added method to export keying material from an ssl connection

[kelbyludwig]

This adds a new method to export keying material from an SSL connection (RFC 5705).

It currently will not work without merging in pyca/cryptography#3878.

[codecov]

Codecov Report

Merging #686 into master will decrease coverage by 0.34%.
The diff coverage is 28.57%.

@@            Coverage Diff             @@
##           master     #686      +/-   ##
==========================================
- Coverage   97.01%   96.67%   -0.35%     
==========================================
  Files          16       16              
  Lines        5630     5651      +21     
  Branches      391      392       +1     
==========================================
+ Hits         5462     5463       +1     
- Misses        112      131      +19     
- Partials       56       57       +1

Impacted Files	Coverage Δ
src/OpenSSL/SSL.py	94.39% <50%> (-0.5%)	⬇️
tests/test_ssl.py	98.28% <9.09%> (-0.83%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 332848f...348afd4. Read the comment docs.

[codecov]

Codecov Report

Merging #686 into master will increase coverage by 0.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #686      +/-   ##
==========================================
+ Coverage   97.01%   97.02%   +0.01%     
==========================================
  Files          16       16              
  Lines        5630     5652      +22     
  Branches      391      392       +1     
==========================================
+ Hits         5462     5484      +22     
  Misses        112      112              
  Partials       56       56

Impacted Files	Coverage Δ
tests/test_ssl.py	99.11% <100%> (ø)	⬆️
src/OpenSSL/SSL.py	94.94% <100%> (+0.05%)	⬆️
src/OpenSSL/crypto.py	96.81% <0%> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 332848f...317c9c8. Read the comment docs.

[alexwlchan]

This is blocked not just on the patch in cryptography being merged, but also a new release. The PyOpenSSL CI doesn’t install from cryptography master, so this will keep failing for now.

[reaperhulk]

That's not strictly true -- we have cryptography master tests (that are allowed to fail) in travis as well. In fact, they're currently failing on py3 indicating a bytes/str bug in this PR (https://travis-ci.org/pyca/pyopenssl/jobs/269830756).

[reaperhulk]

That said, Travis won't go green until after a cryptography release (and this PR will need to bump the cryptography dependency as well at that point).

[kelbyludwig]

The Travis checks look like they might only be failing for versions of cryptography that don't have pyca/cryptography#3878 included?

[alex]

The set of tests that are failing is the cryptographyMinimum set. Take a look at tox.ini and see about bumping that.

[kelbyludwig]

the py35-urllib3Master failure seems unrelated.

[kelbyludwig]

Is there anything else I could be doing to get this ready for review?

[reaperhulk]

Do you need to slice this? cffi will add a terminating NULL but when you pass it to SSL_export_keying_material with len(label) the terminating NULL simply won't be read.

[reaperhulk]

We shouldn't return None if this fails. This should call _openssl_assert(success == 1), which will raise an exception if exporting the keying material fails.

[reaperhulk]

Modulo my two comments this looks good. Thanks for sticking with us on this extremely long review cycle.

[reaperhulk]

Finished in #725