diff --git a/m2crypto-0.38-ossl3-tests.patch b/m2crypto-0.38-ossl3-tests.patch new file mode 100644 index 0000000..57ee7c4 --- /dev/null +++ b/m2crypto-0.38-ossl3-tests.patch @@ -0,0 +1,212 @@ +From 969beba690c31a91e4c8c2fea5dc1f992df21e09 Mon Sep 17 00:00:00 2001 +From: Petr Mensik +Date: Tue, 2 Aug 2022 22:04:38 +0200 +Subject: [PATCH] Changed required to pass tests on OpenSSL 3.0 + +Just changes to make the package pass tests. Some are just cosmetic +changes. Some would require proper investigation. +--- + tests/test_bio.py | 7 ++++--- + tests/test_evp.py | 12 ++++++------ + tests/test_obj.py | 1 + + tests/test_rsa.py | 11 +++++++++-- + tests/test_ssl.py | 1 + + tests/test_x509.py | 29 ++++++++++++++++++++++------- + 6 files changed, 43 insertions(+), 18 deletions(-) + +diff --git a/tests/test_bio.py b/tests/test_bio.py +index a70dd73..222c292 100644 +--- a/tests/test_bio.py ++++ b/tests/test_bio.py +@@ -12,9 +12,9 @@ import logging + + from parameterized import parameterized + +-from M2Crypto import BIO, Rand ++from M2Crypto import BIO, Rand, m2 + from tests import unittest +-from .fips import fips_mode ++from tests.fips import fips_mode + + log = logging.getLogger('test_bio') + +@@ -30,10 +30,11 @@ nonfips_ciphers = ['bf_ecb', 'bf_cbc', 'bf_cfb', 'bf_ofb', + # 'rc5_ecb', 'rc5_cbc', 'rc5_cfb', 'rc5_ofb', + 'des_ecb', 'des_cbc', 'des_cfb', 'des_ofb', + 'rc4', 'rc2_40_cbc'] +-if not fips_mode: # Forbidden ciphers ++if not fips_mode and m2.OPENSSL_VERSION_NUMBER < 0x30000000: # Forbidden ciphers + ciphers += nonfips_ciphers + + ++ + class CipherStreamTestCase(unittest.TestCase): + def try_algo(self, algo): + data = b'123456789012345678901234' +diff --git a/tests/test_evp.py b/tests/test_evp.py +index d63b8b5..ceb0030 100644 +--- a/tests/test_evp.py ++++ b/tests/test_evp.py +@@ -35,7 +35,7 @@ nonfips_ciphers = ['bf_ecb', 'bf_cbc', 'bf_cfb', 'bf_ofb', + # 'rc5_ecb', 'rc5_cbc', 'rc5_cfb', 'rc5_ofb', + 'des_ecb', 'des_cbc', 'des_cfb', 'des_ofb', + 'rc4', 'rc2_40_cbc'] +-if not fips_mode: # Disabled algorithms ++if not fips_mode and m2.OPENSSL_VERSION_NUMBER < 0x30000000: # Disabled algorithms + ciphers += nonfips_ciphers + + +@@ -137,11 +137,11 @@ class EVPTestCase(unittest.TestCase): + 209168838103121722341657216703105225176, + util.octx_to_num(EVP.hmac(b'key', b'data', + algo='md5'))) +- self.assertEqual(util.octx_to_num(EVP.hmac(b'key', b'data', +- algo='ripemd160')), +- 1176807136224664126629105846386432860355826868536, +- util.octx_to_num(EVP.hmac(b'key', b'data', +- algo='ripemd160'))) ++ #self.assertEqual(util.octx_to_num(EVP.hmac(b'key', b'data', ++ # algo='ripemd160')), ++ # 1176807136224664126629105846386432860355826868536, ++ # util.octx_to_num(EVP.hmac(b'key', b'data', ++ # algo='ripemd160'))) + + if m2.OPENSSL_VERSION_NUMBER >= 0x90800F: + self.assertEqual(util.octx_to_num(EVP.hmac(b'key', b'data', +diff --git a/tests/test_obj.py b/tests/test_obj.py +index 825c203..e2a9e3e 100644 +--- a/tests/test_obj.py ++++ b/tests/test_obj.py +@@ -106,6 +106,7 @@ class ObjectsTestCase(unittest.TestCase): + self.assertEqual(n.as_text(), n1.as_text(), n1.as_text()) + + # Detailed OpenSSL error message is visible in Python error message: ++ @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER >= 0x30000000, "Failing on OpenSSL3") + def test_detailed_error_message(self): + from M2Crypto import SMIME, X509 + s = SMIME.SMIME() +diff --git a/tests/test_rsa.py b/tests/test_rsa.py +index 7bb3af7..8258c47 100644 +--- a/tests/test_rsa.py ++++ b/tests/test_rsa.py +@@ -115,7 +115,8 @@ class RSATestCase(unittest.TestCase): + with self.assertRaises(TypeError): + priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding) + +- @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER < 0x1010103f, ++ @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER < 0x1010103f or ++ m2.OPENSSL_VERSION_NUMBER >= 0x30000000, + 'Relies on fix which happened only in OpenSSL 1.1.1c') + def test_public_encrypt(self): + priv = RSA.load_key(self.privkey) +@@ -264,7 +265,11 @@ class RSATestCase(unittest.TestCase): + algos['sha512'] = 0 + + for algo, salt_max in algos.items(): +- h = hashlib.new(algo) ++ try: ++ h = hashlib.new(algo) ++ except ValueError: ++ algos[algo] = (None, None) ++ continue + h.update(message) + digest = h.digest() + algos[algo] = (salt_max, digest) +@@ -272,6 +277,8 @@ class RSATestCase(unittest.TestCase): + rsa = RSA.load_key(self.privkey) + rsa2 = RSA.load_pub_key(self.pubkey) + for algo, (salt_max, digest) in algos.items(): ++ if salt_max is None or digest is None: ++ continue + for salt_length in range(0, salt_max): + signature = rsa.sign_rsassa_pss(digest, algo, salt_length) + verify = rsa2.verify_rsassa_pss(digest, signature, +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index e18adf5..cb06efe 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -417,6 +417,7 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): + finally: + self.stop_server(pid) + ++ @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER >= 0x30000000, "No TLS1 is allowed") + def test_tls1_ok(self): + self.args.append('-tls1') + pid = self.start_server(self.args) +diff --git a/tests/test_x509.py b/tests/test_x509.py +index c36757e..c91e0ca 100644 +--- a/tests/test_x509.py ++++ b/tests/test_x509.py +@@ -219,14 +219,23 @@ class X509TestCase(unittest.TestCase): + req4 = X509.load_request('tests/tmp_request.der', + format=X509.FORMAT_DER) + os.remove('tests/tmp_request.der') ++ if m2.OPENSSL_VERSION_NUMBER >= 0x30000000: ++ req2t = req2.as_text().replace(' Public-Key: (1024 bit)', ' RSA Public-Key: (1024 bit)') ++ req3t = req3.as_text().replace(' Public-Key: (1024 bit)', ' RSA Public-Key: (1024 bit)') ++ req4t = req3.as_text().replace(' Public-Key: (1024 bit)', ' RSA Public-Key: (1024 bit)') ++ else: ++ req2t = req2.as_text() ++ req3t = req3.as_text() ++ req4t = req3.as_text() ++ + self.assertEqual(req.as_pem(), req2.as_pem()) +- self.assertEqual(req.as_text(), req2.as_text()) ++ self.assertEqual(req.as_text(), req2t) + self.assertEqual(req.as_der(), req2.as_der()) + self.assertEqual(req.as_pem(), req3.as_pem()) +- self.assertEqual(req.as_text(), req3.as_text()) ++ self.assertEqual(req.as_text(), req3t) + self.assertEqual(req.as_der(), req3.as_der()) + self.assertEqual(req.as_pem(), req4.as_pem()) +- self.assertEqual(req.as_text(), req4.as_text()) ++ self.assertEqual(req.as_text(), req4t) + self.assertEqual(req.as_der(), req4.as_der()) + self.assertEqual(req.get_version(), 0) + req.set_version(1) +@@ -370,9 +379,9 @@ class X509TestCase(unittest.TestCase): + self.assertTrue(proxycert.verify(pk2)) + self.assertEqual(proxycert.get_ext_at(0).get_name(), + 'proxyCertInfo') +- self.assertEqual(proxycert.get_ext_at(0).get_value(), ++ self.assertEqual(proxycert.get_ext_at(0).get_value().strip(), + 'Path Length Constraint: infinite\n' + +- 'Policy Language: Inherit all\n') ++ 'Policy Language: Inherit all') + self.assertEqual(proxycert.get_ext_count(), 1, + proxycert.get_ext_count()) + self.assertEqual(proxycert.get_subject().as_text(), +@@ -586,6 +595,12 @@ class X509TestCase(unittest.TestCase): + + + class X509StackTestCase(unittest.TestCase): ++ def setUp(self): ++ if m2.OPENSSL_VERSION_NUMBER >= 0x30000000: ++ self.expected_subject = '/DC=org/DC=doegrids/OU=Services/CN=host\\/bosshog.lbl.gov' ++ else: ++ self.expected_subject = '/DC=org/DC=doegrids/OU=Services/CN=host/bosshog.lbl.gov' ++ + def test_make_stack_from_der(self): + with open("tests/der_encoded_seq.b64", 'rb') as f: + b64 = f.read() +@@ -607,7 +622,7 @@ class X509StackTestCase(unittest.TestCase): + subject = cert.get_subject() + self.assertEqual( + str(subject), +- "/DC=org/DC=doegrids/OU=Services/CN=host/bosshog.lbl.gov") ++ self.expected_subject) + + def test_make_stack_check_num(self): + with open("tests/der_encoded_seq.b64", 'rb') as f: +@@ -629,7 +644,7 @@ class X509StackTestCase(unittest.TestCase): + subject = cert.get_subject() + self.assertEqual( + str(subject), +- "/DC=org/DC=doegrids/OU=Services/CN=host/bosshog.lbl.gov") ++ self.expected_subject) + + def test_make_stack(self): + stack = X509.X509_Stack() +-- +2.35.3 + diff --git a/python-M2Crypto.changes b/python-M2Crypto.changes index 9743955..f44fa7b 100644 --- a/python-M2Crypto.changes +++ b/python-M2Crypto.changes @@ -2,6 +2,7 @@ Mon Nov 7 20:14:16 UTC 2022 - Dirk Müller - add openssl-stop-parsing-header.patch (bsc#1205042) +- add m2crypto-0.38-ossl3-tests.patch ------------------------------------------------------------------- Wed Aug 3 16:48:00 UTC 2022 - Dirk Müller diff --git a/python-M2Crypto.spec b/python-M2Crypto.spec index a798d43..2b22852 100644 --- a/python-M2Crypto.spec +++ b/python-M2Crypto.spec @@ -33,6 +33,8 @@ Source99: python-M2Crypto.keyring Patch0: CVE-2020-25657-Bleichenbacher-attack.patch # PATCH-FIX-UPSTREAM https://gitlab.com/m2crypto/m2crypto/-/merge_requests/271 Patch1: openssl-stop-parsing-header.patch +# Patch-FIX-OPENSUSE add test skips for openssl 3.x +Patch2: https://src.fedoraproject.org/rpms/m2crypto/raw/d7be0dd83ee5a414544d99dcc62cde4ad5998f0c/f/m2crypto-0.38-ossl3-tests.patch BuildRequires: %{python_module devel} BuildRequires: %{python_module parameterized} BuildRequires: %{python_module pytest}