From me.minus at gmail.com Sat Aug 1 13:25:20 2015
From: me.minus at gmail.com (Magnus Toneby)
Date: Sat, 1 Aug 2015 15:25:20 +0200
Subject: [Pkg-freeipa-devel] ipa-server-installation fails on 'issuing RA agent certificate' step
Message-ID:

I'm trying to install FreeIPA on a Debian unstable box (updated today). I got the changes for getProtocol and they seem to work, but a later stage fails. Do any of you see the same failure?

I get this in the console:

[18/26]: restarting certificate server
[19/26]: requesting RA certificate from CA
[20/26]: issuing RA agent certificate
['"ipa-ca-agent" [CN=ipa-ca-agent,O=HEMMA]', '', '']
[]
['/usr/bin/sslget', '-v', '-n', 'ipa-ca-agent', '-p', 'XXXXXX', '-d', '/tmp/tmp-FZybjv', '-r', u'/ca/agent/ca/profileReview?requestId=7', 'host.hostname:8443']
Unexpected error - see /var/log/ipaserver-install.log for details:
CalledProcessError: Command ''/usr/bin/sslget' '-v' '-n' 'ipa-ca-agent' '-p' XXXXXXXX '-d' '/tmp/tmp-FZybjv' '-r' '/ca/agent/ca/profileReview?requestId=7' 'host.hostname:8443'' returned non-zero exit status 3

When running the sslget command by hand I get:

Apache Tomcat/7.0.63 (Debian) - Error report

HTTP Status 500 - Servlet execution threw an exception


type Exception report

message Servlet execution threw an exception

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.servlet.ServletException:
Servlet execution threw an exception

root cause

java.lang.AbstractMethodError:
org.apache.tomcat.util.net.jss.JSSSupport.getPeerCertificateChain(Z)[Ljava/lang/Object;
org.apache.coyote.http11.Http11Processor.actionInternal(Http11Processor.java:256)
org.apache.coyote.http11.AbstractHttp11Processor.action(AbstractHttp11Processor.java:911)
org.apache.coyote.Request.action(Request.java:347)
org.apache.catalina.connector.Request.getAttribute(Request.java:956)
org.apache.catalina.connector.RequestFacade.getAttribute(RequestFacade.java:283)
com.netscape.cms.servlet.base.CMSServlet.getSSLClientCertificate(CMSServlet.java:858)
com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1743)
com.netscape.cms.servlet.base.CMSServlet.authenticate(CMSServlet.java:1685)
com.netscape.cms.servlet.profile.ProfileReviewServlet.process(ProfileReviewServlet.java:114)
com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet.java:513)
javax.servlet.http.HttpServlet.service(HttpServlet.java:731)

note The full stack trace of the root cause is available in the Apache Tomcat/7.0.63 (Debian) logs.


Apache Tomcat/7.0.63 (Debian)

/minus

From noreply at release.debian.org Sun Aug 9 04:39:04 2015
From: noreply at release.debian.org (Debian testing autoremoval watch)
Date: Sun, 09 Aug 2015 04:39:04 +0000
Subject: [Pkg-freeipa-devel] slapi-nis is marked for autoremoval from testing
Message-ID:

slapi-nis 0.54.2-1 is marked for autoremoval from testing on 2015-09-14

It (build-)depends on packages with these RC bugs:
794301: 389-console: missing bogus dependency
794332: sssd-common: deletes conffile owned by sssd: /etc/logrotate.d/sssd

From ftpmaster at ftp-master.debian.org Tue Aug 11 02:42:06 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 11 Aug 2015 02:42:06 +0000
Subject: [Pkg-freeipa-devel] Processing of nuxwdog_1.0.3-1_amd64.changes
Message-ID:

nuxwdog_1.0.3-1_amd64.changes uploaded successfully to localhost
along with the files:
  nuxwdog_1.0.3-1.dsc
  nuxwdog_1.0.3.orig.tar.gz
  nuxwdog_1.0.3-1.debian.tar.xz
  libnuxwdog-dev_1.0.3-1_amd64.deb
  libnuxwdog-java_1.0.3-1_amd64.deb
  libnuxwdog0_1.0.3-1_amd64.deb
  nuxwdog_1.0.3-1_amd64.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Tue Aug 11 03:34:45 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 11 Aug 2015 03:34:45 +0000
Subject: [Pkg-freeipa-devel] nuxwdog_1.0.3-1_amd64.changes REJECTED
Message-ID:

nuxwdog_1.0.3-1.dsc: Does not match file already existing in the pool.

===

Please feel free to respond to this email if you don't understand why
your files were rejected, or if you upload new files which address our
concerns.

From tjaalton at moszumanska.debian.org Tue Aug 11 06:07:21 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen) Date: Tue, 11 Aug 2015 06:07:21 +0000 Subject: [Pkg-freeipa-devel] nuxwdog: Changes to 'master' Message-ID: debian/changelog | 7 +++++++ debian/control | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-) New commits: commit 92a6ff9a174fec2703df216c82338034b3070091 Author: Timo Aaltonen Date: Tue Aug 11 09:03:22 2015 +0300 releasing package nuxwdog version 1.0.3-2 diff --git a/debian/changelog b/debian/changelog index 1f48c3c..0ad8e1e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +nuxwdog (1.0.3-2) unstable; urgency=medium + + * Fix copyright. + * control: Fix Depends, and Maintainer. + + -- Timo Aaltonen Tue, 11 Aug 2015 09:03:12 +0300 + nuxwdog (1.0.3-1) unstable; urgency=low * Initial release (Closes: #793782) commit c77819450888ce64e0cda9c7bf3e90bd76143927 Author: Timo Aaltonen Date: Wed Jul 29 09:40:55 2015 +0300 fix maintainer diff --git a/debian/control b/debian/control index a490621..caea920 100644 --- a/debian/control +++ b/debian/control @@ -1,7 +1,8 @@ Source: nuxwdog Section: admin Priority: optional -Maintainer: Timo Aaltonen +Maintainer: Debian FreeIPA Team +Uploaders: Timo Aaltonen Build-Depends: ant, chrpath, From tjaalton at moszumanska.debian.org Tue Aug 11 06:07:29 2015 
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Tue, 11 Aug 2015 06:07:29 +0000
Subject: [Pkg-freeipa-devel] nuxwdog: Changes to 'refs/tags/debian/1.0.3-2'
Message-ID:

Tag 'debian/1.0.3-2' created by Timo Aaltonen at 2015-08-11 06:03 +0000

tagging package nuxwdog version debian/1.0.3-2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABAgAGBQJVyZAqAAoJEMtwMWWoiYTcU9AP/0zhUS1MtD/5lNXG+EFacejK
IEQ+9Osg4VKcQWmbbUXCzYq3+5b0OgsP3L6f/SyYHGqt0k54fum2Evf9X7ORVqUq
kfdfQn3SqCz0gLO3n7td5VLizufYrJwMZ0tczwPC937AxIj82jKOoz+AghwSWNSZ
inPeoQpweDVqTtE8SOSwt0j/Z/ieMMy5dJOtP34rt8/aNVM4sgGGqXCj63mfewWx
KSJfTXWwHmwuF7s8gE/U1DXcuxZ0FexR8Hp2D6OE3knVQJIzbLrgoGnPr90WyROC
l+7Y0duDj2veqvQWqzVgx2ck6niXoN4GExtV/1I0cEhjs6HJt+S7kHaWidSOpiSj
dh+n/PA4iRT/8FNUM5zufwXUMS8InadPRd29CXGeosesNH+vWRZEbfugc/jd7KKM
Bb3PnCurzwrBgHgus+KyN0QEseHbTbhXZ6hFHCofSJNxe41wkXF0YzfjSHsxvj6v
wBmbjrlQFtvV8R69FF6BxO1swZfZtYIZmKZx/UYzUtimZkSBA/qr4pwewobozph6
5nT/UZp1yGf6eiqAtafBWlT/jDB0jMvp/LTQK7QhfG9Ebeg0RYgNYOZG0YK36EMC
oiFUATGLrydswjWabxLzUKfM98sHoLUDYuyi6p6CepUX2bfjzZU8Cdu552vAVdXV
c17WbPlc5HX+1rFujw0C
=5Sgs
-----END PGP SIGNATURE-----

Changes since the dawn of time:
Timo Aaltonen (9):
      Imported Upstream version 1.0.3
      remove autogenerated files
      initial packaging
      run wrap-and-sort -s
      releasing package nuxwdog version 1.0.3-1
      fix copyright
      jni depends on the lib, add it
      fix maintainer
      releasing package nuxwdog version 1.0.3-2

From ftpmaster at ftp-master.debian.org Tue Aug 11 06:07:34 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 11 Aug 2015 06:07:34 +0000
Subject: [Pkg-freeipa-devel] Processing of nuxwdog_1.0.3-2_amd64.changes
Message-ID:

nuxwdog_1.0.3-2_amd64.changes uploaded successfully to localhost
along with the files:
  nuxwdog_1.0.3-2.dsc
  nuxwdog_1.0.3.orig.tar.gz
  nuxwdog_1.0.3-2.debian.tar.xz
  libnuxwdog-dev_1.0.3-2_amd64.deb
  libnuxwdog-java_1.0.3-2_amd64.deb
  libnuxwdog0_1.0.3-2_amd64.deb
  nuxwdog_1.0.3-2_amd64.deb

Greetings,

Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Tue Aug 11 06:19:01 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 11 Aug 2015 06:19:01 +0000
Subject: [Pkg-freeipa-devel] nuxwdog_1.0.3-2_amd64.changes is NEW
Message-ID:

binary:libnuxwdog-dev is NEW.
binary:libnuxwdog-java is NEW.
binary:libnuxwdog0 is NEW.
binary:nuxwdog is NEW.
source:nuxwdog is NEW.
nuxwdog_1.0.3.orig.tar.gz is only available in NEW.
nuxwdog_1.0.3.orig.tar.gz is only available in NEW.

Your package has been put into the NEW queue, which requires manual action
from the ftpteam to process. The upload was otherwise valid (it had a good
OpenPGP signature and file hashes are valid), so please be patient.

Packages are routinely processed through to the archive, and do feel free
to browse the NEW queue[1].

If there is an issue with the upload, you will receive an email from a
member of the ftpteam.

If you have any questions, you may reply to this email.

[1]: https://ftp-master.debian.org/new.html

From ftpmaster at ftp-master.debian.org Tue Aug 11 13:00:24 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Tue, 11 Aug 2015 13:00:24 +0000
Subject: [Pkg-freeipa-devel] nuxwdog_1.0.3-2_amd64.changes ACCEPTED into unstable, unstable
Message-ID:

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 11 Aug 2015 09:03:12 +0300
Source: nuxwdog
Binary: nuxwdog libnuxwdog0 libnuxwdog-dev libnuxwdog-java
Architecture: source amd64
Version: 1.0.3-2
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team
Changed-By: Timo Aaltonen
Description:
 libnuxwdog-dev - Watchdog server -- development headers
 libnuxwdog-java - Watchdog server -- Java class
 libnuxwdog0 - Watchdog server -- shared library
 nuxwdog - Watchdog server -- daemon
Changes:
 nuxwdog (1.0.3-2) unstable; urgency=medium
 .
   * Fix copyright.
   * control: Fix Depends, and Maintainer.
Checksums-Sha1:
 d25f2dc35820912866c345de6e8d5d360af01e57 2203 nuxwdog_1.0.3-2.dsc
 149794e21409fd96f1c735e8ae096695614acf18 371188 nuxwdog_1.0.3.orig.tar.gz
 74024395a31fa3a37027faa077d071ac7cdae7ff 3668 nuxwdog_1.0.3-2.debian.tar.xz
 cf5513ea61e410682523e47dcee33968a06db068 5632 libnuxwdog-dev_1.0.3-2_amd64.deb
 32f013463f0aedb3bac732fd696ada0d64413768 5118 libnuxwdog-java_1.0.3-2_amd64.deb
 fd9c9fbfab51f21835f40200975bb8e0516c45f3 10016 libnuxwdog0_1.0.3-2_amd64.deb
 09aeb2f386d4da71b1cad5cbe898f94b58b0ba54 27308 nuxwdog_1.0.3-2_amd64.deb
Checksums-Sha256:
 c9bbcfbc22c49d06195e0fa99f402b139900212dc259cfc30e57ead0a2a49ada 2203 nuxwdog_1.0.3-2.dsc
 c9909c18d34489a56613149fccfa780cd92e5a70881c31f4b960765b4acca3f7 371188 nuxwdog_1.0.3.orig.tar.gz
 63f354dfb608fcf8c155c33b58fc1a37459c33983b4a803c5ddba2a18db98248 3668 nuxwdog_1.0.3-2.debian.tar.xz
 452b595f2d3dd405ae7666ec3e0c35b2f48abe7b8357bd6db8310fddca9040d8 5632 libnuxwdog-dev_1.0.3-2_amd64.deb
 9e04b5e15f59c6184c6b49664b0767bee7be47a0ce5c2360c1c90209084e3493 5118 libnuxwdog-java_1.0.3-2_amd64.deb
 d5acfd81e520c70db8e5ee072fc4f9551ad74d36238952d0dd54f5bf41f39d27 10016 libnuxwdog0_1.0.3-2_amd64.deb
 a4724c22b02ae0b86efaf8dd2ca688c73ae5afbfbcff26c09fabd0e1c06a897a 27308 nuxwdog_1.0.3-2_amd64.deb
Files:
 3a3d3e75be634aa8f38851eb5034b06d 2203 admin optional nuxwdog_1.0.3-2.dsc
 ba299fbd7efe9dc7efd963441c0cd825 371188 admin optional nuxwdog_1.0.3.orig.tar.gz
 bc91da146e0713dbf709d035439cc291 3668 admin optional nuxwdog_1.0.3-2.debian.tar.xz
 e1a8e7e900c27840c71257382bfd5f64 5632 libdevel optional libnuxwdog-dev_1.0.3-2_amd64.deb
 34fbe91cd421626f0b0b62ad24445966 5118 java optional libnuxwdog-java_1.0.3-2_amd64.deb
 d56c4d1c3d5fb96c28829c0c60ecbdd6 10016 admin optional libnuxwdog0_1.0.3-2_amd64.deb
 db84ec21c25c892461234d2d745a0107 27308 admin optional nuxwdog_1.0.3-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVyZD/AAoJEMtwMWWoiYTcrmsP+wfT5/LKFYqWbC3pTQ3cOdsG
ByIR4m/z4rWteyF6Onr60EF6LKD9cSGoUV9rCu3BXuNJ5yrPxWh1xqSZYI0BLYeY
QNLxy0H3yZY+V5DnTq9gKkVpMq31ivlPOXHdofZX28IagObC4ZkSIH5RKg2Ko1Rn
QQ7BPUYVTQ8l9W7SiPMn0gqOm6xDr+Nxvp1WrDgaNXYo5x5JZwqF2bRch8eunpD4
l+nBTy8STbwnHft8i57jIF2LARSkWfTJ3gIBS6AX5yny/b56m82PAlVW8y0tJbZ/
tWm9CKQTDHdw4htR97cyzB+YJ28BB4H6lR/so8yTwf6/hdWOV32mE8FOuJFbZiv+
8sauehrCGm0P+KmD+TBeRrqUDKfhfrh0vAU7pqlljnQeoI6l0p3TxxnKMXEuNi1T
6ooJGn3dwinREgOV1i+vZ2LeRuHUj9pMGLDh4AX8ox5cy0jApeojTyKX18L30q2R
J7hci1UWCKWVZOi2RYImeM/gTUYVD3B00XdDsH6wJVpRXGXJ5ASwBagy+ZLUabHK
BuPk/EXonKTKrwrn69FVTwqTgd55OVK2hXAbUDzy6pgFUOljasmSIQqoviDPXMcI
yyN5YlKyds1uAp5QkWlNuWaSJBYllWFR6s8RftSM1+v+ZLHvoGQIx4mWq9gGIcDD
fA5ZqQX0OFj0ohxNmQlU
=6F1k
-----END PGP SIGNATURE-----

Thank you for your contribution to Debian.

From noreply at release.debian.org Tue Aug 11 16:39:10 2015
From: noreply at release.debian.org (Debian testing watch)
Date: Tue, 11 Aug 2015 16:39:10 +0000
Subject: [Pkg-freeipa-devel] certmonger 0.75.14-4 MIGRATED to testing
Message-ID:

FYI: The status of the certmonger source package
in Debian's testing distribution has changed.

  Previous version: 0.75.14-3
  Current version:  0.75.14-4

--
This email is automatically generated once a day. As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

From carnil at debian.org Thu Aug 13 17:33:56 2015
From: carnil at debian.org (Salvatore Bonaccorso)
Date: Thu, 13 Aug 2015 19:33:56 +0200
Subject: [Pkg-freeipa-devel] Bug#795399: freeipa: CVE-2015-5179: non-printable characters aren't check in every case of user data
Message-ID: <20150813173356.13513.60506.reportbug@eldamar.local>

Source: freeipa
Version: 4.0.5-5
Severity: important
Tags: security upstream

Hi Timo,

the following vulnerability was published for freeipa. I cannot easily test it for older version 4.0.5, could you confirm that?

CVE-2015-5179[0]:
non-printable characters aren't check in every case of user data

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-5179
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1252567

Regards,
Salvatore

From tjaalton at moszumanska.debian.org Sun Aug 16 08:08:03 2015
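As an added illustration that is not part of the bug report above, of FreeIPA's code, or of the upstream fix: the defensive pattern the CVE title points at is that a non-printable-character check has to run on every path that accepts user data, not only on some of them. The example below (Python, since FreeIPA is written in Python) centralises the check in one validator that every string attribute passes through. The attribute names and sample values are constructed for the example, and the exact set of characters FreeIPA rejects is not something this page states; the Unicode categories used here are an assumption.

```python
import unicodedata

# Constructed example, not FreeIPA code: a single validator that every
# user-supplied string attribute passes through, so no request path can
# skip the non-printable check.

# Unicode general categories treated as non-printable (assumed policy):
# "C*" covers control (Cc), format (Cf, e.g. a zero-width space), surrogate
# (Cs), private-use (Co) and unassigned (Cn) code points; Zl and Zp are the
# line and paragraph separators. Ordinary spaces (Zs) stay allowed.
_NONPRINTABLE_PREFIX = "C"
_NONPRINTABLE_SEPARATORS = {"Zl", "Zp"}


def has_nonprintable(value: str) -> bool:
    """Return True if value contains at least one non-printable character."""
    for ch in value:
        cat = unicodedata.category(ch)
        if cat.startswith(_NONPRINTABLE_PREFIX) or cat in _NONPRINTABLE_SEPARATORS:
            return True
    return False


def validate_user_attrs(attrs: dict) -> dict:
    """Check every string value (single- or multi-valued) in attrs.

    Returns a mapping of attribute name -> error message for each attribute
    that failed; an empty dict means every attribute passed. Non-string
    values (numbers, booleans) are left to their own type checks.
    """
    errors = {}
    for name, value in attrs.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        for v in values:
            if isinstance(v, str) and has_nonprintable(v):
                errors[name] = "value contains non-printable characters"
                break  # one error per attribute is enough
    return errors


# Constructed sample entry: a NUL byte inside the common name and a
# zero-width space (U+200B, category Cf) hidden in one mail address.
SAMPLE_ATTRS = {
    "uid": "alice",
    "cn": "Alice\x00Smith",
    "mail": ["alice@example.test", "alice\u200b@example.test"],
    "description": "Plain printable text, spaces and accents like Zo\u00eb are fine",
}

if __name__ == "__main__":
    for attr, msg in sorted(validate_user_attrs(SAMPLE_ATTRS).items()):
        print(f"{attr}: {msg}")
```

The point of routing everything through `validate_user_attrs` rather than checking individual fields at their call sites is that a newly added attribute or a second API entry point cannot forget the check; a review then only has to confirm that every input handler calls the one validator.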
From: tjaalton at moszumanska.debian.org (Timo Aaltonen) Date: Sun, 16 Aug 2015 08:08:03 +0000 Subject: [Pkg-freeipa-devel] certmonger: Changes to 'master' Message-ID: certmonger.spec | 7 ++++++- configure.ac | 2 +- debian/changelog | 4 ++-- src/getcert.c | 14 ++++++++++++++ src/scep.c | 18 +++++++++--------- 5 files changed, 32 insertions(+), 13 deletions(-) New commits: commit 306f13c5f9f41dfbfb26b3d0734abf52232f7cf5 Author: Timo Aaltonen Date: Sun Aug 16 11:02:26 2015 +0300 releasing package certmonger version 0.78.4-1 diff --git a/debian/changelog b/debian/changelog index ca6b9a0..31d0435 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,9 @@ -certmonger (0.78.4-1) UNRELEASED; urgency=medium +certmonger (0.78.4-1) unstable; urgency=medium * New upstream release. * control: Add libpopt-dev to build-depends. - -- Timo Aaltonen Tue, 21 Jul 2015 15:15:53 +0300 + -- Timo Aaltonen Sun, 16 Aug 2015 11:02:04 +0300 certmonger (0.75.14-4) unstable; urgency=medium commit cd752bfb06326d2153b252fc53796c6eb20a37fb Author: Timo Aaltonen Date: Sun Aug 16 11:01:58 2015 +0300 update the changelog diff --git a/debian/changelog b/debian/changelog index d7d4473..ca6b9a0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -certmonger (0.78.3-1) UNRELEASED; urgency=medium +certmonger (0.78.4-1) UNRELEASED; urgency=medium * New upstream release. * control: Add libpopt-dev to build-depends. commit 6d8d43041605e178b9aff00229aec6abd83f6c1b Author: Nalin Dahyabhai Date: Tue Aug 4 11:15:37 2015 -0400 tag 0.78.4 diff --git a/certmonger.spec b/certmonger.spec index 0f91fea..2850554 100644 --- a/certmonger.spec +++ b/certmonger.spec @@ -25,7 +25,7 @@ %endif Name: certmonger -Version: 0.78.3 +Version: 0.78.4 Release: 1%{?dist} Summary: Certificate status monitor and PKI enrollment client 
@@ -242,6 +242,11 @@ exit 0 %endif %changelog +* Tue Aug 4 2015 Nalin Dahyabhai 0.78.4-1 +- fix the "getcert start-tracking" -L and -l options (#1249753) +- output diagnostics about the second request when scep-submit encounters an + error during a second request to the SCEP server + * Mon Jul 20 2015 Nalin Dahyabhai 0.78.3-1 - call poptGetOptArg() correctly, to fix parsing of the -R flag to scep-submit and the -O and -o flags to dogtag-submit (#1244914) diff --git a/configure.ac b/configure.ac index cc5dcae..986169b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -AC_INIT(certmonger,0.78.3) +AC_INIT(certmonger,0.78.4) AM_INIT_AUTOMAKE([foreign subdir-objects]) AC_CONFIG_MACRO_DIR(m4) AM_MAINTAINER_MODE([enable]) commit a8f847f10f66fc6e0fea45a863827f67132b5fce Author: Nalin Dahyabhai Date: Tue Aug 4 10:58:42 2015 -0400 Fix "getcert start-tracking"'s -L and -l options When "getcert start-tracking" was passing changes in enrollment options to the "modify" API, it was forgetting to pass in new challenge password and challenge password file names. Add them (#1249753). diff --git a/src/getcert.c b/src/getcert.c index c67d618..49840dd 100644 --- a/src/getcert.c +++ b/src/getcert.c 
@@ -2178,6 +2178,20 @@ set_tracking(const char *argv0, const char *category, } else { capath = NULL; } + if (cpass != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD; + param[i].value_type = cm_tdbusm_dict_s; + param[i].value.s = cpass; + params[i] = ¶m[i]; + i++; + } + if (cpassfile != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD_FILE; + param[i].value_type = cm_tdbusm_dict_s; + param[i].value.s = cpassfile; + params[i] = ¶m[i]; + i++; + } if (profile != NULL) { param[i].key = CM_DBUS_PROP_TEMPLATE_PROFILE; param[i].value_type = cm_tdbusm_dict_s; commit fd18c558656c241b806af5c726b873b7fbcad7d3 Author: Nalin Dahyabhai Date: Mon Jul 27 13:08:59 2015 -0400 When we get an error from a pkcsReq, log correctly When we get an error in response to a pkcsReq or GetInitialCert message, log the response text from that request, rather than the capabilities request that preceded it. diff --git a/src/scep.c b/src/scep.c index c5db5dc..d3bbc05 100644 --- a/src/scep.c +++ b/src/scep.c @@ -1031,8 +1031,8 @@ main(int argc, const char **argv) cm_log(1, "%s\n", buf); } s = cm_store_base64_from_bin(ctx, - (unsigned char *) results, - results_length); + (unsigned char *) results2, + results_length2); s = cm_submit_u_pem_from_base64("PKCS7", 0, s); fprintf(stderr, "Full reply:\n%s", s); free(s); @@ -1046,8 +1046,8 @@ main(int argc, const char **argv) cm_log(1, "%s\n", buf); } s = cm_store_base64_from_bin(ctx, - (unsigned char *) results, - results_length); + (unsigned char *) results2, + results_length2); s = cm_submit_u_pem_from_base64("PKCS7", 0, s); fprintf(stderr, "Full reply:\n%s", s); free(s); @@ -1061,8 +1061,8 @@ main(int argc, const char **argv) cm_log(1, "%s\n", buf); } s = cm_store_base64_from_bin(ctx, - (unsigned char *) results, - results_length); + (unsigned char *) results2, + results_length2); s = cm_submit_u_pem_from_base64("PKCS7", 0, s); fprintf(stderr, "Full reply:\n%s", s); free(s); 
@@ -1079,8 +1079,8 @@ main(int argc, const char **argv) cm_log(1, "%s\n", buf); } s = cm_store_base64_from_bin(ctx, - (unsigned char *) results, - results_length); + (unsigned char *) results2, + results_length2); s = cm_submit_u_pem_from_base64("PKCS7", 0, s); fprintf(stderr, "Full reply:\n%s", s); free(s); @@ -1100,7 +1100,7 @@ main(int argc, const char **argv) } else { printf(_("Server reply was of unexpected MIME type " "\"%s\".\n"), content_type); - printf("Full reply:\n%.*s", results_length, results); + printf("Full reply:\n%.*s", results_length2, results2); return CM_SUBMIT_STATUS_UNREACHABLE; } break; From tjaalton at moszumanska.debian.org Sun Aug 16 08:08:03 2015 From: tjaalton at moszumanska.debian.org (Timo Aaltonen) Date: Sun, 16 Aug 2015 08:08:03 +0000 Subject: [Pkg-freeipa-devel] certmonger: Changes to 'upstream' Message-ID: certmonger.spec | 7 ++++++- configure.ac | 2 +- src/getcert.c | 14 ++++++++++++++ src/scep.c | 18 +++++++++--------- 4 files changed, 30 insertions(+), 11 deletions(-) New commits: commit 6d8d43041605e178b9aff00229aec6abd83f6c1b Author: Nalin Dahyabhai Date: Tue Aug 4 11:15:37 2015 -0400 tag 0.78.4 diff --git a/certmonger.spec b/certmonger.spec index 0f91fea..2850554 100644 --- a/certmonger.spec +++ b/certmonger.spec @@ -25,7 +25,7 @@ %endif Name: certmonger -Version: 0.78.3 +Version: 0.78.4 Release: 1%{?dist} Summary: Certificate status monitor and PKI enrollment client @@ -242,6 +242,11 @@ exit 0 %endif %changelog +* Tue Aug 4 2015 Nalin Dahyabhai 0.78.4-1 +- fix the "getcert start-tracking" -L and -l options (#1249753) +- output diagnostics about the second request when scep-submit encounters an + error during a second request to the SCEP server + * Mon Jul 20 2015 Nalin Dahyabhai 0.78.3-1 - call poptGetOptArg() correctly, to fix parsing of the -R flag to scep-submit and the -O and -o flags to dogtag-submit (#1244914) diff --git a/configure.ac b/configure.ac index cc5dcae..986169b 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -AC_INIT(certmonger,0.78.3) +AC_INIT(certmonger,0.78.4) AM_INIT_AUTOMAKE([foreign subdir-objects]) AC_CONFIG_MACRO_DIR(m4) AM_MAINTAINER_MODE([enable]) commit a8f847f10f66fc6e0fea45a863827f67132b5fce Author: Nalin Dahyabhai Date: Tue Aug 4 10:58:42 2015 -0400 Fix "getcert start-tracking"'s -L and -l options When "getcert start-tracking" was passing changes in enrollment options to the "modify" API, it was forgetting to pass in new challenge password and challenge password file names. Add them (#1249753). diff --git a/src/getcert.c b/src/getcert.c index c67d618..49840dd 100644 --- a/src/getcert.c +++ b/src/getcert.c @@ -2178,6 +2178,20 @@ set_tracking(const char *argv0, const char *category, } else { capath = NULL; } + if (cpass != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD; + param[i].value_type = cm_tdbusm_dict_s; + param[i].value.s = cpass; + params[i] = ¶m[i]; + i++; + } + if (cpassfile != NULL) { + param[i].key = CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD_FILE; + param[i].value_type = cm_tdbusm_dict_s; + param[i].value.s = cpassfile; + params[i] = ¶m[i]; + i++; + } if (profile != NULL) { param[i].key = CM_DBUS_PROP_TEMPLATE_PROFILE; param[i].value_type = cm_tdbusm_dict_s; commit fd18c558656c241b806af5c726b873b7fbcad7d3 Author: Nalin Dahyabhai Date: Mon Jul 27 13:08:59 2015 -0400 When we get an error from a pkcsReq, log correctly When we get an error in response to a pkcsReq or GetInitialCert message, log the response text from that request, rather than the capabilities request that preceded it. diff --git a/src/scep.c b/src/scep.c index c5db5dc..d3bbc05 100644 --- a/src/scep.c +++ b/src/scep.c @@ -1031,8 +1031,8 @@ main(int argc, const char **argv) cm_log(1, "%s\n", buf); } s = cm_store_base64_from_bin(ctx, - (unsigned char *) results, - results_length); + (unsigned char *) results2, + results_length2); s = cm_submit_u_pem_from_base64("PKCS7", 0, s); fprintf(stderr, "Full reply:\n%s", s); free(s); 
@@ -1046,8 +1046,8 @@ main(int argc, const char **argv) cm_log(1, "%s\n", buf); } s = cm_store_base64_from_bin(ctx, - (unsigned char *) results, - results_length); + (unsigned char *) results2, + results_length2); s = cm_submit_u_pem_from_base64("PKCS7", 0, s); fprintf(stderr, "Full reply:\n%s", s); free(s); @@ -1061,8 +1061,8 @@ main(int argc, const char **argv) cm_log(1, "%s\n", buf); } s = cm_store_base64_from_bin(ctx, - (unsigned char *) results, - results_length); + (unsigned char *) results2, + results_length2); s = cm_submit_u_pem_from_base64("PKCS7", 0, s); fprintf(stderr, "Full reply:\n%s", s); free(s); @@ -1079,8 +1079,8 @@ main(int argc, const char **argv) cm_log(1, "%s\n", buf); } s = cm_store_base64_from_bin(ctx, - (unsigned char *) results, - results_length); + (unsigned char *) results2, + results_length2); s = cm_submit_u_pem_from_base64("PKCS7", 0, s); fprintf(stderr, "Full reply:\n%s", s); free(s); @@ -1100,7 +1100,7 @@ main(int argc, const char **argv) } else { printf(_("Server reply was of unexpected MIME type " "\"%s\".\n"), content_type); - printf("Full reply:\n%.*s", results_length, results); + printf("Full reply:\n%.*s", results_length2, results2); return CM_SUBMIT_STATUS_UNREACHABLE; } break; From tjaalton at moszumanska.debian.org Sun Aug 16 08:08:09 2015 
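Review bot: in the src/getcert.c hunk of commit a8f847f10f66fc6e0fea45a863827f67132b5fce (set_tracking()), each of the two new blocks appends an entry to param[]/params[] and advances i, so the declared sizes of those arrays must have grown by two in the same change; the hunk does not show the declarations, so that should be confirmed before this ships, otherwise a request that sets both -L and -l plus the existing options writes past the end. The challenge password itself (cpass) is now sent as a plain string property on the D-Bus "modify" call, which is the same thing the "request" path already does per the commit message; a one-line comment next to `param[i].key = CM_DBUS_PROP_TEMPLATE_CHALLENGE_PASSWORD;` saying the secret intentionally travels over the bus would save the next reader from re-raising it.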
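Review bot: the src/scep.c hunks of commit fd18c558656c241b806af5c726b873b7fbcad7d3 apply the same results/results_length to results2/results_length2 substitution to four identical "base64, wrap as PKCS7 PEM, print Full reply" blocks plus the unexpected-MIME-type fallback, which is exactly the copy/paste pattern that produced the original mislogging; consider pulling the `cm_store_base64_from_bin` / `cm_submit_u_pem_from_base64` / `fprintf(stderr, "Full reply:\n%s", s)` sequence into one small static helper that takes the buffer and its length, so the next change only has to touch one place. Also worth confirming that results2 and results_length2 are initialised on every path that reaches these blocks, since they are now dereferenced where the capabilities-request buffer was before.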
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Sun, 16 Aug 2015 08:08:09 +0000
Subject: [Pkg-freeipa-devel] certmonger: Changes to 'refs/tags/debian/0.78.4-1'
Message-ID:

Tag 'debian/0.78.4-1' created by Timo Aaltonen at 2015-08-16 08:02 +0000

tagging package certmonger version debian/0.78.4-1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABAgAGBQJV0EOSAAoJEMtwMWWoiYTcq6EP/jNtq62vBQMfzyduFF1lew/e
NUmADs22LkgzS21TqvY+PQro50tLqJMkwOsBiEqGbjW51sBJHIXuTnaco6gGIfHu
mVbTdddLGDGEEQ9zKftEYhX4Zq1sdS7a+oucfK7GWJlnfH6v/tGosshN+KO3ah+S
/tnOjhDokx2j/yViCQ1e5cIHT08tUXFLhrFQk3LtJk2mAk61v+99RL+E6QTs69cg
znN2+VwZHEGPP5ya/nrxBdWyYCayF8OwVVPlGvUtb7kkmyrbpLMJbhcpTHpFtq6J
na3avtOJYAKnTfzBhNlHKTcTbD8WY4IJt/6ZvEzcLjXIOwW5zHn0j4tDFwnuq1af
8EQZplSY4lcETL1fgmlECl+i49znxprKeNyYZ2mwBthNF1eLMYDmxDS35BY03ps+
7gj4ENwcFgM+CKSAQKCn5c81qDnhxFlepHV7kK6HsYcptheyoV9qeLRfw0CxkBBr
D860/6y4SQHyzQZyHpMZPmDH/gdyX6JWcaf4MAKRuFrEragyWVSmr7pKwdElElS/
A4l+1Z4Tf/OjG7aYe6hg+JTYl1irBLpcIQ1HNWaKNtODbq4XHN5P5jCwhQhDUQuF
psTKKmNnMPgpFoBWMA+nKWMigWIgiNuaf+ZOYHB2EhN+FcQ4GBg1F96TkbyDNICD
SfdjiiSgoNx7eBQ7Xyr+
=vzqt
-----END PGP SIGNATURE-----

Changes since debian/0.75.14-4:
David Kupka (1):
      Retrieve string value from DBus property interface reply correctly.
Jan Cholasta (1): Allow overriding parameter values in Dogtag request approval Nalin Dahyabhai (438): getcert status: fix a crash with no request Up the minimum poll time from 30m to 60m Loosen name matching for property names First pass at private server mode Rename bus "other" to "private", fix connecting Avoid closing stdio on gating commands Reset watch handlers after handling them Refactor bus/listener setup and reconnection logic Ignore "private" requests from other users Make it possible to specify the listener socket Fixup copy/paste errors in help output Default to a briefer default help message Add a fallback mode to getcert -S Pass verbose level in as certmonger -d level Reset signal handlers for the gate command Include the helper command in log messages Document certmonger's -L/-l/-P options Document that CERTMONGER_PVT_ADDRESS matters Also use a lock in system mode Make we'll launch a temporary daemon clearer Finish a comment tag 0.76 Updated translations Minor tweaks to help debug listener mode better Let people specify abstract locations, too tag 0.76.1 Note the UID has to match when describing -l/-L clients Change priorities of XXX_uri/host/server settings Adjust whitespace Use SRV lookups to locate IPA's LDAP server IPA: prefer specified URIs over configured server Factor out submit/poll and fetch-roots Factor out locate-directory-server logic Factor out find-default-naming-context Add missing newlines for error messages Fix some error handling code Add some missing initializers Add missing #includes Use discovery for XMLRPC servers, too Detect support for resolving SRV records Clean up status messages for init system data Update translations Finish conditionalizing SRV support tag 0.76.2 Update translations Add a notify case for saved-but-CA-not-saved Rename the SRV test program Save CA certs *before* running post-save hooks This is done: we have a "local" signer now Add some missing cases Split off a generic dogtag-submit helper Remove unused 
dogtag_version port-guessing Only error out on missing -A when it's an error Describe the "local" signer in getting-started.txt Don't forget to mention $CERTMONGER_CA_PROFILE Fix a pile of argument-order errors Fix a static analysis warning initializing keygen Fix some static analysis leaks Handle IDN when doing service location Fix build errors created by the previous commit tag 0.76.3 Update translations Update for previous changes to dparse tag 0.76.4 Call _exit() instead of exit() in canalyze tag 0.76.5 Call _exit() instead of exit() on OOM in CA save Avoid exit() hooks on normal subproc exit Remove leftover code forcing SRV priority to 50 Fix compiling without OpenSSL tag 0.76.6 Update translations Fix another pair of memory leaks in the IPA helper Fix reporting of CA not-valid-after times tag 0.76.7 Update translations Set a CM_DELAY_CA_POLL_MAXIMUM Replace a hard-coded value with the macro Correct a comment Abort FETCH-ROOTS if there's no IPA domain Handle the IPA-not-configured case correctly Output help for underspecified "status" commands Go back to retrying when cadata is unconfigured Drop a duplicate call to time() Fix a typo in a comment Formatting fixes dogtag: check for agent creds when given options Update dogtag man pages for the -O option Update translations and their sources tag 0.76.8 Add missing bug ID reference to the changelog Add a note about supporting (parts of) ACME Add missing bug ID to changelog Fix a static analysis warning Fix a typo Update reference for kx509 Try to better enforce DSA key sizes Add a bug reference for #1180978 Add some bookkeeping request fields for rekeying First pass at rekey-friendly keygen behavior Sanitize candidate key filenames and nicknames Fix detection of candidate key permission errors Add support for reading candidate keyinfo First pass at rekey support for CSR generation First pass at self-signing while rekeying First pass at saving while rekeying Add data fields for storing SCEP-specific CA data Add 
logic to ask helpers for SCEP-specific CA data Teach submit-h to return binary-safe data Generate SCEP transactionIDs when generating CSRs Add part of the SCEP submission helper More SCEP helper bits, mostly TODO notes Fix talloc/free mismatch Fix a missing #include Fix an infinite loop sending the request Add a note about removing old candidates Make sure we clear the candidate marker on save Make preserving keys on rekey an option Finish cleaning up rekey renaming Fix various warnings and static analysis bugs Fix a couple of static analysis warnings Auto-spawn a server when there is no server socket Auto-launch a daemon for "request", too Fix a timing issue with this self-test Fix computation of the buffer size for PEM wrapper Generate mini-certificates for signing SCEP reqs Correct the serial number in minicerts Add logic for pulling certs out of PKCS7 blobs Correctly parse PKCS#7 SCEP GetCACert replies Accept redirection on HTTP with no client auth Add a function for wrapping a CSR in an envelope Get even more flexible parsing PKCS#7 signed-data Refactor enveloping code Add issuer-and-subject envelopes, use binary mode Set a default SCEP CA ID for GetCACert messages Also retrieve and cache an SCEP server's CA's cert Add storage for SCEP request data Encode the right subject name First part of SCEP request generation Tweak parsing PKCS#7 lists of certificates Extend the pile-of-certificate parsing API Fix and test sorting of certificate chains Fetch an SCEP server's CA chain, too Add the signer's chain to signed-data for SCEP In-progress changes to handle chains better in NSS Refactor the code to make reusing the signing easier Work around NSS's always-verify behavior Add SCEP attributes to signed messages Add the ability to check for RSA keys Wire in new states to trigger SCEP generation Restart any waiting scepgen tasks with new certs Let helpers see SCEP data, cache SCEP CA IDs Encode pkiMessages when talking to SCEP servers We don't have a place to put other 
certs yet Shorten the wait after realizing we need SCEP data Only restart when encryption certs *change* Add a couple of diagnostics for now, clarify names Always generate fresh SCEP data Stop depending on PKCS7_SIGNER_INFO_sign() Quick fix for a test on older RHEL Include a missing header Include a missing header Add missing script Really fix that timing issue this time Strip out random blank lines in issued certificate Send the right operation type for SCEP enrollments Add a content-type signed attribute to SCEP reqs Expand on ChallengePassword handling Fix a few subprocess exit status values Be ready to refresh SCEP server certificates PEM-encode application/x-pki-message SCEP replies Send verbose messages to stderr Add logic for parsing SCEP PKCS#7 signed-data Use defined names for SCEP protocol constants Verify SCEP requests, start parsing SCEP replies Put contentInfo inside of encapsulatedContentInfo Understand md5, des, and des3 as preferences Improve algorithm selection when generating SCEP Clean up parsing of SCEP CA data Fix a couple of warnings, expand SCEP failure text Refactor passing of args to external helpers Postprocess helper "success" output Check for handling of binary helper output Add more error checking to the HTTP part of SCEP Use the right macro; drop an unused variable Add hooks for decrypting PKCS#7 EnvelopedData Add a framework for decrypting enveloped-data Add missing source files Rewrite parsing of enveloped-data using NSS Avoid EVP_PKEY_CTX, which wasn't there on EL5 Avoid X509_ALGOR_set0(), which wasn't on EL5 Right, so PK11_PrivDecrypt() wasn't always there Fix a few compiler warnings Avoid crashing the test harness Fix a string comparison (static analysis) Fix a dereference-before-check (static analysis) Add a missing include header Check key_from_file()'s return (static analysis) Skip a redundant check (static analysis) Free some memory before _exit() (static analysis) Handle not having an RA cert (static analysis) Tweak some 
logic to make static analysis happy Drop a redundant goto to the next line (static analysis) Drop some dead code (static analysis) Drop some dead code (static analysis) Whoops, missing a break; (static analysis) Call va_end() even on error (static analysis) Fix a copy/paste error (static analysis) Free an error string in the IPA helper (static analysis) Free memory returned by cm_submit_u_pem_from_base64() (static analysis) Open the right "next" key (static analysis) Fix an uninitialized pointer compare (static analysis) Set the recipient_nonce correctly (static analysis) Correct result (static analysis) Also do a run-through with SCEP ops Accept a passed-in CA certificate as an anchor Whoops, getcert should accept -l/-L properly Avoid an integer expression overflow on 32-bit Fix the width of the format specifier Add a man page for scep-submit(8). Remove a redundant check for no old key (static analysis) Document scep-submit's -i option Correctly select the SCEP request digest Store SCEP request data in PEM form Expose SCEP CA data as properties Display an SCEP CA's certificate's thumbprint Display thumbprint values for SCEP, as appropriate Refresh all of a CA's data when its helper changes Add tests for reading ssvs arguments Make the scep-ca-identifier property settable Drop an errant sed invocation Add getcert add-ca/add-scep-ca/modify-ca/remove-ca Update status docs Add a bit of docs on how to use SCEP SCEP needs OpenSSL in many places, so require it Fix a syntax error Drop cadata when a helper reports "unsupported" Cache the last-transmitted SCEP nonce value Update helper documentation NUL-terminate the result string properly Only generate "new key" SCEP data with a new key Rework which keys we prefer for SCEP Add framework for PIN, token certsave errors Fix a couple of memory leaks (static analysis) Remove a line of dead code (static analysis) Remove logically dead code (static analysis) Call BIO_new_mem_buf() with length -1 for strings Add more PKCS#7/SCEP 
debug logging Clean up the SCEP -R/-r options Correct use of certsave-specific status codes Test rekey saving with encrypted keys, too Log in to NSS key databases for cert saving Set a PIN, if one hasn't been set, during certsave Move from Transifex to Zanata Update translations Have "getcert list" print the certificate profile Drop Transifex config, since we're using Zanata The CA profile is supposed to be read-only Clear SCEP data when we generate a new CSR Whoops, we use cmsutil in tests now Handle "rejected" status from CA data requests Try to sanity-check capabilities CA data by size Try to accommodate Dogtag's GetCACert results Break out of the cert retrieval loop on duplicates Learn about Dogtag's SCEP failInfo status codes Debug log SCEP replies in base64-encoded form Update translations Tag 0.77 Whoops, tag 0.77.1 A slide on using SCEP Separate local validity lifetime's from selfsign's Read nsCertType extension, write EnrollmentProfile Note that SCEP usually wants a ChallengePassword Expose certificate validity as D-Bus properties Add plumbing for "long long" D-Bus properties Fix potential segfault when parsing helper output Document the dogtag helper's -N and -R flags Update translations tag 0.77.2 Retrieve the list of profiles from Dogtag CAs Handle success from Dogtag's submit endpoint Rename some variables Learn to pass submission params to Dogtag Add more auth options to dogtag-submit Wire valgrind in to self-tests Whitespace fixup Fix a self-test uninitialized memory bug Avoid using xmlXPathNodeEval(), not in EL 5 Add a barely-working "ls" knockoff Manage ownership and permissions on keys and certs Fix a potential crash in the local signer Fix certificate retrieval in dogtag-submit Update self-tests Don't use O_NOFOLLOW Silence a static analysis warning Try to address a static analysis TOC-TOU warning Start switching to popt Add $POPT_CFLAGS and $POPT_LIBS to the test tools Switch base2pem test tool to popt Switch base64 test tool to popt Switch the 
cadata test tool to popt Switch the casave test tool to popt Switch the hooks test tool to popt Drop an unused #include header Whitespace edits for makefiles Port toklist sample to popt Port the tlslayer WIP code to popt Port the tdbusm-check tool to popt Port the submit-x tool to popt Port submit-h to using popt Port the SCEP submit helper to use popt Port the submit-d tool to popt Port the certmaster submit helper to use popt Port the local signer to use popt Port the dogtag submit helper to use popt Port the IPA submit helper to use popt Port the main certmonger binary to popt Port "getcert" to popt Fix a static analysis warning Check for error results from fcntl() and remove() Fix a static analysis warning Fix a memory leak in cm_submit_d_submit_result() Remember to close a descriptor when saving to NSS Update translations Pass the template/profile to IPA as a "profile" Default to re-using ns-certtype values configure should error out without popt Fix a typo in a self-test error message Work around changes in OpenSSL 1.0.2a Handle properties with no value in self-test Handle setting template ns-certtype, key/cert perms Wire {key,cert}_{owner,perms} into getcert Also track per-certificate CA sets When saving CA certs, also save per-request certs Add a 'getcert rekey' option Double-check that keys were changed in rekey test Actualy test the 'modify' D-Bus method Add a debug message if we're ignoring idle timeout Fix an overrun gathering arguments Add some JSON support Update translations Correct the wrong flag in a man page Whoops, actually run those new tests Add one more invalid sample to the json test cases Update the expected output for that last test Check for strtold(), use strtod() otherwise Don't depend on getline(), in case it isn't there Be consistent about using our stpcpy() knockoff Fix a possible NULL dereference Remove an unused variable (static analysis) Fix the prototype for the getline() stand-in Silence some dead-code warnings Don't assign one 
uninitialized pointer to another Have the self-test check the file size after open Fix a read-after-close in a self-test Handle 0 bytes in JSON strings Handle setting NULL to remove items from JSON objs Catch invalid expressions when parsing JSON Add more type-safety to the JSON bits When parsing possibly-PKCS#7, handle length==1 Add some more PKCS#7 parsing cases Add another expected-to-fail-to-parse JSON sample Add entry callbacks to the 'iterate' test tool Make sure leafs aren't tops when parsing PKCS#7 When saving CA certs fails, add a couple of logs Add a way for helpers to provide per-cert roots Give helpers a way to force us to rekey Handle CERT_ImportCerts() returning an empty array Start keeping track of key lifetimes and usage Catch unterminated string values in JSON Catch up the test helper on new helper exit codes Only record next-key info when we have a next-key Add debug log checking for key/cert pubkey matches Handle cases where the CA reuses a key on us Remove an unused OID variable Add some comments tag 0.77.3 Fix an uninitialized pointer error (valgrind) Correct a self-test error Let NSS's safeguards against key deletion work Fix the -c flag for vanilla getcert Add a --wait-timeout flag for use with the -w flag New test: getcert request/resubmit/rekey Add some more info to this test run's output Make the getcert test include preserving rekey Suppress PINs in "getcert list" output (#42) Expose key generation time and use count as props Add test cases for CA-reuses-key-on-rekey-request Trigger rekeying on key lifetime or use count getcert: correctly pass the command to certmonger Display the right command in help output Rework how we clean up after rekeys with NSS Extend a post-0.77 test case for that last change merge changelog from 0.77.4 scep-submit: always keep track of the mode Mention exit status 17 (need-rekey) in helper mans Provide requested IP addresses to helpers Handle more unusual PKCS#7 verification for SCEP Handle 
CERTMONGER_REQ_IP_ADDRESS in requirements Use preprocessor names for document elements Add some JSON type checking in submit-e Accept CA roots as a JSON object Expand on comments for 481811e76908f50b Guess "profile_id" instead of "profile" for IPA Add a -v/--version option to the daemon Rework parsing of JSON enrollment results Tweak the accepted CA JSON format Resync .spec file with Fedora Add logic for SCEP renewal with key change Document the helper interface from the helper PoV Add more expected-to-parse-correctly JSON samples Check generated key size after checking for NULL Fix a signedness comparison problem Require that binary decoding leaves no leftovers Add an alternate accepted result for DSA keygen Accept 1016 instead of 1024 bit for DSA keygen Add a missing flag to the synopsis in the scep man Whitespace fixup Update translations Log more about what's going on in SCEP tag 0.78 Update translations Add some bugzilla/tracs references to the chglog Get vague about what we expect from certutil Tag 0.78.1 Add a wrapper to avoid passing NULL to setenv() Don't check a never-NULL pointer for being NULL Fix checking for errors when fetching SCEP chain Don't forget to close the output file structure Register our bus name after setting up handlers Rework how we do system bus activation Updated translations tag 0.78.2 Use poptGetOptArg() correctly tag 0.78.3 When we get an error from a pkcsReq, log correctly Fix "getcert start-tracking"'s -L and -l options tag 0.78.4 Timo Aaltonen (6): Merge branch 'upstream' bump the version control: Add libpopt-dev to build-depends. 
Merge branch 'upstream' update the changelog releasing package certmonger version 0.78.4-1 vagrant (1): Print the full gate command in debug mode --- Makefile.am | 3 STATUS | 17 certmonger.spec | 171 + configure.ac | 131 + debian/changelog | 7 debian/control | 1 doc/api.txt | 4 doc/design.txt | 215 +- doc/getting-started.txt | 45 doc/helpers.txt | 227 ++ doc/scep.odp |binary doc/scep.txt | 38 doc/selinux.txt | 2 doc/submit.txt | 48 po/ach.po | 1339 +++++++++++--- po/af.po | 1339 +++++++++++--- po/af_ZA.po | 1307 +++++++++++--- po/aln.po | 1339 +++++++++++--- po/am.po | 1339 +++++++++++--- po/ar.po | 1342 +++++++++++--- po/as.po | 1339 +++++++++++--- po/ast.po | 1339 +++++++++++--- po/az.po | 1339 +++++++++++--- po/bal.po | 1339 +++++++++++--- po/be.po | 1342 +++++++++++--- po/bg.po | 1454 ++++++++++++---- po/bn.po | 1339 +++++++++++--- po/bn_IN.po | 1339 +++++++++++--- po/bo.po | 1339 +++++++++++--- po/br.po | 1339 +++++++++++--- po/brx.po | 1339 +++++++++++--- po/bs.po | 1342 +++++++++++--- po/ca.po | 1843 ++++++++++++++------ po/certmonger.pot | 1309 +++++++++++--- po/cs.po | 1339 +++++++++++--- po/cs_CZ.po | 1307 +++++++++++--- po/cy.po | 1342 +++++++++++--- po/da.po | 1395 +++++++++++---- po/de.po | 1457 ++++++++++++---- po/de_CH.po | 1339 +++++++++++--- po/dz.po | 1339 +++++++++++--- po/el.po | 1339 +++++++++++--- po/en_GB.po | 1339 +++++++++++--- po/eo.po | 1339 +++++++++++--- po/es.po | 1559 +++++++++++++---- po/es_ES.po | 1307 +++++++++++--- po/et.po | 1339 +++++++++++--- po/eu.po | 1344 +++++++++++---- po/eu_ES.po | 1307 +++++++++++--- po/fa.po | 1339 +++++++++++--- po/fa_IR.po | 1307 +++++++++++--- po/fi.po | 1339 +++++++++++--- po/fr.po | 1507 ++++++++++++---- po/ga.po | 1342 +++++++++++--- po/gl.po | 1339 +++++++++++--- po/gu.po | 1344 +++++++++++---- po/he.po | 1339 +++++++++++--- po/hi.po | 1339 +++++++++++--- po/hr.po | 1342 +++++++++++--- po/hr_HR.po | 1307 +++++++++++--- po/hu.po | 1490 ++++++++++++---- po/hy.po | 1339 +++++++++++--- po/ia.po | 
1339 +++++++++++--- po/id.po | 1381 +++++++++++---- po/ilo.po | 1339 +++++++++++--- po/is.po | 1339 +++++++++++--- po/it.po | 1425 ++++++++++++--- po/it_IT.po | 1307 +++++++++++--- po/ja.po | 1388 +++++++++++---- po/ja_JP.po | 1307 +++++++++++--- po/ka.po | 1339 +++++++++++--- po/kk.po | 1339 +++++++++++--- po/km.po | 1339 +++++++++++--- po/kn.po | 1339 +++++++++++--- po/ko.po | 1339 +++++++++++--- po/ks.po | 1339 +++++++++++--- po/ku.po | 1339 +++++++++++--- po/ky.po | 1339 +++++++++++--- po/la.po | 1339 +++++++++++--- po/lo.po | 1339 +++++++++++--- po/lt.po | 1406 ++++++++++++--- po/lv.po | 1342 +++++++++++--- po/mai.po | 1339 +++++++++++--- po/mg.po | 1339 +++++++++++--- po/mk.po | 1339 +++++++++++--- po/ml.po | 1339 +++++++++++--- po/mn.po | 1339 +++++++++++--- po/mr.po | 1339 +++++++++++--- po/ms.po | 1339 +++++++++++--- po/ms_MY.po | 1307 +++++++++++--- po/my.po | 1339 +++++++++++--- po/nb.po | 1344 +++++++++++---- po/nds.po | 1339 +++++++++++--- po/ne.po | 1339 +++++++++++--- po/nl.po | 1504 ++++++++++++---- po/nn.po | 1339 +++++++++++--- po/no.po | 1339 +++++++++++--- po/nso.po | 1339 +++++++++++--- po/or.po | 1339 +++++++++++--- po/pa.po | 1339 +++++++++++--- po/pl.po | 1479 ++++++++++++---- po/pt.po | 1412 ++++++++++++--- po/pt_BR.po | 1541 +++++++++++++---- po/ro.po | 1342 +++++++++++--- po/ru.po | 1360 +++++++++++---- po/ru_RU.po | 1344 +++++++++++---- po/si.po | 1339 +++++++++++--- po/sk.po | 1339 +++++++++++--- po/sl.po | 1342 +++++++++++--- po/sq.po | 1339 +++++++++++--- po/sr.po | 1342 +++++++++++--- po/sr at latin.po | 1342 +++++++++++--- po/sv.po | 1428 ++++++++++++--- po/ta.po | 1342 +++++++++++--- po/ta_IN.po | 1307 +++++++++++--- po/te.po | 1339 +++++++++++--- po/tg.po | 1339 +++++++++++--- po/th.po | 1339 +++++++++++--- po/tl.po | 1339 +++++++++++--- po/tr.po | 1342 +++++++++++--- po/uk.po | 1524 ++++++++++++----- po/uk_UA.po | 1307 +++++++++++--- po/ur.po | 1339 +++++++++++--- po/uz.po | 1339 +++++++++++--- po/vi.po | 1339 +++++++++++--- 
po/wo.po | 1339 +++++++++++--- po/xh.po | 1339 +++++++++++--- po/zh_CN.GB2312.po | 1931 +++++++++++++++++++++ po/zh_CN.po | 1377 +++++++++++---- po/zh_HK.po | 1339 +++++++++++--- po/zh_TW.Big5.po | 1931 +++++++++++++++++++++ po/zh_TW.po | 1353 +++++++++++---- po/zu.po | 1339 +++++++++++--- src/Makefile.am | 107 - src/cadata.c | 449 ++++- src/cadata.h | 5 src/canalyze.c | 108 + src/canalyze.h | 3 src/casave.c | 140 + src/certext.c | 246 ++ src/certmaster-getcert.1.in | 14 src/certmaster.c | 79 src/certmonger-certmaster-submit.8.in | 11 src/certmonger-dogtag-ipa-renew-agent-submit.8.in | 32 src/certmonger-dogtag-submit.8.in | 239 ++ src/certmonger-ipa-submit.8.in | 29 src/certmonger-local-submit.8.in | 12 src/certmonger-scep-submit.8.in | 146 + src/certmonger.8.in | 41 src/certmonger.conf.5.in | 43 src/certmonger.conf.in | 3 src/certread-n.c | 10 src/certread-o.c | 7 src/certread.c | 12 src/certsave-int.h | 10 src/certsave-n.c | 312 +++ src/certsave-o.c | 353 +++ src/certsave.c | 21 src/certsave.h | 7 src/cm.c | 51 src/cm.h | 4 src/csrgen-int.h | 3 src/csrgen-n.c | 499 +++++ src/csrgen-o.c | 170 + src/csrgen.c | 69 src/dogtag-ipa.c | 50 src/dogtag-ipa.h | 23 src/dogtag.c | 426 +++- src/env-session.c | 6 src/env-shared.c | 6 src/env-system.c | 11 src/getcert-add-ca.1.in | 52 src/getcert-add-scep-ca.1.in | 84 src/getcert-list-cas.1.in | 9 src/getcert-list.1.in | 65 src/getcert-modify-ca.1.in | 47 src/getcert-refresh-ca.1.in | 9 src/getcert-refresh.1.in | 9 src/getcert-remove-ca.1.in | 45 src/getcert-request.1.in | 22 src/getcert-resubmit.1.in | 22 src/getcert-start-tracking.1.in | 22 src/getcert-status.1.in | 11 src/getcert-stop-tracking.1.in | 11 src/getcert.1.in | 25 src/getcert.c | 1969 +++++++++++++++++++--- src/hook.c | 2 src/introspect.sh.in | 15 src/ipa-getcert.1.in | 12 src/ipa.c | 837 ++++++--- src/iterate.c | 625 +++++- src/json.c | 1155 ++++++++++++ src/json.h | 78 src/keygen-n.c | 245 ++ src/keygen-o.c | 160 + src/keyiread-n.c | 94 - src/keyiread-n.h | 6 
src/keyiread-o.c | 78 src/keyiread.c | 60 src/local-getcert.1.in | 12 src/local.c | 71 src/log.h | 2 src/main.c | 200 +- src/notify.c | 41 src/notify.h | 1 src/pkcs7.c | 1208 +++++++++++++ src/pkcs7.h | 66 src/prefs-n.c | 56 src/prefs-n.h | 4 src/prefs-o.c | 29 src/prefs-o.h | 2 src/prefs.c | 71 src/prefs.h | 11 src/scep-o.c | 82 src/scep-o.h | 28 src/scep.c | 1109 ++++++++++++ src/scep.h | 47 src/scepgen-int.h | 51 src/scepgen-n.c | 475 +++++ src/scepgen-o.c | 855 +++++++++ src/scepgen.c | 115 + src/scepgen.h | 57 src/selfsign-getcert.1.in | 12 src/srvloc.c | 249 ++ src/srvloc.h | 31 src/store-files.c | 509 +++++ src/store-gen.c | 42 src/store-int.h | 76 src/store.h | 2 src/submit-d.c | 393 +++- src/submit-d.h | 12 src/submit-e.c | 831 +++++++-- src/submit-e.h | 13 src/submit-h.c | 140 - src/submit-h.h | 5 src/submit-int.h | 25 src/submit-n.c | 471 +++++ src/submit-o.c | 109 + src/submit-o.h | 3 src/submit-sn.c | 48 src/submit-so.c | 50 src/submit-u.c | 33 src/submit-x.c | 108 - src/submit.c | 14 src/submit.h | 6 src/subproc.c | 35 src/subproc.h | 2 src/tdbus.c | 371 +++- src/tdbus.h | 29 src/tdbush.c | 743 ++++++++ src/tdbush.h | 3 src/tdbusm-check.c | 46 src/tdbusm.c | 61 src/tdbusm.h | 3 src/tlslayer.c | 75 src/toklist.c | 44 src/util-m.h | 4 src/util-n.c | 191 ++ src/util-n.h | 10 src/util-o.c | 119 + src/util-o.h | 12 systemd/Makefile.am | 5 systemd/certmonger.path.in | 9 systemd/org.fedorahosted.certmonger.service.in | 4 tests/001-keyiread-dsa/expected.out | 36 tests/001-keyiread-dsa/run.sh | 10 tests/002-keygen-dsa/expected.out.2 | 45 tests/002-keygen-dsa/expected.out.3 | 45 tests/002-keygen/expected.out | 72 tests/002-keygen/run.sh | 22 tests/003-csrgen-dsa/expected.out | 2 tests/003-csrgen-dsa/run.sh | 7 tests/003-csrgen-ec/expected.out | 2 tests/003-csrgen-ec/run.sh | 7 tests/003-csrgen/expected.out | 48 tests/003-csrgen/run.sh | 94 - tests/004-selfsign/run.sh | 3 tests/005-dbusm/expected.out | 1 tests/008-certread/expected.out | 1 
tests/010-iterate/expected.out | 232 ++ tests/010-iterate/run.sh | 237 ++ tests/019-dparse/expected.out | 162 + tests/019-dparse/good.profileList | 1028 +++++++++++ tests/019-dparse/good.profileSubmit.issued | 1 tests/019-dparse/run.sh | 4 tests/021-resume/expected.out | 436 +++- tests/021-resume/run.sh | 23 tests/023-cadata/expected.out | 24 tests/023-cadata/run.sh | 23 tests/024-citerate/expected.out | 200 ++ tests/024-citerate/run.sh | 8 tests/025-casave/expected.out | 62 tests/025-casave/run.sh | 186 ++ tests/028-dbus/entry | 6 tests/028-dbus/expected.out | 62 tests/028-dbus/run.sh | 1 tests/028-dbus/walk.py | 47 tests/030-rekey/expected.out | 345 +++ tests/030-rekey/run.sh | 246 ++ tests/031-pkcs7/expected.out | 209 ++ tests/031-pkcs7/prequal.sh | 2 tests/031-pkcs7/run.sh | 252 ++ tests/032-chain/expected.out | 1 tests/032-chain/run.sh | 54 tests/033-scep/expected.out | 24 tests/033-scep/run.sh | 213 ++ tests/034-perms-dbm/expected.out | 94 + tests/034-perms-dbm/run.sh | 2 tests/034-perms-sql/expected.out | 94 + tests/034-perms-sql/run.sh | 2 tests/034-perms/expected.out | 94 + tests/034-perms/run.sh | 199 ++ tests/035-json/bad.1 | 14 tests/035-json/bad.15 | 1 tests/035-json/bad.1a | 14 tests/035-json/bad.1b | 14 tests/035-json/bad.1c | 14 tests/035-json/bad.1d | 13 tests/035-json/bad.1e | 14 tests/035-json/bad.2 |binary tests/035-json/bad.3 | 1 tests/035-json/bad.4 | 60 tests/035-json/bad.5 | 1 tests/035-json/bad.6 | 1 tests/035-json/bad.8 | 1 tests/035-json/bad.9 | 1 tests/035-json/expected.out | 66 tests/035-json/good.1 | 14 tests/035-json/good.10 | 1 tests/035-json/good.11 | 1 tests/035-json/good.12 | 1 tests/035-json/good.13 | 1 tests/035-json/good.14 | 1 tests/035-json/good.15 | 1 tests/035-json/good.16 | 22 tests/035-json/good.17 | 23 tests/035-json/good.18 | 22 tests/035-json/good.19 | 11 tests/035-json/good.2 | 23 tests/035-json/good.20 | 26 tests/035-json/good.21 | 88 tests/035-json/good.22 | 27 tests/035-json/good.2a | 10 tests/035-json/good.2b | 10 
tests/035-json/good.2c | 12 tests/035-json/good.3 | 1 tests/035-json/good.4 | 1 tests/035-json/good.5 | 1 tests/035-json/good.6 | 1 tests/035-json/good.7 | 1 tests/035-json/good.8 | 1 tests/035-json/good.9 | 1 tests/035-json/run.sh | 20 tests/036-getcert/expected.out | 74 tests/036-getcert/run.sh | 190 ++ tests/037-rekey2/expected.out | 233 ++ tests/037-rekey2/run.sh | 205 ++ tests/Makefile.am | 48 tests/run-tests.sh | 16 tests/tools/Makefile.am | 18 tests/tools/addcinfo.c | 109 + tests/tools/base2pem.c | 29 tests/tools/base64.c | 46 tests/tools/cachain.sh | 90 + tests/tools/cadata.c | 72 tests/tools/casave.c | 58 tests/tools/dparse.c | 27 tests/tools/hooks.c | 58 tests/tools/iterate.c | 68 tests/tools/json-utf8.c | 112 + tests/tools/json.c | 187 ++ tests/tools/keyiread.c | 85 tests/tools/ls.c | 82 tests/tools/pk7decrypt.c | 106 + tests/tools/pk7env.c | 183 ++ tests/tools/pk7parse.c | 102 + tests/tools/pk7verify.c | 159 + tests/tools/prefs.c | 9 tests/tools/printenv.c | 40 tests/tools/scepgen.c | 142 + tests/tools/srv.c | 53 tests/tools/submit.c | 22 zanata.xml | 106 +
383 files changed, 151966 insertions(+), 38948 deletions(-)

---

From ftpmaster at ftp-master.debian.org Sun Aug 16 08:08:32 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Sun, 16 Aug 2015 08:08:32 +0000
Subject: [Pkg-freeipa-devel] Processing of certmonger_0.78.4-1_amd64.changes
Message-ID:

certmonger_0.78.4-1_amd64.changes uploaded successfully to localhost
along with the files:
  certmonger_0.78.4-1.dsc
  certmonger_0.78.4.orig.tar.gz
  certmonger_0.78.4-1.diff.gz
  certmonger_0.78.4-1_amd64.deb

Greetings,

	Your Debian queue daemon (running on host franck.debian.org)

From ftpmaster at ftp-master.debian.org Sun Aug 16 09:34:34 2015
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Sun, 16 Aug 2015 09:34:34 +0000
Subject: [Pkg-freeipa-devel] certmonger_0.78.4-1_amd64.changes ACCEPTED into unstable
Message-ID:

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 16 Aug 2015 11:02:04 +0300
Source: certmonger
Binary: certmonger
Architecture: source amd64
Version: 0.78.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team
Changed-By: Timo Aaltonen
Description:
 certmonger - D-Bus -based service to simplify interaction with certificate aut
Changes:
 certmonger (0.78.4-1) unstable; urgency=medium
 .
   * New upstream release.
   * control: Add libpopt-dev to build-depends.
Checksums-Sha1:
 95ab49f8f5ddd40ee379d54941f75b3261c316ef 2244 certmonger_0.78.4-1.dsc
 277aca37d5ee3b693108ce7d9398ec3b44beb634 1848610 certmonger_0.78.4.orig.tar.gz
 9ef0fc7cdff48b19092c6b70eb6a8f3184327f78 955251 certmonger_0.78.4-1.diff.gz
 e368fb6160243612ad0cf58b5f25fce29186cee8 434000 certmonger_0.78.4-1_amd64.deb
Checksums-Sha256:
 bdeaf1da3cf33069056a843185bfd7281cab47e8ca9431bac868fe8efb1991f7 2244 certmonger_0.78.4-1.dsc
 45eeac6b4176a605b1a12fead6415c09af16c25382a87edc2bfe7d666a2c3915 1848610 certmonger_0.78.4.orig.tar.gz
 19842b64a923f74a5998edf908d536dc51f5b252faa8805536b4f957ae6a27ac 955251 certmonger_0.78.4-1.diff.gz
 46b877082897a09fa01fc1c262288f3d29c6d065498134de1a57eb799a12b803 434000 certmonger_0.78.4-1_amd64.deb
Files:
 0d31b0d1d2e8d2a5dda23cb23a0b8864 2244 utils extra certmonger_0.78.4-1.dsc
 976149477a82e0db959bfe2b81967d20 1848610 utils extra certmonger_0.78.4.orig.tar.gz
 07a9cd193cdbac22f2125d9e48f1bc30 955251 utils extra certmonger_0.78.4-1.diff.gz
 75cc32e4b53c21f956b7e2e565edb078 434000 utils extra certmonger_0.78.4-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJV0EStAAoJEMtwMWWoiYTcANcP/jaWT5AkPEp1XQ29p6neYRnh
RARwF6Ni5S6w9ZXtHfl9OrZEsjBsErO3jTKM+GcOfe9XHPXI09//b0HZCqOhMgIz
4ddB/bMBZRMGVZOCohC2X+br832XBlPUAaNtiCsg+O5n7XsKnB1GjLFPJKaBQU73
VGvz+iIfFwX2FfiVEfSjyjZXYaz2T/5e8pAT9S51GsqWmGuk0QWAKwUTrI3V3fvd
68/IullJRpVjd3nGqhcQCelqkOkhsH+MdIx+JrF1YT6GcffYJ2a/dgvSzbRJlELp
j01cEZrtY4gKPdmHGGKgc3dRYSjtAm4FHaGHD8GmPbvvy34kZYQ8y9oe0+XjypBn
N8uBZgGwUsltfb+l3PmbHuYG/VHHHRYbVHsQcXWv4k2YhuuVZY06qz2wh8DQjiRR
Dwfs9Gqwq3ri0iZJWCDDBigRsFiEJiWq6AFQ76Ubw+jdtBRRHua73Y0l0/aY7bqF
2+MbEA8SV4pSDauybSf2rUcv7zc9OD76wijfZA0XEw4cpDMkQd3DSvAj64PZO5Lq
u3WQhsdzOwWvsAOsDtRLkk0QZPp0IQu8EuGBaYQYCesGfg+A5RdHoVgk7eFqz3EX
wbGCs6Y2hN5KjUkRakookyqhp6uNc0g16j0vVk4A85QE84aII1C7KQhyrmgRojgo
U/aWyljBVwFqF+sxGfI/
=04dS
-----END PGP SIGNATURE-----

Thank you for your contribution to Debian.

From tjaalton at moszumanska.debian.org Sun Aug 16 18:33:41 2015
From: tjaalton at moszumanska.debian.org (Timo Aaltonen)
Date: Sun, 16 Aug 2015 18:33:41 +0000
Subject: [Pkg-freeipa-devel] python-nss: Changes to 'master'
Message-ID:

 .hgtags | 8
 debian/changelog | 6
 doc/ChangeLog | 203 +++
 doc/examples/cert_trust.py | 165 ++
 doc/examples/ssl_example.py | 43
 doc/examples/ssl_version_range.py | 122 +
 doc/examples/verify_server.py | 44
 setup.py | 2
 src/SECerrs.h | 12
 src/SSLerrs.h | 29
 src/__init__.py | 14
 src/py_nspr_common.h | 153 ++
 src/py_nss.c | 486 +++++--
 src/py_nss.h | 44
 src/py_shared_doc.h | 43
 src/py_ssl.c | 2359 ++++++++++++++++++++++++++++++++++----
 src/py_ssl.h | 25
 test/test_client_server.py | 9
 18 files changed, 3319 insertions(+), 448 deletions(-)

New commits:
commit 0f971ac56378be8384e781dacb4d476d19d98e94
Author: Timo Aaltonen
Date:   Sun Aug 16 11:18:41 2015 +0300

    releasing package python-nss version 0.16.0-1

diff --git a/debian/changelog b/debian/changelog
index 87dc59f..7c28d32 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,8 @@ -python-nss (0.16.0-1) UNRELEASED; urgency=medium +python-nss (0.16.0-1) unstable; urgency=medium * New upstream release. - -- Timo Aaltonen Sun, 16 Aug 2015 11:12:06 +0300 + -- Timo Aaltonen Sun, 16 Aug 2015 11:18:20 +0300 python-nss (0.15.0-1) unstable; urgency=medium commit 91ddae5ebc8244212c82ddd0f287d011044a55a6 Author: Timo Aaltonen Date: Sun Aug 16 11:12:26 2015 +0300 update the changelog diff --git a/debian/changelog b/debian/changelog index 715043b..87dc59f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +python-nss (0.16.0-1) UNRELEASED; urgency=medium + + * New upstream release. + + -- Timo Aaltonen Sun, 16 Aug 2015 11:12:06 +0300 + python-nss (0.15.0-1) unstable; urgency=medium * New upstream release. commit 841f576de6afae22380b505af33135dafd0c50ae Author: John Dennis Date: Tue Oct 28 14:50:39 2014 -0400 add py_shared_doc.h to MANIFEST diff --git a/MANIFEST b/MANIFEST index 297bb58..5f1d623 100644 --- a/MANIFEST +++ b/MANIFEST @@ -34,6 +34,7 @@ src/py_nspr_io.c src/py_nspr_io.h src/py_nss.c src/py_nss.h +src/py_shared_doc.h src/py_ssl.c src/py_ssl.h src/py_traceback.h commit 564ec92dbeac04a5475ed5a415e7f7e1c1635c84 Author: John Dennis Date: Mon Oct 27 11:19:14 2014 -0400 Added tag PYNSS_RELEASE_0_16_0 for changeset 07759f773c0b diff --git a/.hgtags b/.hgtags index b209bbe..3ee56fd 100644 --- a/.hgtags +++ b/.hgtags @@ -20,3 +20,5 @@ f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1 58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0 58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0 e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0 +e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0 +07759f773c0b643e0543ed3cf8168cd2937966dd PYNSS_RELEASE_0_16_0 commit 8f6b727f4cd5ba50b95800cd9520d181e95a852c Author: John Dennis Date: Mon Oct 27 11:19:00 2014 -0400 Fix doc typos diff --git a/src/__init__.py b/src/__init__.py index 42c2534..c1506fb 100644 --- a/src/__init__.py 
+++ b/src/__init__.py @@ -66,18 +66,6 @@ should not be used, they will be removed in a subsequent release. not respected, port will be value when `HostEntry` object was created. -`ssl.nssinit()` - nssinit has been moved to the nss module, use `nss.nss_init()` - instead of ssl.nssinit - -`ssl.nss_init()` - nss_init has been moved to the nss module, use `nss.nss_init()` - instead of ssl.nssinit - -`ssl.nss_shutdown()` - nss_shutdown() has been moved to the nss module, use - `nss.nss_shutdown()` instead of ssl.nss_shutdown() - `io.Socket()` and `ssl.SSLSocket()` without explicit family parameter Socket initialization will require the family parameter in the future. The default family parameter of PR_AF_INET is deprecated because diff --git a/src/py_shared_doc.h b/src/py_shared_doc.h index 9a57279..79b4b83 100644 --- a/src/py_shared_doc.h +++ b/src/py_shared_doc.h @@ -30,13 +30,13 @@ representing the indentation level for that line. Any remaining items\n\ in the tuple are strings to be output on that line.\n\ \n\ The output of this function can be formatted into a single string by\n\ -calling `indented_format()`, e.g.:\n\ +calling `nss.nss.indented_format()`, e.g.:\n\ \n\ print indented_format(obj.format_lines())\n\ \n\ The reason this function returns a tuple as opposed to an single\n\ indented string is to support other text formatting systems such as\n\ -GUI's with indentation controls. See `indented_format()` for a\n\ +GUI's with indentation controls. See `nss.nss.indented_format()` for a\n\ complete explanation.\n\ "); diff --git a/src/py_ssl.c b/src/py_ssl.c index 3e0dbf6..c345b6c 100644 --- a/src/py_ssl.c +++ b/src/py_ssl.c @@ -3107,9 +3107,6 @@ SSLChannelInformation_dealloc(SSLChannelInformation* self) PyDoc_STRVAR(SSLChannelInformation_doc, "SSLChannelInformation(obj)\n\ \n\ -:Parameters:\n\ - obj : xxx\n\ -\n\ An object representing SSLChannelInformation.\n\ "); 
@@ -3902,7 +3899,7 @@ PyDoc_STRVAR(SSL_get_ssl_version_from_major_minor_doc, :Parameters:\n\ major : int\n\ The major version number.\n\ - mainor : int\n\ + minor : int\n\ The minor version number.\n\ repr_kind : RepresentationKind constant\n\ Specifies what format the return value will be in.\n\ @@ -4177,7 +4174,7 @@ PyDoc_STRVAR(SSL_get_cipher_suite_info_doc, suite : int\n\ a cipher suite enumerated constant\n\ \n\ -Returns a `SSLCipherSuiteInfo object`.\n\ +Returns a `ssl.SSLCipherSuiteInfo`.\n\ "); static PyObject * commit f9ecf9c3855a5f2b32ca1f1cb02b31a749cb3ed3 Author: John Dennis Date: Mon Oct 27 10:03:47 2014 -0400 Added tag PYNSS_RELEASE_0_16_0 for changeset e07c4d352c1d diff --git a/.hgtags b/.hgtags index 7f6f84c..b209bbe 100644 --- a/.hgtags +++ b/.hgtags @@ -18,3 +18,5 @@ f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1 288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0 288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0 58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0 +58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0 +e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0 commit e1e4f1a74f5cc4d234e992290f52fe8373ffd25a Author: John Dennis Date: Mon Oct 27 10:02:59 2014 -0400 Added tag PYNSS_RELEASE_0_16_0 for changeset 58faa8ba467a diff --git a/.hgtags b/.hgtags index 17e02d6..7f6f84c 100644 --- a/.hgtags +++ b/.hgtags @@ -16,3 +16,5 @@ e9302e97739fc677b660d6324efadea8294131ea PYNSS_RELEASE_0_14_1 f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1 73d6871d2b0770fa7f00e691c85f314bc0849309 PYNSS_RELEASE_0_15_0 288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0 +288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0 +58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0 commit d11afcac6fa541ae2e629d70ad5e71d8dcef682c Author: John Dennis Date: Mon Oct 27 10:02:19 2014 -0400 Add SSLCipherSuiteInfo, SSLChannelInfo classes. Add SSLSocket.connection_info* 
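Review bot: the three .hgtags hunks (commits 564ec92d, f9ecf9c3 and e1e4f1a7) re-point PYNSS_RELEASE_0_16_0 three times in a row, to 58faa8ba467a, then e07c4d352c1d, then 07759f773c0b, each time appending the previous target once more followed by the new one, which is how Mercurial records a moved tag. A release tag that keeps moving after it has been pushed will not match what a downstream packager already fetched or any checksum recorded against the tag name, so the 0.16.0 tarball should be checked against the final changeset 07759f773c0b rather than trusted by tag; if re-tagging was intended, a single line in doc/ChangeLog naming the changeset that 0.16.0 corresponds to would save the next reader the archaeology.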
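Review bot: in the first py_ssl.c hunk, dropping the ":Parameters:\n obj : xxx" block leaves the signature line "SSLChannelInformation(obj)\n" still advertising an obj argument that is now undocumented; either describe obj or remove it from the signature. The same docstring names the class SSLChannelInformation, while the doc/ChangeLog hunk in the following commit lists the new class as SSLChannelInfo; please confirm which name is actually exported so the documentation and the class agree.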
diff --git a/doc/ChangeLog b/doc/ChangeLog index c03df82..dcf5260 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,20 +1,49 @@ 2014-10-21 John Dennis 0.16.0 The primary enhancements in this version is adding support for the - setting trust attributes on a Certificate and the SSL version range API. + setting trust attributes on a Certificate, the SSL version range API, + information on the SSL cipher suites and information on the SSL connection. * The following module functions were added: - - get_default_ssl_version_range - - get_supported_ssl_version_range - - set_default_ssl_version_range - - ssl_library_version_from_name - - ssl_library_version_name + + - ssl.get_ssl_version_from_major_minor + - ssl.get_default_ssl_version_range + - ssl.get_supported_ssl_version_range + - ssl.set_default_ssl_version_range + - ssl.ssl_library_version_from_name + - ssl.ssl_library_version_name + - ssl.get_cipher_suite_info + - ssl.ssl_cipher_suite_name + - ssl.ssl_cipher_suite_from_name + + * The following deprecated module functions were removed: + + - ssl.nssinit + - ssl.nss_ini + - ssl.nss_shutdown + + * The following classes were added: + + - SSLCipherSuiteInfo + - SSLChannelInfo * The following class methods were added: - Certificate.trust_flags - Certificate.set_trust_attributes + - SSLSocket.set_ssl_version_range - SSLSocket.get_ssl_version_range + - SSLSocket.get_ssl_channel_info + - SSLSocket.get_negotiated_host + - SSLSocket.connection_info_format_lines + - SSLSocket.connection_info_format + - SSLSocket.connection_info_str + + - SSLCipherSuiteInfo.format_lines + - SSLCipherSuiteInfo.format + + - SSLChannelInfo.format_lines + - SSLChannelInfo.format * The following class properties were added: 
@@ -22,6 +51,42 @@ - Certificate.email_trust_flags - Certificate.signing_trust_flags + - SSLCipherSuiteInfo.cipher_suite + - SSLCipherSuiteInfo.cipher_suite_name + - SSLCipherSuiteInfo.auth_algorithm + - SSLCipherSuiteInfo.auth_algorithm_name + - SSLCipherSuiteInfo.kea_type + - SSLCipherSuiteInfo.kea_type_name + - SSLCipherSuiteInfo.symmetric_cipher + - SSLCipherSuiteInfo.symmetric_cipher_name + - SSLCipherSuiteInfo.symmetric_key_bits + - SSLCipherSuiteInfo.symmetric_key_space + - SSLCipherSuiteInfo.effective_key_bits + - SSLCipherSuiteInfo.mac_algorithm + - SSLCipherSuiteInfo.mac_algorithm_name + - SSLCipherSuiteInfo.mac_bits + - SSLCipherSuiteInfo.is_fips + - SSLCipherSuiteInfo.is_exportable + - SSLCipherSuiteInfo.is_nonstandard + + - SSLChannelInfo.protocol_version + - SSLChannelInfo.protocol_version_str + - SSLChannelInfo.protocol_version_enum + - SSLChannelInfo.major_protocol_version + - SSLChannelInfo.minor_protocol_version + - SSLChannelInfo.cipher_suite + - SSLChannelInfo.auth_key_bits + - SSLChannelInfo.kea_key_bits + - SSLChannelInfo.creation_time + - SSLChannelInfo.creation_time_utc + - SSLChannelInfo.last_access_time + - SSLChannelInfo.last_access_time_utc + - SSLChannelInfo.expiration_time + - SSLChannelInfo.expiration_time_utc + - SSLChannelInfo.compression_method + - SSLChannelInfo.compression_method_name + - SSLChannelInfo.session_id + * The following files were added: - doc/examples/cert_trust.py @@ -131,6 +196,7 @@ - ssl.tls1.3 * The following methods were missing thread locks, this has been fixed. + - nss.nss_initialize - nss.nss_init_context - nss.nss_shutdown_context diff --git a/doc/examples/ssl_example.py b/doc/examples/ssl_example.py index 74b83d7..e5084bb 100755 --- a/doc/examples/ssl_example.py +++ b/doc/examples/ssl_example.py 
@@ -40,7 +40,13 @@ def password_callback(slot, retry, password): return getpass.getpass("Enter password: "); def handshake_callback(sock): - print "handshake complete, peer = %s" % (sock.get_peer_name()) + print "-- handshake complete --" + print "peer: %s" % (sock.get_peer_name()) + print "negotiated host: %s" % (sock.get_negotiated_host()) + print + print sock.connection_info_str() + print "-- handshake complete --" + print def auth_certificate_callback(sock, check_sig, is_server, certdb): print "auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server) @@ -382,6 +388,12 @@ parser.add_argument('--request-cert-once', dest='client_cert_action', parser.add_argument('--request-cert-always', dest='client_cert_action', action='store_const', const=REQUEST_CLIENT_CERT_ALWAYS) +parser.add_argument('--min-ssl-version', + help='minimum SSL version') + +parser.add_argument('--max-ssl-version', + help='minimum SSL version') + parser.set_defaults(client = False, server = False, db_name = 'sql:pki', 
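Review bot: in the second ssl_example.py hunk the new `--max-ssl-version` option carries `help='minimum SSL version'`, copy-pasted from the `--min-ssl-version` option directly above it; it should read `help='maximum SSL version'`. The same slip is repeated in the verify_server.py hunk below, so both places need the fix.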
@@ -413,7 +425,34 @@ else: ssl.set_domestic_policy() nss.set_password_callback(password_callback) -# Run as a client or as a server +min_ssl_version, max_ssl_version = \ + ssl.get_supported_ssl_version_range(repr_kind=nss.AsString) +print "Supported SSL version range: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + +min_ssl_version, max_ssl_version = \ + ssl.get_default_ssl_version_range(repr_kind=nss.AsString) +print "Default SSL version range: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + +if options.min_ssl_version is not None or \ + options.max_ssl_version is not None: + + if options.min_ssl_version is not None: + min_ssl_version = options.min_ssl_version + if options.max_ssl_version is not None: + max_ssl_version = options.max_ssl_version + + print "Setting default SSL version range: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + ssl.set_default_ssl_version_range(min_ssl_version, max_ssl_version) + + min_ssl_version, max_ssl_version = \ + ssl.get_default_ssl_version_range(repr_kind=nss.AsString) + print "Default SSL version range now: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + +# Run as a client or as a serveri if options.client: print "starting as client" Client() diff --git a/doc/examples/ssl_version_range.py b/doc/examples/ssl_version_range.py index 11fe85e..c784a99 100644 --- a/doc/examples/ssl_version_range.py +++ b/doc/examples/ssl_version_range.py @@ -118,3 +118,5 @@ for name in names: enum = ssl.ssl_library_version_from_name(name) enum_name = ssl.ssl_library_version_name(enum, nss.AsString) print "name='%s' -> %s (%#06x)" % (name, enum_name, enum) + + diff --git a/doc/examples/verify_server.py b/doc/examples/verify_server.py index e58c21e..3318ed7 100755 --- a/doc/examples/verify_server.py +++ b/doc/examples/verify_server.py 
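Review bot: the `@@ -413,7 +425,34 @@` hunk replaces the comment `# Run as a client or as a server` with `# Run as a client or as a serveri`, introducing a stray character into an otherwise unchanged line; restore the original comment. In the same hunk the user-supplied option values go straight into `ssl.set_default_ssl_version_range(min_ssl_version, max_ssl_version)` at module top level with no try/except, so an unknown version name or a minimum above the maximum ends the example with a traceback instead of a usage message; the verify_server.py hunk wraps the identical block in its existing try/except, and this one should do the same (or resolve the names first through `ssl.ssl_library_version_from_name()` and report a bad name).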
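Review bot: the ssl_version_range.py hunk only appends two empty lines after the last `print`, leaving trailing blank lines at end of file; drop this hunk from the commit.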
@@ -27,7 +27,13 @@ GET /index.html HTTP/1.0 # ----------------------------------------------------------------------------- def handshake_callback(sock): - print "handshake complete, peer = %s" % (sock.get_peer_name()) + print "-- handshake complete --" + print "peer: %s" % (sock.get_peer_name()) + print "negotiated host: %s" % (sock.get_negotiated_host()) + print + print sock.connection_info_str() + print "-- handshake complete --" + print def auth_certificate_callback(sock, check_sig, is_server, certdb): print "auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server) 
@@ -170,14 +176,48 @@ parser.set_defaults(db_name = 'sql:pki', port = 443, ) +parser.add_argument('--min-ssl-version', + help='minimum SSL version') + +parser.add_argument('--max-ssl-version', + help='minimum SSL version') + options = parser.parse_args() # Perform basic configuration and setup try: nss.nss_init(options.db_name) ssl.set_domestic_policy() + + min_ssl_version, max_ssl_version = \ + ssl.get_supported_ssl_version_range(repr_kind=nss.AsString) + print "Supported SSL version range: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + + min_ssl_version, max_ssl_version = \ + ssl.get_default_ssl_version_range(repr_kind=nss.AsString) + print "Default SSL version range: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + + if options.min_ssl_version is not None or \ + options.max_ssl_version is not None: + + if options.min_ssl_version is not None: + min_ssl_version = options.min_ssl_version + if options.max_ssl_version is not None: + max_ssl_version = options.max_ssl_version + + print "Setting default SSL version range: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + ssl.set_default_ssl_version_range(min_ssl_version, max_ssl_version) + + min_ssl_version, max_ssl_version = \ + ssl.get_default_ssl_version_range(repr_kind=nss.AsString) + print "Default SSL version range now: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + except Exception, e: - print >>sys.stderr, e.strerror + print >>sys.stderr, str(e) sys.exit(1) client() diff --git a/src/SECerrs.h b/src/SECerrs.h index 04d0c11..8b6b36f 100644 --- a/src/SECerrs.h +++ b/src/SECerrs.h @@ -115,7 +115,7 @@ ER3(SEC_ERROR_EXTENSION_NOT_FOUND, (SEC_ERROR_BASE + 35), ER3(SEC_ERROR_CA_CERT_INVALID, (SEC_ERROR_BASE + 36), "Issuer certificate is invalid.") - + ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, (SEC_ERROR_BASE + 37), "Certificate path length constraint is invalid.") 
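Review bot: in the verify_server.py hunk `--max-ssl-version` again has `help='minimum SSL version'` and should say `maximum`. The change from `e.strerror` to `str(e)` in the except clause is correct, since the version-range calls now inside the try block raise exceptions that carry no `strerror` attribute and the old line would itself have raised AttributeError while reporting the error. The 25-line version-range block is now duplicated verbatim between ssl_example.py and verify_server.py; a small shared helper in doc/examples would keep the two from drifting, as the help-text typo already shows.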
@@ -343,7 +343,7 @@ ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, (SEC_ERROR_BASE + 109), ER3(SEC_ERROR_OLD_KRL, (SEC_ERROR_BASE + 110), "New KRL is not later than the current one.") - + ER3(SEC_ERROR_CKL_CONFLICT, (SEC_ERROR_BASE + 111), "New CKL has different issuer than current CKL. Delete current CKL.") @@ -515,9 +515,6 @@ ER3(SEC_ERROR_BAD_INFO_ACCESS_LOCATION, (SEC_ERROR_BASE + 165), ER3(SEC_ERROR_LIBPKIX_INTERNAL, (SEC_ERROR_BASE + 166), "Libpkix internal error occurred during cert validation.") -#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13) - - ER3(SEC_ERROR_PKCS11_GENERAL_ERROR, (SEC_ERROR_BASE + 167), "A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.") @@ -545,10 +542,6 @@ ER3(SEC_ERROR_UNKNOWN_PKCS11_ERROR, (SEC_ERROR_BASE + 174), ER3(SEC_ERROR_BAD_CRL_DP_URL, (SEC_ERROR_BASE + 175), "Invalid or unsupported URL in CRL distribution point name.") -#endif - -#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14) - ER3(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, (SEC_ERROR_BASE + 176), "The certificate was signed using a signature algorithm that is disabled because it is not secure.") @@ -558,4 +551,3 @@ ER3(SEC_ERROR_LEGACY_DATABASE, (SEC_ERROR_BASE + 177), ER3(SEC_ERROR_APPLICATION_CALLBACK_ERROR, (SEC_ERROR_BASE + 178), "The certificate was rejected by extra checks in the application.") -#endif diff --git a/src/SSLerrs.h b/src/SSLerrs.h index 7e05af2..174037b 100644 --- a/src/SSLerrs.h +++ b/src/SSLerrs.h @@ -359,8 +359,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 109), ER3(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 110), "SSL received a malformed New Session Ticket handshake message.") -#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13) - ER3(SSL_ERROR_DECOMPRESSION_FAILURE, (SSL_ERROR_BASE + 111), "SSL received a compressed record that could not be decompressed.") 
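Review bot: the `@@ -515,9 +515,6 @@`, `@@ -545,10 +542,6 @@` and `@@ -558,4 +551,3 @@` hunks drop the `#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13)` and `>= 14` guards, making every entry from `SEC_ERROR_BASE + 167` through `+ 178` unconditional. That quietly raises the minimum NSS release the module compiles against to at least 3.14; the decision is reasonable, but the new floor should be stated in the ChangeLog hunk and enforced at build time (setup.py or a pkg-config version check) rather than surfacing as a compile error on an older NSS.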
@@ -376,10 +374,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD, (SSL_ERROR_BASE + 114), ER3(SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY, (SSL_ERROR_BASE + 115), "SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.") -#endif - -#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14) - ER3(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID, (SSL_ERROR_BASE + 116), "SSL received invalid NPN extension data.") @@ -407,11 +401,24 @@ ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST, (SSL_ERROR_BASE + 123), ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION, (SSL_ERROR_BASE + 124), "SSL feature not supported for the protocol version.") -#endif - -#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 15) - ER3(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS, (SSL_ERROR_BASE + 125), "SSL received an unexpected Certificate Status handshake message.") -#endif +ER3(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, (SSL_ERROR_BASE + 126), +"Unsupported hash algorithm used by TLS peer.") + +ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR_BASE + 127), +"Digest function failed.") + +ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128), +"Incorrect signature algorithm specified in a digitally-signed element.") + +ER3(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK, (SSL_ERROR_BASE + 129), +"The next protocol negotiation extension was enabled, but the callback was cleared prior to being needed.") + +ER3(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL, (SSL_ERROR_BASE + 130), +"The server supports no protocols that the client advertises in the ALPN extension.") + +ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 131), +"The server rejected the handshake because the client downgraded to a lower " +"TLS version than the server supports.") diff --git a/src/py_nspr_common.h b/src/py_nspr_common.h index b576d15..d123139 100644 --- a/src/py_nspr_common.h +++ b/src/py_nspr_common.h 
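Review bot: the `@@ -407,11 +401,24 @@` hunk removes the `>= 15` guard around `SSL_ERROR_RX_UNEXPECTED_CERT_STATUS` (125) and then appends six new unconditional entries numbered 126 through 131, so the minimum NSS version this table now assumes is at least the 3.15 that guard encoded and, given that these follow 125 in the numbering, most likely newer. Since these strings are how python-nss renders NSS error codes, a mismatch between the table and the linked NSS is a silent wrong message rather than a build failure; please record the required NSS version alongside the SECerrs.h change and add a build-time check for it.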
@@ -4,6 +4,8 @@ //#define DEBUG +typedef PyObject *(*format_lines_func)(PyObject *self, PyObject *args, PyObject *kwds); + typedef enum RepresentationKindEnum { AsObject, AsString, 
@@ -50,6 +52,107 @@ do { \ } while (0) +/******************************************************************************/ + +#define OCTETS_PER_LINE_DEFAULT 16 +#define HEX_SEPARATOR_DEFAULT ":" + +#define FMT_OBJ_AND_APPEND(dst_fmt_tuples, label, src_obj, level, fail) \ +{ \ + PyObject *fmt_tuple = NULL; \ + \ + if ((fmt_tuple = line_fmt_tuple(level, label, src_obj)) == NULL) { \ + goto fail; \ + } \ + if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \ + Py_DECREF(fmt_tuple); \ + goto fail; \ + } \ +} + +#define FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail) \ +{ \ + PyObject *fmt_tuple = NULL; \ + \ + if ((fmt_tuple = fmt_label(level, label)) == NULL) { \ + goto fail; \ + } \ + if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \ + Py_DECREF(fmt_tuple); \ + goto fail; \ + } \ +} + +#define APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, src_fmt_tuples, fail) \ +{ \ + PyObject *src_obj; \ + Py_ssize_t len, i; \ + if (src_fmt_tuples) { \ + len = PyList_Size(src_fmt_tuples); \ + for (i = 0; i < len; i++) { \ + src_obj = PyList_GetItem(src_fmt_tuples, i); \ + PyList_Append(dst_fmt_tuples, src_obj); \ + } \ + Py_CLEAR(src_fmt_tuples); \ + } \ +} + +#define APPEND_LINES_AND_CLEAR(dst_fmt_tuples, src_lines, level, fail) \ +{ \ + PyObject *src_obj; \ + Py_ssize_t len, i; \ + if (src_lines) { \ + len = PySequence_Size(src_lines); \ + for (i = 0; i < len; i++) { \ + src_obj = PySequence_GetItem(src_lines, i); \ + FMT_OBJ_AND_APPEND(dst_fmt_tuples, NULL, src_obj, level, fail); \ + Py_DECREF(src_obj); \ + } \ + Py_CLEAR(src_lines); \ + } \ +} + +#define CALL_FORMAT_LINES_AND_APPEND(dst_fmt_tuples, obj, level, fail) \ +{ \ + PyObject *obj_line_fmt_tuples; \ + \ + if ((obj_line_fmt_tuples = \ + PyObject_CallMethod(obj, "format_lines", \ + "(i)", level)) == NULL) { \ + goto fail; \ + } \ + \ + APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_line_fmt_tuples, fail); \ +} + + +#define APPEND_OBJ_TO_HEX_LINES_AND_CLEAR(dst_fmt_tuples, obj, level, fail) \ +{ \ + 
PyObject *obj_lines; \ + \ + if ((obj_lines = obj_to_hex(obj, OCTETS_PER_LINE_DEFAULT, \ + HEX_SEPARATOR_DEFAULT)) == NULL) { \ + goto fail; \ + } \ + Py_CLEAR(obj); \ + APPEND_LINES_AND_CLEAR(dst_fmt_tuples, obj_lines, level, fail); \ +} + +#define FMT_SEC_INT_OBJ_APPEND_AND_CLEAR(dst_fmt_tuples, label, obj, level, fail) \ +{ \ + PyObject *obj_lines = NULL; \ + SecItem *item = (SecItem *)obj; \ + \ + FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail); \ + if ((obj_lines = secitem_integer_format_lines(&item->item, level+1)) == NULL) { \ + goto fail; \ + } \ + Py_CLEAR(obj); \ + APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_lines, fail); \ +} + +/******************************************************************************/ + // Gettext #ifndef _ #define _(s) s diff --git a/src/py_nss.c b/src/py_nss.c index 95d3958..a34fae3 100644 --- a/src/py_nss.c +++ b/src/py_nss.c @@ -355,10 +355,12 @@ NewType_new_from_NSSType(NSSType *id) #define PY_SSIZE_T_CLEAN #include "Python.h" #include "structmember.h" +#include "datetime.h" #include "py_nspr_common.h" #define NSS_NSS_MODULE #include "py_nss.h" +#include "py_shared_doc.h" #include "py_nspr_error.h" #include "secder.h" @@ -379,8 +381,6 @@ NewType_new_from_NSSType(NSSType *id) #define MAX_AVAS 10 #define MAX_RDNS 10 -#define OCTETS_PER_LINE_DEFAULT 16 -#define HEX_SEPARATOR_DEFAULT ":" #ifdef DEBUG #include "py_traceback.h" @@ -534,8 +534,6 @@ PyString_UTF8(PyObject *obj, char *name); /* ========================================================================== */ -typedef PyObject *(*format_lines_func)(PyObject *self, PyObject *args, PyObject *kwds); - static PyObject * line_fmt_tuple(int level, const char *label, PyObject *py_value); 
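Review bot: the `@@ -50,6 +52,107 @@` hunk moves these macros into the shared header unchanged, and this is the moment to fix what they carry over. `APPEND_LINE_TUPLES_AND_CLEAR` ignores the return value of `PyList_Append(dst_fmt_tuples, src_obj)` and never uses its `fail` parameter, so an append failure is silently dropped; `APPEND_LINES_AND_CLEAR` does not check `PySequence_GetItem` for NULL before handing `src_obj` to `line_fmt_tuple`, and when `FMT_OBJ_AND_APPEND` takes its `goto fail` the new reference held in `src_obj` leaks. All of the blocks are also bare `{ ... }` while the macro immediately above them ends in `} while (0)`, so a use such as `if (x) APPEND_LINES_AND_CLEAR(...); else ...` would not compile. Suggest `if (PyList_Append(dst_fmt_tuples, src_obj) != 0) goto fail;`, a NULL check after `PySequence_GetItem`, and `do { ... } while (0)` wrapping.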
@@ -554,140 +552,6 @@ format_from_lines(format_lines_func formatter, PyObject *self, PyObject *args, P static PyObject * py_indented_format(PyObject *self, PyObject *args, PyObject *kwds); -#define FMT_OBJ_AND_APPEND(dst_fmt_tuples, label, src_obj, level, fail) \ -{ \ - PyObject *fmt_tuple = NULL; \ - \ - if ((fmt_tuple = line_fmt_tuple(level, label, src_obj)) == NULL) { \ - goto fail; \ - } \ - if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \ - Py_DECREF(fmt_tuple); \ - goto fail; \ - } \ -} - -#define FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail) \ -{ \ - PyObject *fmt_tuple = NULL; \ - \ - if ((fmt_tuple = fmt_label(level, label)) == NULL) { \ - goto fail; \ - } \ - if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \ - Py_DECREF(fmt_tuple); \ - goto fail; \ - } \ -} - -#define APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, src_fmt_tuples, fail) \ -{ \ - PyObject *src_obj; \ - Py_ssize_t len, i; \ - if (src_fmt_tuples) { \ - len = PyList_Size(src_fmt_tuples); \ - for (i = 0; i < len; i++) { \ - src_obj = PyList_GetItem(src_fmt_tuples, i); \ - PyList_Append(dst_fmt_tuples, src_obj); \ - } \ - Py_CLEAR(src_fmt_tuples); \ - } \ -} - -#define APPEND_LINES_AND_CLEAR(dst_fmt_tuples, src_lines, level, fail) \ -{ \ - PyObject *src_obj; \ - Py_ssize_t len, i; \ - if (src_lines) { \ - len = PySequence_Size(src_lines); \ - for (i = 0; i < len; i++) { \ - src_obj = PySequence_GetItem(src_lines, i); \ - FMT_OBJ_AND_APPEND(dst_fmt_tuples, NULL, src_obj, level, fail); \ - Py_DECREF(src_obj); \ - } \ - Py_CLEAR(src_lines); \ - } \ -} - -#define CALL_FORMAT_LINES_AND_APPEND(dst_fmt_tuples, obj, level, fail) \ -{ \ - PyObject *obj_line_fmt_tuples; \ - \ - if ((obj_line_fmt_tuples = \ - PyObject_CallMethod(obj, "format_lines", \ - "(i)", level)) == NULL) { \ - goto fail; \ - } \ - \ - APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_line_fmt_tuples, fail); \ -} - - -#define APPEND_OBJ_TO_HEX_LINES_AND_CLEAR(dst_fmt_tuples, obj, level, fail) \ -{ \ - PyObject 
*obj_lines; \ - \ - if ((obj_lines = obj_to_hex(obj, OCTETS_PER_LINE_DEFAULT, \ - HEX_SEPARATOR_DEFAULT)) == NULL) { \ - goto fail; \ - } \ - Py_CLEAR(obj); \ - APPEND_LINES_AND_CLEAR(dst_fmt_tuples, obj_lines, level, fail); \ -} - -#define FMT_SEC_INT_OBJ_APPEND_AND_CLEAR(dst_fmt_tuples, label, obj, level, fail) \ -{ \ - PyObject *obj_lines = NULL; \ - SecItem *item = (SecItem *)obj; \ - \ - FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail); \ - if ((obj_lines = secitem_integer_format_lines(&item->item, level+1)) == NULL) { \ - goto fail; \ - } \ - Py_CLEAR(obj); \ - APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_lines, fail); \ -} - -PyDoc_STRVAR(generic_format_doc, -"format(level=0, indent=' ') -> string)\n\ -\n\ -:Parameters:\n\ - level : integer\n\ - Initial indentation level, all subsequent indents are relative\n\ - to this starting level.\n\ - indent : string\n\ - string replicated once for each indent level then prepended to output line\n\ -\n\ -This is equivalent to:\n\ -indented_format(obj.format_lines()) on an object providing a format_lines() method.\n\ -"); - -PyDoc_STRVAR(generic_format_lines_doc, -"format_lines(level=0) -> [(level, string),...]\n\ -\n\ -:Parameters:\n\ - level : integer\n\ - Initial indentation level, all subsequent indents are relative\n\ - to this starting level.\n\ -\n\ -Formats the object into a sequence of lines with indent level\n\ -information. The return value is a list where each list item is a\n\ -tuple. The first item in the tuple is an integer\n\ -representing the indentation level for that line. 
Any remaining items\n\ -in the tuple are strings to be output on that line.\n\ -\n\ -The output of this function can be formatted into a single string by\n\ -calling `indented_format()`, e.g.:\n\ -\n\ - print indented_format(obj.format_lines())\n\ -\n\ -The reason this function returns a tuple as opposed to an single\n\ -indented string is to support other text formatting systems such as\n\ -GUI's with indentation controls. See `indented_format()` for a\n\ -complete explanation.\n\ -"); - - /* Steals reference to obj_str */ static PyObject * line_fmt_tuple(int level, const char *label, PyObject *py_value) @@ -1794,6 +1658,9 @@ CERTCertExtensions_from_CERTAttribute(PRArenaPool *arena, static SECStatus My_CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req, CERTCertExtension ***exts); +static PyObject * +timestamp_to_DateTime(time_t timestamp, bool utc); + /* ==================================== */ typedef struct BitStringTableStr { @@ -1844,6 +1711,23 @@ static BitStringTable CertTypeDef[] = { BITSTRING_TBL_INIT(NS_CERT_TYPE_OBJECT_SIGNING_CA, _("Object Signing CA") ), /* bit 7 */ }; +static PyObject * +timestamp_to_DateTime(time_t timestamp, bool utc) +{ + double d_timestamp = timestamp; + PyObject *py_datetime = NULL; + char *method; + + method = utc ? "utcfromtimestamp" : "fromtimestamp"; + if ((py_datetime = + PyObject_CallMethod((PyObject *)PyDateTimeAPI->DateTimeType, + method, "(d)", d_timestamp)) == NULL) { + return NULL; + } + + return py_datetime; +} + /* returns new reference or NULL on error */ PyObject * PyString_UTF8(PyObject *obj, char *name) @@ -5209,6 +5093,8 @@ SecItem_str(SecItem *self) break; case SECITEM_algorithm: return oid_secitem_to_pystr_desc(&self->item); + case SECITEM_buffer: + return secitem_to_pystr_hex(&self->item); default: return der_any_secitem_to_pystr(&self->item); break; 
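Review bot: `timestamp_to_DateTime` in the `@@ -1844,6 +1711,23 @@` hunk dereferences `PyDateTimeAPI`, which is only populated once `PyDateTime_IMPORT` runs in `initnss()`, and the function is also exported through the C API table for other extension modules to call; a guard such as `if (PyDateTimeAPI == NULL) { PyErr_SetString(PyExc_RuntimeError, "nss.nss not initialised"); return NULL; }` turns a NULL dereference into a Python exception. The prototype uses `bool` and `time_t`, so every translation unit that includes py_nss.h needs `<stdbool.h>` and `<time.h>` visible before it. The forward declaration added in the `@@ -1794,6 +1658,9 @@` hunk duplicates a definition that appears only a few lines later; moving the definition up removes the need for it.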
@@ -23973,6 +23859,13 @@ static PyNSPR_NSS_C_API_Type nspr_nss_c_api = cert_distnames_as_CERTDistNames, _AddIntConstantWithLookup, _AddIntConstantAlias, + format_from_lines, + line_fmt_tuple, + obj_sprintf, + obj_to_hex, + raw_data_to_hex, + fmt_label, + timestamp_to_DateTime }; /* ============================== Module Construction ============================= */ @@ -23991,6 +23884,8 @@ initnss(void) return; } + PyDateTime_IMPORT; + if ((m = Py_InitModule3("nss.nss", module_methods, module_doc)) == NULL) { return; } diff --git a/src/py_nss.h b/src/py_nss.h index c9661e2..1fb858a 100644 --- a/src/py_nss.h +++ b/src/py_nss.h @@ -414,6 +414,18 @@ typedef struct { PyObject *value_to_name); int (*_AddIntConstantAlias)(const char *name, long value, PyObject *name_to_value); + PyObject *(*format_from_lines)(format_lines_func formatter, PyObject *self, + PyObject *args, PyObject *kwds); + PyObject *(*line_fmt_tuple)(int level, const char *label, + PyObject *py_value); + PyObject *(*obj_sprintf)(const char *fmt, ...); + PyObject *(*obj_to_hex)(PyObject *obj, + int octets_per_line, char *separator); + PyObject *(*raw_data_to_hex)(unsigned char *data, int data_len, + int octets_per_line, char *separator); + PyObject *(*fmt_label)(int level, char *label); + PyObject *(*timestamp_to_DateTime)(time_t timestamp, bool utc); + } PyNSPR_NSS_C_API_Type; 
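Review bot: the `@@ -23973,6 +23859,13 @@` and `@@ -414,6 +414,18 @@` hunks grow `PyNSPR_NSS_C_API_Type` by seven function pointers appended at the end, and nothing in the visible struct carries a size or version, so a consumer module built against the old layout would read past the end of the table when it calls `timestamp_to_DateTime` or `fmt_label`. Please add a size or version field (checked in `import_nspr_nss_c_api`) so a stale py_ssl.so fails loudly instead of jumping through garbage. Separately, `obj_to_hex(PyObject *obj, int octets_per_line, char *separator)` and `fmt_label(int level, char *label)` are called from the moved macros with string literals such as `HEX_SEPARATOR_DEFAULT`, and `raw_data_to_hex` takes `unsigned char *data` it only reads; these parameters should be `const`.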
@@ -452,6 +464,13 @@ static PyNSPR_NSS_C_API_Type nspr_nss_c_api; #define cert_distnames_as_CERTDistNames (*nspr_nss_c_api.cert_distnames_as_CERTDistNames) #define _AddIntConstantWithLookup (*nspr_nss_c_api._AddIntConstantWithLookup) #define _AddIntConstantAlias (*nspr_nss_c_api._AddIntConstantAlias) +#define format_from_lines (*nspr_nss_c_api.format_from_lines) +#define line_fmt_tuple (*nspr_nss_c_api.line_fmt_tuple) +#define obj_sprintf (*nspr_nss_c_api.obj_sprintf) +#define obj_to_hex (*nspr_nss_c_api.obj_to_hex) +#define raw_data_to_hex (*nspr_nss_c_api.raw_data_to_hex) +#define fmt_label (*nspr_nss_c_api.fmt_label) +#define timestamp_to_DateTime (*nspr_nss_c_api.timestamp_to_DateTime) static int import_nspr_nss_c_api(void) diff --git a/src/py_shared_doc.h b/src/py_shared_doc.h new file mode 100644 index 0000000..9a57279 --- /dev/null +++ b/src/py_shared_doc.h @@ -0,0 +1,43 @@ +#ifndef PY_SHARED_DOC_H +#define PY_SHARED_DOC_H + +PyDoc_STRVAR(generic_format_doc, +"format(level=0, indent=' ') -> string)\n\ +\n\ +:Parameters:\n\ + level : integer\n\ + Initial indentation level, all subsequent indents are relative\n\ + to this starting level.\n\ + indent : string\n\ From tjaalton at moszumanska.debian.org Sun Aug 16 18:33:41 2015 
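Review bot: the new src/py_shared_doc.h carries over the docstring signature line `"format(level=0, indent=' ') -> string)\n\`, which has an unbalanced closing parenthesis; drop the trailing `)`. Because the header holds `PyDoc_STRVAR` definitions (static data) rather than declarations, every .c file that includes it gets its own copy of the strings, which is harmless but worth a comment at the top so nobody later adds non-static objects to it.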
From: tjaalton at moszumanska.debian.org (Timo Aaltonen) Date: Sun, 16 Aug 2015 18:33:41 +0000 Subject: [Pkg-freeipa-devel] python-nss: Changes to 'upstream' Message-ID: .hgtags | 8 MANIFEST | 3 doc/ChangeLog | 203 +++ doc/examples/cert_trust.py | 165 ++ doc/examples/ssl_example.py | 43 doc/examples/ssl_version_range.py | 122 + doc/examples/verify_server.py | 44 setup.py | 2 src/SECerrs.h | 12 src/SSLerrs.h | 29 src/__init__.py | 14 src/py_nspr_common.h | 153 ++ src/py_nss.c | 486 +++++-- src/py_nss.h | 44 src/py_shared_doc.h | 43 src/py_ssl.c | 2359 ++++++++++++++++++++++++++++++++++---- src/py_ssl.h | 25 test/test_client_server.py | 9 18 files changed, 3316 insertions(+), 448 deletions(-) New commits: commit 841f576de6afae22380b505af33135dafd0c50ae Author: John Dennis Date: Tue Oct 28 14:50:39 2014 -0400 add py_shared_doc.h to MANIFEST diff --git a/MANIFEST b/MANIFEST index 297bb58..5f1d623 100644 --- a/MANIFEST +++ b/MANIFEST @@ -34,6 +34,7 @@ src/py_nspr_io.c src/py_nspr_io.h src/py_nss.c src/py_nss.h +src/py_shared_doc.h src/py_ssl.c src/py_ssl.h src/py_traceback.h commit 564ec92dbeac04a5475ed5a415e7f7e1c1635c84 Author: John Dennis Date: Mon Oct 27 11:19:14 2014 -0400 Added tag PYNSS_RELEASE_0_16_0 for changeset 07759f773c0b diff --git a/.hgtags b/.hgtags index b209bbe..3ee56fd 100644 --- a/.hgtags +++ b/.hgtags @@ -20,3 +20,5 @@ f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1 58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0 58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0 e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0 +e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0 +07759f773c0b643e0543ed3cf8168cd2937966dd PYNSS_RELEASE_0_16_0 commit 8f6b727f4cd5ba50b95800cd9520d181e95a852c Author: John Dennis Date: Mon Oct 27 11:19:00 2014 -0400 Fix doc typos diff --git a/src/__init__.py b/src/__init__.py index 42c2534..c1506fb 100644 --- a/src/__init__.py +++ b/src/__init__.py 
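Review bot: commit 841f576 adds `src/py_shared_doc.h` to MANIFEST on Oct 28, a day after the PYNSS_RELEASE_0_16_0 tag was last moved to 07759f77 (commit 564ec92), yet py_nss.c at the tagged revision already does `#include "py_shared_doc.h"`; an sdist built from the tagged tree therefore omits a header the build needs and fails to compile. Either the tag has to move once more to 841f576, with the reproducibility cost already noted for the earlier tag moves, or a 0.16.1 should be cut; downstream packaging should check the release tarball against the tagged tree before importing it.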
@@ -66,18 +66,6 @@ should not be used, they will be removed in a subsequent release. not respected, port will be value when `HostEntry` object was created. -`ssl.nssinit()` - nssinit has been moved to the nss module, use `nss.nss_init()` - instead of ssl.nssinit - -`ssl.nss_init()` - nss_init has been moved to the nss module, use `nss.nss_init()` - instead of ssl.nssinit - -`ssl.nss_shutdown()` - nss_shutdown() has been moved to the nss module, use - `nss.nss_shutdown()` instead of ssl.nss_shutdown() - `io.Socket()` and `ssl.SSLSocket()` without explicit family parameter Socket initialization will require the family parameter in the future. The default family parameter of PR_AF_INET is deprecated because diff --git a/src/py_shared_doc.h b/src/py_shared_doc.h index 9a57279..79b4b83 100644 --- a/src/py_shared_doc.h +++ b/src/py_shared_doc.h @@ -30,13 +30,13 @@ representing the indentation level for that line. Any remaining items\n\ in the tuple are strings to be output on that line.\n\ \n\ The output of this function can be formatted into a single string by\n\ -calling `indented_format()`, e.g.:\n\ +calling `nss.nss.indented_format()`, e.g.:\n\ \n\ print indented_format(obj.format_lines())\n\ \n\ The reason this function returns a tuple as opposed to an single\n\ indented string is to support other text formatting systems such as\n\ -GUI's with indentation controls. See `indented_format()` for a\n\ +GUI's with indentation controls. See `nss.nss.indented_format()` for a\n\ complete explanation.\n\ "); diff --git a/src/py_ssl.c b/src/py_ssl.c index 3e0dbf6..c345b6c 100644 --- a/src/py_ssl.c +++ b/src/py_ssl.c @@ -3107,9 +3107,6 @@ SSLChannelInformation_dealloc(SSLChannelInformation* self) PyDoc_STRVAR(SSLChannelInformation_doc, "SSLChannelInformation(obj)\n\ \n\ -:Parameters:\n\ - obj : xxx\n\ -\n\ An object representing SSLChannelInformation.\n\ "); 
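Review bot: the py_shared_doc.h hunk qualifies the prose as `nss.nss.indented_format()` in both places but leaves the example line `print indented_format(obj.format_lines())` unqualified, so the text and the example no longer agree; qualify the example or show the import. In the py_ssl.c hunk the `:Parameters: obj : xxx` placeholder is removed from `SSLChannelInformation_doc` while the signature line `SSLChannelInformation(obj)` still advertises an `obj` argument that is now undocumented, and the name `SSLChannelInformation` does not match the `SSLChannelInfo` class the ChangeLog hunk announces; both should be reconciled with the name the module actually exports.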
@@ -3902,7 +3899,7 @@ PyDoc_STRVAR(SSL_get_ssl_version_from_major_minor_doc, :Parameters:\n\ major : int\n\ The major version number.\n\ - mainor : int\n\ + minor : int\n\ The minor version number.\n\ repr_kind : RepresentationKind constant\n\ Specifies what format the return value will be in.\n\ @@ -4177,7 +4174,7 @@ PyDoc_STRVAR(SSL_get_cipher_suite_info_doc, suite : int\n\ a cipher suite enumerated constant\n\ \n\ -Returns a `SSLCipherSuiteInfo object`.\n\ +Returns a `ssl.SSLCipherSuiteInfo`.\n\ "); static PyObject * commit f9ecf9c3855a5f2b32ca1f1cb02b31a749cb3ed3 Author: John Dennis Date: Mon Oct 27 10:03:47 2014 -0400 Added tag PYNSS_RELEASE_0_16_0 for changeset e07c4d352c1d diff --git a/.hgtags b/.hgtags index 7f6f84c..b209bbe 100644 --- a/.hgtags +++ b/.hgtags @@ -18,3 +18,5 @@ f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1 288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0 288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0 58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0 +58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0 +e07c4d352c1dd1ab78bdc73b4002e9724db5d0ec PYNSS_RELEASE_0_16_0 commit e1e4f1a74f5cc4d234e992290f52fe8373ffd25a Author: John Dennis Date: Mon Oct 27 10:02:59 2014 -0400 Added tag PYNSS_RELEASE_0_16_0 for changeset 58faa8ba467a diff --git a/.hgtags b/.hgtags index 17e02d6..7f6f84c 100644 --- a/.hgtags +++ b/.hgtags @@ -16,3 +16,5 @@ e9302e97739fc677b660d6324efadea8294131ea PYNSS_RELEASE_0_14_1 f2e11eec0c32dea551baf152b88b621c6b2bf8ad PYNSS_RELEASE_0_14_1 73d6871d2b0770fa7f00e691c85f314bc0849309 PYNSS_RELEASE_0_15_0 288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0 +288f6ba8cd7148cc0b18be609d5a2466f6c4e49e PYNSS_RELEASE_0_16_0 +58faa8ba467adc3a9f60c888671b8d5e9220801c PYNSS_RELEASE_0_16_0 commit d11afcac6fa541ae2e629d70ad5e71d8dcef682c Author: John Dennis Date: Mon Oct 27 10:02:19 2014 -0400 Add SSLCipherSuiteInfo, SSLChannelInfo classes. Add SSLSocket.connection_info* 
diff --git a/doc/ChangeLog b/doc/ChangeLog index c03df82..dcf5260 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,20 +1,49 @@ 2014-10-21 John Dennis 0.16.0 The primary enhancements in this version is adding support for the - setting trust attributes on a Certificate and the SSL version range API. + setting trust attributes on a Certificate, the SSL version range API, + information on the SSL cipher suites and information on the SSL connection. * The following module functions were added: - - get_default_ssl_version_range - - get_supported_ssl_version_range - - set_default_ssl_version_range - - ssl_library_version_from_name - - ssl_library_version_name + + - ssl.get_ssl_version_from_major_minor + - ssl.get_default_ssl_version_range + - ssl.get_supported_ssl_version_range + - ssl.set_default_ssl_version_range + - ssl.ssl_library_version_from_name + - ssl.ssl_library_version_name + - ssl.get_cipher_suite_info + - ssl.ssl_cipher_suite_name + - ssl.ssl_cipher_suite_from_name + + * The following deprecated module functions were removed: + + - ssl.nssinit + - ssl.nss_ini + - ssl.nss_shutdown + + * The following classes were added: + + - SSLCipherSuiteInfo + - SSLChannelInfo * The following class methods were added: - Certificate.trust_flags - Certificate.set_trust_attributes + - SSLSocket.set_ssl_version_range - SSLSocket.get_ssl_version_range + - SSLSocket.get_ssl_channel_info + - SSLSocket.get_negotiated_host + - SSLSocket.connection_info_format_lines + - SSLSocket.connection_info_format + - SSLSocket.connection_info_str + + - SSLCipherSuiteInfo.format_lines + - SSLCipherSuiteInfo.format + + - SSLChannelInfo.format_lines + - SSLChannelInfo.format * The following class properties were added: 
@@ -22,6 +51,42 @@ - Certificate.email_trust_flags - Certificate.signing_trust_flags + - SSLCipherSuiteInfo.cipher_suite + - SSLCipherSuiteInfo.cipher_suite_name + - SSLCipherSuiteInfo.auth_algorithm + - SSLCipherSuiteInfo.auth_algorithm_name + - SSLCipherSuiteInfo.kea_type + - SSLCipherSuiteInfo.kea_type_name + - SSLCipherSuiteInfo.symmetric_cipher + - SSLCipherSuiteInfo.symmetric_cipher_name + - SSLCipherSuiteInfo.symmetric_key_bits + - SSLCipherSuiteInfo.symmetric_key_space + - SSLCipherSuiteInfo.effective_key_bits + - SSLCipherSuiteInfo.mac_algorithm + - SSLCipherSuiteInfo.mac_algorithm_name + - SSLCipherSuiteInfo.mac_bits + - SSLCipherSuiteInfo.is_fips + - SSLCipherSuiteInfo.is_exportable + - SSLCipherSuiteInfo.is_nonstandard + + - SSLChannelInfo.protocol_version + - SSLChannelInfo.protocol_version_str + - SSLChannelInfo.protocol_version_enum + - SSLChannelInfo.major_protocol_version + - SSLChannelInfo.minor_protocol_version + - SSLChannelInfo.cipher_suite + - SSLChannelInfo.auth_key_bits + - SSLChannelInfo.kea_key_bits + - SSLChannelInfo.creation_time + - SSLChannelInfo.creation_time_utc + - SSLChannelInfo.last_access_time + - SSLChannelInfo.last_access_time_utc + - SSLChannelInfo.expiration_time + - SSLChannelInfo.expiration_time_utc + - SSLChannelInfo.compression_method + - SSLChannelInfo.compression_method_name + - SSLChannelInfo.session_id + * The following files were added: - doc/examples/cert_trust.py @@ -131,6 +196,7 @@ - ssl.tls1.3 * The following methods were missing thread locks, this has been fixed. + - nss.nss_initialize - nss.nss_init_context - nss.nss_shutdown_context diff --git a/doc/examples/ssl_example.py b/doc/examples/ssl_example.py index 74b83d7..e5084bb 100755 --- a/doc/examples/ssl_example.py +++ b/doc/examples/ssl_example.py 
@@ -40,7 +40,13 @@ def password_callback(slot, retry, password): return getpass.getpass("Enter password: "); def handshake_callback(sock): - print "handshake complete, peer = %s" % (sock.get_peer_name()) + print "-- handshake complete --" + print "peer: %s" % (sock.get_peer_name()) + print "negotiated host: %s" % (sock.get_negotiated_host()) + print + print sock.connection_info_str() + print "-- handshake complete --" + print def auth_certificate_callback(sock, check_sig, is_server, certdb): print "auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server) @@ -382,6 +388,12 @@ parser.add_argument('--request-cert-once', dest='client_cert_action', parser.add_argument('--request-cert-always', dest='client_cert_action', action='store_const', const=REQUEST_CLIENT_CERT_ALWAYS) +parser.add_argument('--min-ssl-version', + help='minimum SSL version') + +parser.add_argument('--max-ssl-version', + help='minimum SSL version') + parser.set_defaults(client = False, server = False, db_name = 'sql:pki', 
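Review bot: in the ssl_example.py hunk @@ -382,6 +388,12 the help string of `--max-ssl-version` was copied from `--min-ssl-version`, so `--help` describes both options as `minimum SSL version`; change the second one to `help='maximum SSL version'` and say which values are accepted (the version names understood by ssl.ssl_library_version_from_name), because the string is passed straight to ssl.set_default_ssl_version_range.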
@@ -413,7 +425,34 @@ else: ssl.set_domestic_policy() nss.set_password_callback(password_callback) -# Run as a client or as a server +min_ssl_version, max_ssl_version = \ + ssl.get_supported_ssl_version_range(repr_kind=nss.AsString) +print "Supported SSL version range: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + +min_ssl_version, max_ssl_version = \ + ssl.get_default_ssl_version_range(repr_kind=nss.AsString) +print "Default SSL version range: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + +if options.min_ssl_version is not None or \ + options.max_ssl_version is not None: + + if options.min_ssl_version is not None: + min_ssl_version = options.min_ssl_version + if options.max_ssl_version is not None: + max_ssl_version = options.max_ssl_version + + print "Setting default SSL version range: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + ssl.set_default_ssl_version_range(min_ssl_version, max_ssl_version) + + min_ssl_version, max_ssl_version = \ + ssl.get_default_ssl_version_range(repr_kind=nss.AsString) + print "Default SSL version range now: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + +# Run as a client or as a serveri if options.client: print "starting as client" Client() diff --git a/doc/examples/ssl_version_range.py b/doc/examples/ssl_version_range.py index 11fe85e..c784a99 100644 --- a/doc/examples/ssl_version_range.py +++ b/doc/examples/ssl_version_range.py @@ -118,3 +118,5 @@ for name in names: enum = ssl.ssl_library_version_from_name(name) enum_name = ssl.ssl_library_version_name(enum, nss.AsString) print "name='%s' -> %s (%#06x)" % (name, enum_name, enum) + + diff --git a/doc/examples/verify_server.py b/doc/examples/verify_server.py index e58c21e..3318ed7 100755 --- a/doc/examples/verify_server.py +++ b/doc/examples/verify_server.py 
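Review bot: the comment rewritten at the end of the ssl_example.py hunk @@ -413,7 +425,34 gained a stray character, `+# Run as a client or as a serveri`; it should read `# Run as a client or as a server`. In the same hunk the user-supplied min and max names are handed to ssl.set_default_ssl_version_range with no try/except, unlike the identical block that verify_server.py places inside its try, so an unknown version name or an inverted range ends the script with a raw traceback; wrap the call and report the error on stderr the way verify_server.py does. The two copies of this block are line-for-line identical, which is acceptable for stand-alone examples, but a comment pointing at the other file would help later fixes land in both.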
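Review bot: the ssl_version_range.py hunk @@ -118,3 +118,5 adds nothing but two blank lines at end of file; drop it from the patch, trailing blank lines are whitespace noise that some linters flag and that has no place in a feature change.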
@@ -27,7 +27,13 @@ GET /index.html HTTP/1.0 # ----------------------------------------------------------------------------- def handshake_callback(sock): - print "handshake complete, peer = %s" % (sock.get_peer_name()) + print "-- handshake complete --" + print "peer: %s" % (sock.get_peer_name()) + print "negotiated host: %s" % (sock.get_negotiated_host()) + print + print sock.connection_info_str() + print "-- handshake complete --" + print def auth_certificate_callback(sock, check_sig, is_server, certdb): print "auth_certificate_callback: check_sig=%s is_server=%s" % (check_sig, is_server) 
@@ -170,14 +176,48 @@ parser.set_defaults(db_name = 'sql:pki', port = 443, ) +parser.add_argument('--min-ssl-version', + help='minimum SSL version') + +parser.add_argument('--max-ssl-version', + help='minimum SSL version') + options = parser.parse_args() # Perform basic configuration and setup try: nss.nss_init(options.db_name) ssl.set_domestic_policy() + + min_ssl_version, max_ssl_version = \ + ssl.get_supported_ssl_version_range(repr_kind=nss.AsString) + print "Supported SSL version range: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + + min_ssl_version, max_ssl_version = \ + ssl.get_default_ssl_version_range(repr_kind=nss.AsString) + print "Default SSL version range: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + + if options.min_ssl_version is not None or \ + options.max_ssl_version is not None: + + if options.min_ssl_version is not None: + min_ssl_version = options.min_ssl_version + if options.max_ssl_version is not None: + max_ssl_version = options.max_ssl_version + + print "Setting default SSL version range: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + ssl.set_default_ssl_version_range(min_ssl_version, max_ssl_version) + + min_ssl_version, max_ssl_version = \ + ssl.get_default_ssl_version_range(repr_kind=nss.AsString) + print "Default SSL version range now: min=%s, max=%s" % \ + (min_ssl_version, max_ssl_version) + except Exception, e: - print >>sys.stderr, e.strerror + print >>sys.stderr, str(e) sys.exit(1) client() diff --git a/src/SECerrs.h b/src/SECerrs.h index 04d0c11..8b6b36f 100644 --- a/src/SECerrs.h +++ b/src/SECerrs.h @@ -115,7 +115,7 @@ ER3(SEC_ERROR_EXTENSION_NOT_FOUND, (SEC_ERROR_BASE + 35), ER3(SEC_ERROR_CA_CERT_INVALID, (SEC_ERROR_BASE + 36), "Issuer certificate is invalid.") - + ER3(SEC_ERROR_PATH_LEN_CONSTRAINT_INVALID, (SEC_ERROR_BASE + 37), "Certificate path length constraint is invalid.") 
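Review bot: the `--max-ssl-version` option added in the verify_server.py hunk @@ -170,14 +176,48 carries the same copy-pasted help text as in ssl_example.py, `help='minimum SSL version'`, so both the minimum and the maximum option claim to set the minimum; make it `help='maximum SSL version'`. Replacing `e.strerror` with `str(e)` in the except clause at the end of the hunk is right, since not every exception that can now escape this try block carries a strerror attribute and the old handler would have died with its own AttributeError instead of printing the real error.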
@@ -343,7 +343,7 @@ ER3(SEC_ERROR_JS_DEL_MOD_FAILURE, (SEC_ERROR_BASE + 109), ER3(SEC_ERROR_OLD_KRL, (SEC_ERROR_BASE + 110), "New KRL is not later than the current one.") - + ER3(SEC_ERROR_CKL_CONFLICT, (SEC_ERROR_BASE + 111), "New CKL has different issuer than current CKL. Delete current CKL.") @@ -515,9 +515,6 @@ ER3(SEC_ERROR_BAD_INFO_ACCESS_LOCATION, (SEC_ERROR_BASE + 165), ER3(SEC_ERROR_LIBPKIX_INTERNAL, (SEC_ERROR_BASE + 166), "Libpkix internal error occurred during cert validation.") -#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13) - - ER3(SEC_ERROR_PKCS11_GENERAL_ERROR, (SEC_ERROR_BASE + 167), "A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.") @@ -545,10 +542,6 @@ ER3(SEC_ERROR_UNKNOWN_PKCS11_ERROR, (SEC_ERROR_BASE + 174), ER3(SEC_ERROR_BAD_CRL_DP_URL, (SEC_ERROR_BASE + 175), "Invalid or unsupported URL in CRL distribution point name.") -#endif - -#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14) - ER3(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED, (SEC_ERROR_BASE + 176), "The certificate was signed using a signature algorithm that is disabled because it is not secure.") @@ -558,4 +551,3 @@ ER3(SEC_ERROR_LEGACY_DATABASE, (SEC_ERROR_BASE + 177), ER3(SEC_ERROR_APPLICATION_CALLBACK_ERROR, (SEC_ERROR_BASE + 178), "The certificate was rejected by extra checks in the application.") -#endif diff --git a/src/SSLerrs.h b/src/SSLerrs.h index 7e05af2..174037b 100644 --- a/src/SSLerrs.h +++ b/src/SSLerrs.h @@ -359,8 +359,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 109), ER3(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET, (SSL_ERROR_BASE + 110), "SSL received a malformed New Session Ticket handshake message.") -#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13) - ER3(SSL_ERROR_DECOMPRESSION_FAILURE, (SSL_ERROR_BASE + 111), "SSL received a compressed record that could not be decompressed.") 
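Review bot: deleting the `#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 13)` and `>= 14` guards in the SECerrs.h hunks @@ -515,9 +515,6 through @@ -558,4 +551,3 makes every entry up to SEC_ERROR_APPLICATION_CALLBACK_ERROR unconditional, so the module no longer builds against the older NSS releases the guards existed for; nothing in this patch adds a matching minimum-version check (setup.py is not touched, and the SSLerrs.h hunk @@ -359,8 +359,6 drops its guard the same way), so either document and enforce the new minimum NSS version at build time or keep the guards.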
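Review bot: the SECerrs.h hunks @@ -115,7 +115,7 and @@ -343,7 +343,7 change only trailing whitespace on a blank line; keep whitespace-only cleanups out of a feature patch, or at least call them out in the commit message, because they pad the diff and invite conflicts on the next sync with the NSS headers.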
@@ -376,10 +374,6 @@ ER3(SSL_ERROR_RX_UNEXPECTED_UNCOMPRESSED_RECORD, (SSL_ERROR_BASE + 114), ER3(SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY, (SSL_ERROR_BASE + 115), "SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.") -#endif - -#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 14) - ER3(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID, (SSL_ERROR_BASE + 116), "SSL received invalid NPN extension data.") @@ -407,11 +401,24 @@ ER3(SSL_ERROR_RX_UNEXPECTED_HELLO_VERIFY_REQUEST, (SSL_ERROR_BASE + 123), ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION, (SSL_ERROR_BASE + 124), "SSL feature not supported for the protocol version.") -#endif - -#if (NSS_VMAJOR > 3) || (NSS_VMAJOR == 3 && NSS_VMINOR >= 15) - ER3(SSL_ERROR_RX_UNEXPECTED_CERT_STATUS, (SSL_ERROR_BASE + 125), "SSL received an unexpected Certificate Status handshake message.") -#endif +ER3(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, (SSL_ERROR_BASE + 126), +"Unsupported hash algorithm used by TLS peer.") + +ER3(SSL_ERROR_DIGEST_FAILURE, (SSL_ERROR_BASE + 127), +"Digest function failed.") + +ER3(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, (SSL_ERROR_BASE + 128), +"Incorrect signature algorithm specified in a digitally-signed element.") + +ER3(SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK, (SSL_ERROR_BASE + 129), +"The next protocol negotiation extension was enabled, but the callback was cleared prior to being needed.") + +ER3(SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL, (SSL_ERROR_BASE + 130), +"The server supports no protocols that the client advertises in the ALPN extension.") + +ER3(SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT, (SSL_ERROR_BASE + 131), +"The server rejected the handshake because the client downgraded to a lower " +"TLS version than the server supports.") diff --git a/src/py_nspr_common.h b/src/py_nspr_common.h index b576d15..d123139 100644 --- a/src/py_nspr_common.h +++ b/src/py_nspr_common.h 
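Review bot: the six entries SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM (+126) through SSL_ERROR_INAPPROPRIATE_FALLBACK_ALERT (+131) added in the SSLerrs.h hunk @@ -407,11 +401,24 arrive in the same change that drops the `>= 15` version guard, so the table now compiles only against an NSS new enough to define all six enumerators, the fallback alert for TLS_FALLBACK_SCSV being the newest of them; state that minimum NSS version in the ChangeLog and enforce it in the build. Also check each numeric offset against the sslerr.h of the NSS release you target: the table pairs a value with its message, so an off-by-one here would attach the wrong text to a real handshake failure such as the inappropriate-fallback alert, which is exactly the error an operator needs to read correctly when investigating a protocol downgrade.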
@@ -4,6 +4,8 @@ //#define DEBUG +typedef PyObject *(*format_lines_func)(PyObject *self, PyObject *args, PyObject *kwds); + typedef enum RepresentationKindEnum { AsObject, AsString, 
@@ -50,6 +52,107 @@ do { \ } while (0) +/******************************************************************************/ + +#define OCTETS_PER_LINE_DEFAULT 16 +#define HEX_SEPARATOR_DEFAULT ":" + +#define FMT_OBJ_AND_APPEND(dst_fmt_tuples, label, src_obj, level, fail) \ +{ \ + PyObject *fmt_tuple = NULL; \ + \ + if ((fmt_tuple = line_fmt_tuple(level, label, src_obj)) == NULL) { \ + goto fail; \ + } \ + if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \ + Py_DECREF(fmt_tuple); \ + goto fail; \ + } \ +} + +#define FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail) \ +{ \ + PyObject *fmt_tuple = NULL; \ + \ + if ((fmt_tuple = fmt_label(level, label)) == NULL) { \ + goto fail; \ + } \ + if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \ + Py_DECREF(fmt_tuple); \ + goto fail; \ + } \ +} + +#define APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, src_fmt_tuples, fail) \ +{ \ + PyObject *src_obj; \ + Py_ssize_t len, i; \ + if (src_fmt_tuples) { \ + len = PyList_Size(src_fmt_tuples); \ + for (i = 0; i < len; i++) { \ + src_obj = PyList_GetItem(src_fmt_tuples, i); \ + PyList_Append(dst_fmt_tuples, src_obj); \ + } \ + Py_CLEAR(src_fmt_tuples); \ + } \ +} + +#define APPEND_LINES_AND_CLEAR(dst_fmt_tuples, src_lines, level, fail) \ +{ \ + PyObject *src_obj; \ + Py_ssize_t len, i; \ + if (src_lines) { \ + len = PySequence_Size(src_lines); \ + for (i = 0; i < len; i++) { \ + src_obj = PySequence_GetItem(src_lines, i); \ + FMT_OBJ_AND_APPEND(dst_fmt_tuples, NULL, src_obj, level, fail); \ + Py_DECREF(src_obj); \ + } \ + Py_CLEAR(src_lines); \ + } \ +} + +#define CALL_FORMAT_LINES_AND_APPEND(dst_fmt_tuples, obj, level, fail) \ +{ \ + PyObject *obj_line_fmt_tuples; \ + \ + if ((obj_line_fmt_tuples = \ + PyObject_CallMethod(obj, "format_lines", \ + "(i)", level)) == NULL) { \ + goto fail; \ + } \ + \ + APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_line_fmt_tuples, fail); \ +} + + +#define APPEND_OBJ_TO_HEX_LINES_AND_CLEAR(dst_fmt_tuples, obj, level, fail) \ +{ \ + 
PyObject *obj_lines; \ + \ + if ((obj_lines = obj_to_hex(obj, OCTETS_PER_LINE_DEFAULT, \ + HEX_SEPARATOR_DEFAULT)) == NULL) { \ + goto fail; \ + } \ + Py_CLEAR(obj); \ + APPEND_LINES_AND_CLEAR(dst_fmt_tuples, obj_lines, level, fail); \ +} + +#define FMT_SEC_INT_OBJ_APPEND_AND_CLEAR(dst_fmt_tuples, label, obj, level, fail) \ +{ \ + PyObject *obj_lines = NULL; \ + SecItem *item = (SecItem *)obj; \ + \ + FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail); \ + if ((obj_lines = secitem_integer_format_lines(&item->item, level+1)) == NULL) { \ + goto fail; \ + } \ + Py_CLEAR(obj); \ + APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_lines, fail); \ +} + +/******************************************************************************/ + // Gettext #ifndef _ #define _(s) s diff --git a/src/py_nss.c b/src/py_nss.c index 95d3958..a34fae3 100644 --- a/src/py_nss.c +++ b/src/py_nss.c @@ -355,10 +355,12 @@ NewType_new_from_NSSType(NSSType *id) #define PY_SSIZE_T_CLEAN #include "Python.h" #include "structmember.h" +#include "datetime.h" #include "py_nspr_common.h" #define NSS_NSS_MODULE #include "py_nss.h" +#include "py_shared_doc.h" #include "py_nspr_error.h" #include "secder.h" @@ -379,8 +381,6 @@ NewType_new_from_NSSType(NSSType *id) #define MAX_AVAS 10 #define MAX_RDNS 10 -#define OCTETS_PER_LINE_DEFAULT 16 -#define HEX_SEPARATOR_DEFAULT ":" #ifdef DEBUG #include "py_traceback.h" @@ -534,8 +534,6 @@ PyString_UTF8(PyObject *obj, char *name); /* ========================================================================== */ -typedef PyObject *(*format_lines_func)(PyObject *self, PyObject *args, PyObject *kwds); - static PyObject * line_fmt_tuple(int level, const char *label, PyObject *py_value); 
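Review bot: the macros moved into py_nspr_common.h at @@ -50,6 +52,107 keep error-handling gaps that are worth closing now that two modules share them: APPEND_LINE_TUPLES_AND_CLEAR ignores the return value of `PyList_Append(dst_fmt_tuples, src_obj);` and never uses its `fail` argument, so an append failure is silently dropped; APPEND_LINES_AND_CLEAR does not check `src_obj = PySequence_GetItem(src_lines, i);` for NULL and, because FMT_OBJ_AND_APPEND jumps to `fail` before the `Py_DECREF(src_obj);`, leaks that new reference on every error path; and FMT_SEC_INT_OBJ_APPEND_AND_CLEAR clears `obj` only on success, so each caller's fail label has to know whether it still owns it. Suggest checking both calls and jumping to fail, moving the DECREF ahead of the goto, and wrapping these bodies in `do { ... } while (0)` like the macro just above them in this header, since a bare `{ ... }` followed by `;` breaks inside an if/else without braces.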
@@ -554,140 +552,6 @@ format_from_lines(format_lines_func formatter, PyObject *self, PyObject *args, P static PyObject * py_indented_format(PyObject *self, PyObject *args, PyObject *kwds); -#define FMT_OBJ_AND_APPEND(dst_fmt_tuples, label, src_obj, level, fail) \ -{ \ - PyObject *fmt_tuple = NULL; \ - \ - if ((fmt_tuple = line_fmt_tuple(level, label, src_obj)) == NULL) { \ - goto fail; \ - } \ - if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \ - Py_DECREF(fmt_tuple); \ - goto fail; \ - } \ -} - -#define FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail) \ -{ \ - PyObject *fmt_tuple = NULL; \ - \ - if ((fmt_tuple = fmt_label(level, label)) == NULL) { \ - goto fail; \ - } \ - if (PyList_Append(dst_fmt_tuples, fmt_tuple) != 0) { \ - Py_DECREF(fmt_tuple); \ - goto fail; \ - } \ -} - -#define APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, src_fmt_tuples, fail) \ -{ \ - PyObject *src_obj; \ - Py_ssize_t len, i; \ - if (src_fmt_tuples) { \ - len = PyList_Size(src_fmt_tuples); \ - for (i = 0; i < len; i++) { \ - src_obj = PyList_GetItem(src_fmt_tuples, i); \ - PyList_Append(dst_fmt_tuples, src_obj); \ - } \ - Py_CLEAR(src_fmt_tuples); \ - } \ -} - -#define APPEND_LINES_AND_CLEAR(dst_fmt_tuples, src_lines, level, fail) \ -{ \ - PyObject *src_obj; \ - Py_ssize_t len, i; \ - if (src_lines) { \ - len = PySequence_Size(src_lines); \ - for (i = 0; i < len; i++) { \ - src_obj = PySequence_GetItem(src_lines, i); \ - FMT_OBJ_AND_APPEND(dst_fmt_tuples, NULL, src_obj, level, fail); \ - Py_DECREF(src_obj); \ - } \ - Py_CLEAR(src_lines); \ - } \ -} - -#define CALL_FORMAT_LINES_AND_APPEND(dst_fmt_tuples, obj, level, fail) \ -{ \ - PyObject *obj_line_fmt_tuples; \ - \ - if ((obj_line_fmt_tuples = \ - PyObject_CallMethod(obj, "format_lines", \ - "(i)", level)) == NULL) { \ - goto fail; \ - } \ - \ - APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_line_fmt_tuples, fail); \ -} - - -#define APPEND_OBJ_TO_HEX_LINES_AND_CLEAR(dst_fmt_tuples, obj, level, fail) \ -{ \ - PyObject 
*obj_lines; \ - \ - if ((obj_lines = obj_to_hex(obj, OCTETS_PER_LINE_DEFAULT, \ - HEX_SEPARATOR_DEFAULT)) == NULL) { \ - goto fail; \ - } \ - Py_CLEAR(obj); \ - APPEND_LINES_AND_CLEAR(dst_fmt_tuples, obj_lines, level, fail); \ -} - -#define FMT_SEC_INT_OBJ_APPEND_AND_CLEAR(dst_fmt_tuples, label, obj, level, fail) \ -{ \ - PyObject *obj_lines = NULL; \ - SecItem *item = (SecItem *)obj; \ - \ - FMT_LABEL_AND_APPEND(dst_fmt_tuples, label, level, fail); \ - if ((obj_lines = secitem_integer_format_lines(&item->item, level+1)) == NULL) { \ - goto fail; \ - } \ - Py_CLEAR(obj); \ - APPEND_LINE_TUPLES_AND_CLEAR(dst_fmt_tuples, obj_lines, fail); \ -} - -PyDoc_STRVAR(generic_format_doc, -"format(level=0, indent=' ') -> string)\n\ -\n\ -:Parameters:\n\ - level : integer\n\ - Initial indentation level, all subsequent indents are relative\n\ - to this starting level.\n\ - indent : string\n\ - string replicated once for each indent level then prepended to output line\n\ -\n\ -This is equivalent to:\n\ -indented_format(obj.format_lines()) on an object providing a format_lines() method.\n\ -"); - -PyDoc_STRVAR(generic_format_lines_doc, -"format_lines(level=0) -> [(level, string),...]\n\ -\n\ -:Parameters:\n\ - level : integer\n\ - Initial indentation level, all subsequent indents are relative\n\ - to this starting level.\n\ -\n\ -Formats the object into a sequence of lines with indent level\n\ -information. The return value is a list where each list item is a\n\ -tuple. The first item in the tuple is an integer\n\ -representing the indentation level for that line. 
Any remaining items\n\ -in the tuple are strings to be output on that line.\n\ -\n\ -The output of this function can be formatted into a single string by\n\ -calling `indented_format()`, e.g.:\n\ -\n\ - print indented_format(obj.format_lines())\n\ -\n\ -The reason this function returns a tuple as opposed to an single\n\ -indented string is to support other text formatting systems such as\n\ -GUI's with indentation controls. See `indented_format()` for a\n\ -complete explanation.\n\ -"); - - /* Steals reference to obj_str */ static PyObject * line_fmt_tuple(int level, const char *label, PyObject *py_value) @@ -1794,6 +1658,9 @@ CERTCertExtensions_from_CERTAttribute(PRArenaPool *arena, static SECStatus My_CERT_GetCertificateRequestExtensions(CERTCertificateRequest *req, CERTCertExtension ***exts); +static PyObject * +timestamp_to_DateTime(time_t timestamp, bool utc); + /* ==================================== */ typedef struct BitStringTableStr { @@ -1844,6 +1711,23 @@ static BitStringTable CertTypeDef[] = { BITSTRING_TBL_INIT(NS_CERT_TYPE_OBJECT_SIGNING_CA, _("Object Signing CA") ), /* bit 7 */ }; +static PyObject * +timestamp_to_DateTime(time_t timestamp, bool utc) +{ + double d_timestamp = timestamp; + PyObject *py_datetime = NULL; + char *method; + + method = utc ? "utcfromtimestamp" : "fromtimestamp"; + if ((py_datetime = + PyObject_CallMethod((PyObject *)PyDateTimeAPI->DateTimeType, + method, "(d)", d_timestamp)) == NULL) { + return NULL; + } + + return py_datetime; +} + /* returns new reference or NULL on error */ PyObject * PyString_UTF8(PyObject *obj, char *name) @@ -5209,6 +5093,8 @@ SecItem_str(SecItem *self) break; case SECITEM_algorithm: return oid_secitem_to_pystr_desc(&self->item); + case SECITEM_buffer: + return secitem_to_pystr_hex(&self->item); default: return der_any_secitem_to_pystr(&self->item); break; 
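Review bot: the docstrings removed in the py_nss.c hunk @@ -554,140 +552,6 are re-added verbatim in src/py_shared_doc.h, typos included: the signature line `format(level=0, indent=' ') -> string)` has an unbalanced closing parenthesis, and the format_lines text reads `an single indented string` and `GUI's with indentation controls`; since the move creates the new file anyway, fix them there (`-> string`, `a single`, `GUIs`).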
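Review bot: timestamp_to_DateTime in the py_nss.c hunk @@ -1844,6 +1711,23 builds both variants with `utcfromtimestamp` and `fromtimestamp`, which return naive datetime objects, so the creation_time and creation_time_utc style properties listed in the ChangeLog differ by the local UTC offset yet neither carries tzinfo, and comparing one with the other would be wrong; say so in the property docstrings, or attach a UTC tzinfo to the utc variant. The function also relies on PyDateTimeAPI, which the `PyDateTime_IMPORT;` added to initnss() initialises for py_nss.c only; exporting it through nspr_nss_c_api is fine because the call runs py_nss.c's code, but a one-line comment next to the export would save the next reader from wondering whether py_ssl.c needs its own PyDateTime_IMPORT.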
@@ -23973,6 +23859,13 @@ static PyNSPR_NSS_C_API_Type nspr_nss_c_api = cert_distnames_as_CERTDistNames, _AddIntConstantWithLookup, _AddIntConstantAlias, + format_from_lines, + line_fmt_tuple, + obj_sprintf, + obj_to_hex, + raw_data_to_hex, + fmt_label, + timestamp_to_DateTime }; /* ============================== Module Construction ============================= */ @@ -23991,6 +23884,8 @@ initnss(void) return; } + PyDateTime_IMPORT; + if ((m = Py_InitModule3("nss.nss", module_methods, module_doc)) == NULL) { return; } diff --git a/src/py_nss.h b/src/py_nss.h index c9661e2..1fb858a 100644 --- a/src/py_nss.h +++ b/src/py_nss.h @@ -414,6 +414,18 @@ typedef struct { PyObject *value_to_name); int (*_AddIntConstantAlias)(const char *name, long value, PyObject *name_to_value); + PyObject *(*format_from_lines)(format_lines_func formatter, PyObject *self, + PyObject *args, PyObject *kwds); + PyObject *(*line_fmt_tuple)(int level, const char *label, + PyObject *py_value); + PyObject *(*obj_sprintf)(const char *fmt, ...); + PyObject *(*obj_to_hex)(PyObject *obj, + int octets_per_line, char *separator); + PyObject *(*raw_data_to_hex)(unsigned char *data, int data_len, + int octets_per_line, char *separator); + PyObject *(*fmt_label)(int level, char *label); + PyObject *(*timestamp_to_DateTime)(time_t timestamp, bool utc); + } PyNSPR_NSS_C_API_Type; 
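Review bot: the new C API slot in the py_nss.h hunk @@ -414,6 +414,18, `PyObject *(*timestamp_to_DateTime)(time_t timestamp, bool utc);`, introduces `bool` and `time_t` into a header consumed by other modules, and the hunk adds no `<stdbool.h>` or `<time.h>`; either include them here or use PRBool/PRTime, which the NSPR headers already provide, so py_ssl.c does not depend on include order. The seven entries appended to nspr_nss_c_api in the py_nss.c hunk @@ -23973,6 +23859,13 are positional and must stay in exactly the order of the struct; switching that table to designated initializers (`.timestamp_to_DateTime = timestamp_to_DateTime`) turns a future reorder into a compile-time error instead of a silent call through the wrong pointer.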
@@ -452,6 +464,13 @@ static PyNSPR_NSS_C_API_Type nspr_nss_c_api; #define cert_distnames_as_CERTDistNames (*nspr_nss_c_api.cert_distnames_as_CERTDistNames) #define _AddIntConstantWithLookup (*nspr_nss_c_api._AddIntConstantWithLookup) #define _AddIntConstantAlias (*nspr_nss_c_api._AddIntConstantAlias) +#define format_from_lines (*nspr_nss_c_api.format_from_lines) +#define line_fmt_tuple (*nspr_nss_c_api.line_fmt_tuple) +#define obj_sprintf (*nspr_nss_c_api.obj_sprintf) +#define obj_to_hex (*nspr_nss_c_api.obj_to_hex) +#define raw_data_to_hex (*nspr_nss_c_api.raw_data_to_hex) +#define fmt_label (*nspr_nss_c_api.fmt_label) +#define timestamp_to_DateTime (*nspr_nss_c_api.timestamp_to_DateTime) static int import_nspr_nss_c_api(void) diff --git a/src/py_shared_doc.h b/src/py_shared_doc.h new file mode 100644 index 0000000..9a57279 --- /dev/null +++ b/src/py_shared_doc.h 
@@ -0,0 +1,43 @@ +#ifndef PY_SHARED_DOC_H +#define PY_SHARED_DOC_H + +PyDoc_STRVAR(generic_format_doc, +"format(level=0, indent=' ') -> string)\n\ +\n\ +:Parameters:\n\ + level : integer\n\ + Initial indentation level, all subsequent indents are relative\n\ + to this starting level.\n\ + indent : string\n\ + string replicated once for each indent level then prepended to output line\n\ +\n\ +This is equivalent to:\n\ +indented_format(obj.format_lines()) on an object providing a format_lines() method.\n\ +"); + +PyDoc_STRVAR(generic_format_lines_doc, +"format_lines(level=0) -> [(level, string),...]\n\ +\n\ +:Parameters:\n\ + level : integer\n\ + Initial indentation level, all subsequent indents are relative\n\ + to this starting level.\n\ +\n\ +Formats the object into a sequence of lines with indent level\n\ +information. The return value is a list where each list item is a\n\ +tuple. The first item in the tuple is an integer\n\ +representing the indentation level for that line. Any remaining items\n\ +in the tuple are strings to be output on that line.\n\ +\n\ +The output of this function can be formatted into a single string by\n\ +calling `indented_format()`, e.g.:\n\ +\n\ + print indented_format(obj.format_lines())\n\ +\n\ +The reason this function returns a tuple as opposed to an single\n\ +indented string is to support other text formatting systems such as\n\ +GUI's with indentation controls. See `indented_format()` for a\n\ +complete explanation.\n\ +"); + +#endif // PY_SHARED_DOC_H diff --git a/src/py_ssl.c b/src/py_ssl.c index a1dbdce..3e0dbf6 100644 --- a/src/py_ssl.c +++ b/src/py_ssl.c @@ -15,12 +15,18 @@ #define NSS_SSL_MODULE #include "py_ssl.h" #include "py_nss.h" +#include "py_shared_doc.h" #include "py_nspr_error.h" From tjaalton at moszumanska.debian.org Sun Aug 16 18:33:48 2015 
From: tjaalton at moszumanska.debian.org (Timo Aaltonen) Date: Sun, 16 Aug 2015 18:33:48 +0000 Subject: [Pkg-freeipa-devel] python-nss: Changes to 'refs/tags/debian/0.16.0-1' Message-ID: Tag 'debian/0.16.0-1' created by Timo Aaltonen at 2015-08-16 08:18 +0000 tagging package python-nss version debian/0.16.0-1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJV0EdhAAoJEMtwMWWoiYTcHRwP+wWJ/Hfi1YfFUtpZnLKJ7pbu GzXWjHEfsEPsXkc0oXrlJ/lkP0FGzCxI8QP5fyfSf4iaWMQc94pMZ1OZgvXlVonk S1dtJcoPvEx5fQp9cIleassLKQgkYz4MMmMiGCk6HSH33xnPSl7KyatX14zHARnE ceOG7aJBUzrBoQg3Vng7HMuM/iC07lcqO6upxVmJ6Vx5cI4BnqLcbmXi//sYt+bn 21ovrU99YiQ++MNDyF8hh3otLcDFDh1CMC0GkF3/g2zm4nnbSEjXSHtOdNvH1jOn ThYUtw8ENvKcYq8WlEUD6SQUm9Iwf1YvSu8LdpV5GPwdnJy+98PS2a1HQfzbl9dm 08JLn7eYuLGWEEVDsjcew4E7usTj7KawZIc3WcVup/szVCJrkGirPJRqYcFHVPDD I3xsyeYNDP4gQfQlJA4Dz2jue+s01HZbgn5FG/todqpWqUnepiik3qczs5q3ZiPB cMtbYMTlpdNoV0SYBecK9gPBdBaWP1AHoudMSd1PmBXo/NIahPobAe9x4nL3udxH HZi/IqcH1Clp0ouJlxFepHqvEVZKcZ9cLF4ahaBhp9cwzjrml8ObTk4lG4MTxXp2 akNNgIHTGzuaUrtBiqEzc+ZfM0LmtZIeS7hsMJ7m6G4FD6I6XcRBnIsGm46vS6gk 80frRACLJRX2AM6AJnJ2 =ZhoD -----END PGP SIGNATURE----- Changes since debian/0.15.0-1: John Dennis (11): Added tag PYNSS_RELEASE_0_15_0 for changeset 73d6871d2b07 Permit setting Certificate trust & query Certificate trust Add support for the SSL version range API Add ssl_version_range.py, missed it in previous commit. Added tag PYNSS_RELEASE_0_16_0 for changeset 288f6ba8cd71 Add SSLCipherSuiteInfo, SSLChannelInfo classes. 
Added tag PYNSS_RELEASE_0_16_0 for changeset 58faa8ba467a Added tag PYNSS_RELEASE_0_16_0 for changeset e07c4d352c1d Fix doc typos Added tag PYNSS_RELEASE_0_16_0 for changeset 07759f773c0b add py_shared_doc.h to MANIFEST Timo Aaltonen (3): Merge branch 'upstream' update the changelog releasing package python-nss version 0.16.0-1 --- .hgtags | 8 debian/changelog | 6 doc/ChangeLog | 203 +++ doc/examples/cert_trust.py | 165 ++ doc/examples/ssl_example.py | 43 doc/examples/ssl_version_range.py | 122 + doc/examples/verify_server.py | 44 setup.py | 2 src/SECerrs.h | 12 src/SSLerrs.h | 29 src/__init__.py | 14 src/py_nspr_common.h | 153 ++ src/py_nss.c | 486 +++++-- src/py_nss.h | 44 src/py_shared_doc.h | 43 src/py_ssl.c | 2359 ++++++++++++++++++++++++++++++++++---- src/py_ssl.h | 25 test/test_client_server.py | 9 18 files changed, 3319 insertions(+), 448 deletions(-) --- From ftpmaster at ftp-master.debian.org Sun Aug 16 18:35:34 2015 From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Sun, 16 Aug 2015 18:35:34 +0000 Subject: [Pkg-freeipa-devel] Processing of python-nss_0.16.0-1_amd64.changes Message-ID: python-nss_0.16.0-1_amd64.changes uploaded successfully to localhost along with the files: python-nss_0.16.0-1.dsc python-nss_0.16.0.orig.tar.bz2 python-nss_0.16.0-1.debian.tar.xz python-nss_0.16.0-1_amd64.deb Greetings, Your Debian queue daemon (running on host franck.debian.org) From ftpmaster at ftp-master.debian.org Sun Aug 16 19:07:06 2015 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Sun, 16 Aug 2015 19:07:06 +0000 Subject: [Pkg-freeipa-devel] python-nss_0.16.0-1_amd64.changes ACCEPTED into unstable Message-ID: Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.8 Date: Sun, 16 Aug 2015 11:18:20 +0300 Source: python-nss Binary: python-nss Architecture: source amd64 Version: 0.16.0-1 Distribution: unstable Urgency: medium Maintainer: Debian FreeIPA Team Changed-By: Timo Aaltonen Description: python-nss - Python bindings for Network Security Services (NSS) Changes: python-nss (0.16.0-1) unstable; urgency=medium . * New upstream release. Checksums-Sha1: 0a7c8498d6692ccfc843b880eaf27a1669baf58b 2019 python-nss_0.16.0-1.dsc f1f760f478bb784472675e77a433a01bb3da050f 208535 python-nss_0.16.0.orig.tar.bz2 2b605a7b8fd6cbce1e7f38cfce41f9cf31577b3c 2484 python-nss_0.16.0-1.debian.tar.xz 8f352a75dcd1f8a93fd7223cab1632f66a7f0e9c 197076 python-nss_0.16.0-1_amd64.deb Checksums-Sha256: c49ab82d98bc12c21168e953ec5392b0bc6699f9158cbaaed882d67b4ebc3d76 2019 python-nss_0.16.0-1.dsc cecd3a33c4cb4ab0f5a3c303a733b2eb62a3760b500e6b411313ab3b30f8e575 208535 python-nss_0.16.0.orig.tar.bz2 c8a0cfe1859cc3802362d01bf11fb08f9b55212f1f90528127f9b869f0e93d81 2484 python-nss_0.16.0-1.debian.tar.xz 7fd8422fccd47806fec1e950a25a384a659c64ce9bc6fd6cbe387b7e9591d6d7 197076 python-nss_0.16.0-1_amd64.deb Files: 4d40054190ad7b0ede62b405db8e76bc 2019 python extra python-nss_0.16.0-1.dsc 4fb3c230c7ea0b0ea860f713145c4422 208535 python extra python-nss_0.16.0.orig.tar.bz2 c2ba8ac7a3e361046a793aa99a919367 2484 python extra python-nss_0.16.0-1.debian.tar.xz 28e74981d8664b7f3202313df018d3ce 197076 python extra python-nss_0.16.0-1_amd64.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJV0NczAAoJEMtwMWWoiYTcX50P/2J3wgFLfFAmjrWqzcQ/4jGP j46bt7ZC3qYMs+w/ZWSeIow/8aoQU7m2sNgfYD26+TcKY0SZ9E7Z24SGgr8deacC jlYSN4WSMCYkRO9D2V/koR+TOd0xahFcvo816uUnNaZEALdtTVIBmhqSQ5BKysOs 
KSQDLo3Qu/Hizm0irKTJZu29IZl20s4Wn2PlU1yZbOESA2aWX02a7EdnS8y8BsFw adJ8l+bOPEMDm1FZchHt+dGoAjwj/ynZvkAIaKGrJ1iVoMhwyer4CS71PD3IU+qW iMwnbX/5MBNRfVWs1DyAaQEO3iOpUiqPkeaeixbQzet/ZAMd0AJuJV4Rypinl92F kK4Ho96WxGM7iAJAuVTIyuStD6GnKme5gt/IwgHZlHYHLNobpMmRb7q1w7FWF1Xl KlIGifCfKz46vaZcj5+ye/DcwqvVLvP31qSBY4Zbd7a1Jl25HAQyuc9uvv8c+ylq eeNHttwz36xNinnDx/3YLd/dW49r5UdXtaT18PU90RmgFZGgQRPNN6Ip2n5Va94W kplfGXR/+IiYIAl6JIGziTXLEpdJu7ZCg0wNimyBiTd6VxLsRLDRtPbuuJu9o7cI bjyVCISUD0vfk1RjPpFXZf1h3s1NMagpwRdG+cqdtzm4B9vWr3R9zJFc44hN/rRk ccm9W2kpAsWnGJWjn/zo =vOi3 -----END PGP SIGNATURE----- Thank you for your contribution to Debian. From tjaalton at moszumanska.debian.org Mon Aug 17 07:23:30 2015 From: tjaalton at moszumanska.debian.org (Timo Aaltonen) Date: Mon, 17 Aug 2015 07:23:30 +0000 Subject: [Pkg-freeipa-devel] tomcatjss: Changes to 'master' Message-ID: build.xml | 4 +- debian/changelog | 7 ++++ debian/patches/add-dummy-getprotocol.diff | 31 --------------------- debian/patches/series | 1 src/org/apache/tomcat/util/net/jss/JSSSupport.java | 4 ++ tomcatjss.spec | 8 ++++- 6 files changed, 20 insertions(+), 35 deletions(-) New commits: commit 5e21dba1c84d59a30105d79345a937defae6c783 Author: Timo Aaltonen Date: Mon Aug 17 10:23:20 2015 +0300 releasing package tomcatjss version 7.1.3-1 diff --git a/debian/changelog b/debian/changelog index c57c1b2..888db07 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,9 @@ -tomcatjss (7.1.3-1) UNRELEASED; urgency=medium +tomcatjss (7.1.3-1) unstable; urgency=medium * New upstream release. * add-dummy-getprotocol.diff: Removed, upstream. - -- Timo Aaltonen Mon, 17 Aug 2015 08:43:19 +0300 + -- Timo Aaltonen Mon, 17 Aug 2015 08:45:11 +0300 tomcatjss (7.1.2-1) unstable; urgency=medium commit 0c4f4371acbc7b396f378e01816f7076aeb7710b Author: Timo Aaltonen Date: Mon Aug 17 08:45:04 2015 +0300 new upstream, remove patch diff --git a/debian/changelog b/debian/changelog index 67513a5..c57c1b2 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,10 @@ +tomcatjss (7.1.3-1) UNRELEASED; urgency=medium + + * New upstream release. + * add-dummy-getprotocol.diff: Removed, upstream. + + -- Timo Aaltonen Mon, 17 Aug 2015 08:43:19 +0300 + tomcatjss (7.1.2-1) unstable; urgency=medium * New upstream release diff --git a/debian/patches/add-dummy-getprotocol.diff b/debian/patches/add-dummy-getprotocol.diff deleted file mode 100644 index a7c9620..0000000 --- a/debian/patches/add-dummy-getprotocol.diff +++ /dev/null @@ -1,31 +0,0 @@ -From 4bd20b44e0fa191c059f6b311663e7f8b396a5cb Mon Sep 17 00:00:00 2001 -From: "Endi S. Dewata" -Date: Wed, 22 Jul 2015 15:17:04 +0200 -Subject: [PATCH] Added JSSSupport.getProtocol(). - -A dummy getProtocol() has been added to JSSSupport in order -to build with newer Tomcat. - -https://bugzilla.redhat.com/show_bug.cgi?id=1245786 ---- - src/org/apache/tomcat/util/net/jss/JSSSupport.java | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/org/apache/tomcat/util/net/jss/JSSSupport.java b/src/org/apache/tomcat/util/net/jss/JSSSupport.java -index e243ca134852cefe7e8353d9b92eb5915004b0e8..4c04034d25396c3f6f3641b2844adb70d6c89100 100755 ---- a/src/org/apache/tomcat/util/net/jss/JSSSupport.java -+++ b/src/org/apache/tomcat/util/net/jss/JSSSupport.java -@@ -97,6 +97,10 @@ class JSSSupport implements SSLSupport { - return null; - } - -+ public String getProtocol() throws IOException { -+ return null; -+ } -+ - public String getSessionId() throws IOException { - return null; - } --- -2.4.6 - diff --git a/debian/patches/series b/debian/patches/series index 8104d92..6116b9d 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1 @@ fix-build.diff -add-dummy-getprotocol.diff commit fe66739e5485875cc68ba178bff855656adc72cb Author: Timo Aaltonen Date: Mon Aug 17 08:41:46 2015 +0300 Imported Upstream version 7.1.3 diff --git a/build.xml b/build.xml index eaa3bda..4bd13ec 100755 --- a/build.xml +++ b/build.xml @@ -37,8 +37,8 @@ - - + +
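Review bot: with add-dummy-getprotocol.diff dropped in the debian/patches/series hunk @@ -1,2 +1 @@, fix-build.diff is the only patch left and it has to apply to the 7.1.3 tree whose build.xml is modified by the import commit (the diffstat shows `build.xml | 4 +-`); confirm that the remaining patch still applies cleanly before upload, since a rejected hunk in fix-build.diff would only surface at package build time.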