +++ pyopenssl-18.0.0/setup.py 2018-05-16 19:14:32.000000000 +0000 @@ -77,7 +77,6 @@ 'Operating System :: POSIX', 'Programming Language :: Python :: 2', - 'Programming Language :: Python :: 2.6', 'Programming Language :: Python :: 2.7', 'Programming Language :: Python :: 3', 'Programming Language :: Python :: 3.4', @@ -95,16 +94,14 @@ package_dir={"": "src"}, install_requires=[ # Fix cryptographyMinimum in tox.ini when changing this! - "cryptography>=2.1.4", + "cryptography>=2.2.1", "six>=1.5.2" ], extras_require={ "test": [ "flaky", "pretend", - # pytest 3.3 doesn't support Python 2.6 anymore. - # Remove this pin once we drop Python 2.6 too. - "pytest>=3.0.1,<3.3.0", + "pytest>=3.0.1", ], "docs": [ "sphinx", diff -Nru pyopenssl-17.5.0/src/OpenSSL/crypto.py pyopenssl-18.0.0/src/OpenSSL/crypto.py --- pyopenssl-17.5.0/src/OpenSSL/crypto.py 2017-12-01 02:16:17.000000000 +0000 +++ pyopenssl-18.0.0/src/OpenSSL/crypto.py 2018-05-16 19:14:32.000000000 +0000 @@ -1799,7 +1799,8 @@ def load_certificate(type, buffer): """ - Load a certificate from a buffer + Load a certificate (X509) from the string *buffer* encoded with the + type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) @@ -1828,7 +1829,8 @@ def dump_certificate(type, cert): """ - Dump a certificate to a buffer + Dump the certificate *cert* into a buffer string encoded with the type + *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1, or FILETYPE_TEXT) @@ -2766,7 +2768,8 @@ def load_privatekey(type, buffer, passphrase=None): """ - Load a private key from a buffer + Load a private key (PKey) from the string *buffer* encoded with the type + *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the key is stored in 
@@ -2801,7 +2804,8 @@ def dump_certificate_request(type, req): """ - Dump a certificate request to a buffer + Dump the certificate request *req* into a buffer string encoded with the + type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param req: The certificate request to dump @@ -2828,7 +2832,8 @@ def load_certificate_request(type, buffer): """ - Load a certificate request from a buffer + Load a certificate request (X509Req) from the string *buffer* encoded with + the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the certificate request is stored in @@ -2855,12 +2860,14 @@ def sign(pkey, data, digest): """ - Sign data with a digest + Sign a data string using the given key and message digest. - :param pkey: Pkey to sign with + :param pkey: PKey to sign with :param data: data to be signed :param digest: message digest to use :return: signature + + .. versionadded:: 0.11 """ data = _text_to_bytes_and_warn("data", data) @@ -2887,13 +2894,16 @@ def verify(cert, signature, data, digest): """ - Verify a signature. + Verify the signature for a data string. - :param cert: signing certificate (X509 object) + :param cert: signing certificate (X509 object) corresponding to the + private key which generated the signature. :param signature: signature returned by sign function :param data: data to be verified :param digest: message digest to use :return: ``None`` if the signature is correct, raise exception otherwise. + + .. versionadded:: 0.11 """ data = _text_to_bytes_and_warn("data", data) @@ -2948,7 +2958,8 @@ def load_crl(type, buffer): """ - Load a certificate revocation list from a buffer + Load Certificate Revocation List (CRL) data from a string *buffer*. + *buffer* encoded with the type *type*. :param type: The file type (one of FILETYPE_PEM, FILETYPE_ASN1) :param buffer: The buffer the CRL is stored in 
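Review bot: The new `load_crl` docstring in the `@@ -2948,7 +2958,8 @@` hunk is two fragments — `Load Certificate Revocation List (CRL) data from a string *buffer*. *buffer* encoded with the type *type*.` — and the second has no verb. The sibling hunks in this file (`load_certificate`, `load_privatekey`, `load_pkcs7_data`) all use one sentence, so the same shape fits here: `Load Certificate Revocation List (CRL) data from the string *buffer* encoded with the type *type*.`. The function body lies outside the hunk.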
@@ -2977,7 +2988,8 @@ def load_pkcs7_data(type, buffer): """ - Load pkcs7 data from a buffer + Load pkcs7 data from the string *buffer* encoded with the type + *type*. :param type: The file type (one of FILETYPE_PEM or FILETYPE_ASN1) :param buffer: The buffer with the pkcs7 data. @@ -3005,7 +3017,11 @@ def load_pkcs12(buffer, passphrase=None): """ - Load a PKCS12 object from a buffer + Load pkcs12 data from the string *buffer*. If the pkcs12 structure is + encrypted, a *passphrase* must be included. The MAC is always + checked and thus required. + + See also the man page for the C function :py:func:`PKCS12_parse`. :param buffer: The buffer the certificate is stored in :param passphrase: (Optional) The password to decrypt the PKCS12 lump diff -Nru pyopenssl-17.5.0/src/OpenSSL/SSL.py pyopenssl-18.0.0/src/OpenSSL/SSL.py --- pyopenssl-17.5.0/src/OpenSSL/SSL.py 2017-12-01 02:16:17.000000000 +0000 +++ pyopenssl-18.0.0/src/OpenSSL/SSL.py 2018-05-16 19:14:32.000000000 +0000 @@ -87,10 +87,6 @@ 'SSL_ST_CONNECT', 'SSL_ST_ACCEPT', 'SSL_ST_MASK', - 'SSL_ST_INIT', - 'SSL_ST_BEFORE', - 'SSL_ST_OK', - 'SSL_ST_RENEGOTIATE', 'SSL_CB_LOOP', 'SSL_CB_EXIT', 'SSL_CB_READ', @@ -117,12 +113,6 @@ ] try: - _memoryview = memoryview -except NameError: - class _memoryview(object): - pass - -try: _buffer = buffer except NameError: class _buffer(object): @@ -206,6 +196,12 @@ SSL_ST_BEFORE = _lib.SSL_ST_BEFORE SSL_ST_OK = _lib.SSL_ST_OK SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE + __all__.extend([ + 'SSL_ST_INIT', + 'SSL_ST_BEFORE', + 'SSL_ST_OK', + 'SSL_ST_RENEGOTIATE', + ]) SSL_CB_LOOP = _lib.SSL_CB_LOOP SSL_CB_EXIT = _lib.SSL_CB_EXIT @@ -632,7 +628,7 @@ """ Return a string describing the version of OpenSSL in use. - :param type: One of the SSLEAY_ constants defined in this module. + :param type: One of the :const:`SSLEAY_` constants defined in this module. """ return _ffi.string(_lib.SSLeay_version(type)) 
@@ -675,6 +671,13 @@ class Session(object): + """ + A class representing an SSL session. A session defines certain connection + parameters which may be re-used to speed up the setup of subsequent + connections. + + .. versionadded:: 0.14 + """ pass @@ -682,6 +685,9 @@ """ :class:`OpenSSL.SSL.Context` instances define the parameters for setting up new SSL connections. + + :param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or + TLSv1_METHOD. """ _methods = { SSLv2_METHOD: "SSLv2_method", @@ -697,10 +703,6 @@ if getattr(_lib, name, None) is not None) def __init__(self, method): - """ - :param method: One of SSLv2_METHOD, SSLv3_METHOD, SSLv23_METHOD, or - TLSv1_METHOD. - """ if not isinstance(method, integer_types): raise TypeError("method must be an integer") @@ -749,7 +751,11 @@ def load_verify_locations(self, cafile, capath=None): """ Let SSL know where we can find trusted certificates for the certificate - chain + chain. Note that the certificates have to be in PEM format. + + If capath is passed, it must be a directory prepared using the + ``c_rehash`` tool included with OpenSSL. Either, but not both, of + *pemfile* or *capath* may be :data:`None`. :param cafile: In which file we can find the certificates (``bytes`` or ``unicode``). 
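Review bot: The `load_verify_locations` docstring in the `@@ -749,7 +751,11 @@` hunk refers to a parameter `*pemfile*` that does not exist; the signature shown as context is `def load_verify_locations(self, cafile, capath=None):`, so the sentence should read `Either, but not both, of *cafile* or *capath* may be :data:`None`.`. Since this is the method that establishes the trust anchors for every connection made from the Context, a reader following the docstring verbatim would look for a keyword that is not accepted. The rest of the method body is outside the hunk.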
@@ -783,9 +789,19 @@ def set_passwd_cb(self, callback, userdata=None): """ - Set the passphrase callback + Set the passphrase callback. This function will be called + when a private key with a passphrase is loaded. - :param callback: The Python callback to use; must return a byte string + :param callback: The Python callback to use. This must accept three + positional arguments. First, an integer giving the maximum length + of the passphrase it may return. If the returned passphrase is + longer than this, it will be truncated. Second, a boolean value + which will be true if the user should be prompted for the + passphrase twice and the callback should verify that the two values + supplied are equal. Third, the value given as the *userdata* + parameter to :meth:`set_passwd_cb`. The *callback* must return + a byte string. If an error occurs, *callback* should return a false + value (e.g. an empty string). :param userdata: (optional) A Python object which will be given as argument to the callback :return: None @@ -801,7 +817,17 @@ def set_default_verify_paths(self): """ - Use the platform-specific CA certificate locations + Specify that the platform provided CA certificates are to be used for + verification purposes. This method has some caveats related to the + binary wheels that cryptography (pyOpenSSL's primary dependency) ships: + + * macOS will only load certificates using this method if the user has + the ``openssl@1.1`` `Homebrew `_ formula installed + in the default location. + * Windows will not work. + * manylinux1 cryptography wheels will work on most common Linux + distributions in pyOpenSSL 17.1.0 and above. pyOpenSSL detects the + manylinux1 wheel and attempts to load roots via a fallback path. :return: None """ 
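Review bot: The caveat list added to `set_default_verify_paths` in the `@@ -801,7 +817,17 @@` hunk says `Windows will not work` but not what the caller observes, and the method body (outside the hunk) still documents `:return: None` with no mention of an exception. If the call returns normally on those platforms, the docstring should say that no trust anchors are loaded and that subsequent peer verification on this Context will therefore fail until roots are supplied through `load_verify_locations` or the store from `get_cert_store()`; if it raises instead, that should be stated in a `:raises:` entry. Either way the reader currently cannot tell whether an empty trust store is silent or loud.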
@@ -871,10 +897,10 @@ def use_certificate_chain_file(self, certfile): """ - Load a certificate chain from a file + Load a certificate chain from a file. :param certfile: The name of the certificate chain file (``bytes`` or - ``unicode``). + ``unicode``). Must be PEM encoded. :return: None """ @@ -892,7 +918,9 @@ :param certfile: The name of the certificate file (``bytes`` or ``unicode``). - :param filetype: (optional) The encoding of the file, default is PEM + :param filetype: (optional) The encoding of the file, which is either + :const:`FILETYPE_PEM` or :const:`FILETYPE_ASN1`. The default is + :const:`FILETYPE_PEM`. :return: None """ @@ -948,7 +976,9 @@ Load a private key from a file :param keyfile: The name of the key file (``bytes`` or ``unicode``) - :param filetype: (optional) The encoding of the file, default is PEM + :param filetype: (optional) The encoding of the file, which is either + :const:`FILETYPE_PEM` or :const:`FILETYPE_ASN1`. The default is + :const:`FILETYPE_PEM`. :return: None """ @@ -980,9 +1010,10 @@ def check_privatekey(self): """ - Check that the private key and certificate match up + Check if the private key (loaded with :meth:`use_privatekey`) matches + the certificate (loaded with :meth:`use_certificate`) - :return: None (raises an exception if something's wrong) + :return: :data:`None` (raises :exc:`Error` if something's wrong) """ if not _lib.SSL_CTX_check_private_key(self._context): _raise_current_error() 
@@ -1024,11 +1055,15 @@ def set_session_cache_mode(self, mode): """ - Enable/disable session caching and specify the mode used. + Set the behavior of the session cache used by all connections using + this Context. The previously set mode is returned. See + :const:`SESS_CACHE_*` for details about particular modes. :param mode: One or more of the SESS_CACHE_* flags (combine using bitwise or) :returns: The previously set caching mode. + + .. versionadded:: 0.14 """ if not isinstance(mode, integer_types): raise TypeError("mode must be an integer") @@ -1037,17 +1072,29 @@ def get_session_cache_mode(self): """ + Get the current session cache mode. + :returns: The currently used cache mode. + + .. versionadded:: 0.14 """ return _lib.SSL_CTX_get_session_cache_mode(self._context) def set_verify(self, mode, callback): """ - Set the verify mode and verify callback + et the verification flags for this Context object to *mode* and specify + that *callback* should be used for verification callbacks. - :param mode: The verify mode, this is either VERIFY_NONE or - VERIFY_PEER combined with possible other flags - :param callback: The Python callback to use + :param mode: The verify mode, this should be one of + :const:`VERIFY_NONE` and :const:`VERIFY_PEER`. If + :const:`VERIFY_PEER` is used, *mode* can be OR:ed with + :const:`VERIFY_FAIL_IF_NO_PEER_CERT` and + :const:`VERIFY_CLIENT_ONCE` to further control the behaviour. + :param callback: The Python callback to use. This should take five + arguments: A Connection object, an X509 object, and three integer + variables, which are in turn potential error number, error depth + and return code. *callback* should return True if verification + passes and False otherwise. :return: None See SSL_CTX_set_verify(3SSL) for further details. 
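Review bot: The `set_verify` docstring added in the `@@ -1037,17 +1072,29 @@` hunk starts with a truncated word, `et the verification flags for this Context object`; it should read `Set the verification flags for this Context object to *mode* and specify that *callback* should be used for verification callbacks.`. While touching that text, the `:param callback:` entry would benefit from one sentence on the consequence of the return value, since the fifth argument it describes as the `return code` is presumably OpenSSL's pre-verification result and the callback's own return replaces it: `Note that the value returned by *callback* decides whether the certificate is accepted, so a callback that returns True unconditionally disables chain validation.`. The method body that installs the callback is outside the hunk.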
@@ -1064,7 +1111,8 @@ def set_verify_depth(self, depth): """ - Set the verify depth + Set the maximum depth for the certificate chain verification that shall + be allowed for this Context object. :param depth: An integer specifying the verify depth :return: None @@ -1076,7 +1124,8 @@ def get_verify_mode(self): """ - Get the verify mode + Retrieve the Context object's verify mode, as set by + :meth:`set_verify`. :return: The verify mode """ @@ -1084,7 +1133,8 @@ def get_verify_depth(self): """ - Get the verify depth + Retrieve the Context object's verify depth, as set by + :meth:`set_verify_depth`. :return: The verify depth """ @@ -1115,8 +1165,8 @@ Select a curve to use for ECDHE key exchange. :param curve: A curve object to use as returned by either - :py:meth:`OpenSSL.crypto.get_elliptic_curve` or - :py:meth:`OpenSSL.crypto.get_elliptic_curves`. + :meth:`OpenSSL.crypto.get_elliptic_curve` or + :meth:`OpenSSL.crypto.get_elliptic_curves`. :return: None """ @@ -1151,6 +1201,8 @@ :param certificate_authorities: a sequence of X509Names. :return: None + + .. versionadded:: 0.10 """ name_stack = _lib.sk_X509_NAME_new_null() _openssl_assert(name_stack != _ffi.NULL) @@ -1186,6 +1238,8 @@ :param certificate_authority: certificate authority's X509 certificate. :return: None + + .. versionadded:: 0.10 """ if not isinstance(certificate_authority, X509): raise TypeError("certificate_authority must be an X509 instance") @@ -1196,9 +1250,11 @@ def set_timeout(self, timeout): """ - Set session timeout + Set the timeout for newly created sessions for this Context object to + *timeout*. The default value is 300 seconds. See the OpenSSL manual + for more information (e.g. :manpage:`SSL_CTX_set_timeout(3)`). - :param timeout: The timeout in seconds + :param timeout: The timeout in (whole) seconds :return: The previous session timeout """ if not isinstance(timeout, integer_types): 
@@ -1208,7 +1264,8 @@ def get_timeout(self): """ - Get the session timeout + Retrieve session timeout, as set by :meth:`set_timeout`. The default + is 300 seconds. :return: The session timeout """ @@ -1216,9 +1273,14 @@ def set_info_callback(self, callback): """ - Set the info callback + Set the information callback to *callback*. This function will be + called from time to time during SSL handshakes. - :param callback: The Python callback to use + :param callback: The Python callback to use. This should take three + arguments: a Connection object and two integers. The first integer + specifies where in the SSL handshake the function was called, and + the other the return code from a (possibly failed) internal + function call. :return: None """ @wraps(callback) @@ -1230,7 +1292,7 @@ def get_app_data(self): """ - Get the application data (supplied via set_app_data()) + Get the application data (supplied via :meth:`set_app_data()`) :return: The application data """ @@ -1247,7 +1309,9 @@ def get_cert_store(self): """ - Get the certificate store for the context. + Get the certificate store for the context. This can be used to add + "trusted" certificates without using the + :meth:`load_verify_locations` method. :return: A X509Store object or None if it does not have one. """ @@ -1263,6 +1327,7 @@ def set_options(self, options): """ Add options. Options set before are not cleared! + This method should be used with the :const:`OP_*` constants. :param options: The options to add. :return: The new option bitmask. @@ -1274,7 +1339,8 @@ def set_mode(self, mode): """ - Add modes via bitmask. Modes set before are not cleared! + Add modes via bitmask. Modes set before are not cleared! This method + should be used with the :const:`MODE_*` constants. :param mode: The mode to add. :return: The new mode bitmask. 
@@ -1292,6 +1358,8 @@ :param callback: The callback function. It will be invoked with one argument, the Connection instance. + + .. versionadded:: 0.13 """ @wraps(callback) def wrapper(ssl, alert, arg): @@ -1303,6 +1371,21 @@ _lib.SSL_CTX_set_tlsext_servername_callback( self._context, self._tlsext_servername_callback) + def set_tlsext_use_srtp(self, profiles): + """ + Enable support for negotiating SRTP keying material. + + :param bytes profiles: A colon delimited list of protection profile + names, like ``b'SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32'``. + :return: None + """ + if not isinstance(profiles, bytes): + raise TypeError("profiles must be a byte string.") + + _openssl_assert( + _lib.SSL_CTX_set_tlsext_use_srtp(self._context, profiles) == 0 + ) + @_requires_npn def set_npn_advertise_callback(self, callback): """ @@ -1311,9 +1394,11 @@ `_ as a server. :param callback: The callback function. It will be invoked with one - argument, the Connection instance. It should return a list of - bytestrings representing the advertised protocols, like + argument, the :class:`Connection` instance. It should return a + list of bytestrings representing the advertised protocols, like ``[b'http/1.1', b'spdy/2']``. + + .. versionadded:: 0.15 """ self._npn_advertise_helper = _NpnAdvertiseHelper(callback) self._npn_advertise_callback = self._npn_advertise_helper.callback @@ -1330,6 +1415,8 @@ arguments: the Connection, and a list of offered protocols as bytestrings, e.g. ``[b'http/1.1', b'spdy/2']``. It should return one of those bytestrings, the chosen protocol. + + .. versionadded:: 0.15 """ self._npn_select_helper = _NpnSelectHelper(callback) self._npn_select_callback = self._npn_select_helper.callback 
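Review bot: `_openssl_assert(_lib.SSL_CTX_set_tlsext_use_srtp(self._context, profiles) == 0)` in the new `set_tlsext_use_srtp` is correct but reads as inverted — OpenSSL documents `SSL_CTX_set_tlsext_use_srtp` as returning 0 on success and 1 on error, the reverse of most `SSL_CTX_*` setters — and nothing in the code says so; a one-line comment, `# Unusually for OpenSSL, this returns 0 on success and 1 on error.`, would keep a later cleanup from "fixing" it into a call that always raises. The docstring should also name the two failure modes the new tests pin down: `:raises TypeError: if *profiles* is not ``bytes``` and `:raises Error: if OpenSSL rejects the profile list`. Whether the binding exists on OpenSSL builds compiled without SRTP support is not visible here; if it can be missing, a guard in the style of the `@_requires_npn`/`@_requires_alpn` decorators on the neighbouring methods is needed.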
@@ -1339,9 +1426,9 @@ @_requires_alpn def set_alpn_protos(self, protos): """ - Specify the clients ALPN protocol list. - - These protocols are offered to the server during protocol negotiation. + Specify the protocols that the client is prepared to speak after the + TLS connection has been negotiated using Application Layer Protocol + Negotiation. :param protos: A list of the protocols to be offered to the server. This list should be a Python list of bytestrings representing the @@ -1361,7 +1448,8 @@ @_requires_alpn def set_alpn_select_callback(self, callback): """ - Set the callback to handle ALPN protocol choice. + Specify a callback function that will be called on the server when a + client offers protocols using ALPN. :param callback: The callback function. It will be invoked with two arguments: the Connection, and a list of offered protocols as @@ -1456,6 +1544,11 @@ ssl = _lib.SSL_new(context._context) self._ssl = _ffi.gc(ssl, _lib.SSL_free) + # We set SSL_MODE_AUTO_RETRY to handle situations where OpenSSL returns + # an SSL_ERROR_WANT_READ when processing a non-application data packet + # even though there is still data on the underlying transport. + # See https://github.com/openssl/openssl/issues/6234 for more details. + _lib.SSL_set_mode(self._ssl, _lib.SSL_MODE_AUTO_RETRY) self._context = context self._app_data = None @@ -1547,15 +1640,16 @@ def get_context(self): """ - Get session context + Retrieve the :class:`Context` object associated with this + :class:`Connection`. """ return self._context def set_context(self, context): """ - Switch this connection to a new session context + Switch this connection to a new session context. - :param context: A :py:class:`Context` instance giving the new session + :param context: A :class:`Context` instance giving the new session context to use. """ if not isinstance(context, Context): 
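Review bot: `_lib.SSL_set_mode(self._ssl, _lib.SSL_MODE_AUTO_RETRY)` is applied unconditionally in the Connection constructor, and the only explanation is the OpenSSL-internal one in the new comment; the user-visible consequence — on a blocking transport `recv` now does not return until an application-data record arrives, where it previously raised `WantReadError` after a non-application record (the situation the comment describes) — appears in no docstring, and no `Connection`-level API visible here lets a caller clear the bit (`Context.set_mode` earlier in this diff only ORs bits in). I'd put a sentence in the class docstring, e.g. `Connections are created with ``SSL_MODE_AUTO_RETRY`` set, so :exc:`WantReadError` is only raised when the transport has no more data; non-application records are consumed transparently.`, and consider a `Connection` method to clear the mode so the default is actually overridable, as the changelog's "by default" suggests. `__init__` starts outside the hunk.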
@@ -1570,7 +1664,9 @@ Retrieve the servername extension value if provided in the client hello message, or None if there wasn't one. - :return: A byte string giving the server name or :py:data:`None`. + :return: A byte string giving the server name or :data:`None`. + + .. versionadded:: 0.13 """ name = _lib.SSL_get_servername( self._ssl, _lib.TLSEXT_NAMETYPE_host_name @@ -1586,6 +1682,8 @@ Set the value of the servername extension to send in the client hello. :param name: A byte string giving the name. + + .. versionadded:: 0.13 """ if not isinstance(name, bytes): raise TypeError("name must be a byte string") @@ -1597,7 +1695,8 @@ def pending(self): """ - Get the number of bytes that can be safely read from the connection + Get the number of bytes that can be safely read from the SSL buffer + (**not** the underlying transport buffer). :return: The number of bytes available in the receive buffer. """ @@ -1617,7 +1716,7 @@ # Backward compatibility buf = _text_to_bytes_and_warn("buf", buf) - if isinstance(buf, _memoryview): + if isinstance(buf, memoryview): buf = buf.tobytes() if isinstance(buf, _buffer): buf = str(buf) @@ -1644,7 +1743,7 @@ """ buf = _text_to_bytes_and_warn("buf", buf) - if isinstance(buf, _memoryview): + if isinstance(buf, memoryview): buf = buf.tobytes() if isinstance(buf, _buffer): buf = str(buf) @@ -1687,8 +1786,8 @@ def recv_into(self, buffer, nbytes=None, flags=None): """ - Receive data on the connection and store the data into a buffer rather - than creating a new string. + Receive data on the connection and copy it directly into the provided + buffer, rather than creating a new string. :param buffer: The buffer to copy into. :param nbytes: (optional) The maximum number of bytes to read into the 
@@ -1717,12 +1816,8 @@ # This strange line is all to avoid a memory copy. The buffer protocol # should allow us to assign a CFFI buffer to the LHS of this line, but # on CPython 3.3+ that segfaults. As a workaround, we can temporarily - # wrap it in a memoryview, except on Python 2.6 which doesn't have a - # memoryview type. - try: - buffer[:result] = memoryview(_ffi.buffer(buf, result)) - except NameError: - buffer[:result] = _ffi.buffer(buf, result) + # wrap it in a memoryview. + buffer[:result] = memoryview(_ffi.buffer(buf, result)) return result @@ -1746,8 +1841,11 @@ def bio_read(self, bufsiz): """ - When using non-socket connections this function reads the "dirty" data - that would have traveled away on the network. + If the Connection was created with a memory BIO, this method can be + used to read bytes from the write end of that memory BIO. Many + Connection methods will add bytes which must be read in this manner or + the buffer will eventually fill up and the Connection will be able to + take no further actions. :param bufsiz: The maximum number of bytes to read :return: The string read. @@ -1767,8 +1865,10 @@ def bio_write(self, buf): """ - When using non-socket connections this function sends "dirty" data that - would have traveled in on the network. + If the Connection was created with a memory BIO, this method can be + used to add bytes to the read end of that memory BIO. The Connection + can then read the bytes (for example, in response to a call to + :meth:`recv`). :param buf: The string to put into the memory BIO. :return: The number of bytes written 
@@ -1797,8 +1897,9 @@ def do_handshake(self): """ - Perform an SSL handshake (usually called after renegotiate() or one of - set_*_state()). This can raise the same exceptions as send and recv. + Perform an SSL handshake (usually called after :meth:`renegotiate` or + one of :meth:`set_accept_state` or :meth:`set_accept_state`). This can + raise the same exceptions as :meth:`send` and :meth:`recv`. :return: None. """ @@ -1826,7 +1927,9 @@ def connect(self, addr): """ - Connect to remote host and set up client-side SSL + Call the :meth:`connect` method of the underlying socket and set up SSL + on the socket, using the :class:`Context` object supplied to this + :class:`Connection` object at creation. :param addr: A remote address :return: What the socket's connect method returns @@ -1836,8 +1939,10 @@ def connect_ex(self, addr): """ - Connect to remote host and set up client-side SSL. Note that if the - socket's connect_ex method doesn't return 0, SSL won't be initialized. + Call the :meth:`connect_ex` method of the underlying socket and set up + SSL on the socket, using the Context object supplied to this Connection + object at creation. Note that if the :meth:`connect_ex` method of the + socket doesn't return 0, SSL won't be initialized. :param addr: A remove address :return: What the socket's connect_ex method returns @@ -1848,10 +1953,13 @@ def accept(self): """ - Accept incoming connection and set up SSL on it - - :return: A (conn,addr) pair where conn is a Connection and addr is an - address + Call the :meth:`accept` method of the underlying socket and set up SSL + on the returned socket, using the Context object supplied to this + :class:`Connection` object at creation. + + :return: A *(conn, addr)* pair where *conn* is the new + :class:`Connection` object created, and *address* is as returned by + the socket's :meth:`accept`. """ client, addr = self._socket.accept() conn = Connection(self._context, client) 
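Review bot: The rewritten `do_handshake` docstring says `one of :meth:`set_accept_state` or :meth:`set_accept_state``, naming the same method twice; the first should be the client-side call, i.e. `one of :meth:`set_connect_state` or :meth:`set_accept_state`). This can`. As written the sentence loses the client-side half of the instruction it exists to give.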
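Review bot: The new `accept` docstring describes the return value as a `*(conn, addr)*` pair and then refers to `*address*`, so the second element's name does not match; `and *addr* is as returned by the socket's :meth:`accept`.` keeps the two in step. In the `connect_ex` hunk just above, the context line `:param addr: A remove address` still carries the old typo (`remote`), which is cheap to fix since the commit already rewrites that docstring.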
@@ -1860,8 +1968,9 @@ def bio_shutdown(self): """ - When using non-socket connections this function signals end of - data on the input for this connection. + If the Connection was created with a memory BIO, this method can be + used to indicate that *end of file* has been reached on the read end of + that memory BIO. :return: None """ @@ -1872,11 +1981,12 @@ def shutdown(self): """ - Send closure alert + Send the shutdown message to the Connection. :return: True if the shutdown completed successfully (i.e. both sides - have sent closure alerts), false otherwise (i.e. you have to - wait for a ZeroReturnError on a recv() method call + have sent closure alerts), False otherwise (in which case you + call :meth:`recv` or :meth:`send` when the connection becomes + readable/writeable). """ result = _lib.SSL_shutdown(self._ssl) if result < 0: @@ -1904,12 +2014,14 @@ """ Get CAs whose certificates are suggested for client authentication. - :return: If this is a server connection, a list of X509Names - representing the acceptable CAs as set by - :py:meth:`OpenSSL.SSL.Context.set_client_ca_list` or - :py:meth:`OpenSSL.SSL.Context.add_client_ca`. If this is a client - connection, the list of such X509Names sent by the server, or an - empty list if that has not yet happened. + :return: If this is a server connection, the list of certificate + authorities that will be sent or has been sent to the client, as + controlled by this :class:`Connection`'s :class:`Context`. + + If this is a client connection, the list will be empty until the + connection with the server is established. + + .. versionadded:: 0.10 """ ca_names = _lib.SSL_get_client_CA_list(self._ssl) if ca_names == _ffi.NULL: @@ -1927,7 +2039,7 @@ result.append(pyname) return result - def makefile(self): + def makefile(self, *args, **kwargs): """ The makefile() method is not implemented, since there is no dup semantics for SSL connections 
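Review bot: The rewritten `get_client_ca_list` `:return:` no longer says what the list holds — the removed text named `X509Name` objects and the loop below still appends `pyname`, so only the documentation of the type changed. I'd add `:rtype: list of :class:`OpenSSL.crypto.X509Name`` under the `:return:` block, and keep a cross-reference to the calls that control the list (`:meth:`Context.set_client_ca_list` / :meth:`Context.add_client_ca``), which the old text had and the new one replaces with "as controlled by this Connection's Context".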
@@ -1939,7 +2051,7 @@ def get_app_data(self): """ - Get application data + Retrieve application data as set by :meth:`set_app_data`. :return: The application data """ @@ -1949,14 +2061,14 @@ """ Set application data - :param data - The application data + :param data: The application data :return: None """ self._app_data = data def get_shutdown(self): """ - Get shutdown state + Get the shutdown state of the Connection. :return: The shutdown state, a bitvector of SENT_SHUTDOWN, RECEIVED_SHUTDOWN. @@ -1965,9 +2077,9 @@ def set_shutdown(self, state): """ - Set shutdown state + Set the shutdown state of the Connection. - :param state - bitvector of SENT_SHUTDOWN, RECEIVED_SHUTDOWN. + :param state: bitvector of SENT_SHUTDOWN, RECEIVED_SHUTDOWN. :return: None """ if not isinstance(state, integer_types): @@ -1986,7 +2098,7 @@ def server_random(self): """ - Get a copy of the server hello nonce. + Retrieve the random value used with the server hello message. :return: A string representing the state """ @@ -2001,7 +2113,7 @@ def client_random(self): """ - Get a copy of the client hello nonce. + Retrieve the random value used with the client hello message. :return: A string representing the state """ @@ -2017,7 +2129,7 @@ def master_key(self): """ - Get a copy of the master key. + Retrieve the value of the master key for this session. :return: A string representing the state """ 
@@ -2035,10 +2147,10 @@ """ Obtain keying material for application use. - :param label - a disambiguating label string as described in RFC 5705 - :param olen - the length of the exported key material in bytes - :param context - a per-association context value - :return the exported key material bytes or None + :param: label - a disambiguating label string as described in RFC 5705 + :param: olen - the length of the exported key material in bytes + :param: context - a per-association context value + :return: the exported key material bytes or None """ outp = _no_zero_allocator("unsigned char[]", olen) context_buf = _ffi.NULL @@ -2057,12 +2169,25 @@ def sock_shutdown(self, *args, **kwargs): """ - See shutdown(2) + Call the :meth:`shutdown` method of the underlying socket. + See :manpage:`shutdown(2)`. :return: What the socket's shutdown() method returns """ return self._socket.shutdown(*args, **kwargs) + def get_certificate(self): + """ + Retrieve the local certificate (if any) + + :return: The local certificate + """ + cert = _lib.SSL_get_certificate(self._ssl) + if cert != _ffi.NULL: + _lib.X509_up_ref(cert) + return X509._from_raw_x509_ptr(cert) + return None + def get_peer_certificate(self): """ Retrieve the other side's certificate (if any) @@ -2133,8 +2258,10 @@ """ Returns the Session currently used. - @return: An instance of :py:class:`OpenSSL.SSL.Session` or - :py:obj:`None` if no session exists. + :return: An instance of :class:`OpenSSL.SSL.Session` or + :obj:`None` if no session exists. + + .. versionadded:: 0.14 """ session = _lib.SSL_get1_session(self._ssl) if session == _ffi.NULL: @@ -2150,6 +2277,8 @@ :param session: A Session instance representing the session to use. :returns: None + + .. versionadded:: 0.14 """ if not isinstance(session, Session): raise TypeError("session must be a Session instance") 
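Review bot: The new `:param: label - …`, `:param: olen - …` and `:param: context - …` lines put the colon before the name, so Sphinx sees three unnamed `param` fields and ` - ` becomes part of the description; the field syntax is `:param label: …`. Correct lines are `:param label: a disambiguating label string as described in RFC 5705`, `:param olen: the length of the exported key material in bytes`, `:param context: a per-association context value`, which is also what the commit does for `set_app_data` and `set_shutdown` on the previous line. `export_keying_material` begins outside the hunk.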
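Review bot: `get_certificate` returns `None` when `SSL_get_certificate` yields NULL, but its docstring says only `:return: The local certificate`; the `None` path is tested in tests/test_ssl.py, so document it: `:return: The local :class:`OpenSSL.crypto.X509` certificate, or :data:`None` if no certificate has been set.` This commit adds `.. versionadded::` markers to many older methods while the one genuinely new public method here has none; `.. versionadded:: 18.0.0` (the version this diff bumps to) belongs on it. The `_lib.X509_up_ref(cert)` before `X509._from_raw_x509_ptr(cert)` is presumably there because `SSL_get_certificate` hands back OpenSSL's internal pointer; a comment `# SSL_get_certificate returns the SSL object's own reference; take ours before wrapping it` would make that ownership step explicit.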
@@ -2160,15 +2289,15 @@ def _get_finished_message(self, function): """ - Helper to implement :py:meth:`get_finished` and - :py:meth:`get_peer_finished`. + Helper to implement :meth:`get_finished` and + :meth:`get_peer_finished`. - :param function: Either :py:data:`SSL_get_finished`: or - :py:data:`SSL_get_peer_finished`. + :param function: Either :data:`SSL_get_finished`: or + :data:`SSL_get_peer_finished`. - :return: :py:data:`None` if the desired message has not yet been + :return: :data:`None` if the desired message has not yet been received, otherwise the contents of the message. - :rtype: :py:class:`bytes` or :py:class:`NoneType` + :rtype: :class:`bytes` or :class:`NoneType` """ # The OpenSSL documentation says nothing about what might happen if the # count argument given is zero. Specifically, it doesn't say whether @@ -2194,21 +2323,25 @@ def get_finished(self): """ - Obtain the latest `handshake finished` message sent to the peer. + Obtain the latest TLS Finished message that we sent. - :return: The contents of the message or :py:obj:`None` if the TLS + :return: The contents of the message or :obj:`None` if the TLS handshake has not yet completed. - :rtype: :py:class:`bytes` or :py:class:`NoneType` + :rtype: :class:`bytes` or :class:`NoneType` + + .. versionadded:: 0.15 """ return self._get_finished_message(_lib.SSL_get_finished) def get_peer_finished(self): """ - Obtain the latest `handshake finished` message received from the peer. + Obtain the latest TLS Finished message that we received from the peer. - :return: The contents of the message or :py:obj:`None` if the TLS + :return: The contents of the message or :obj:`None` if the TLS handshake has not yet completed. - :rtype: :py:class:`bytes` or :py:class:`NoneType` + :rtype: :class:`bytes` or :class:`NoneType` + + .. versionadded:: 0.15 """ return self._get_finished_message(_lib.SSL_get_peer_finished) 
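Review bot: The rewritten `:param function: Either :data:`SSL_get_finished`: or` line in `_get_finished_message` keeps a stray colon after the closing backtick, which renders as a literal `:` after the reference; it should be `:param function: Either :data:`SSL_get_finished` or`. The hunk exists to normalise the `:py:data:` roles, so this is the natural place to drop it.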
@@ -2216,9 +2349,11 @@ """ Obtain the name of the currently used cipher. - :returns: The name of the currently used cipher or :py:obj:`None` + :returns: The name of the currently used cipher or :obj:`None` if no connection has been established. - :rtype: :py:class:`unicode` or :py:class:`NoneType` + :rtype: :class:`unicode` or :class:`NoneType` + + .. versionadded:: 0.15 """ cipher = _lib.SSL_get_current_cipher(self._ssl) if cipher == _ffi.NULL: @@ -2232,8 +2367,10 @@ Obtain the number of secret bits of the currently used cipher. :returns: The number of secret bits of the currently used cipher - or :py:obj:`None` if no connection has been established. - :rtype: :py:class:`int` or :py:class:`NoneType` + or :obj:`None` if no connection has been established. + :rtype: :class:`int` or :class:`NoneType` + + .. versionadded:: 0.15 """ cipher = _lib.SSL_get_current_cipher(self._ssl) if cipher == _ffi.NULL: @@ -2246,8 +2383,10 @@ Obtain the protocol version of the currently used cipher. :returns: The protocol name of the currently used cipher - or :py:obj:`None` if no connection has been established. - :rtype: :py:class:`unicode` or :py:class:`NoneType` + or :obj:`None` if no connection has been established. + :rtype: :class:`unicode` or :class:`NoneType` + + .. versionadded:: 0.15 """ cipher = _lib.SSL_get_current_cipher(self._ssl) if cipher == _ffi.NULL: 
@@ -2258,23 +2397,23 @@ def get_protocol_version_name(self): """ - Obtain the protocol version of the current connection. + Retrieve the protocol version of the current connection. :returns: The TLS version of the current connection, for example the value for TLS 1.2 would be ``TLSv1.2``or ``Unknown`` for connections that were not successfully established. - :rtype: :py:class:`unicode` + :rtype: :class:`unicode` """ version = _ffi.string(_lib.SSL_get_version(self._ssl)) return version.decode("utf-8") def get_protocol_version(self): """ - Obtain the protocol version of the current connection. + Retrieve the SSL or TLS protocol version of the current connection. - :returns: The TLS version of the current connection, for example - the value for TLS 1 would be 0x769. - :rtype: :py:class:`int` + :returns: The TLS version of the current connection. For example, + it will return ``0x769`` for connections made over TLS version 1. + :rtype: :class:`int` """ version = _lib.SSL_version(self._ssl) return version @@ -2283,6 +2422,11 @@ def get_next_proto_negotiated(self): """ Get the protocol that was negotiated by NPN. + + :returns: A bytestring of the protocol name. If no protocol has been + negotiated yet, returns an empty string. + + .. versionadded:: 0.15 """ data = _ffi.new("unsigned char **") data_len = _ffi.new("unsigned int *") @@ -2317,6 +2461,9 @@ def get_alpn_proto_negotiated(self): """ Get the protocol that was negotiated by ALPN. + + :returns: A bytestring of the protocol name. If no protocol has been + negotiated yet, returns an empty string. """ data = _ffi.new("unsigned char **") data_len = _ffi.new("unsigned int *") diff -Nru pyopenssl-17.5.0/src/OpenSSL/version.py pyopenssl-18.0.0/src/OpenSSL/version.py --- pyopenssl-17.5.0/src/OpenSSL/version.py 2017-12-01 02:16:17.000000000 +0000 +++ pyopenssl-18.0.0/src/OpenSSL/version.py 2018-05-16 19:14:32.000000000 +0000 
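Review bot: The rewritten `get_protocol_version` docstring says `it will return ``0x769`` for connections made over TLS version 1`, but the TLS 1.0 version number is 0x0301, which is 769 in decimal; `0x769` is 1897 and matches nothing. The old line had the same slip, and since this hunk rewrites it the fix is `it will return ``769`` (``0x0301``) for connections made over TLS 1.0`. In the `get_protocol_version_name` docstring just above, the context line `would be ``TLSv1.2``or ``Unknown``` still lacks the space after the closing backticks that RST needs to recognise the inline literal, so the rendered docs show raw backticks; worth fixing while the surrounding lines are being touched.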
@@ -11,7 +11,7 @@
 "__title__", "__uri__", "__version__",
 ]
-__version__ = "17.5.0"
+__version__ = "18.0.0"
 __title__ = "pyOpenSSL"
 __uri__ = "https://pyopenssl.org/"
diff -Nru pyopenssl-17.5.0/src/pyOpenSSL.egg-info/PKG-INFO pyopenssl-18.0.0/src/pyOpenSSL.egg-info/PKG-INFO
--- pyopenssl-17.5.0/src/pyOpenSSL.egg-info/PKG-INFO 2017-12-01 02:17:48.000000000 +0000
+++ pyopenssl-18.0.0/src/pyOpenSSL.egg-info/PKG-INFO 2018-05-16 19:15:38.000000000 +0000
@@ -1,12 +1,11 @@
 Metadata-Version: 1.1
 Name: pyOpenSSL
-Version: 17.5.0
+Version: 18.0.0
 Summary: Python wrapper module around the OpenSSL library
 Home-page: https://pyopenssl.org/
 Author: Hynek Schlawack
 Author-email: hs@ox.cx
 License: Apache License, Version 2.0
-Description-Content-Type: UNKNOWN
 Description: ========================================================
 pyOpenSSL -- A Python wrapper around the OpenSSL library
 ========================================================
@@ -23,8 +22,11 @@
 :target: https://codecov.io/github/pyca/pyopenssl
 :alt: Test coverage
+ **Note:** The Python Cryptographic Authority **strongly suggests** the use of `pyca/cryptography`_
+ where possible. If you are using pyOpenSSL for anything other than making a TLS connection
+ **you should move to cryptography and drop your pyOpenSSL dependency**.
- High-level wrapper around a subset of the OpenSSL library. Includes
+ High-level wrapper around a subset of the OpenSSL library. Includes
 * ``SSL.Connection`` objects, wrapping the methods of Python's portable sockets
 * Callbacks written in Python
@@ -50,19 +52,21 @@ .. _`issue tracker`: https://github.com/pyca/pyopenssl/issues .. _cryptography-dev: https://mail.python.org/mailman/listinfo/cryptography-dev .. _GitHub: https://github.com/pyca/pyopenssl + .. _`pyca/cryptography`: https://github.com/pyca/cryptography Release Information =================== - 17.5.0 (2017-11-30) + 18.0.0 (2018-05-16) ------------------- Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - * The minimum ``cryptography`` version is now 2.1.4. + - The minimum ``cryptography`` version is now 2.2.1. + - Support for Python 2.6 has been dropped. Deprecations: 
@@ -74,72 +78,12 @@ Changes: ^^^^^^^^ - - Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with ``cacerts``. - `#723 `_ - - Added ``Connection.export_keying_material`` for RFC 5705 compatible export of keying material. - `#725 `_ - - ---- - - - - 17.4.0 (2017-11-21) - ------------------- - - - Backward-incompatible changes: - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - *none* - - - Deprecations: - ^^^^^^^^^^^^^ - - *none* - - - Changes: - ^^^^^^^^ - - - - Re-added a subset of the ``OpenSSL.rand`` module. - This subset allows conscientious users to reseed the OpenSSL CSPRNG after fork. - `#708 `_ - - Corrected a use-after-free when reusing an issuer or subject from an ``X509`` object after the underlying object has been mutated. - `#709 `_ - - ---- - - - 17.3.0 (2017-09-14) - ------------------- - - - Backward-incompatible changes: - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - - - Dropped support for Python 3.3. - `#677 `_ - - Removed the deprecated ``OpenSSL.rand`` module. - This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden. - ``os.urandom()`` should be used instead. - `#675 `_ - - - Deprecations: - ^^^^^^^^^^^^^ - - - Deprecated ``OpenSSL.tsafe``. - `#673 `_ - - Changes: - ^^^^^^^^ - - - Fixed a memory leak in ``OpenSSL.crypto.CRL``. - `#690 `_ - - Fixed a memory leak when verifying certificates with ``OpenSSL.crypto.X509StoreContext``. - `#691 `_ + - Added ``Connection.get_certificate`` to retrieve the local certificate. + `#733 `_ + - ``OpenSSL.SSL.Connection`` now sets ``SSL_MODE_AUTO_RETRY`` by default. + `#753 `_ + - Added ``Context.set_tlsext_use_srtp`` to enable negotiation of SRTP keying material. + `#734 `_ `Full changelog `_. 
@@ -152,7 +96,6 @@
 Classifier: Operating System :: Microsoft :: Windows
 Classifier: Operating System :: POSIX
 Classifier: Programming Language :: Python :: 2
-Classifier: Programming Language :: Python :: 2.6
 Classifier: Programming Language :: Python :: 2.7
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.4
diff -Nru pyopenssl-17.5.0/src/pyOpenSSL.egg-info/requires.txt pyopenssl-18.0.0/src/pyOpenSSL.egg-info/requires.txt
--- pyopenssl-17.5.0/src/pyOpenSSL.egg-info/requires.txt 2017-12-01 02:17:48.000000000 +0000
+++ pyopenssl-18.0.0/src/pyOpenSSL.egg-info/requires.txt 2018-05-16 19:15:38.000000000 +0000
@@ -1,4 +1,4 @@
-cryptography>=2.1.4
+cryptography>=2.2.1
 six>=1.5.2
 [docs]
@@ -8,4 +8,4 @@
 [test]
 flaky
 pretend
-pytest<3.3.0,>=3.0.1
+pytest>=3.0.1
diff -Nru pyopenssl-17.5.0/tests/test_crypto.py pyopenssl-18.0.0/tests/test_crypto.py
--- pyopenssl-17.5.0/tests/test_crypto.py 2017-12-01 02:16:17.000000000 +0000
+++ pyopenssl-18.0.0/tests/test_crypto.py 2018-05-16 19:14:32.000000000 +0000
@@ -573,7 +573,7 @@
 """
 # Basic setup stuff to generate a certificate
 pkey = PKey()
- pkey.generate_key(TYPE_RSA, 384)
+ pkey.generate_key(TYPE_RSA, 512)
 req = X509Req()
 req.set_pubkey(pkey)
 # Authority good you have.
@@ -917,7 +917,7 @@
 `PKey.generate_key` generates an RSA key when passed `TYPE_RSA` as a type and a reasonable number of bits.
 """
- bits = 128
+ bits = 512
 key = PKey()
 key.generate_key(TYPE_RSA, bits)
 assert key.type() == TYPE_RSA
diff -Nru pyopenssl-17.5.0/tests/test_ssl.py pyopenssl-18.0.0/tests/test_ssl.py
--- pyopenssl-17.5.0/tests/test_ssl.py 2017-12-01 02:16:17.000000000 +0000
+++ pyopenssl-18.0.0/tests/test_ssl.py 2018-05-16 19:14:32.000000000 +0000
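Review bot: `pkey.generate_key(TYPE_RSA, 512)` and `bits = 512` replace 384- and 128-bit test keys with no comment on why 512 is the new floor, and the same change is repeated three more times in tests/test_ssl.py (the `key.generate_key(TYPE_RSA, 512)` hunks on the next line). Presumably the bumped `cryptography`/OpenSSL minimum refuses to generate smaller RSA keys, but that is inferred here, not stated anywhere in the diff. A module-level constant such as `_TEST_RSA_BITS = 512` in each test module, with a one-line comment giving the actual reason for the floor, used at all five sites, would record the motivation and keep them in step.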
@@ -11,7 +11,7 @@
 from gc import collect, get_referrers
 from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN
-from sys import platform, getfilesystemencoding, version_info
+from sys import platform, getfilesystemencoding
 from socket import MSG_PEEK, SHUT_RDWR, error, socket
 from os import makedirs
 from os.path import join
@@ -99,10 +99,6 @@
 skip_if_py3 = pytest.mark.skipif(PY3, reason="Python 2 only")
-skip_if_py26 = pytest.mark.skipif(
- version_info[0:2] == (2, 6),
- reason="Python 2.7 and later only"
-)
 def join_bytes_or_unicode(prefix, suffix):
@@ -523,7 +519,7 @@
 `Context.use_privatekey` takes an `OpenSSL.crypto.PKey` instance.
 """
 key = PKey()
- key.generate_key(TYPE_RSA, 128)
+ key.generate_key(TYPE_RSA, 512)
 ctx = Context(TLSv1_METHOD)
 ctx.use_privatekey(key)
 with pytest.raises(TypeError):
@@ -544,7 +540,7 @@
 arguments does not raise an exception.
 """
 key = PKey()
- key.generate_key(TYPE_RSA, 128)
+ key.generate_key(TYPE_RSA, 512)
 with open(pemfile, "wt") as pem:
 pem.write(
@@ -847,7 +843,7 @@
 passphrase. Return the path to the new file.
 """
 key = PKey()
- key.generate_key(TYPE_RSA, 128)
+ key.generate_key(TYPE_RSA, 512)
 pem = dump_privatekey(FILETYPE_PEM, key, "blowfish", passphrase)
 with open(tmpfile, 'w') as fObj:
 fObj.write(pem.decode('ascii'))
@@ -1206,6 +1202,7 @@
 client.connect(("encrypted.google.com", 443))
 clientSSL = Connection(context, client)
 clientSSL.set_connect_state()
+ clientSSL.set_tlsext_host_name(b"encrypted.google.com")
 clientSSL.do_handshake()
 clientSSL.send(b"GET / HTTP/1.0\r\n\r\n")
 assert clientSSL.recv(1024)
@@ -1486,7 +1483,7 @@
 @pytest.mark.parametrize('callback', [None, 1.0, 'mode', ('foo', 'bar')])
 def test_set_verify_wrong_callable_arg(self, callback):
 """
- `Context.set_verify` raises `TypeError` if the the second argument
+ `Context.set_verify` raises `TypeError` if the second argument
 is not callable.
 """
 context = Context(TLSv1_METHOD)
@@ -1596,6 +1593,35 @@ store = context.get_cert_store() assert isinstance(store, X509Store) + def test_set_tlsext_use_srtp_not_bytes(self): + """ + `Context.set_tlsext_use_srtp' enables negotiating SRTP keying material. + + It raises a TypeError if the list of profiles is not a byte string. + """ + context = Context(TLSv1_METHOD) + with pytest.raises(TypeError): + context.set_tlsext_use_srtp(text_type('SRTP_AES128_CM_SHA1_80')) + + def test_set_tlsext_use_srtp_invalid_profile(self): + """ + `Context.set_tlsext_use_srtp' enables negotiating SRTP keying material. + + It raises an Error if the call to OpenSSL fails. + """ + context = Context(TLSv1_METHOD) + with pytest.raises(Error): + context.set_tlsext_use_srtp(b'SRTP_BOGUS') + + def test_set_tlsext_use_srtp_valid(self): + """ + `Context.set_tlsext_use_srtp' enables negotiating SRTP keying material. + + It does not return anything. + """ + context = Context(TLSv1_METHOD) + assert context.set_tlsext_use_srtp(b'SRTP_AES128_CM_SHA1_80') is None + class TestServerNameCallback(object): """ @@ -2392,6 +2418,31 @@ with pytest.raises(NotImplementedError): conn.makefile() + def test_get_certificate(self): + """ + `Connection.get_certificate` returns the local certificate. + """ + chain = _create_certificate_chain() + [(cakey, cacert), (ikey, icert), (skey, scert)] = chain + + context = Context(TLSv1_METHOD) + context.use_certificate(scert) + client = Connection(context, None) + cert = client.get_certificate() + assert cert is not None + assert "Server Certificate" == cert.get_subject().CN + + def test_get_certificate_none(self): + """ + `Connection.get_certificate` returns the local certificate. + + If there is no certificate, it returns None. + """ + context = Context(TLSv1_METHOD) + client = Connection(context, None) + cert = client.get_certificate() + assert cert is None + def test_get_peer_cert_chain(self): """ `Connection.get_peer_cert_chain` returns a list of certificates 
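Review bot: All three new test docstrings open with a backtick and close with an apostrophe — `` `Context.set_tlsext_use_srtp' `` — while the rest of this file (e.g. `` `Context.use_privatekey` `` and `` `Connection.get_certificate` `` elsewhere in this same diff) uses paired backticks; the closing quote should be a backtick in each. `test_set_tlsext_use_srtp_valid` only checks `is None`, which proves the call did not raise but not that the profile list reached OpenSSL; a stronger check needs a getter the commit does not add, so that is a follow-up rather than a blocker.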
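Review bot: `[(cakey, cacert), (ikey, icert), (skey, scert)] = chain` in `test_get_certificate` binds five names that are never read; unpacking only what the test uses, `_, _, (_, scert) = _create_certificate_chain()`, says what the fixture is for. The assertion `"Server Certificate" == cert.get_subject().CN` ties the test to whatever CN the helper happens to use; comparing against `scert.get_subject().CN` instead would check the property that matters — the returned certificate is the one passed to `use_certificate` — and survive a fixture rename.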
@@ -2867,7 +2918,6 @@
 assert count == 2
 assert client.recv(2) == b'xy'
- @skip_if_py26
 def test_short_memoryview(self):
 """
 When passed a memoryview onto a small number of bytes,
@@ -3004,7 +3054,6 @@
 assert client.recv_into(output_buffer, flags=MSG_PEEK) == 2
 assert output_buffer == bytearray(b'xy\x00\x00\x00')
- @skip_if_py26
 def test_memoryview_no_length(self):
 """
 `Connection.recv_into` can be passed a `memoryview` instance and data
@@ -3012,7 +3061,6 @@
 """
 self._no_length_test(_make_memoryview)
- @skip_if_py26
 def test_memoryview_respects_length(self):
 """
 When called with a `memoryview` instance, `Connection.recv_into`
@@ -3021,7 +3069,6 @@
 """
 self._respects_length_test(_make_memoryview)
- @skip_if_py26
 def test_memoryview_doesnt_overfill(self):
 """
 When called with a `memoryview` instance, `Connection.recv_into`
@@ -3030,7 +3077,6 @@
 """
 self._doesnt_overfill_test(_make_memoryview)
- @skip_if_py26
 def test_memoryview_really_doesnt_overfill(self):
 """
 When called with a `memoryview` instance and an `nbytes` value that is
@@ -3078,7 +3124,6 @@
 ) == str(w[-1].message))
 assert client.recv(1) == b"x"
- @skip_if_py26
 def test_short_memoryview(self):
 """
 When passed a memoryview onto a small number of bytes,
diff -Nru pyopenssl-17.5.0/tox.ini pyopenssl-18.0.0/tox.ini
--- pyopenssl-17.5.0/tox.ini 2017-12-01 02:16:17.000000000 +0000
+++ pyopenssl-18.0.0/tox.ini 2018-05-16 19:14:32.000000000 +0000
@@ -1,5 +1,5 @@
 [tox]
-envlist = {pypy,py26,py27,py34,py35,py36}{,-cryptographyMaster,-cryptographyMinimum},py27-twistedMaster,pypi-readme,check-manifest,flake8,docs,coverage-report
+envlist = {pypy,pypy3,py27,py34,py35,py36}{,-cryptographyMaster,-cryptographyMinimum},py27-twistedMaster,pypi-readme,check-manifest,flake8,docs,coverage-report
 [testenv]
 whitelist_externals =
@@ -10,7 +10,7 @@
 deps =
 coverage>=4.2
 cryptographyMaster: git+https://github.com/pyca/cryptography.git
- cryptographyMinimum: cryptography==2.1.4
+ cryptographyMinimum: cryptography==2.2.1
 setenv =
 # Do not allow the executing environment to pollute the test environment
 # with extra packages.