From nobody Mon Apr 1 11:40:50 2024
Date: Mon, 1 Apr 2024 11:40:50 GMT
Message-Id: <202404011140.431BeoYU053897@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Rene Ladan
Subject: git: 040ab4ccf57a - main - security/py-nassl: Remove expired port
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: rene
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 040ab4ccf57abdb27d30249dafe26ad5cc46da61
Auto-Submitted: auto-generated

The branch main has been updated by rene:

URL: https://cgit.FreeBSD.org/ports/commit/?id=040ab4ccf57abdb27d30249dafe26ad5cc46da61

commit 040ab4ccf57abdb27d30249dafe26ad5cc46da61
Author: Rene Ladan
AuthorDate: 2024-04-01 11:40:37 +0000
Commit: Rene Ladan
CommitDate: 2024-04-01 11:40:37 +0000

    security/py-nassl: Remove expired port

    2024-03-31 security/py-nassl: It does not support OpenSSL 3.0+

--- MOVED | 1 + security/Makefile | 1 - security/py-nassl/Makefile | 32 --- security/py-nassl/distinfo | 3 - security/py-nassl/files/patch-openssl | 485 ---------------------------------- security/py-nassl/pkg-descr | 1 - 6 files changed, 1 insertion(+), 522 deletions(-) diff --git a/MOVED b/MOVED index 60c5b7c61188..c90e4c8c61bf 100644 --- a/MOVED +++ b/MOVED @@ -3118,3 +3118,4 @@ editors/morla||2024-04-01|Has expired: Project is unmaintained and last upstream java/netcomponents||2024-04-01|Has expired: Last upstream release was in 2000 and upstream unmaintained consider using net/apache-commons-net devel/upslug||2024-04-01|Has expired: Utility for a NAS released in 2004 and discontinued in 2008 security/py-sslyze||2024-04-01|Has expired: It does not support OpenSSL 3.0+ +security/py-nassl||2024-04-01|Has expired: It does not support OpenSSL 3.0+ diff --git a/security/Makefile b/security/Makefile index ac6861a33fcf..37779ac62d1c 100644
--- a/security/Makefile +++ b/security/Makefile @@ -963,7 +963,6 @@ SUBDIR += py-mnemonic SUBDIR += py-msoffcrypto-tool SUBDIR += py-muacrypt - SUBDIR += py-nassl SUBDIR += py-netbox-secrets SUBDIR += py-netmiko SUBDIR += py-noiseprotocol diff --git a/security/py-nassl/Makefile b/security/py-nassl/Makefile deleted file mode 100644 index fae2125320d2..000000000000 --- a/security/py-nassl/Makefile +++ /dev/null @@ -1,32 +0,0 @@ -PORTNAME= nassl -PORTVERSION= 5.1.0 -CATEGORIES= security python -PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} - -MAINTAINER= sunpoet@FreeBSD.org -COMMENT= Experimental OpenSSL wrapper for SSLyze -WWW= https://github.com/nabla-c0d3/nassl - -LICENSE= AGPLv3 -LICENSE_FILE= ${WRKSRC}/LICENSE.txt - -# Upstream bug https://github.com/nabla-c0d3/nassl/issues/110 -BROKEN_SSL= openssl openssl31 -BROKEN_SSL_REASON= Fails to detect OpenSSL 3.0.0 libcrypt.so -DEPRECATED= It does not support OpenSSL 3.0+ -EXPIRATION_DATE=2024-03-31 - -USES= python ssl -USE_PYTHON= autoplist concurrent distutils - -GH_ACCOUNT= nabla-c0d3 -USE_GITHUB= yes - -post-patch: - @${RM} ${WRKSRC}/build_tasks.py ${WRKSRC}/tasks.py ${WRKSRC}/nassl/legacy_ssl_client.py - @${REINPLACE_CMD} -e 's|%%OPENSSLINC%%|${OPENSSLINC}|; s|%%OPENSSLLIB%%|${OPENSSLLIB}|' ${WRKSRC}/setup.py - -post-install: - ${FIND} ${STAGEDIR}${PYTHON_SITELIBDIR} -name '*.so' -exec ${STRIP_CMD} {} + - -.include diff --git a/security/py-nassl/distinfo b/security/py-nassl/distinfo deleted file mode 100644 index 662092bb441e..000000000000 --- a/security/py-nassl/distinfo +++ /dev/null @@ -1,3 +0,0 @@ -TIMESTAMP = 1696001396 -SHA256 (nabla-c0d3-nassl-5.1.0_GH0.tar.gz) = 20f1aa7be2dea3dad4b7765f830eac807ee9a514be5b8b16aeefbcceff9a6484 -SIZE (nabla-c0d3-nassl-5.1.0_GH0.tar.gz) = 212992 diff --git a/security/py-nassl/files/patch-openssl b/security/py-nassl/files/patch-openssl deleted file mode 100644 index 030fccdf40cd..000000000000 --- a/security/py-nassl/files/patch-openssl +++ /dev/null 
@@ -1,485 +0,0 @@ ---- nassl/_nassl/nassl_SSL.c.orig 2023-09-24 06:39:12 UTC -+++ nassl/_nassl/nassl_SSL.c -@@ -1034,6 +1034,7 @@ static PyObject *nassl_SSL_get_dh_info(nassl_SSL_Objec - return return_dict; - } - #ifndef LEGACY_OPENSSL -+#if defined(EVP_PKEY_X25519) && defined(EVP_PKEY_X448) - else if(key_id == EVP_PKEY_X25519 || key_id == EVP_PKEY_X448){ - - // If the connection uses X25519 or X448 -@@ -1074,6 +1075,7 @@ static PyObject *nassl_SSL_get_dh_info(nassl_SSL_Objec - EVP_PKEY_free(key); - return return_dict; - } -+#endif - #endif - else - { ---- nassl/_nassl/nassl_SSL_CTX.c.orig 2023-09-24 06:39:12 UTC -+++ nassl/_nassl/nassl_SSL_CTX.c -@@ -88,8 +88,10 @@ static PyObject* nassl_SSL_CTX_new(PyTypeObject *type, - // Replicate the pre-1.1.0 OpenSSL API to avoid breaking _nassl's API - // TODO(AD): Break modern _nassl's API to make it nicer by exposing min/max_proto_version - sslCtx = SSL_CTX_new(TLS_client_method()); -+#if defined(TLS1_3_VERSION) - // Force TLS 1.3 - SSL_CTX_set_min_proto_version(sslCtx, TLS1_3_VERSION); -+#endif - SSL_CTX_set_max_proto_version(sslCtx, 0); - break; - #endif ---- nassl/ssl_client.py.orig 2023-09-24 06:39:12 UTC -+++ nassl/ssl_client.py -@@ -429,6 +429,25 @@ class SslClient(BaseSslClient): - # The default client uses the modern OpenSSL - _NASSL_MODULE = _nassl - -+ def do_renegotiate(self) -> None: -+ """Initiate an SSL renegotiation.""" -+ if not self._is_handshake_completed: -+ raise IOError("SSL Handshake was not completed; cannot renegotiate.") -+ -+ self._ssl.renegotiate() -+ self.do_handshake() -+ -+ @staticmethod -+ def get_available_compression_methods() -> List[str]: -+ """Returns the list of SSL compression methods supported by SslClient.""" -+ return _nassl.SSL.get_available_compression_methods() -+ -+ def get_current_compression_method(self) -> Optional[str]: -+ return self._ssl.get_current_compression_method() -+ -+ def get_secure_renegotiation_support(self) -> bool: -+ return 
self._ssl.get_secure_renegotiation_support() -+ - def write_early_data(self, data: bytes) -> int: - """Returns the number of (encrypted) bytes sent.""" - if self._is_handshake_completed: ---- setup.py.orig 2023-09-24 06:39:12 UTC -+++ setup.py -@@ -2,29 +2,25 @@ import copy - import sys - from pathlib import Path - --from build_tasks import ( -- ModernOpenSslBuildConfig, -- ZlibBuildConfig, -- LegacyOpenSslBuildConfig, -- SupportedPlatformEnum, -- CURRENT_PLATFORM, --) - from nassl import __author__, __version__ - from setuptools import setup, Extension, find_packages - -+from platform import architecture, machine -+from sys import platform -+ -+CURRENT_PLATFORM = 'linux' -+SupportedPlatformEnum = platform - SHOULD_BUILD_FOR_DEBUG = False - -- - NASSL_SETUP = { - "name": "nassl", - "version": __version__, -- "packages": find_packages(exclude=["docs", "tests"]), -+ "packages": find_packages(exclude=["docs*", "tests*"]), - "package_data": {"nassl": ["py.typed", "_nassl.pyi", "_nassl_legacy.pyi"]}, - "py_modules": [ - "nassl.__init__", - "nassl.ssl_client", - "nassl.ephemeral_key_info", -- "nassl.legacy_ssl_client", - "nassl.ocsp_response", - "nassl.cert_chain_verifier", - ], -@@ -71,63 +67,20 @@ BASE_NASSL_EXT_SETUP = { - ], - } - --if CURRENT_PLATFORM in [SupportedPlatformEnum.WINDOWS_32, SupportedPlatformEnum.WINDOWS_64]: -- # Build using the Python that was used to run this script; will not work for cross-compiling -- PYTHON_LIBS_PATH = Path(sys.executable).parent / "libs" -+BASE_NASSL_EXT_SETUP["extra_compile_args"].append("-Wall") -+BASE_NASSL_EXT_SETUP["extra_link_args"].append("-Wl,-z,noexecstack") -+BASE_NASSL_EXT_SETUP["extra_link_args"].append("-Wl,-z,notext") - -- BASE_NASSL_EXT_SETUP.update( -- { -- "library_dirs": [str(PYTHON_LIBS_PATH)], -- "libraries": ["user32", "kernel32", "Gdi32", "Advapi32", "Ws2_32", "crypt32"], -- } -- ) --else: -- BASE_NASSL_EXT_SETUP["extra_compile_args"].append("-Wall") -- -- if CURRENT_PLATFORM in 
SupportedPlatformEnum.all_linux_platforms(): -- # Hide internal OpenSSL symbols to avoid "symbol confusion" when Python loads the system's OpenSSL libraries -- # https://github.com/nabla-c0d3/nassl/issues/95 -- BASE_NASSL_EXT_SETUP["extra_link_args"].append("-Wl,--exclude-libs=ALL") -- -- if CURRENT_PLATFORM == SupportedPlatformEnum.LINUX_64: -- # Explicitly disable executable stack on Linux 64 to address issues with Ubuntu on Windows -- # https://github.com/nabla-c0d3/nassl/issues/28 -- BASE_NASSL_EXT_SETUP["extra_link_args"].append("-Wl,-z,noexecstack") -- --zlib_config = ZlibBuildConfig(CURRENT_PLATFORM) -- -- --# The configure the setup for legacy nassl --legacy_openssl_config = LegacyOpenSslBuildConfig(CURRENT_PLATFORM) -- --LEGACY_NASSL_EXT_SETUP = copy.deepcopy(BASE_NASSL_EXT_SETUP) --LEGACY_NASSL_EXT_SETUP["name"] = "nassl._nassl_legacy" --LEGACY_NASSL_EXT_SETUP["define_macros"] = [("LEGACY_OPENSSL", "1")] --LEGACY_NASSL_EXT_SETUP.update( -- { -- "include_dirs": [str(legacy_openssl_config.include_path)], -- "extra_objects": [ -- # The order matters on some flavors of Linux -- str(legacy_openssl_config.libssl_path), -- str(legacy_openssl_config.libcrypto_path), -- str(zlib_config.libz_path), -- ], -- } --) -- --# The configure the setup for modern nassl --modern_openssl_config = ModernOpenSslBuildConfig(CURRENT_PLATFORM) -- - MODERN_NASSL_EXT_SETUP = copy.deepcopy(BASE_NASSL_EXT_SETUP) - MODERN_NASSL_EXT_SETUP["name"] = "nassl._nassl" - MODERN_NASSL_EXT_SETUP.update( - { -- "include_dirs": [str(modern_openssl_config.include_path)], -+ "include_dirs": [str('%%OPENSSLINC%%'), str('/usr/include')], - "extra_objects": [ - # The order matters on some flavors of Linux -- str(modern_openssl_config.libssl_path), -- str(modern_openssl_config.libcrypto_path), -- str(zlib_config.libz_path), -+ str('%%OPENSSLLIB%%/libssl.so'), -+ str('%%OPENSSLLIB%%/libcrypt.so'), -+ str('/usr/lib/libz.so'), - ], - } - ) -@@ -136,18 +89,11 @@ MODERN_NASSL_EXT_SETUP["sources"].append( - 
) # API only available in modern nassl - - --if CURRENT_PLATFORM in [SupportedPlatformEnum.WINDOWS_32, SupportedPlatformEnum.WINDOWS_64]: -- if SHOULD_BUILD_FOR_DEBUG: -- LEGACY_NASSL_EXT_SETUP.update({"extra_compile_args": ["/Zi"], "extra_link_args": ["/DEBUG"]}) -- MODERN_NASSL_EXT_SETUP.update({"extra_compile_args": ["/Zi"], "extra_link_args": ["/DEBUG"]}) --else: -- # Add arguments specific to Unix builds -- LEGACY_NASSL_EXT_SETUP["include_dirs"].append(str(Path("nassl") / "_nassl")) -- MODERN_NASSL_EXT_SETUP["include_dirs"].append(str(Path("nassl") / "_nassl")) -+MODERN_NASSL_EXT_SETUP["include_dirs"].append(str(Path("nassl") / "_nassl")) - - - NASSL_SETUP.update( -- {"ext_modules": [Extension(**LEGACY_NASSL_EXT_SETUP), Extension(**MODERN_NASSL_EXT_SETUP)]} -+ {"ext_modules": [Extension(**MODERN_NASSL_EXT_SETUP)]} - ) - - ---- tests/SSL_CTX_test.py.orig 2023-09-24 06:39:12 UTC -+++ tests/SSL_CTX_test.py -@@ -2,11 +2,11 @@ import tempfile - - import pytest - --from nassl import _nassl, _nassl_legacy -+from nassl import _nassl - from nassl.ssl_client import OpenSslVersionEnum, OpenSslVerifyEnum, OpenSslFileTypeEnum - - --@pytest.mark.parametrize("nassl_module", [_nassl, _nassl_legacy]) -+@pytest.mark.parametrize("nassl_module", [_nassl]) - class TestCommonSSL_CTX: - def test_new(self, nassl_module): - assert nassl_module.SSL_CTX(OpenSslVersionEnum.SSLV23.value) ---- tests/SSL_test.py.orig 2023-09-24 06:39:12 UTC -+++ tests/SSL_test.py -@@ -1,11 +1,10 @@ - import pytest - - from nassl import _nassl --from nassl import _nassl_legacy - from nassl.ssl_client import SslClient, OpenSslVersionEnum, OpenSslVerifyEnum - - --@pytest.mark.parametrize("nassl_module", [_nassl, _nassl_legacy]) -+@pytest.mark.parametrize("nassl_module", [_nassl]) - class TestCommonSSL: - def test_new(self, nassl_module): - nassl_module.SSL(nassl_module.SSL_CTX(OpenSslVersionEnum.SSLV23.value)) -@@ -134,34 +133,3 @@ class TestModernSSL: - test_ssl = 
_nassl.SSL(_nassl.SSL_CTX(OpenSslVersionEnum.TLSV1_2.value)) - with pytest.raises(_nassl.OpenSSLError, match="no cipher match"): - test_ssl.set_ciphersuites("lol") -- -- --class TestLegacySSL: -- -- # The following tests don't pass with modern OpenSSL - the API might have changed -- def test_set_cipher_list_bad(self): -- # Invalid cipher string -- test_ssl = _nassl_legacy.SSL(_nassl_legacy.SSL_CTX(OpenSslVersionEnum.SSLV23.value)) -- with pytest.raises(_nassl.OpenSSLError): -- test_ssl.set_cipher_list("badcipherstring") -- -- def test_do_handshake_bad_eof(self): -- # No BIO attached to the SSL object -- test_ssl = _nassl_legacy.SSL(_nassl_legacy.SSL_CTX(OpenSslVersionEnum.SSLV23.value)) -- test_ssl.set_connect_state() -- with pytest.raises(_nassl.SslError, match="An EOF was observed that violates the protocol"): -- test_ssl.do_handshake() -- -- def test_read_bad(self): -- # No BIO attached to the SSL object -- test_ssl = _nassl_legacy.SSL(_nassl_legacy.SSL_CTX(OpenSslVersionEnum.SSLV23.value)) -- test_ssl.set_connect_state() -- with pytest.raises(_nassl.OpenSSLError, match="ssl handshake failure"): -- test_ssl.read(128) -- -- def test_write_bad(self): -- # No BIO attached to the SSL object -- test_ssl = _nassl_legacy.SSL(_nassl_legacy.SSL_CTX(OpenSslVersionEnum.SSLV23.value)) -- test_ssl.set_connect_state() -- with pytest.raises(_nassl.OpenSSLError, match="ssl handshake failure"): -- test_ssl.write("tests") ---- tests/X509_test.py.orig 2023-09-24 06:39:12 UTC -+++ tests/X509_test.py -@@ -1,10 +1,9 @@ - import pytest - - from nassl import _nassl --from nassl import _nassl_legacy - - --@pytest.mark.parametrize("nassl_module", [_nassl, _nassl_legacy]) -+@pytest.mark.parametrize("nassl_module", [_nassl]) - class TestX509: - def test_from_pem(self, nassl_module): - # Given a PEM-formatted certificate ---- tests/ocsp_response_test.py.orig 2023-09-24 06:39:12 UTC -+++ tests/ocsp_response_test.py -@@ -5,7 +5,6 @@ import pytest - import socket - import tempfile - --from 
nassl.legacy_ssl_client import LegacySslClient - from nassl.ocsp_response import OcspResponseNotTrustedError, verify_ocsp_response - from nassl.ssl_client import SslClient, OpenSslVerifyEnum - -@@ -31,7 +30,7 @@ Pd2eQ9+DkopOz3UGU7c= - -----END CERTIFICATE-----""" - - --@pytest.mark.parametrize("ssl_client_cls", [SslClient, LegacySslClient]) -+@pytest.mark.parametrize("ssl_client_cls", [SslClient]) - class TestCommonOcspResponseOnline: - def test(self, ssl_client_cls): - # Given a website that support OCSP stapling ---- tests/ssl_client_test.py.orig 2023-09-24 06:39:12 UTC -+++ tests/ssl_client_test.py -@@ -4,7 +4,6 @@ from pathlib import Path - import pytest - - from nassl import _nassl --from nassl.legacy_ssl_client import LegacySslClient - from nassl.ssl_client import ( - ClientCertificateRequested, - OpenSslVersionEnum, -@@ -21,75 +20,10 @@ from nassl.ephemeral_key_info import ( - EcDhEphemeralKeyInfo, - ) - from nassl.cert_chain_verifier import CertificateChainVerificationFailed --from tests.openssl_server import ModernOpenSslServer, ClientAuthConfigEnum, LegacyOpenSslServer -+from tests.openssl_server import ModernOpenSslServer, ClientAuthConfigEnum - - --# TODO(AD): Switch to legacy server and add a TODO; skip tests for TLS 1.3 --@pytest.mark.parametrize("ssl_client_cls", [SslClient, LegacySslClient]) --class TestSslClientClientAuthentication: -- def test_client_authentication_no_certificate_supplied(self, ssl_client_cls): -- # Given a server that requires client authentication -- with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: -- # And the client does NOT provide a client certificate -- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -- sock.settimeout(5) -- sock.connect((server.hostname, server.port)) -- -- ssl_client = ssl_client_cls( -- ssl_version=OpenSslVersionEnum.TLSV1_2, -- underlying_socket=sock, -- ssl_verify=OpenSslVerifyEnum.NONE, -- ) -- # When doing the handshake the right error is returned -- with 
pytest.raises(ClientCertificateRequested): -- ssl_client.do_handshake() -- -- ssl_client.shutdown() -- -- def test_client_authentication_no_certificate_supplied_but_ignore(self, ssl_client_cls): -- # Given a server that accepts optional client authentication -- with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.OPTIONAL) as server: -- # And the client does NOT provide a client cert but is configured to ignore the client auth request -- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -- sock.settimeout(5) -- sock.connect((server.hostname, server.port)) -- -- ssl_client = ssl_client_cls( -- ssl_version=OpenSslVersionEnum.TLSV1_2, -- underlying_socket=sock, -- ssl_verify=OpenSslVerifyEnum.NONE, -- ignore_client_authentication_requests=True, -- ) -- # When doing the handshake, it succeeds -- try: -- ssl_client.do_handshake() -- finally: -- ssl_client.shutdown() -- -- def test_client_authentication_succeeds(self, ssl_client_cls): -- # Given a server that requires client authentication -- with LegacyOpenSslServer(client_auth_config=ClientAuthConfigEnum.REQUIRED) as server: -- # And the client provides a client certificate -- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -- sock.settimeout(5) -- sock.connect((server.hostname, server.port)) -- -- ssl_client = ssl_client_cls( -- ssl_version=OpenSslVersionEnum.TLSV1_2, -- underlying_socket=sock, -- ssl_verify=OpenSslVerifyEnum.NONE, -- client_certificate_chain=server.get_client_certificate_path(), -- client_key=server.get_client_key_path(), -- ) -- -- # When doing the handshake, it succeeds -- try: -- ssl_client.do_handshake() -- finally: -- ssl_client.shutdown() -- -- --@pytest.mark.parametrize("ssl_client_cls", [SslClient, LegacySslClient]) -+@pytest.mark.parametrize("ssl_client_cls", [SslClient]) - class TestSslClientOnline: - def test(self, ssl_client_cls): - # Given an SslClient connecting to Google -@@ -118,80 +52,7 @@ class TestSslClientOnline: - finally: - ssl_client.shutdown() - -- 
def test_get_dh_info_ecdh(self, ssl_client_cls): -- with LegacyOpenSslServer(cipher="ECDHE-RSA-AES256-SHA") as server: -- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -- sock.settimeout(5) -- sock.connect((server.hostname, server.port)) - -- ssl_client = ssl_client_cls( -- ssl_version=OpenSslVersionEnum.TLSV1_2, -- underlying_socket=sock, -- ssl_verify=OpenSslVerifyEnum.NONE, -- ) -- -- try: -- ssl_client.do_handshake() -- finally: -- ssl_client.shutdown() -- -- dh_info = ssl_client.get_ephemeral_key() -- -- assert isinstance(dh_info, NistEcDhKeyExchangeInfo) -- assert dh_info.type == OpenSslEvpPkeyEnum.EC -- assert dh_info.size > 0 -- assert len(dh_info.public_bytes) > 0 -- assert len(dh_info.x) > 0 -- assert len(dh_info.y) > 0 -- -- def test_get_dh_info_dh(self, ssl_client_cls): -- with LegacyOpenSslServer(cipher="DHE-RSA-AES256-SHA") as server: -- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -- sock.settimeout(5) -- sock.connect((server.hostname, server.port)) -- -- ssl_client = ssl_client_cls( -- ssl_version=OpenSslVersionEnum.TLSV1_2, -- underlying_socket=sock, -- ssl_verify=OpenSslVerifyEnum.NONE, -- ) -- -- try: -- ssl_client.do_handshake() -- finally: -- ssl_client.shutdown() -- -- dh_info = ssl_client.get_ephemeral_key() -- -- assert isinstance(dh_info, DhEphemeralKeyInfo) -- assert dh_info.type == OpenSslEvpPkeyEnum.DH -- assert dh_info.size > 0 -- assert len(dh_info.public_bytes) > 0 -- assert len(dh_info.prime) > 0 -- assert len(dh_info.generator) > 0 -- -- def test_get_dh_info_no_dh(self, ssl_client_cls): -- with LegacyOpenSslServer(cipher="AES256-SHA") as server: -- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -- sock.settimeout(5) -- sock.connect((server.hostname, server.port)) -- -- ssl_client = ssl_client_cls( -- ssl_version=OpenSslVersionEnum.TLSV1_2, -- underlying_socket=sock, -- ssl_verify=OpenSslVerifyEnum.NONE, -- ) -- -- try: -- ssl_client.do_handshake() -- finally: -- ssl_client.shutdown() -- -- dh_info = 
ssl_client.get_ephemeral_key() -- -- assert dh_info is None -- -- - class TestModernSslClientOnline: - def test_get_verified_chain(self): - # Given an SslClient connecting to Google -@@ -352,27 +213,6 @@ class TestModernSslClientOnline: - assert dh_info.type == OpenSslEvpPkeyEnum.X448 - assert dh_info.size == 448 - assert len(dh_info.public_bytes) == 56 -- -- --class TestLegacySslClientOnline: -- def test_ssl_2(self): -- # Given a server that supports SSL 2.0 -- with LegacyOpenSslServer() as server: -- sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) -- sock.settimeout(5) -- sock.connect((server.hostname, server.port)) -- -- ssl_client = LegacySslClient( -- ssl_version=OpenSslVersionEnum.SSLV2, -- underlying_socket=sock, -- ssl_verify=OpenSslVerifyEnum.NONE, -- ignore_client_authentication_requests=True, -- ) -- # When doing the special SSL 2.0 handshake, it succeeds -- try: -- ssl_client.do_handshake() -- finally: -- ssl_client.shutdown() - - - class TestModernSslClientOnlineTls13: diff --git a/security/py-nassl/pkg-descr b/security/py-nassl/pkg-descr deleted file mode 100644 index 975693cd9959..000000000000 --- a/security/py-nassl/pkg-descr +++ /dev/null @@ -1 +0,0 @@ -nassl is an experimental OpenSSL wrapper for SSLyze.
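
Review bot: The commit log gives only "It does not support OpenSSL 3.0+", while the deleted security/py-nassl/Makefile records more than that and the extra detail is lost with the file. Its BROKEN_SSL_REASON reads "Fails to detect OpenSSL 3.0.0 libcrypt.so", and the port's own files/patch-openssl is what put "%%OPENSSLLIB%%/libcrypt.so" into setup.py in place of upstream's "modern_openssl_config.libcrypto_path". I would cite the upstream bug from the Makefile comment (https://github.com/nabla-c0d3/nassl/issues/110) in the log and mention the libcrypt/libcrypto naming, so that someone reading history can tell an upstream limitation apart from a port-local link line.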
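
Review bot: The deleted files/patch-openssl changed runtime behaviour as well as build glue, so it should not be restored as-is if the port is ever revived from history. In the nassl_SSL_CTX.c part, only "SSL_CTX_set_min_proto_version(sslCtx, TLS1_3_VERSION);" sits inside "#if defined(TLS1_3_VERSION)", while "SSL_CTX_set_max_proto_version(sslCtx, 0);" stays unconditional; with headers that lack TLS1_3_VERSION the branch commented "Force TLS 1.3" would compile with no minimum version set. The setup.py part also drops upstream's "-Wl,--exclude-libs=ALL", which the removed comment ties to symbol confusion in nassl issue 95, and adds "-Wl,-z,notext" without a stated reason. A revived port should fail the build when TLS1_3_VERSION is missing rather than skip the call, and should justify each linker flag change in a comment.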