Avoid a double call to X509_STORE_CTX_init as it leaks memory #691
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This fixes an issue where each instance of ``X509StoreContext`` would
leak a small amount of memory, but only if ``verify_certificate`` was
called.
The reason for this is that ``X509_STORE_CTX_init`` is called in
``X509StoreContext.__init__`` and at the start of
``X509StoreContext.verify_certificate``. According to the man page for
``X509_STORE_CTX_init``:
"X509_STORE_CTX_init() sets up ctx for a subsequent verification
operation. It must be called before each call to X509_verify_cert(),
i.e. a ctx is only good for one call to X509_verify_cert(); if you want
to verify a second certificate with the same ctx then you must call
X509_STORE_CTX_cleanup() and then X509_STORE_CTX_init() again before
the second call to X509_verify_cert()."
Prior to this commit, the following script would cause a memory leak:
```
from OpenSSL.crypto import (
X509Store, X509StoreContext, load_certificate, FILETYPE_PEM)
certificate = """
-----BEGIN CERTIFICATE-----
MIIESTCCA7KgAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBoDELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAk5DMRAwDgYDVQQHEwdSYWxlaWdoMRcwFQYDVQQKEw5GZWRvcmEg
UHJvamVjdDEPMA0GA1UECxMGZmVkbXNnMQ8wDQYDVQQDEwZmZWRtc2cxDzANBgNV
BCkTBmZlZG1zZzEmMCQGCSqGSIb3DQEJARYXYWRtaW5AZmVkb3JhcHJvamVjdC5v
cmcwHhcNMTIwNzE1MjExODUyWhcNMjIwNzEzMjExODUyWjCB2DELMAkGA1UEBhMC
VVMxCzAJBgNVBAgTAk5DMRAwDgYDVQQHEwdSYWxlaWdoMRcwFQYDVQQKEw5GZWRv
cmEgUHJvamVjdDEPMA0GA1UECxMGZmVkbXNnMSswKQYDVQQDEyJzaGVsbC1hcHAw
MS5waHgyLmZlZG9yYXByb2plY3Qub3JnMSswKQYDVQQpEyJzaGVsbC1hcHAwMS5w
aHgyLmZlZG9yYXByb2plY3Qub3JnMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBmZWRv
cmFwcm9qZWN0Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyV0ydvno
pITmFs0kfploKj6nW0/COzp0rDwwvuWZF2KDdl1AeRWzfspOQOWIK5V+o2qxYA6t
aiK4bPfylYL1IGIwlVP9ma5zwkRvWketWjGORp5B7g7oECQOBo3gnQt0Uf5TWAQ1
6Wn0bCrIQSqOWVKScK9vUk/oomUlAZbksEcCAwEAAaOCAVcwggFTMAkGA1UdEwQC
MAAwLQYJYIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
ZTAdBgNVHQ4EFgQUd3FXBbD2JW3qcmq+5VP7GcuxHF4wgdUGA1UdIwSBzTCByoAU
AJil1efEVQ6Eo2f+ZkoW4AQV3SGhgaakgaMwgaAxCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJOQzEQMA4GA1UEBxMHUmFsZWlnaDEXMBUGA1UEChMORmVkb3JhIFByb2pl
Y3QxDzANBgNVBAsTBmZlZG1zZzEPMA0GA1UEAxMGZmVkbXNnMQ8wDQYDVQQpEwZm
ZWRtc2cxJjAkBgkqhkiG9w0BCQEWF2FkbWluQGZlZG9yYXByb2plY3Qub3JnggkA
juso2KkTnXwwEwYDVR0lBAwwCgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA0GCSqG
SIb3DQEBBQUAA4GBABG1zG/lzYyz/phhROq6nzk3QUVeNGyxFdxxoB57j4xDi60y
zy2yAYe9swqlL1Gk94/Zf/lLPFxOM+NinTOh/o6z0bEBBCufwFKiS+ug/pjsI
o69vC03F21S0pquM8bQjcdoA5q5pdiY/Bq5HULmosyA+ENu69ovQGZZUiJb/
-----END CERTIFICATE-----
"""
ca_certificate = """
-----BEGIN CERTIFICATE-----
MIIDyzCCAzSgAwIBAgIJAI7rKNipE518MA0GCSqGSIb3DQEBBQUAMIGgMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCTkMxEDAOBgNVBAcTB1JhbGVpZ2gxFzAVBgNVBAoT
DkZlZG9yYSBQcm9qZWN0MQ8wDQYDVQQLEwZmZWRtc2cxDzANBgNVBAMTBmZlZG1z
ZzEPMA0GA1UEKRMGZmVkbXNnMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBmZWRvcmFw
cm9qZWN0Lm9yZzAeFw0xMjA3MTUyMTE4NTFaFw0yMjA3MTMyMTE4NTFaMIGgMQsw
CQYDVQQGEwJVUzELMAkGA1UECBMCTkMxEDAOBgNVBAcTB1JhbGVpZ2gxFzAVBgNV
BAoTDkZlZG9yYSBQcm9qZWN0MQ8wDQYDVQQLEwZmZWRtc2cxDzANBgNVBAMTBmZl
ZG1zZzEPMA0GA1UEKRMGZmVkbXNnMSYwJAYJKoZIhvcNAQkBFhdhZG1pbkBmZWRv
cmFwcm9qZWN0Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9J6RmGr1
LzSJ5Fau2wdkVUiS5WXBcd0bNPyUJ9/G7t9SrycnLnEK4GQh2B525p4SCqvsHZtM
8rqii/Y2PPF5PbpgVjJLYsJk4SSv84aH+VPYcaEtYlPClXgHb3J9jgAxgHBHkJMQ
7mvxiIau7frKFqmJGZkxO2M+Sv8eLCKLJP8CAwEAAaOCAQkwggEFMB0GA1UdDgQW
BBQAmKXV58RVDoSjZ/5mShbgBBXdITCB1QYDVR0jBIHNMIHKgBQAmKXV58RVDoSj
Z/5mShbgBBXdIaGBpqSBozCBoDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5DMRAw
DgYDVQQHEwdSYWxlaWdoMRcwFQYDVQQKEw5GZWRvcmEgUHJvamVjdDEPMA0GA1UE
CxMGZmVkbXNnMQ8wDQYDVQQDEwZmZWRtc2cxDzANBgNVBCkTBmZlZG1zZzEmMCQG
CSqGSIb3DQEJARYXYWRtaW5AZmVkb3JhcHJvamVjdC5vcmeCCQCO6yjYqROdfDAM
BgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAN5r+1rbeTyGDdlelbqWOXBu
uS0a9BfusO0uwf3tHK9zeB5CDKFgxdfSZ+Fxg1w2HFRHhCOYoZ2ASPfbyANTzxUF
fVAId1uhBD1SlhXpTb3Ndo4uXfalf3W8MrQzFiVHbevvfsyd+RwoVT/PDokE3i4A
fftCd0uwvSqVgyE28SFt
-----END CERTIFICATE-----
"""
ca_cert = load_certificate(FILETYPE_PEM, ca_certificate)
cert = load_certificate(FILETYPE_PEM, certificate)
cert_store = X509Store()
cert_store.add_cert(ca_cert)
while True:
cert_store_context = X509StoreContext(cert_store, cert)
cert_store_context.verify_certificate()
```
Moving the creation of ``X509StoreContext`` outside the loop stops the
memory leak.
Signed-off-by: Jeremy Cline <[email protected]>
Codecov Report
@@ Coverage Diff @@
## master #691 +/- ##
==========================================
+ Coverage 97.01% 97.01% +<.01%
==========================================
Files 16 16
Lines 5630 5631 +1
Branches 391 391
==========================================
+ Hits 5462 5463 +1
Misses 112 112
Partials 56 56
Continue to review full report at Codecov.
|
reaperhulk
approved these changes
Sep 14, 2017
bors-fusion bot
referenced
this pull request
in fusionapp/entropy
Oct 2, 2017
155: Scheduled weekly dependency update for week 40 r=mithrandi
## Updates
Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need.
<table align="center">
<tr>
<td><b>asn1crypto</b></td>
<td align="center">0.22.0</td>
<td align="center">»</td>
<td align="center">0.23.0</td>
<td>
<a href="https://pypi.python.org/pypi/asn1crypto">PyPI</a> | <a href="https://pyup.io/changelogs/asn1crypto/">Changelog</a> | <a href="https://github.com/wbond/asn1crypto/issues">Repo</a>
</td>
<tr>
<td><b>cffi</b></td>
<td align="center">1.10.0</td>
<td align="center">»</td>
<td align="center">1.11.0</td>
<td>
<a href="https://pypi.python.org/pypi/cffi">PyPI</a> | <a href="https://pyup.io/changelogs/cffi/">Changelog</a> | <a href="http://cffi.readthedocs.org">Docs</a>
</td>
<tr>
<td><b>lxml</b></td>
<td align="center">3.8.0</td>
<td align="center">»</td>
<td align="center">4.0.0</td>
<td>
<a href="https://pypi.python.org/pypi/lxml">PyPI</a> | <a href="https://pyup.io/changelogs/lxml/">Changelog</a> | <a href="http://lxml.de/">Homepage</a> | <a href="https://bugs.launchpad.net/lxml">Bugtracker</a>
</td>
<tr>
<td><b>pyasn1-modules</b></td>
<td align="center">0.1.1</td>
<td align="center">»</td>
<td align="center">0.1.4</td>
<td>
<a href="https://pypi.python.org/pypi/pyasn1-modules">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1-modules/">Changelog</a> | <a href="https://github.com/etingof/pyasn1-modules">Repo</a>
</td>
<tr>
<td><b>pyasn1</b></td>
<td align="center">0.3.3</td>
<td align="center">»</td>
<td align="center">0.3.6</td>
<td>
<a href="https://pypi.python.org/pypi/pyasn1">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1/">Changelog</a> | <a href="https://github.com/etingof/pyasn1">Repo</a>
</td>
<tr>
<td><b>pyopenssl</b></td>
<td align="center">17.2.0</td>
<td align="center">»</td>
<td align="center">17.3.0</td>
<td>
<a href="https://pypi.python.org/pypi/pyopenssl">PyPI</a> | <a href="https://pyup.io/changelogs/pyopenssl/">Changelog</a> | <a href="https://pyopenssl.org/">Homepage</a> | <a href="http://pythonhosted.org/pyOpenSSL/">Docs</a>
</td>
<tr>
<td><b>six</b></td>
<td align="center">1.10.0</td>
<td align="center">»</td>
<td align="center">1.11.0</td>
<td>
<a href="https://pypi.python.org/pypi/six">PyPI</a> | <a href="https://pyup.io/changelogs/six/">Changelog</a> | <a href="http://pypi.python.org/pypi/six/">Homepage</a> | <a href="http://pythonhosted.org/six/">Docs</a>
</td>
<tr>
<td><b>twisted[conch,tls]</b></td>
<td align="center">17.5.0</td>
<td align="center">»</td>
<td align="center">17.9.0</td>
<td>
<a href="https://pypi.python.org/pypi/twisted">PyPI</a> | <a href="https://pyup.io/changelogs/twisted/">Changelog</a> | <a href="http://twistedmatrix.com/">Homepage</a> | <a href="https://twistedmatrix.com/trac/">Bugtracker</a>
</td>
<tr>
<td><b>zope.interface</b></td>
<td align="center">4.4.2</td>
<td align="center">»</td>
<td align="center">4.4.3</td>
<td>
<a href="https://pypi.python.org/pypi/zope.interface">PyPI</a> | <a href="https://pyup.io/changelogs/zope.interface/">Changelog</a> | <a href="https://github.com/zopefoundation/zope.interface">Repo</a>
</td>
</tr>
</table>
## Changelogs
### asn1crypto 0.22.0 -> 0.23.0
>### 0.23.0
> - Backwards compatibility break: the `tag_type`, `explicit_tag` and
> `explicit_class` attributes on `core.Asn1Value` no longer exist and were
> replaced by the `implicit` and `explicit` attributes. Field param dicts
> may use the new `explicit` and `implicit` keys, or the old `tag_type` and
> `tag` keys. The attribute changes will likely to have little to no impact
> since they were primarily an implementation detail.
> - Teletex strings used inside of X.509 certificates are now interpreted
> using Windows-1252 (a superset of ISO-8859-1). This enables compatibility
> with certificates generated by OpenSSL. Strict parsing of Teletex strings
> can be retained by using the `x509.strict_teletex()` context manager.
> - Added support for nested explicit tagging, supporting values that are
> defined with explicit tagging and then added as a field of another
> structure using explicit tagging.
> - Fixed a `UnicodeDecodeError` when trying to find the (optional) dependency
> OpenSSL on Python 2
> - Fixed `next_update` field of `crl.TbsCertList` to be optional
> - Added the `x509.Certificate.sha256_fingerprint` property
> - `x509.Certificate.ocsp_urls` and `x509.DistributionPoint.url` will now
> return `https://`, `ldap://` and `ldaps://` URLs in addition to `http://`.
> - Added CMS Attribute Protection definitions from RFC 6211
> - Added OIDs from RFC 6962
### cffi 1.10.0 -> 1.11.0
>### 1.11
>=====
>* Support the modern standard types ``char16_t`` and ``char32_t``.
> These work like ``wchar_t``: they represent one unicode character, or
> when used as ``charN_t *`` or ``charN_t[]`` they represent a unicode
> string. The difference with ``wchar_t`` is that they have a known,
> fixed size. They should work at all places that used to work with
> ``wchar_t`` (please report an issue if I missed something). Note
> that with ``set_source()``, you need to make sure that these types are
> actually defined by the C source you provide (if used in ``cdef()``).
>* Support the C99 types ``float _Complex`` and ``double _Complex``.
> Note that libffi doesn't support them, which means that in the ABI
> mode you still cannot call C functions that take complex numbers
> directly as arguments or return type.
>* Fixed a rare race condition when creating multiple ``FFI`` instances
> from multiple threads. (Note that you aren't meant to create many
> ``FFI`` instances: in inline mode, you should write ``ffi =
> cffi.FFI()`` at module level just after ``import cffi``; and in
> out-of-line mode you don't instantiate ``FFI`` explicitly at all.)
>* Windows: using callbacks can be messy because the CFFI internal error
> messages show up to stderr---but stderr goes nowhere in many
> applications. This makes it particularly hard to get started with the
> embedding mode. (Once you get started, you can at least use
> ``ffi.def_extern(onerror=...)`` and send the error logs where it
> makes sense for your application, or record them in log files, and so
> on.) So what is new in CFFI is that now, on Windows CFFI will try to
> open a non-modal MessageBox (in addition to sending raw messages to
> stderr). The MessageBox is only visible if the process stays alive:
> typically, console applications that crash close immediately, but that
> is also the situation where stderr should be visible anyway.
>* Progress on support for `callbacks in NetBSD`__.
>* Functions returning booleans would in some case still return 0 or 1
> instead of False or True. Fixed.
>* `ffi.gc()`__ now takes an optional third parameter, which gives an
> estimate of the size (in bytes) of the object. So far, this is only
> used by PyPy, to make the next GC occur more quickly (`issue 320`__).
> In the future, this might have an effect on CPython too (provided
> the CPython `issue 31105`__ is addressed).
>* Add a note to the documentation: the ABI mode gives function objects
> that are *slower* to call than the API mode does. For some reason it
> is often thought to be faster. It is not!
>.. __: https://bitbucket.org/cffi/cffi/issues/321/cffi-191-segmentation-fault-during-self
>.. __: ref.htmlffi-gc
>.. __: https://bitbucket.org/cffi/cffi/issues/320/improve-memory_pressure-management
>.. __: http://bugs.python.org/issue31105
>### 1.10.1
>=======
### lxml 3.8.0 -> 4.0.0
>### 4.0.0
>==================
>Features added
>--------------
>* The ElementPath implementation is now compiled using Cython,
> which speeds up the ``.find*()`` methods quite significantly.
>* The modules ``lxml.builder``, ``lxml.html.diff`` and ``lxml.html.clean``
> are also compiled using Cython in order to speed them up.
>* ``xmlfile()`` supports async coroutines using ``async with`` and ``await``.
>* ``iterwalk()`` has a new method ``skip_subtree()`` that prevents walking into
> the descendants of the current element.
>* ``RelaxNG.from_rnc_string()`` accepts a ``base_url`` argument to
> allow relative resource lookups.
>* The XSLT result object has a new method ``.write_output(file)`` that serialises
> output data into a file according to the ``<xsl:output>`` configuration.
>Bugs fixed
>----------
>* GH251: HTML comments were handled incorrectly by the soupparser.
> Patch by mozbugbox.
>* LP1654544: The html5parser no longer passes the ``useChardet`` option
> if the input is a Unicode string, unless explicitly requested. When parsing
> files, the default is to enable it when a URL or file path is passed (because
> the file is then opened in binary mode), and to disable it when reading from
> a file(-like) object.
> Note: This is a backwards incompatible change of the default configuration.
> If your code parses byte strings/streams and depends on character detection,
> please pass the option ``guess_charset=True`` explicitly, which already worked
> in older lxml versions.
>* LP1703810: ``etree.fromstring()`` failed to parse UTF-32 data with BOM.
>* LP1526522: Some RelaxNG errors were not reported in the error log.
>* LP1567526: Empty and plain text input raised a TypeError in soupparser.
>* LP1710429: Uninitialised variable usage in HTML diff.
>* LP1415643: The closing tags context manager in ``xmlfile()`` could continue
> to output end tags even after writing failed with an exception.
>* LP1465357: ``xmlfile.write()`` now accepts and ignores None as input argument.
>* Compilation under Py3.7-pre failed due to a modified function signature.
>Other changes
>-------------
>* The main module source files were renamed from ``lxml.*.pyx`` to plain
> ``*.pyx`` (e.g. ``etree.pyx``) to simplify their handling in the build
> process. Care was taken to keep the old header files as fallbacks for
> code that compiles against the public C-API of lxml, but it might still
> be worth validating that third-party code does not notice this change.
### pyopenssl 17.2.0 -> 17.3.0
>### 17.3.0
>-------------------
>Backward-incompatible changes:
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>- Dropped support for Python 3.3.
> `677 <https://github.com/pyca/pyopenssl/pull/677>`_
>- Removed the deprecated ``OpenSSL.rand`` module.
> This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden.
> ``os.urandom()`` should be used instead.
> `675 <https://github.com/pyca/pyopenssl/pull/675>`_
>Deprecations:
>^^^^^^^^^^^^^
>- Deprecated ``OpenSSL.tsafe``.
> `673 <https://github.com/pyca/pyopenssl/pull/673>`_
>Changes:
>^^^^^^^^
>- Fixed a memory leak in ``OpenSSL.crypto.CRL``.
> `690 <https://github.com/pyca/pyopenssl/pull/690>`_
>- Fixed a memory leak when verifying certificates with ``OpenSSL.crypto.X509StoreContext``.
> `691 <https://github.com/pyca/pyopenssl/pull/691>`_
>----
### six 1.10.0 -> 1.11.0
>### 1.11.0
>------
>- Pull request 178: `with_metaclass` now properly proxies `__prepare__` to the
> underlying metaclass.
>- Pull request 191: Allow `with_metaclass` to work with metaclasses implemented
> in C.
>- Pull request 203: Add parse_http_list and parse_keqv_list to moved
> urllib.request.
>- Pull request 172 and issue 171: Add unquote_to_bytes to moved urllib.parse.
>- Pull request 167: Add `six.moves.getoutput`.
>- Pull request 80: Add `six.moves.urllib_parse.splitvalue`.
>- Pull request 75: Add `six.moves.email_mime_image`.
>- Pull request 72: Avoid creating reference cycles through tracebacks in
> `reraise`.
### zope.interface 4.4.2 -> 4.4.3
>### 4.4.3
>------------------
>- Avoid exceptions when the ``__annotations__`` attribute is added to
> interface definitions with Python 3.x type hints. See `issue 98
> <https://github.com/zopefoundation/zope.interface/issues/98>`_.
>- Fix the possibility of a rare crash in the C extension when
> deallocating items. See `issue 100
> <https://github.com/zopefoundation/zope.interface/issues/100>`_.
That's it for now!
Happy merging! 🤖
bors-fusion bot
referenced
this pull request
in fusionapp/fusion-index
Oct 2, 2017
161: Scheduled weekly dependency update for week 40 r=mithrandi
## Updates
Here's a list of all the updates bundled in this pull request. I've added some links to make it easier for you to find all the information you need.
<table align="center">
<tr>
<td><b>asn1crypto</b></td>
<td align="center">0.22.0</td>
<td align="center">»</td>
<td align="center">0.23.0</td>
<td>
<a href="https://pypi.python.org/pypi/asn1crypto">PyPI</a> | <a href="https://pyup.io/changelogs/asn1crypto/">Changelog</a> | <a href="https://github.com/wbond/asn1crypto/issues">Repo</a>
</td>
<tr>
<td><b>hypothesis</b></td>
<td align="center">3.23.2</td>
<td align="center">»</td>
<td align="center">3.31.2</td>
<td>
<a href="https://pypi.python.org/pypi/hypothesis">PyPI</a> | <a href="https://pyup.io/changelogs/hypothesis/">Changelog</a> | <a href="https://github.com/HypothesisWorks/hypothesis/issues">Repo</a>
</td>
<tr>
<td><b>pyasn1-modules</b></td>
<td align="center">0.1.1</td>
<td align="center">»</td>
<td align="center">0.1.4</td>
<td>
<a href="https://pypi.python.org/pypi/pyasn1-modules">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1-modules/">Changelog</a> | <a href="https://github.com/etingof/pyasn1-modules">Repo</a>
</td>
<tr>
<td><b>pyasn1</b></td>
<td align="center">0.3.3</td>
<td align="center">»</td>
<td align="center">0.3.6</td>
<td>
<a href="https://pypi.python.org/pypi/pyasn1">PyPI</a> | <a href="https://pyup.io/changelogs/pyasn1/">Changelog</a> | <a href="https://github.com/etingof/pyasn1">Repo</a>
</td>
<tr>
<td><b>pyopenssl</b></td>
<td align="center">17.2.0</td>
<td align="center">»</td>
<td align="center">17.3.0</td>
<td>
<a href="https://pypi.python.org/pypi/pyopenssl">PyPI</a> | <a href="https://pyup.io/changelogs/pyopenssl/">Changelog</a> | <a href="https://pyopenssl.org/">Homepage</a> | <a href="http://pythonhosted.org/pyOpenSSL/">Docs</a>
</td>
<tr>
<td><b>six</b></td>
<td align="center">1.10.0</td>
<td align="center">»</td>
<td align="center">1.11.0</td>
<td>
<a href="https://pypi.python.org/pypi/six">PyPI</a> | <a href="https://pyup.io/changelogs/six/">Changelog</a> | <a href="http://pypi.python.org/pypi/six/">Homepage</a> | <a href="http://pythonhosted.org/six/">Docs</a>
</td>
<tr>
<td><b>twisted[tls]</b></td>
<td align="center">17.5.0</td>
<td align="center">»</td>
<td align="center">17.9.0</td>
<td>
<a href="https://pypi.python.org/pypi/twisted">PyPI</a> | <a href="https://pyup.io/changelogs/twisted/">Changelog</a> | <a href="http://twistedmatrix.com/">Homepage</a> | <a href="https://twistedmatrix.com/trac/">Bugtracker</a>
</td>
<tr>
<td><b>zope.interface</b></td>
<td align="center">4.4.2</td>
<td align="center">»</td>
<td align="center">4.4.3</td>
<td>
<a href="https://pypi.python.org/pypi/zope.interface">PyPI</a> | <a href="https://pyup.io/changelogs/zope.interface/">Changelog</a> | <a href="https://github.com/zopefoundation/zope.interface">Repo</a>
</td>
</tr>
</table>
## Changelogs
### asn1crypto 0.22.0 -> 0.23.0
>### 0.23.0
> - Backwards compatibility break: the `tag_type`, `explicit_tag` and
> `explicit_class` attributes on `core.Asn1Value` no longer exist and were
> replaced by the `implicit` and `explicit` attributes. Field param dicts
> may use the new `explicit` and `implicit` keys, or the old `tag_type` and
> `tag` keys. The attribute changes will likely to have little to no impact
> since they were primarily an implementation detail.
> - Teletex strings used inside of X.509 certificates are now interpreted
> using Windows-1252 (a superset of ISO-8859-1). This enables compatibility
> with certificates generated by OpenSSL. Strict parsing of Teletex strings
> can be retained by using the `x509.strict_teletex()` context manager.
> - Added support for nested explicit tagging, supporting values that are
> defined with explicit tagging and then added as a field of another
> structure using explicit tagging.
> - Fixed a `UnicodeDecodeError` when trying to find the (optional) dependency
> OpenSSL on Python 2
> - Fixed `next_update` field of `crl.TbsCertList` to be optional
> - Added the `x509.Certificate.sha256_fingerprint` property
> - `x509.Certificate.ocsp_urls` and `x509.DistributionPoint.url` will now
> return `https://`, `ldap://` and `ldaps://` URLs in addition to `http://`.
> - Added CMS Attribute Protection definitions from RFC 6211
> - Added OIDs from RFC 6962
### hypothesis 3.23.2 -> 3.31.2
>### 3.31.2
>-------------------
>This release fixes some formatting and small typos/grammar issues in the
>documentation, specifically the page docs/settings.rst, and the inline docs
>for the various settings.
>-------------------
>### 3.31.1
>-------------------
>This release improves the handling of deadlines so that they act better with
>the shrinking process. This fixes :issue:`892`.
>This involves two changes:
>1. The deadline is raised during the initial generation and shrinking, and then
> lowered to the set value for final replay. This restricts our attention to
> examples which exceed the deadline by a more significant margin, which
> increases their reliability.
>2. When despite the above a test still becomes flaky because it is
> significantly faster on rerun than it was on its first run, the error
> message is now more explicit about the nature of this problem, and includes
> both the initial test run time and the new test run time.
>In addition, this release also clarifies the documentation of the deadline
>setting slightly to be more explicit about where it applies.
>This work was funded by `Smarkets <https://smarkets.com/>`_.
>-------------------
>### 3.31.0
>-------------------
>This release blocks installation of Hypothesis on Python 3.3, which
>:PEP:`reached its end of life date on 2017-09-29 <398>`.
>This should not be of interest to anyone but downstream maintainers -
>if you are affected, migrate to a secure version of Python as soon as
>possible or at least seek commercial support.
>-------------------
>### 3.30.4
>-------------------
>This release makes several changes:
>1. It significantly improves Hypothesis's ability to use coverage information
> to find interesting examples.
>2. It reduces the default ``max_examples`` setting from 200 to 100. This takes
> advantage of the improved algorithm meaning fewer examples are typically
> needed to get the same testing and is sufficiently better at covering
> interesting behaviour, and offsets some of the performance problems of
> running under coverage.
>3. Hypothesis will always try to start its testing with an example that is near
> minimized.
>The new algorithm for 1 also makes some changes to Hypothesis's low level data
>generation which apply even with coverage turned off. They generally reduce the
>total amount of data generated, which should improve test performance somewhat.
>Between this and 3 you should see a noticeable reduction in test runtime (how
>much so depends on your tests and how much example size affects their
>performance. On our benchmarks, where data generation dominates, we saw up to
>a factor of two performance improvement, but it's unlikely to be that large.
>-------------------
>### 3.30.3
>-------------------
>This release fixes some formatting and small typos/grammar issues in the
>documentation, specifically the page docs/details.rst, and some inline
>docs linked from there.
>-------------------
>### 3.30.2
>-------------------
>This release changes Hypothesis's caching approach for functions in
>``hypothesis.strategies``. Previously it would have cached extremely
>aggressively and cache entries would never be evicted. Now it adopts a
>least-frequently used, least recently used key invalidation policy, and is
>somewhat more conservative about which strategies it caches.
>This should cause some workloads (anything that creates strategies based on
>dynamic values, e.g. using flatmap or composite) to see a significantly lower
>memory usage.
>-------------------
>### 3.30.1
>-------------------
>This release fixes a bug where when running with use_coverage=True inside an
>existing running instance of coverage, Hypothesis would frequently put files
>that the coveragerc excluded in the report for the enclosing coverage.
>-------------------
>### 3.30.0
>-------------------
>This release introduces two new features:
>* pytest users can specify a seed to use for ``given`` based tests by passing
> the ``--hypothesis-seed`` command line argument.
>* When a test fails, either with a health check failure or a falsifying example,
> Hypothesis will print out a seed that led to that failure, if the test is not
> already running with a fixed seed. You can then recreate that failure using either
> the ``seed`` decorator or (if you are running pytest) with ``--hypothesis-seed``.
>This work was funded by `Smarkets <https://smarkets.com/>`_.
>-------------------
>### 3.29.0
>-------------------
>This release makes Hypothesis coverage aware. Hypothesis now runs all test
>bodies under coverage, and uses this information to guide its testing.
>The :attr:`~hypothesis.settings.use_coverage` setting can be used to disable
>this behaviour if you want to test code that is sensitive to coverage being
>enabled (either because of performance or interaction with the trace function).
>The main benefits of this feature are:
>* Hypothesis now observes when examples it discovers cover particular lines
> or branches and stores them in the database for later.
>* Hypothesis will make some use of this information to guide its exploration of
> the search space and improve the examples it finds (this is currently used
> only very lightly and will likely improve significantly in future releases).
>This also has the following side-effects:
>* Hypothesis now has an install time dependency on the coverage package.
>* Tests that are already running Hypothesis under coverage will likely get
> faster.
>* Tests that are not running under coverage now run their test bodies under
> coverage by default.
>This feature is only partially supported under pypy. It is significantly slower
>than on CPython and is turned off by default as a result, but it should still
>work correctly if you want to use it.
>-------------------
>### 3.28.3
>-------------------
>This release is an internal change that affects how Hypothesis handles
>calculating certain properties of strategies.
>The primary effect of this is that it fixes a bug where use of
>:func:`~hypothesis.deferred` could sometimes trigger an internal assertion
>error. However the fix for this bug involved some moderately deep changes to
>how Hypothesis handles certain constructs so you may notice some additional
>knock-on effects.
>In particular the way Hypothesis handles drawing data from strategies that
>cannot generate any values has changed to bail out sooner than it previously
>did. This may speed up certain tests, but it is unlikely to make much of a
>difference in practice for tests that were not already failing with
>Unsatisfiable.
>-------------------
>### 3.28.2
>-------------------
>This is a patch release that fixes a bug in the `hypothesis.extra.pandas` documentation where it incorrectly referred to column instead of columns.
>-------------------
>### 3.28.1
>-------------------
>This is a refactoring release. It moves a number of internal uses
>of nametuple over to using attrs based classes, and removes a couple
>of internal namedtuple classes that were no longer in use.
>It should have no user visible impact.
>-------------------
>### 3.28.0
>-------------------
>This release adds support for testing pandas via the :ref:`hypothesis.extra.pandas <hypothesis-pandas>`
>module.
>It also adds a dependency on attrs.
>This work was funded by `Stripe <https://stripe.com/>`_.
>-------------------
>### 3.27.1
>-------------------
>This release fixes some formatting and broken cross-references in the
>documentation, which includes editing docstrings - and thus a patch release.
>-------------------
>### 3.27.0
>-------------------
>This release introduces a :attr:`~hypothesis.settings.deadline`
>setting to Hypothesis.
>When set this turns slow tests into errors. By default it is unset but will
>warn if you exceed 200ms, which will become the default value in a future
>release.
>This work was funded by `Smarkets <https://smarkets.com/>`_.
>-------------------
>### 3.26.0
>-------------------
>Hypothesis now emits deprecation warnings if you are using the legacy
>SQLite example database format, or the tool for merging them. These were
>already documented as deprecated, so this doesn't change their deprecation
>status, only that we warn about it.
>-------------------
>### 3.25.1
>-------------------
>This release fixes a bug with generating numpy datetime and timedelta types:
>When inferring the strategy from the dtype, datetime and timedelta dtypes with
>sub-second precision would always produce examples with one second resolution.
>Inferring a strategy from a time dtype will now always produce example with the
>same precision.
>-------------------
>### 3.25.0
>-------------------
>This release changes how Hypothesis shrinks and replays examples to take into
>account that it can encounter new bugs while shrinking the bug it originally
>found. Previously it would end up replacing the originally found bug with the
>new bug and show you only that one. Now it is (often) able to recognise when
>two bugs are distinct and when it finds more than one will show both.
>-------------------
>### 3.24.2
>-------------------
>This release removes the (purely internal and no longer useful)
>``strategy_test_suite`` function and the corresponding strategytests module.
>-------------------
>### 3.24.1
>-------------------
>This release improves the reduction of examples involving floating point
>numbers to produce more human readable examples.
>It also has some general purpose changes to the way the minimizer works
>internally, which may see some improvement in quality and slow down of test
>case reduction in cases that have nothing to do with floating point numbers.
>-------------------
>### 3.24.0
>-------------------
>Hypothesis now emits deprecation warnings if you use example() inside a
>test function or strategy definition (this was never intended to be supported,
>but is sufficiently widespread that it warrants a deprecation path).
>-------------------
>### 3.23.3
>-------------------
>This is a bugfix release for :func:`~hypothesis.strategies.decimals`
>with the ``places`` argument.
>- No longer fails health checks (:issue:`725`, due to internal filtering)
>- Specifying a ``min_value`` and ``max_value`` without any decimals with
> ``places`` places between them gives a more useful error message.
>- Works for any valid arguments, regardless of the decimal precision context.
>-------------------
### pyopenssl 17.2.0 -> 17.3.0
>### 17.3.0
>-------------------
>Backward-incompatible changes:
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>- Dropped support for Python 3.3.
> `677 <https://github.com/pyca/pyopenssl/pull/677>`_
>- Removed the deprecated ``OpenSSL.rand`` module.
> This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden.
> ``os.urandom()`` should be used instead.
> `675 <https://github.com/pyca/pyopenssl/pull/675>`_
>Deprecations:
>^^^^^^^^^^^^^
>- Deprecated ``OpenSSL.tsafe``.
> `673 <https://github.com/pyca/pyopenssl/pull/673>`_
>Changes:
>^^^^^^^^
>- Fixed a memory leak in ``OpenSSL.crypto.CRL``.
> `690 <https://github.com/pyca/pyopenssl/pull/690>`_
>- Fixed a memory leak when verifying certificates with ``OpenSSL.crypto.X509StoreContext``.
> `691 <https://github.com/pyca/pyopenssl/pull/691>`_
>----
### six 1.10.0 -> 1.11.0
>### 1.11.0
>------
>- Pull request 178: `with_metaclass` now properly proxies `__prepare__` to the
> underlying metaclass.
>- Pull request 191: Allow `with_metaclass` to work with metaclasses implemented
> in C.
>- Pull request 203: Add parse_http_list and parse_keqv_list to moved
> urllib.request.
>- Pull request 172 and issue 171: Add unquote_to_bytes to moved urllib.parse.
>- Pull request 167: Add `six.moves.getoutput`.
>- Pull request 80: Add `six.moves.urllib_parse.splitvalue`.
>- Pull request 75: Add `six.moves.email_mime_image`.
>- Pull request 72: Avoid creating reference cycles through tracebacks in
> `reraise`.
### zope.interface 4.4.2 -> 4.4.3
>### 4.4.3
>------------------
>- Avoid exceptions when the ``__annotations__`` attribute is added to
> interface definitions with Python 3.x type hints. See `issue 98
> <https://github.com/zopefoundation/zope.interface/issues/98>`_.
>- Fix the possibility of a rare crash in the C extension when
> deallocating items. See `issue 100
> <https://github.com/zopefoundation/zope.interface/issues/100>`_.
That's it for now!
Happy merging! 🤖
bors-fusion bot
referenced
this pull request
in fusionapp/documint
Nov 17, 2017
96: Update pyopenssl to 17.3.0 r=mithrandi There's a new version of [pyopenssl](https://pypi.python.org/pypi/pyopenssl) available. You are currently using **17.2.0**. I have updated it to **17.3.0** These links might come in handy: <a href="https://pypi.python.org/pypi/pyopenssl">PyPI</a> | <a href="https://pyup.io/changelogs/pyopenssl/">Changelog</a> | <a href="https://pyopenssl.org/">Homepage</a> | <a href="http://pythonhosted.org/pyOpenSSL/">Docs</a> ### Changelog > >### 17.3.0 >------------------- >Backward-incompatible changes: >^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ >- Dropped support for Python 3.3. > `677 <https://github.com/pyca/pyopenssl/pull/677>`_ >- Removed the deprecated ``OpenSSL.rand`` module. > This is being done ahead of our normal deprecation schedule due to its lack of use and the fact that it was becoming a maintenance burden. > ``os.urandom()`` should be used instead. > `675 <https://github.com/pyca/pyopenssl/pull/675>`_ >Deprecations: >^^^^^^^^^^^^^ >- Deprecated ``OpenSSL.tsafe``. > `673 <https://github.com/pyca/pyopenssl/pull/673>`_ >Changes: >^^^^^^^^ >- Fixed a memory leak in ``OpenSSL.crypto.CRL``. > `690 <https://github.com/pyca/pyopenssl/pull/690>`_ >- Fixed a memory leak when verifying certificates with ``OpenSSL.crypto.X509StoreContext``. > `691 <https://github.com/pyca/pyopenssl/pull/691>`_ >---- *Got merge conflicts? Close this PR and delete the branch. I'll create a new PR for you.* Happy merging! 🤖
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes an issue where each instance of
X509StoreContextwouldleak a small amount of memory, but only if
verify_certificatewascalled.
The reason for this is that
X509_STORE_CTX_initis called inX509StoreContext.__init__and at the start ofX509StoreContext.verify_certificate. According to the man page forX509_STORE_CTX_init:"X509_STORE_CTX_init() sets up ctx for a subsequent verification
operation. It must be called before each call to X509_verify_cert(),
i.e. a ctx is only good for one call to X509_verify_cert(); if you want
to verify a second certificate with the same ctx then you must call
X509_STORE_CTX_cleanup() and then X509_STORE_CTX_init() again before
the second call to X509_verify_cert()."
Prior to this commit, the following script would cause a memory leak:
Moving the creation of
X509StoreContextoutside the loop stops thememory leak.
As with #690, I'm more than happy to write tests, I just need some directions 😄. I'm also fine doing this a different way like removing the
_initcall in__init__, but I was worried someone somewhere was relying on it being initialized. SinceX509_STORE_CTX_cleanupis idempotent I thought this was the least dangerous approach.Signed-off-by: Jeremy Cline [email protected]