Accepting request 1096850 from devel:languages:python
- Update to 0.39.0: - SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE COMPLETELY REMOVED IN THE NEXT RELEASE. - Remove dependency on parameterized and use unittest.subTest instead. - Upgrade embedded six.py module to 1.16.0 (really tiny inconsequential changes). - Make tests working on MacOS again (test_bio_membuf: Use fork) - Use OpenSSL_version_num() instead of unreliable parsing of .h file. - Mitigate the Bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657) - Add functionality to extract EC key from public key + Update tests - Worked around compatibility issues with OpenSSL 3.* - Support for Twisted has been deprecated (they have their own SSL support anyway). - Generate TAP while testing. - Stop using GitHub for testing. - Accept a small deviation from time in the testsuite (for systems with non-standard HZ kernel parameter). - Use the default BIO.__del__ rather than overriding in BIO.File (avoid a memleak). - Resolve "X509_Name.as_der() method from X509.py -> class X509_Name caused segmentation fault" - Remove upstreamed patches: - CVE-2020-25657-Bleichenbacher-attack.patch - m2crypto-0.38-ossl3-tests.patch - openssl-adapt-tests-for-3.1.0.patch - openssl-stop-parsing-header.patch - timeout_300hz.patch - add timeout_300hz.patch to accept a small deviation from time in the testsuite (bsc#1212757) OBS-URL: https://build.opensuse.org/request/show/1096850 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-M2Crypto?expand=0&rev=47
commit
6bf9ef0c82
@ -1,170 +0,0 @@
|
|||||||
From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
|
|
||||||
Date: Tue, 28 Jun 2022 21:17:01 +0200
|
|
||||||
Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA
|
|
||||||
decryption API (CVE-2020-25657)
|
|
||||||
|
|
||||||
Fixes #282
|
|
||||||
---
|
|
||||||
src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++--------
|
|
||||||
src/SWIG/_rsa.i | 20 ++++++++++++--------
|
|
||||||
tests/test_rsa.py | 15 +++++++--------
|
|
||||||
3 files changed, 31 insertions(+), 24 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c
|
|
||||||
index aba9eb6d..a9f30da9 100644
|
|
||||||
--- a/src/SWIG/_m2crypto_wrap.c
|
|
||||||
+++ b/src/SWIG/_m2crypto_wrap.c
|
|
||||||
@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) {
|
|
||||||
tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
|
|
||||||
(unsigned char *)tbuf, rsa, padding);
|
|
||||||
if (tlen == -1) {
|
|
||||||
- m2_PyErr_Msg(_rsa_err);
|
|
||||||
+ ERR_clear_error();
|
|
||||||
+ PyErr_Clear();
|
|
||||||
PyMem_Free(tbuf);
|
|
||||||
- return NULL;
|
|
||||||
+ Py_RETURN_NONE;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
|
||||||
@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) {
|
|
||||||
tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
|
|
||||||
(unsigned char *)tbuf, rsa, padding);
|
|
||||||
if (tlen == -1) {
|
|
||||||
- m2_PyErr_Msg(_rsa_err);
|
|
||||||
+ ERR_clear_error();
|
|
||||||
+ PyErr_Clear();
|
|
||||||
PyMem_Free(tbuf);
|
|
||||||
- return NULL;
|
|
||||||
+ Py_RETURN_NONE;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
|
||||||
@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) {
|
|
||||||
tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
|
|
||||||
(unsigned char *)tbuf, rsa, padding);
|
|
||||||
if (tlen == -1) {
|
|
||||||
- m2_PyErr_Msg(_rsa_err);
|
|
||||||
+ ERR_clear_error();
|
|
||||||
+ PyErr_Clear();
|
|
||||||
PyMem_Free(tbuf);
|
|
||||||
- return NULL;
|
|
||||||
+ Py_RETURN_NONE;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
|
||||||
@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) {
|
|
||||||
tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
|
|
||||||
(unsigned char *)tbuf, rsa, padding);
|
|
||||||
if (tlen == -1) {
|
|
||||||
- m2_PyErr_Msg(_rsa_err);
|
|
||||||
+ ERR_clear_error();
|
|
||||||
+ PyErr_Clear();
|
|
||||||
PyMem_Free(tbuf);
|
|
||||||
- return NULL;
|
|
||||||
+ Py_RETURN_NONE;
|
|
||||||
}
|
|
||||||
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
|
||||||
|
|
||||||
diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i
|
|
||||||
index bc714e01..1377b8be 100644
|
|
||||||
--- a/src/SWIG/_rsa.i
|
|
||||||
+++ b/src/SWIG/_rsa.i
|
|
||||||
@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) {
|
|
||||||
tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
|
|
||||||
(unsigned char *)tbuf, rsa, padding);
|
|
||||||
if (tlen == -1) {
|
|
||||||
- m2_PyErr_Msg(_rsa_err);
|
|
||||||
+ ERR_clear_error();
|
|
||||||
+ PyErr_Clear();
|
|
||||||
PyMem_Free(tbuf);
|
|
||||||
- return NULL;
|
|
||||||
+ Py_RETURN_NONE;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
|
||||||
@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) {
|
|
||||||
tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
|
|
||||||
(unsigned char *)tbuf, rsa, padding);
|
|
||||||
if (tlen == -1) {
|
|
||||||
- m2_PyErr_Msg(_rsa_err);
|
|
||||||
+ ERR_clear_error();
|
|
||||||
+ PyErr_Clear();
|
|
||||||
PyMem_Free(tbuf);
|
|
||||||
- return NULL;
|
|
||||||
+ Py_RETURN_NONE;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
|
||||||
@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) {
|
|
||||||
tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
|
|
||||||
(unsigned char *)tbuf, rsa, padding);
|
|
||||||
if (tlen == -1) {
|
|
||||||
- m2_PyErr_Msg(_rsa_err);
|
|
||||||
+ ERR_clear_error();
|
|
||||||
+ PyErr_Clear();
|
|
||||||
PyMem_Free(tbuf);
|
|
||||||
- return NULL;
|
|
||||||
+ Py_RETURN_NONE;
|
|
||||||
}
|
|
||||||
|
|
||||||
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
|
||||||
@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) {
|
|
||||||
tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
|
|
||||||
(unsigned char *)tbuf, rsa, padding);
|
|
||||||
if (tlen == -1) {
|
|
||||||
- m2_PyErr_Msg(_rsa_err);
|
|
||||||
+ ERR_clear_error();
|
|
||||||
+ PyErr_Clear();
|
|
||||||
PyMem_Free(tbuf);
|
|
||||||
- return NULL;
|
|
||||||
+ Py_RETURN_NONE;
|
|
||||||
}
|
|
||||||
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
|
|
||||||
|
|
||||||
diff --git a/tests/test_rsa.py b/tests/test_rsa.py
|
|
||||||
index 7bb3af75..5e75d681 100644
|
|
||||||
--- a/tests/test_rsa.py
|
|
||||||
+++ b/tests/test_rsa.py
|
|
||||||
@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase):
|
|
||||||
# The other paddings.
|
|
||||||
for padding in self.s_padding_nok:
|
|
||||||
p = getattr(RSA, padding)
|
|
||||||
- with self.assertRaises(RSA.RSAError):
|
|
||||||
- priv.private_encrypt(self.data, p)
|
|
||||||
+ # Exception disabled as a part of mitigation against CVE-2020-25657
|
|
||||||
+ # with self.assertRaises(RSA.RSAError):
|
|
||||||
+ priv.private_encrypt(self.data, p)
|
|
||||||
# Type-check the data to be encrypted.
|
|
||||||
with self.assertRaises(TypeError):
|
|
||||||
priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding)
|
|
||||||
@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase):
|
|
||||||
self.assertEqual(ptxt, self.data)
|
|
||||||
|
|
||||||
# no_padding
|
|
||||||
- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
|
|
||||||
- priv.public_encrypt(self.data, RSA.no_padding)
|
|
||||||
+ # Exception disabled as a part of mitigation against CVE-2020-25657
|
|
||||||
+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
|
|
||||||
+ priv.public_encrypt(self.data, RSA.no_padding)
|
|
||||||
|
|
||||||
# Type-check the data to be encrypted.
|
|
||||||
+ # Exception disabled as a part of mitigation against CVE-2020-25657
|
|
||||||
with self.assertRaises(TypeError):
|
|
||||||
priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding)
|
|
||||||
|
|
||||||
@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase):
|
|
||||||
b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4
|
|
||||||
with self.assertRaises(RSA.RSAError):
|
|
||||||
setattr(rsa, 'e', '\000\000\000\003\001\000\001')
|
|
||||||
- with self.assertRaises(RSA.RSAError):
|
|
||||||
- rsa.private_encrypt(1)
|
|
||||||
- with self.assertRaises(RSA.RSAError):
|
|
||||||
- rsa.private_decrypt(1)
|
|
||||||
assert rsa.check_key()
|
|
||||||
|
|
||||||
def test_loadpub_bad(self):
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
BIN
M2Crypto-0.38.0.tar.gz
(Stored with Git LFS)
BIN
M2Crypto-0.38.0.tar.gz
(Stored with Git LFS)
Binary file not shown.
@ -1,6 +0,0 @@
|
|||||||
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iF0EABECAB0WIQSJ70vGKIq/QxurJcPgn+8l2WSErAUCYMfDmAAKCRDgn+8l2WSE
|
|
||||||
rJjeAJ9020kzL4u/p/KNnH3ei4EKFeJJhQCfcHKVJ0exSXSIj8/xbAdSKRvl8uQ=
|
|
||||||
=Q+r2
|
|
||||||
-----END PGP SIGNATURE-----
|
|
BIN
M2Crypto-0.39.0.tar.gz
(Stored with Git LFS)
Normal file
BIN
M2Crypto-0.39.0.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
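--- a/M2Crypto-0.39.0.tar.gz.asc
+++ b/M2Crypto-0.39.0.tar.gz.asc
@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQSJ70vGKIq/QxurJcPgn+8l2WSErAUCZKRcPQAKCRDgn+8l2WSE
+rOdTAJ94HzHyNz9/cD+BQje4mM6EBhPkzwCcCaHGd/j7TbdV4Y0GvdbzvHgAbFY=
+=nPc4
+-----END PGP SIGNATURE-----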
@ -1,212 +0,0 @@
|
|||||||
From 969beba690c31a91e4c8c2fea5dc1f992df21e09 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Mensik <pemensik@redhat.com>
|
|
||||||
Date: Tue, 2 Aug 2022 22:04:38 +0200
|
|
||||||
Subject: [PATCH] Changed required to pass tests on OpenSSL 3.0
|
|
||||||
|
|
||||||
Just changes to make the package pass tests. Some are just cosmetic
|
|
||||||
changes. Some would require proper investigation.
|
|
||||||
---
|
|
||||||
tests/test_bio.py | 7 ++++---
|
|
||||||
tests/test_evp.py | 12 ++++++------
|
|
||||||
tests/test_obj.py | 1 +
|
|
||||||
tests/test_rsa.py | 11 +++++++++--
|
|
||||||
tests/test_ssl.py | 1 +
|
|
||||||
tests/test_x509.py | 29 ++++++++++++++++++++++-------
|
|
||||||
6 files changed, 43 insertions(+), 18 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/tests/test_bio.py b/tests/test_bio.py
|
|
||||||
index a70dd73..222c292 100644
|
|
||||||
--- a/tests/test_bio.py
|
|
||||||
+++ b/tests/test_bio.py
|
|
||||||
@@ -12,9 +12,9 @@ import logging
|
|
||||||
|
|
||||||
from parameterized import parameterized
|
|
||||||
|
|
||||||
-from M2Crypto import BIO, Rand
|
|
||||||
+from M2Crypto import BIO, Rand, m2
|
|
||||||
from tests import unittest
|
|
||||||
-from .fips import fips_mode
|
|
||||||
+from tests.fips import fips_mode
|
|
||||||
|
|
||||||
log = logging.getLogger('test_bio')
|
|
||||||
|
|
||||||
@@ -30,10 +30,11 @@ nonfips_ciphers = ['bf_ecb', 'bf_cbc', 'bf_cfb', 'bf_ofb',
|
|
||||||
# 'rc5_ecb', 'rc5_cbc', 'rc5_cfb', 'rc5_ofb',
|
|
||||||
'des_ecb', 'des_cbc', 'des_cfb', 'des_ofb',
|
|
||||||
'rc4', 'rc2_40_cbc']
|
|
||||||
-if not fips_mode: # Forbidden ciphers
|
|
||||||
+if not fips_mode and m2.OPENSSL_VERSION_NUMBER < 0x30000000: # Forbidden ciphers
|
|
||||||
ciphers += nonfips_ciphers
|
|
||||||
|
|
||||||
|
|
||||||
+
|
|
||||||
class CipherStreamTestCase(unittest.TestCase):
|
|
||||||
def try_algo(self, algo):
|
|
||||||
data = b'123456789012345678901234'
|
|
||||||
diff --git a/tests/test_evp.py b/tests/test_evp.py
|
|
||||||
index d63b8b5..ceb0030 100644
|
|
||||||
--- a/tests/test_evp.py
|
|
||||||
+++ b/tests/test_evp.py
|
|
||||||
@@ -35,7 +35,7 @@ nonfips_ciphers = ['bf_ecb', 'bf_cbc', 'bf_cfb', 'bf_ofb',
|
|
||||||
# 'rc5_ecb', 'rc5_cbc', 'rc5_cfb', 'rc5_ofb',
|
|
||||||
'des_ecb', 'des_cbc', 'des_cfb', 'des_ofb',
|
|
||||||
'rc4', 'rc2_40_cbc']
|
|
||||||
-if not fips_mode: # Disabled algorithms
|
|
||||||
+if not fips_mode and m2.OPENSSL_VERSION_NUMBER < 0x30000000: # Disabled algorithms
|
|
||||||
ciphers += nonfips_ciphers
|
|
||||||
|
|
||||||
|
|
||||||
@@ -137,11 +137,11 @@ class EVPTestCase(unittest.TestCase):
|
|
||||||
209168838103121722341657216703105225176,
|
|
||||||
util.octx_to_num(EVP.hmac(b'key', b'data',
|
|
||||||
algo='md5')))
|
|
||||||
- self.assertEqual(util.octx_to_num(EVP.hmac(b'key', b'data',
|
|
||||||
- algo='ripemd160')),
|
|
||||||
- 1176807136224664126629105846386432860355826868536,
|
|
||||||
- util.octx_to_num(EVP.hmac(b'key', b'data',
|
|
||||||
- algo='ripemd160')))
|
|
||||||
+ #self.assertEqual(util.octx_to_num(EVP.hmac(b'key', b'data',
|
|
||||||
+ # algo='ripemd160')),
|
|
||||||
+ # 1176807136224664126629105846386432860355826868536,
|
|
||||||
+ # util.octx_to_num(EVP.hmac(b'key', b'data',
|
|
||||||
+ # algo='ripemd160')))
|
|
||||||
|
|
||||||
if m2.OPENSSL_VERSION_NUMBER >= 0x90800F:
|
|
||||||
self.assertEqual(util.octx_to_num(EVP.hmac(b'key', b'data',
|
|
||||||
diff --git a/tests/test_obj.py b/tests/test_obj.py
|
|
||||||
index 825c203..e2a9e3e 100644
|
|
||||||
--- a/tests/test_obj.py
|
|
||||||
+++ b/tests/test_obj.py
|
|
||||||
@@ -106,6 +106,7 @@ class ObjectsTestCase(unittest.TestCase):
|
|
||||||
self.assertEqual(n.as_text(), n1.as_text(), n1.as_text())
|
|
||||||
|
|
||||||
# Detailed OpenSSL error message is visible in Python error message:
|
|
||||||
+ @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER >= 0x30000000, "Failing on OpenSSL3")
|
|
||||||
def test_detailed_error_message(self):
|
|
||||||
from M2Crypto import SMIME, X509
|
|
||||||
s = SMIME.SMIME()
|
|
||||||
diff --git a/tests/test_rsa.py b/tests/test_rsa.py
|
|
||||||
index 7bb3af7..8258c47 100644
|
|
||||||
--- a/tests/test_rsa.py
|
|
||||||
+++ b/tests/test_rsa.py
|
|
||||||
@@ -115,7 +115,8 @@ class RSATestCase(unittest.TestCase):
|
|
||||||
with self.assertRaises(TypeError):
|
|
||||||
priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding)
|
|
||||||
|
|
||||||
- @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER < 0x1010103f,
|
|
||||||
+ @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER < 0x1010103f or
|
|
||||||
+ m2.OPENSSL_VERSION_NUMBER >= 0x30000000,
|
|
||||||
'Relies on fix which happened only in OpenSSL 1.1.1c')
|
|
||||||
def test_public_encrypt(self):
|
|
||||||
priv = RSA.load_key(self.privkey)
|
|
||||||
@@ -264,7 +265,11 @@ class RSATestCase(unittest.TestCase):
|
|
||||||
algos['sha512'] = 0
|
|
||||||
|
|
||||||
for algo, salt_max in algos.items():
|
|
||||||
- h = hashlib.new(algo)
|
|
||||||
+ try:
|
|
||||||
+ h = hashlib.new(algo)
|
|
||||||
+ except ValueError:
|
|
||||||
+ algos[algo] = (None, None)
|
|
||||||
+ continue
|
|
||||||
h.update(message)
|
|
||||||
digest = h.digest()
|
|
||||||
algos[algo] = (salt_max, digest)
|
|
||||||
@@ -272,6 +277,8 @@ class RSATestCase(unittest.TestCase):
|
|
||||||
rsa = RSA.load_key(self.privkey)
|
|
||||||
rsa2 = RSA.load_pub_key(self.pubkey)
|
|
||||||
for algo, (salt_max, digest) in algos.items():
|
|
||||||
+ if salt_max is None or digest is None:
|
|
||||||
+ continue
|
|
||||||
for salt_length in range(0, salt_max):
|
|
||||||
signature = rsa.sign_rsassa_pss(digest, algo, salt_length)
|
|
||||||
verify = rsa2.verify_rsassa_pss(digest, signature,
|
|
||||||
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
|
|
||||||
index e18adf5..cb06efe 100644
|
|
||||||
--- a/tests/test_ssl.py
|
|
||||||
+++ b/tests/test_ssl.py
|
|
||||||
@@ -417,6 +417,7 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase):
|
|
||||||
finally:
|
|
||||||
self.stop_server(pid)
|
|
||||||
|
|
||||||
+ @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER >= 0x30000000, "No TLS1 is allowed")
|
|
||||||
def test_tls1_ok(self):
|
|
||||||
self.args.append('-tls1')
|
|
||||||
pid = self.start_server(self.args)
|
|
||||||
diff --git a/tests/test_x509.py b/tests/test_x509.py
|
|
||||||
index c36757e..c91e0ca 100644
|
|
||||||
--- a/tests/test_x509.py
|
|
||||||
+++ b/tests/test_x509.py
|
|
||||||
@@ -219,14 +219,23 @@ class X509TestCase(unittest.TestCase):
|
|
||||||
req4 = X509.load_request('tests/tmp_request.der',
|
|
||||||
format=X509.FORMAT_DER)
|
|
||||||
os.remove('tests/tmp_request.der')
|
|
||||||
+ if m2.OPENSSL_VERSION_NUMBER >= 0x30000000:
|
|
||||||
+ req2t = req2.as_text().replace(' Public-Key: (1024 bit)', ' RSA Public-Key: (1024 bit)')
|
|
||||||
+ req3t = req3.as_text().replace(' Public-Key: (1024 bit)', ' RSA Public-Key: (1024 bit)')
|
|
||||||
+ req4t = req3.as_text().replace(' Public-Key: (1024 bit)', ' RSA Public-Key: (1024 bit)')
|
|
||||||
+ else:
|
|
||||||
+ req2t = req2.as_text()
|
|
||||||
+ req3t = req3.as_text()
|
|
||||||
+ req4t = req3.as_text()
|
|
||||||
+
|
|
||||||
self.assertEqual(req.as_pem(), req2.as_pem())
|
|
||||||
- self.assertEqual(req.as_text(), req2.as_text())
|
|
||||||
+ self.assertEqual(req.as_text(), req2t)
|
|
||||||
self.assertEqual(req.as_der(), req2.as_der())
|
|
||||||
self.assertEqual(req.as_pem(), req3.as_pem())
|
|
||||||
- self.assertEqual(req.as_text(), req3.as_text())
|
|
||||||
+ self.assertEqual(req.as_text(), req3t)
|
|
||||||
self.assertEqual(req.as_der(), req3.as_der())
|
|
||||||
self.assertEqual(req.as_pem(), req4.as_pem())
|
|
||||||
- self.assertEqual(req.as_text(), req4.as_text())
|
|
||||||
+ self.assertEqual(req.as_text(), req4t)
|
|
||||||
self.assertEqual(req.as_der(), req4.as_der())
|
|
||||||
self.assertEqual(req.get_version(), 0)
|
|
||||||
req.set_version(1)
|
|
||||||
@@ -370,9 +379,9 @@ class X509TestCase(unittest.TestCase):
|
|
||||||
self.assertTrue(proxycert.verify(pk2))
|
|
||||||
self.assertEqual(proxycert.get_ext_at(0).get_name(),
|
|
||||||
'proxyCertInfo')
|
|
||||||
- self.assertEqual(proxycert.get_ext_at(0).get_value(),
|
|
||||||
+ self.assertEqual(proxycert.get_ext_at(0).get_value().strip(),
|
|
||||||
'Path Length Constraint: infinite\n' +
|
|
||||||
- 'Policy Language: Inherit all\n')
|
|
||||||
+ 'Policy Language: Inherit all')
|
|
||||||
self.assertEqual(proxycert.get_ext_count(), 1,
|
|
||||||
proxycert.get_ext_count())
|
|
||||||
self.assertEqual(proxycert.get_subject().as_text(),
|
|
||||||
@@ -586,6 +595,12 @@ class X509TestCase(unittest.TestCase):
|
|
||||||
|
|
||||||
|
|
||||||
class X509StackTestCase(unittest.TestCase):
|
|
||||||
+ def setUp(self):
|
|
||||||
+ if m2.OPENSSL_VERSION_NUMBER >= 0x30000000:
|
|
||||||
+ self.expected_subject = '/DC=org/DC=doegrids/OU=Services/CN=host\\/bosshog.lbl.gov'
|
|
||||||
+ else:
|
|
||||||
+ self.expected_subject = '/DC=org/DC=doegrids/OU=Services/CN=host/bosshog.lbl.gov'
|
|
||||||
+
|
|
||||||
def test_make_stack_from_der(self):
|
|
||||||
with open("tests/der_encoded_seq.b64", 'rb') as f:
|
|
||||||
b64 = f.read()
|
|
||||||
@@ -607,7 +622,7 @@ class X509StackTestCase(unittest.TestCase):
|
|
||||||
subject = cert.get_subject()
|
|
||||||
self.assertEqual(
|
|
||||||
str(subject),
|
|
||||||
- "/DC=org/DC=doegrids/OU=Services/CN=host/bosshog.lbl.gov")
|
|
||||||
+ self.expected_subject)
|
|
||||||
|
|
||||||
def test_make_stack_check_num(self):
|
|
||||||
with open("tests/der_encoded_seq.b64", 'rb') as f:
|
|
||||||
@@ -629,7 +644,7 @@ class X509StackTestCase(unittest.TestCase):
|
|
||||||
subject = cert.get_subject()
|
|
||||||
self.assertEqual(
|
|
||||||
str(subject),
|
|
||||||
- "/DC=org/DC=doegrids/OU=Services/CN=host/bosshog.lbl.gov")
|
|
||||||
+ self.expected_subject)
|
|
||||||
|
|
||||||
def test_make_stack(self):
|
|
||||||
stack = X509.X509_Stack()
|
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
@ -1,22 +0,0 @@
|
|||||||
From a72341e20fd781b59beb59a27b222d32d021076e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Otto Hollmann <otto.hollmann@suse.com>
|
|
||||||
Date: Thu, 16 Mar 2023 11:21:04 +0100
|
|
||||||
Subject: [PATCH] Adapt tests for OpenSSL v3.1.0
|
|
||||||
|
|
||||||
---
|
|
||||||
tests/test_ssl.py | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
|
|
||||||
index 6b9e1216..029e11ab 100644
|
|
||||||
--- a/tests/test_ssl.py
|
|
||||||
+++ b/tests/test_ssl.py
|
|
||||||
@@ -411,6 +411,7 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase):
|
|
||||||
warnings.simplefilter('ignore', DeprecationWarning)
|
|
||||||
ctx = SSL.Context('tlsv1')
|
|
||||||
s = SSL.Connection(ctx)
|
|
||||||
+ s.set_cipher_list('DEFAULT:@SECLEVEL=0')
|
|
||||||
with six.assertRaisesRegex(self, SSL.SSLError,
|
|
||||||
r'version|unexpected eof'):
|
|
||||||
s.connect(self.srv_addr)
|
|
||||||
--
|
|
@ -1,64 +0,0 @@
|
|||||||
From 1a746c6d01eff4863c116e279756a1035fd5feb0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
|
|
||||||
Date: Mon, 22 Nov 2021 23:05:41 +0100
|
|
||||||
Subject: [PATCH] Use OpenSSL_version_num() instead of unrealiable parsing of
|
|
||||||
.h file.
|
|
||||||
|
|
||||||
Fixes #302
|
|
||||||
---
|
|
||||||
setup.py | 39 ++++++++++++++++++++++++---------------
|
|
||||||
1 file changed, 24 insertions(+), 15 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/setup.py b/setup.py
|
|
||||||
index a1d58f25..04ac8c77 100644
|
|
||||||
--- a/setup.py
|
|
||||||
+++ b/setup.py
|
|
||||||
@@ -75,21 +75,30 @@ def openssl_version(ossldir, req_ver, required=False):
|
|
||||||
:return: Boolean indicating whether the satisfying version of
|
|
||||||
OpenSSL has been installed.
|
|
||||||
"""
|
|
||||||
- ver = None
|
|
||||||
- file = os.path.join(ossldir, 'include', 'openssl', 'opensslv.h')
|
|
||||||
-
|
|
||||||
- with open(file) as origin_file:
|
|
||||||
- for line in origin_file:
|
|
||||||
- m = re.match(
|
|
||||||
- r'^# *define *OPENSSL_VERSION_NUMBER *(0x[0-9a-fA-F]*)',
|
|
||||||
- line)
|
|
||||||
- if m:
|
|
||||||
- log.debug('found version number: %s\n', m.group(1))
|
|
||||||
- ver = int(m.group(1), base=16)
|
|
||||||
- break
|
|
||||||
-
|
|
||||||
- if ver is None:
|
|
||||||
- raise OSError('Unknown format of file %s\n' % file)
|
|
||||||
+ try:
|
|
||||||
+ import ctypes
|
|
||||||
+ libssl = ctypes.cdll.LoadLibrary("libssl.so")
|
|
||||||
+ ver = libssl.OpenSSL_version_num()
|
|
||||||
+ log.debug("ctypes: ver = %s", hex(ver))
|
|
||||||
+ # for OpenSSL < 1.1.0
|
|
||||||
+ except AttributeError:
|
|
||||||
+ ver = None
|
|
||||||
+ file = os.path.join(ossldir, 'include', 'openssl', 'opensslv.h')
|
|
||||||
+
|
|
||||||
+ with open(file) as origin_file:
|
|
||||||
+ for line in origin_file:
|
|
||||||
+ m = re.match(
|
|
||||||
+ r'^# *define *OPENSSL_VERSION_NUMBER *(0x[0-9a-fA-F]*)',
|
|
||||||
+ line)
|
|
||||||
+ if m:
|
|
||||||
+ log.debug('found version number: %s\n', m.group(1))
|
|
||||||
+ ver = int(m.group(1), base=16)
|
|
||||||
+ break
|
|
||||||
+
|
|
||||||
+ log.debug("parsing header file: ver = %s", hex(ver))
|
|
||||||
+
|
|
||||||
+ if ver is None:
|
|
||||||
+ raise OSError('Unknown format of file %s\n' % file)
|
|
||||||
|
|
||||||
if required:
|
|
||||||
return ver >= req_ver
|
|
||||||
--
|
|
||||||
GitLab
|
|
||||||
|
|
@ -1,3 +1,44 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jul 4 19:21:57 UTC 2023 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
- Update to 0.39.0:
|
||||||
|
- SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE
|
||||||
|
COMPLETELY REMOVED IN THE NEXT RELEASE.
|
||||||
|
- Remove dependency on parameterized and use unittest.subTest
|
||||||
|
instead.
|
||||||
|
- Upgrade embedded six.py module to 1.16.0 (really tiny
|
||||||
|
inconsequential changes).
|
||||||
|
- Make tests working on MacOS again (test_bio_membuf: Use fork)
|
||||||
|
- Use OpenSSL_version_num() instead of unrealiable parsing of
|
||||||
|
.h file.
|
||||||
|
- Mitigate the Bleichenbacher timing attacks in the RSA
|
||||||
|
decryption API (CVE-2020-25657)
|
||||||
|
- Add functionality to extract EC key from public key + Update
|
||||||
|
tests
|
||||||
|
- Worked around compatibility issues with OpenSSL 3.*
|
||||||
|
- Support for Twisted has been deprecated (they have their own
|
||||||
|
SSL support anyway).
|
||||||
|
- Generate TAP while testing.
|
||||||
|
- Stop using GitHub for testing.
|
||||||
|
- Accept a small deviation from time in the testsuite (for
|
||||||
|
systems with non-standard HZ kernel parameter).
|
||||||
|
- Use the default BIO.__del__ rather tha overriding in BIO.File
|
||||||
|
(avoid a memleak).
|
||||||
|
- Resolve "X509_Name.as_der() method from X509.py -> class
|
||||||
|
X509_Name caused segmentation fault"
|
||||||
|
- Remove upstreamed patches:
|
||||||
|
- CVE-2020-25657-Bleichenbacher-attack.patch
|
||||||
|
- m2crypto-0.38-ossl3-tests.patch
|
||||||
|
- openssl-adapt-tests-for-3.1.0.patch
|
||||||
|
- openssl-stop-parsing-header.patch
|
||||||
|
- timeout_300hz.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jun 27 10:51:14 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
|
- add timeout_300hz.patch to accept a small deviation from time
|
||||||
|
in the testsuite (bsc#1212757)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Mar 16 10:35:33 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
Thu Mar 16 10:35:33 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
|
||||||
|
|
||||||
|
@ -17,32 +17,20 @@
|
|||||||
|
|
||||||
|
|
||||||
%define oldpython python
|
%define oldpython python
|
||||||
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
|
|
||||||
Name: python-M2Crypto
|
Name: python-M2Crypto
|
||||||
Version: 0.38.0
|
Version: 0.39.0
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Crypto and SSL toolkit for Python
|
Summary: Crypto and SSL toolkit for Python
|
||||||
License: MIT
|
License: MIT
|
||||||
Group: Development/Languages/Python
|
Group: Development/Languages/Python
|
||||||
URL: https://gitlab.com/m2crypto/m2crypto
|
URL: https://gitlab.com/m2crypto/m2crypto
|
||||||
Source0: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz
|
Source0: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz
|
||||||
Source1: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz.asc
|
Source1: M2Crypto-%{version}.tar.gz.asc
|
||||||
Source99: python-M2Crypto.keyring
|
Source99: python-M2Crypto.keyring
|
||||||
# PATCH-FIX-UPSTREAM CVE-2020-25657-Bleichenbacher-attack.patch bsc#1178829 mcepl@suse.com
|
|
||||||
# Mitigate the Bleichenbacher timing attacks in the RSA decryption API
|
|
||||||
Patch0: CVE-2020-25657-Bleichenbacher-attack.patch
|
|
||||||
# PATCH-FIX-UPSTREAM https://gitlab.com/m2crypto/m2crypto/-/merge_requests/271
|
|
||||||
Patch1: openssl-stop-parsing-header.patch
|
|
||||||
# Patch-FIX-OPENSUSE add test skips for openssl 3.x
|
|
||||||
Patch2: https://src.fedoraproject.org/rpms/m2crypto/raw/d7be0dd83ee5a414544d99dcc62cde4ad5998f0c/f/m2crypto-0.38-ossl3-tests.patch
|
|
||||||
# PATCH-FIX-UPSTREAM https://gitlab.com/m2crypto/m2crypto/-/merge_requests/284
|
|
||||||
Patch3: openssl-adapt-tests-for-3.1.0.patch
|
|
||||||
BuildRequires: %{python_module devel}
|
BuildRequires: %{python_module devel}
|
||||||
BuildRequires: %{python_module parameterized}
|
BuildRequires: %{python_module pip}
|
||||||
BuildRequires: %{python_module pytest}
|
|
||||||
BuildRequires: %{python_module setuptools}
|
|
||||||
BuildRequires: %{python_module typing}
|
BuildRequires: %{python_module typing}
|
||||||
BuildRequires: %{python_module xml}
|
BuildRequires: %{python_module wheel}
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: openssl
|
BuildRequires: openssl
|
||||||
BuildRequires: openssl-devel
|
BuildRequires: openssl-devel
|
||||||
@ -93,20 +81,21 @@ Documentation for the Crypto and SSL toolkit for Python
|
|||||||
|
|
||||||
%build
|
%build
|
||||||
export CFLAGS="%{optflags}"
|
export CFLAGS="%{optflags}"
|
||||||
%python_build
|
%pyproject_wheel
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%python_install
|
%pyproject_install
|
||||||
%python_expand %fdupes %{buildroot}%{$python_sitearch}
|
%python_expand %fdupes %{buildroot}%{$python_sitearch}
|
||||||
|
|
||||||
%check
|
%check
|
||||||
%python_expand ls -l %{buildroot}%{$python_sitearch}/M2Crypto/*.so*
|
%python_expand ls -l %{buildroot}%{$python_sitearch}/M2Crypto/*.so*
|
||||||
export PYTEST_ADDOPTS="--import-mode=append"
|
export PYTEST_ADDOPTS="--import-mode=append"
|
||||||
%pytest_arch tests
|
%pyunittest_arch tests
|
||||||
|
|
||||||
%files %{python_files}
|
%files %{python_files}
|
||||||
%doc CHANGES LICENCE README.rst
|
%doc CHANGES LICENCE README.rst
|
||||||
%{python_sitearch}/*
|
%{python_sitearch}/M2Crypto
|
||||||
|
%{python_sitearch}/M2Crypto-%{version}*-info
|
||||||
|
|
||||||
%files -n %{name}-doc
|
%files -n %{name}-doc
|
||||||
%doc doc/*.rst
|
%doc doc/*.rst
|
||||||
|
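Review bot: `export PYTEST_ADDOPTS="--import-mode=append"` in `%check` is left over now that the test run is `%pyunittest_arch tests` and the pytest BuildRequires has been dropped; nothing in the visible section reads that variable any more, so the line can be removed. Separately, `Source1` now names a local `M2Crypto-%{version}.tar.gz.asc` instead of a URL, so the spec no longer records where the detached signature was obtained; a comment above it such as `# detached signature from <upstream location>` would keep the provenance auditable next to `Source99`. The `%prep` section is outside the visible hunks, so whether the tarball is checked against the keyring at build time cannot be confirmed from here.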