Export keying material support by reaperhulk · Pull Request #725 · pyca/pyopenssl

reaperhulk · 2017-11-30T15:00:34Z

Continued from #686. Huge thanks to @kelbyludwig for doing all the work here.

alex · 2017-11-30T15:01:33Z

+        :return the exported key material bytes or None
+        """
+        outp = _no_zero_allocator("unsigned char[]", olen)
+        context_buf, context_len, use_context, success = _ffi.NULL, 0, 0, 0


Use normal assignment, not unpacking.

alex · 2017-11-30T15:02:50Z

+                                                  label, len(label),
+                                                  context_buf, context_len,
+                                                  use_context)
+        _openssl_assert(success == 1)


This function has error conditions on SSLv3 and some DTLS nonsense I didn't read very closely. Do we need to handle them?

alex

Can you add a test that changing the context/label causes the sides to compute different values?

codecov · 2017-11-30T15:27:01Z

Codecov Report

Merging #725 into master will increase coverage by 0.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #725      +/-   ##
==========================================
+ Coverage   97.04%   97.05%   +0.01%     
==========================================
  Files          18       18              
  Lines        5682     5711      +29     
  Branches      394      395       +1     
==========================================
+ Hits         5514     5543      +29     
  Misses        112      112              
  Partials       56       56

Impacted Files	Coverage Δ
src/OpenSSL/SSL.py	`94.95% <100%> (+0.06%)`	⬆️
tests/test_ssl.py	`99.12% <100%> (ø)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e738186...8d10090. Read the comment docs.

170: Scheduled weekly dependency update for week 49 r=mithrandi a=pyup-bot ## Updates Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need. <table align="center"> <tr> <td><b>cryptography</b></td> <td align="center">2.1.3</td> <td align="center">»</td> <td align="center">2.1.4</td> <td> <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pypi.python.org/pypi/cryptography">PyPI</a" rel="nofollow">https://pypi.python.org/pypi/cryptography">PyPI</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pyup.io/changelogs/cryptography/">Changelog</a" rel="nofollow">https://pyup.io/changelogs/cryptography/">Changelog</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://github.com/pyca/cryptography">Repo</a">https://github.com/pyca/cryptography">Repo</a> </td> <tr> <td><b>eliot</b></td> <td align="center">1.2.0</td> <td align="center">»</td> <td align="center">1.3.0</td> <td> <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pypi.python.org/pypi/eliot">PyPI</a" rel="nofollow">https://pypi.python.org/pypi/eliot">PyPI</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pyup.io/changelogs/eliot/">Changelog</a" rel="nofollow">https://pyup.io/changelogs/eliot/">Changelog</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://github.com/ClusterHQ/eliot/">Repo</a">https://github.com/ClusterHQ/eliot/">Repo</a> </td> <tr> <td><b>hypothesis</b></td> <td align="center">3.38.5</td> <td align="center">»</td> <td align="center">3.40.1</td> <td> <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pypi.python.org/pypi/hypothesis">PyPI</a" rel="nofollow">https://pypi.python.org/pypi/hypothesis">PyPI</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pyup.io/changelogs/hypothesis/">Changelog</a" rel="nofollow">https://pyup.io/changelogs/hypothesis/">Changelog</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://github.com/HypothesisWorks/hypothesis/issues">Repo</a">https://github.com/HypothesisWorks/hypothesis/issues">Repo</a> </td> <tr> <td><b>pyopenssl</b></td> <td align="center">17.4.0</td> <td align="center">»</td> <td align="center">17.5.0</td> <td> <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pypi.python.org/pypi/pyopenssl">PyPI</a" rel="nofollow">https://pypi.python.org/pypi/pyopenssl">PyPI</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pyup.io/changelogs/pyopenssl/">Changelog</a" rel="nofollow">https://pyup.io/changelogs/pyopenssl/">Changelog</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pyopenssl.org/">Homepage</a" rel="nofollow">https://pyopenssl.org/">Homepage</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"http://pythonhosted.org/pyOpenSSL/">Docs</a" rel="nofollow">http://pythonhosted.org/pyOpenSSL/">Docs</a> </td> </tr> </table> ## Changelogs ### eliot 1.2.0 -> 1.3.0 >### 1.3.0 ### hypothesis 3.38.5 -> 3.40.1 >### 3.40.1 >------------------- >This release makes two changes: >* It makes the calculation of some of the metadata that Hypothesis uses for > shrinking occur lazily. This should speed up performance of test case > generation a bit because it no longer calculates information it doesn't need. >* It improves the shrinker for certain classes of nested examples. e.g. when > shrinking lists of lists, the shrinker is now able to concatenate two > adjacent lists together into a single list. As a result of this change, > shrinking may get somewhat slower when the minimal example found is large. >------------------- >### 3.40.0 >------------------- >This release improves how various ways of seeding Hypothesis interact with the >example database: >* Using the example database with :func:`~hypothesis.seed` is now deprecated. > You should set ``database=None`` if you are doing that. This will only warn > if you actually load examples from the database while using ``seed``. >* The :attr:`~hypothesis.settings.derandomize` will behave the same way as > ``seed``. >* Using ``--hypothesis-seed`` will disable use of the database. >* If a test used examples from the database, it will not suggest using a seed > to reproduce it, because that won't work. >This work was funded by `Smarkets <https://smarkets.com/>`_. >------------------- >### 3.39.0 >------------------- >This release adds a new health check that checks if the smallest "natural" >possible example of your test case is very large - this will tend to cause >Hypothesis to generate bad examples and be quite slow. >This work was funded by `Smarkets <https://smarkets.com/>`_. >------------------- >### 3.38.9 >------------------- >This is a documentation release to improve the documentation of shrinking >behaviour for Hypothesis's strategies. >------------------- >### 3.38.8 >------------------- >This release improves the performance of >:func:`~hypothesis.strategies.characters` when using ``blacklist_characters`` >and :func:`~hypothesis.strategies.from_regex` when using negative character >classes. >The problems this fixes were found in the course of work funded by >`Smarkets <https://smarkets.com/>`_. >------------------- >### 3.38.7 >------------------- >This is a patch release for :func:`~hypothesis.strategies.from_regex`, which >had a bug in handling of the :obj:`python:re.VERBOSE` flag (:issue:`992`). >Flags are now handled correctly when parsing regex. >------------------- >### 3.38.6 >------------------- >This patch changes a few byte-string literals from double to single quotes, >thanks to an update in :pypi:`unify`. There are no user-visible changes. >------------------- ### pyopenssl 17.4.0 -> 17.5.0 >### 17.5.0 >------------------- >Backward-incompatible changes: >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >* The minimum ``cryptography`` version is now 2.1.4. >Deprecations: >^^^^^^^^^^^^^ >*none* >Changes: >^^^^^^^^ >- Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with ``cacerts``. > `723 <https://github.com/pyca/pyopenssl/pull/723>`_ >- Added ``Connection.export_keying_material`` for RFC 5705 compatible export of keying material. > `725 <https://github.com/pyca/pyopenssl/pull/725>`_ >---- That's it for now! Happy merging! 🤖

163: Scheduled weekly dependency update for week 49 r=mithrandi a=pyup-bot ## Updates Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need. <table align="center"> <tr> <td><b>cryptography</b></td> <td align="center">2.1.3</td> <td align="center">»</td> <td align="center">2.1.4</td> <td> <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pypi.python.org/pypi/cryptography">PyPI</a" rel="nofollow">https://pypi.python.org/pypi/cryptography">PyPI</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pyup.io/changelogs/cryptography/">Changelog</a" rel="nofollow">https://pyup.io/changelogs/cryptography/">Changelog</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://github.com/pyca/cryptography">Repo</a">https://github.com/pyca/cryptography">Repo</a> </td> <tr> <td><b>pyopenssl</b></td> <td align="center">17.4.0</td> <td align="center">»</td> <td align="center">17.5.0</td> <td> <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pypi.python.org/pypi/pyopenssl">PyPI</a" rel="nofollow">https://pypi.python.org/pypi/pyopenssl">PyPI</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pyup.io/changelogs/pyopenssl/">Changelog</a" rel="nofollow">https://pyup.io/changelogs/pyopenssl/">Changelog</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pyopenssl.org/">Homepage</a" rel="nofollow">https://pyopenssl.org/">Homepage</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"http://pythonhosted.org/pyOpenSSL/">Docs</a" rel="nofollow">http://pythonhosted.org/pyOpenSSL/">Docs</a> </td> </tr> </table> ## Changelogs ### pyopenssl 17.4.0 -> 17.5.0 >### 17.5.0 >------------------- >Backward-incompatible changes: >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >* The minimum ``cryptography`` version is now 2.1.4. >Deprecations: >^^^^^^^^^^^^^ >*none* >Changes: >^^^^^^^^ >- Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with ``cacerts``. > `723 <https://github.com/pyca/pyopenssl/pull/723>`_ >- Added ``Connection.export_keying_material`` for RFC 5705 compatible export of keying material. > `725 <https://github.com/pyca/pyopenssl/pull/725>`_ >---- That's it for now! Happy merging! 🤖

121: Scheduled weekly dependency update for week 49 r=mithrandi a=pyup-bot ## Updates Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need. <table align="center"> <tr> <td><b>cryptography</b></td> <td align="center">2.1.3</td> <td align="center">»</td> <td align="center">2.1.4</td> <td> <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pypi.python.org/pypi/cryptography">PyPI</a" rel="nofollow">https://pypi.python.org/pypi/cryptography">PyPI</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pyup.io/changelogs/cryptography/">Changelog</a" rel="nofollow">https://pyup.io/changelogs/cryptography/">Changelog</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://github.com/pyca/cryptography">Repo</a">https://github.com/pyca/cryptography">Repo</a> </td> <tr> <td><b>pyopenssl</b></td> <td align="center">17.4.0</td> <td align="center">»</td> <td align="center">17.5.0</td> <td> <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pypi.python.org/pypi/pyopenssl">PyPI</a" rel="nofollow">https://pypi.python.org/pypi/pyopenssl">PyPI</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pyup.io/changelogs/pyopenssl/">Changelog</a" rel="nofollow">https://pyup.io/changelogs/pyopenssl/">Changelog</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"https://pyopenssl.org/">Homepage</a" rel="nofollow">https://pyopenssl.org/">Homepage</a> | <a href="proxy.php?url=https%3A%2F%2Fgithub-redirect.dependabot.com%2F%3Ca+href%3D"http://pythonhosted.org/pyOpenSSL/">Docs</a" rel="nofollow">http://pythonhosted.org/pyOpenSSL/">Docs</a> </td> </tr> </table> ## Changelogs ### pyopenssl 17.4.0 -> 17.5.0 >### 17.5.0 >------------------- >Backward-incompatible changes: >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >* The minimum ``cryptography`` version is now 2.1.4. >Deprecations: >^^^^^^^^^^^^^ >*none* >Changes: >^^^^^^^^ >- Fixed a potential use-after-free in the verify callback and resolved a memory leak when loading PKCS12 files with ``cacerts``. > `723 <https://github.com/pyca/pyopenssl/pull/723>`_ >- Added ``Connection.export_keying_material`` for RFC 5705 compatible export of keying material. > `725 <https://github.com/pyca/pyopenssl/pull/725>`_ >---- That's it for now! Happy merging! 🤖

kelbyludwig and others added 5 commits November 30, 2017 22:55

added method to export keying material from an ssl connection

e56e7ae

updated tests to use bytestrings to avoid breaking python3 tests

f767a50

added additional comments to test

95ec8c1

simplify export_keying_material

bc654d7

add changelog

ad7f375

reaperhulk mentioned this pull request Nov 30, 2017

added method to export keying material from an ssl connection #686

Closed

alex reviewed Nov 30, 2017

View reviewed changes

address review feedback

8d10090

alex approved these changes Nov 30, 2017

View reviewed changes

alex merged commit bdb7639 into pyca:master Nov 30, 2017

reaperhulk deleted the export-keying branch December 1, 2017 00:30

github-actions Bot locked as resolved and limited conversation to collaborators Aug 16, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Export keying material support#725

Export keying material support#725
alex merged 6 commits intopyca:masterfrom
reaperhulk:export-keying

reaperhulk commented Nov 30, 2017

Uh oh!

alex Nov 30, 2017

Uh oh!

alex Nov 30, 2017

Uh oh!

alex left a comment

Uh oh!

codecov Bot commented Nov 30, 2017 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

Conversation

reaperhulk commented Nov 30, 2017

Uh oh!

alex Nov 30, 2017

Choose a reason for hiding this comment

Uh oh!

alex Nov 30, 2017

Choose a reason for hiding this comment

Uh oh!

alex left a comment

Choose a reason for hiding this comment

Uh oh!

codecov Bot commented Nov 30, 2017 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

3 participants

codecov Bot commented Nov 30, 2017 •

edited

Loading