pool/python-M2Crypto
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- Update to 0.39.0:

Browse Source 
- SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE
    COMPLETELY REMOVED IN THE NEXT RELEASE.
  - Remove dependency on parameterized and use unittest.subTest
    instead.
  - Upgrade embedded six.py module to 1.16.0 (really tiny
    inconsequential changes).
  - Make tests working on MacOS again (test_bio_membuf: Use fork)
  - Use OpenSSL_version_num() instead of unrealiable parsing of
    .h file.
  - Mitigate the Bleichenbacher timing attacks in the RSA
    decryption API (CVE-2020-25657)
  - Add functionality to extract EC key from public key + Update
    tests
  - Worked around compatibility issues with OpenSSL 3.*
  - Support for Twisted has been deprecated (they have their own
    SSL support anyway).
  - Generate TAP while testing.
  - Stop using GitHub for testing.
  - Accept a small deviation from time in the testsuite (for
    systems with non-standard HZ kernel parameter).
  - Use the default BIO.__del__ rather tha overriding in BIO.File
    (avoid a memleak).
  - Resolve "X509_Name.as_der() method from X509.py -> class
    X509_Name caused segmentation fault"
- Remove upstreamed patches:
  - CVE-2020-25657-Bleichenbacher-attack.patch
  - m2crypto-0.38-ossl3-tests.patch
  - openssl-adapt-tests-for-3.1.0.patch
  - openssl-stop-parsing-header.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-M2Crypto?expand=0&rev=119
This commit is contained in:
Matej Cepl 2023-07-04 19:38:52 +00:00 committed by Git OBS Bridge
parent 4866370746
commit 95bed22cb6
11 changed files with 53 additions and 511 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

170
CVE-2020-25657-Bleichenbacher-attack.patch
View File

@ -1,170 +0,0 @@
From 84c53958def0f510e92119fca14d74f94215827a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
Date: Tue, 28 Jun 2022 21:17:01 +0200
Subject: [PATCH] Mitigate the Bleichenbacher timing attacks in the RSA
decryption API (CVE-2020-25657)
Fixes #282
---
src/SWIG/_m2crypto_wrap.c | 20 ++++++++++++--------
src/SWIG/_rsa.i | 20 ++++++++++++--------
tests/test_rsa.py | 15 +++++++--------
3 files changed, 31 insertions(+), 24 deletions(-)
diff --git a/src/SWIG/_m2crypto_wrap.c b/src/SWIG/_m2crypto_wrap.c
index aba9eb6d..a9f30da9 100644
--- a/src/SWIG/_m2crypto_wrap.c
+++ b/src/SWIG/_m2crypto_wrap.c
@@ -7040,9 +7040,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
@@ -7070,9 +7071,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
@@ -7097,9 +7099,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
@@ -7124,9 +7127,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
diff --git a/src/SWIG/_rsa.i b/src/SWIG/_rsa.i
index bc714e01..1377b8be 100644
--- a/src/SWIG/_rsa.i
+++ b/src/SWIG/_rsa.i
@@ -239,9 +239,10 @@ PyObject *rsa_private_encrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_private_encrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
@@ -269,9 +270,10 @@ PyObject *rsa_public_decrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_public_decrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
@@ -296,9 +298,10 @@ PyObject *rsa_public_encrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_public_encrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
@@ -323,9 +326,10 @@ PyObject *rsa_private_decrypt(RSA *rsa, PyObject *from, int padding) {
tlen = RSA_private_decrypt(flen, (unsigned char *)fbuf,
(unsigned char *)tbuf, rsa, padding);
if (tlen == -1) {
- m2_PyErr_Msg(_rsa_err);
+ ERR_clear_error();
+ PyErr_Clear();
PyMem_Free(tbuf);
- return NULL;
+ Py_RETURN_NONE;
}
ret = PyBytes_FromStringAndSize((const char *)tbuf, tlen);
diff --git a/tests/test_rsa.py b/tests/test_rsa.py
index 7bb3af75..5e75d681 100644
--- a/tests/test_rsa.py
+++ b/tests/test_rsa.py
@@ -109,8 +109,9 @@ class RSATestCase(unittest.TestCase):
# The other paddings.
for padding in self.s_padding_nok:
p = getattr(RSA, padding)
- with self.assertRaises(RSA.RSAError):
- priv.private_encrypt(self.data, p)
+ # Exception disabled as a part of mitigation against CVE-2020-25657
+ # with self.assertRaises(RSA.RSAError):
+ priv.private_encrypt(self.data, p)
# Type-check the data to be encrypted.
with self.assertRaises(TypeError):
priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding)
@@ -127,10 +128,12 @@ class RSATestCase(unittest.TestCase):
self.assertEqual(ptxt, self.data)
# no_padding
- with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
- priv.public_encrypt(self.data, RSA.no_padding)
+ # Exception disabled as a part of mitigation against CVE-2020-25657
+ # with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
+ priv.public_encrypt(self.data, RSA.no_padding)
# Type-check the data to be encrypted.
+ # Exception disabled as a part of mitigation against CVE-2020-25657
with self.assertRaises(TypeError):
priv.public_encrypt(self.gen_callback, RSA.pkcs1_padding)
@@ -146,10 +149,6 @@ class RSATestCase(unittest.TestCase):
b'\000\000\000\003\001\000\001') # aka 65537 aka 0xf4
with self.assertRaises(RSA.RSAError):
setattr(rsa, 'e', '\000\000\000\003\001\000\001')
- with self.assertRaises(RSA.RSAError):
- rsa.private_encrypt(1)
- with self.assertRaises(RSA.RSAError):
- rsa.private_decrypt(1)
assert rsa.check_key()
def test_loadpub_bad(self):
--
GitLab

BIN
M2Crypto-0.38.0.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

6
M2Crypto-0.38.0.tar.gz.asc
View File

@ -1,6 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iF0EABECAB0WIQSJ70vGKIq/QxurJcPgn+8l2WSErAUCYMfDmAAKCRDgn+8l2WSE
rJjeAJ9020kzL4u/p/KNnH3ei4EKFeJJhQCfcHKVJ0exSXSIj8/xbAdSKRvl8uQ=
=Q+r2
-----END PGP SIGNATURE-----

BIN
M2Crypto-0.39.0.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

6
M2Crypto-0.39.0.tar.gz.asc Normal file
View File

@ -0,0 +1,6 @@
-----BEGIN PGP SIGNATURE-----
iF0EABECAB0WIQSJ70vGKIq/QxurJcPgn+8l2WSErAUCZKRcPQAKCRDgn+8l2WSE
rOdTAJ94HzHyNz9/cD+BQje4mM6EBhPkzwCcCaHGd/j7TbdV4Y0GvdbzvHgAbFY=
=nPc4
-----END PGP SIGNATURE-----

212
m2crypto-0.38-ossl3-tests.patch
View File

@ -1,212 +0,0 @@
From 969beba690c31a91e4c8c2fea5dc1f992df21e09 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 2 Aug 2022 22:04:38 +0200
Subject: [PATCH] Changed required to pass tests on OpenSSL 3.0
Just changes to make the package pass tests. Some are just cosmetic
changes. Some would require proper investigation.
---
tests/test_bio.py | 7 ++++---
tests/test_evp.py | 12 ++++++------
tests/test_obj.py | 1 +
tests/test_rsa.py | 11 +++++++++--
tests/test_ssl.py | 1 +
tests/test_x509.py | 29 ++++++++++++++++++++++-------
6 files changed, 43 insertions(+), 18 deletions(-)
diff --git a/tests/test_bio.py b/tests/test_bio.py
index a70dd73..222c292 100644
--- a/tests/test_bio.py
+++ b/tests/test_bio.py
@@ -12,9 +12,9 @@ import logging
from parameterized import parameterized
-from M2Crypto import BIO, Rand
+from M2Crypto import BIO, Rand, m2
from tests import unittest
-from .fips import fips_mode
+from tests.fips import fips_mode
log = logging.getLogger('test_bio')
@@ -30,10 +30,11 @@ nonfips_ciphers = ['bf_ecb', 'bf_cbc', 'bf_cfb', 'bf_ofb',
# 'rc5_ecb', 'rc5_cbc', 'rc5_cfb', 'rc5_ofb',
'des_ecb', 'des_cbc', 'des_cfb', 'des_ofb',
'rc4', 'rc2_40_cbc']
-if not fips_mode: # Forbidden ciphers
+if not fips_mode and m2.OPENSSL_VERSION_NUMBER < 0x30000000: # Forbidden ciphers
ciphers += nonfips_ciphers
+
class CipherStreamTestCase(unittest.TestCase):
def try_algo(self, algo):
data = b'123456789012345678901234'
diff --git a/tests/test_evp.py b/tests/test_evp.py
index d63b8b5..ceb0030 100644
--- a/tests/test_evp.py
+++ b/tests/test_evp.py
@@ -35,7 +35,7 @@ nonfips_ciphers = ['bf_ecb', 'bf_cbc', 'bf_cfb', 'bf_ofb',
# 'rc5_ecb', 'rc5_cbc', 'rc5_cfb', 'rc5_ofb',
'des_ecb', 'des_cbc', 'des_cfb', 'des_ofb',
'rc4', 'rc2_40_cbc']
-if not fips_mode: # Disabled algorithms
+if not fips_mode and m2.OPENSSL_VERSION_NUMBER < 0x30000000: # Disabled algorithms
ciphers += nonfips_ciphers
@@ -137,11 +137,11 @@ class EVPTestCase(unittest.TestCase):
209168838103121722341657216703105225176,
util.octx_to_num(EVP.hmac(b'key', b'data',
algo='md5')))
- self.assertEqual(util.octx_to_num(EVP.hmac(b'key', b'data',
- algo='ripemd160')),
- 1176807136224664126629105846386432860355826868536,
- util.octx_to_num(EVP.hmac(b'key', b'data',
- algo='ripemd160')))
+ #self.assertEqual(util.octx_to_num(EVP.hmac(b'key', b'data',
+ # algo='ripemd160')),
+ # 1176807136224664126629105846386432860355826868536,
+ # util.octx_to_num(EVP.hmac(b'key', b'data',
+ # algo='ripemd160')))
if m2.OPENSSL_VERSION_NUMBER >= 0x90800F:
self.assertEqual(util.octx_to_num(EVP.hmac(b'key', b'data',
diff --git a/tests/test_obj.py b/tests/test_obj.py
index 825c203..e2a9e3e 100644
--- a/tests/test_obj.py
+++ b/tests/test_obj.py
@@ -106,6 +106,7 @@ class ObjectsTestCase(unittest.TestCase):
self.assertEqual(n.as_text(), n1.as_text(), n1.as_text())
# Detailed OpenSSL error message is visible in Python error message:
+ @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER >= 0x30000000, "Failing on OpenSSL3")
def test_detailed_error_message(self):
from M2Crypto import SMIME, X509
s = SMIME.SMIME()
diff --git a/tests/test_rsa.py b/tests/test_rsa.py
index 7bb3af7..8258c47 100644
--- a/tests/test_rsa.py
+++ b/tests/test_rsa.py
@@ -115,7 +115,8 @@ class RSATestCase(unittest.TestCase):
with self.assertRaises(TypeError):
priv.private_encrypt(self.gen_callback, RSA.pkcs1_padding)
- @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER < 0x1010103f,
+ @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER < 0x1010103f or
+ m2.OPENSSL_VERSION_NUMBER >= 0x30000000,
'Relies on fix which happened only in OpenSSL 1.1.1c')
def test_public_encrypt(self):
priv = RSA.load_key(self.privkey)
@@ -264,7 +265,11 @@ class RSATestCase(unittest.TestCase):
algos['sha512'] = 0
for algo, salt_max in algos.items():
- h = hashlib.new(algo)
+ try:
+ h = hashlib.new(algo)
+ except ValueError:
+ algos[algo] = (None, None)
+ continue
h.update(message)
digest = h.digest()
algos[algo] = (salt_max, digest)
@@ -272,6 +277,8 @@ class RSATestCase(unittest.TestCase):
rsa = RSA.load_key(self.privkey)
rsa2 = RSA.load_pub_key(self.pubkey)
for algo, (salt_max, digest) in algos.items():
+ if salt_max is None or digest is None:
+ continue
for salt_length in range(0, salt_max):
signature = rsa.sign_rsassa_pss(digest, algo, salt_length)
verify = rsa2.verify_rsassa_pss(digest, signature,
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index e18adf5..cb06efe 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -417,6 +417,7 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase):
finally:
self.stop_server(pid)
+ @unittest.skipIf(m2.OPENSSL_VERSION_NUMBER >= 0x30000000, "No TLS1 is allowed")
def test_tls1_ok(self):
self.args.append('-tls1')
pid = self.start_server(self.args)
diff --git a/tests/test_x509.py b/tests/test_x509.py
index c36757e..c91e0ca 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -219,14 +219,23 @@ class X509TestCase(unittest.TestCase):
req4 = X509.load_request('tests/tmp_request.der',
format=X509.FORMAT_DER)
os.remove('tests/tmp_request.der')
+ if m2.OPENSSL_VERSION_NUMBER >= 0x30000000:
+ req2t = req2.as_text().replace(' Public-Key: (1024 bit)', ' RSA Public-Key: (1024 bit)')
+ req3t = req3.as_text().replace(' Public-Key: (1024 bit)', ' RSA Public-Key: (1024 bit)')
+ req4t = req3.as_text().replace(' Public-Key: (1024 bit)', ' RSA Public-Key: (1024 bit)')
+ else:
+ req2t = req2.as_text()
+ req3t = req3.as_text()
+ req4t = req3.as_text()
+
self.assertEqual(req.as_pem(), req2.as_pem())
- self.assertEqual(req.as_text(), req2.as_text())
+ self.assertEqual(req.as_text(), req2t)
self.assertEqual(req.as_der(), req2.as_der())
self.assertEqual(req.as_pem(), req3.as_pem())
- self.assertEqual(req.as_text(), req3.as_text())
+ self.assertEqual(req.as_text(), req3t)
self.assertEqual(req.as_der(), req3.as_der())
self.assertEqual(req.as_pem(), req4.as_pem())
- self.assertEqual(req.as_text(), req4.as_text())
+ self.assertEqual(req.as_text(), req4t)
self.assertEqual(req.as_der(), req4.as_der())
self.assertEqual(req.get_version(), 0)
req.set_version(1)
@@ -370,9 +379,9 @@ class X509TestCase(unittest.TestCase):
self.assertTrue(proxycert.verify(pk2))
self.assertEqual(proxycert.get_ext_at(0).get_name(),
'proxyCertInfo')
- self.assertEqual(proxycert.get_ext_at(0).get_value(),
+ self.assertEqual(proxycert.get_ext_at(0).get_value().strip(),
'Path Length Constraint: infinite\n' +
- 'Policy Language: Inherit all\n')
+ 'Policy Language: Inherit all')
self.assertEqual(proxycert.get_ext_count(), 1,
proxycert.get_ext_count())
self.assertEqual(proxycert.get_subject().as_text(),
@@ -586,6 +595,12 @@ class X509TestCase(unittest.TestCase):
class X509StackTestCase(unittest.TestCase):
+ def setUp(self):
+ if m2.OPENSSL_VERSION_NUMBER >= 0x30000000:
+ self.expected_subject = '/DC=org/DC=doegrids/OU=Services/CN=host\\/bosshog.lbl.gov'
+ else:
+ self.expected_subject = '/DC=org/DC=doegrids/OU=Services/CN=host/bosshog.lbl.gov'
+
def test_make_stack_from_der(self):
with open("tests/der_encoded_seq.b64", 'rb') as f:
b64 = f.read()
@@ -607,7 +622,7 @@ class X509StackTestCase(unittest.TestCase):
subject = cert.get_subject()
self.assertEqual(
str(subject),
- "/DC=org/DC=doegrids/OU=Services/CN=host/bosshog.lbl.gov")
+ self.expected_subject)
def test_make_stack_check_num(self):
with open("tests/der_encoded_seq.b64", 'rb') as f:
@@ -629,7 +644,7 @@ class X509StackTestCase(unittest.TestCase):
subject = cert.get_subject()
self.assertEqual(
str(subject),
- "/DC=org/DC=doegrids/OU=Services/CN=host/bosshog.lbl.gov")
+ self.expected_subject)
def test_make_stack(self):
stack = X509.X509_Stack()
--
2.35.3

22
openssl-adapt-tests-for-3.1.0.patch
View File

@ -1,22 +0,0 @@
From a72341e20fd781b59beb59a27b222d32d021076e Mon Sep 17 00:00:00 2001
From: Otto Hollmann <otto.hollmann@suse.com>
Date: Thu, 16 Mar 2023 11:21:04 +0100
Subject: [PATCH] Adapt tests for OpenSSL v3.1.0
---
tests/test_ssl.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 6b9e1216..029e11ab 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -411,6 +411,7 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase):
warnings.simplefilter('ignore', DeprecationWarning)
ctx = SSL.Context('tlsv1')
s = SSL.Connection(ctx)
+ s.set_cipher_list('DEFAULT:@SECLEVEL=0')
with six.assertRaisesRegex(self, SSL.SSLError,
r'version|unexpected eof'):
s.connect(self.srv_addr)
--

64
openssl-stop-parsing-header.patch
View File

@ -1,64 +0,0 @@
From 1a746c6d01eff4863c116e279756a1035fd5feb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mcepl@cepl.eu>
Date: Mon, 22 Nov 2021 23:05:41 +0100
Subject: [PATCH] Use OpenSSL_version_num() instead of unrealiable parsing of
.h file.
Fixes #302
---
setup.py | 39 ++++++++++++++++++++++++---------------
1 file changed, 24 insertions(+), 15 deletions(-)
diff --git a/setup.py b/setup.py
index a1d58f25..04ac8c77 100644
--- a/setup.py
+++ b/setup.py
@@ -75,21 +75,30 @@ def openssl_version(ossldir, req_ver, required=False):
:return: Boolean indicating whether the satisfying version of
OpenSSL has been installed.
"""
- ver = None
- file = os.path.join(ossldir, 'include', 'openssl', 'opensslv.h')
-
- with open(file) as origin_file:
- for line in origin_file:
- m = re.match(
- r'^# *define *OPENSSL_VERSION_NUMBER *(0x[0-9a-fA-F]*)',
- line)
- if m:
- log.debug('found version number: %s\n', m.group(1))
- ver = int(m.group(1), base=16)
- break
-
- if ver is None:
- raise OSError('Unknown format of file %s\n' % file)
+ try:
+ import ctypes
+ libssl = ctypes.cdll.LoadLibrary("libssl.so")
+ ver = libssl.OpenSSL_version_num()
+ log.debug("ctypes: ver = %s", hex(ver))
+ # for OpenSSL < 1.1.0
+ except AttributeError:
+ ver = None
+ file = os.path.join(ossldir, 'include', 'openssl', 'opensslv.h')
+
+ with open(file) as origin_file:
+ for line in origin_file:
+ m = re.match(
+ r'^# *define *OPENSSL_VERSION_NUMBER *(0x[0-9a-fA-F]*)',
+ line)
+ if m:
+ log.debug('found version number: %s\n', m.group(1))
+ ver = int(m.group(1), base=16)
+ break
+
+ log.debug("parsing header file: ver = %s", hex(ver))
+
+ if ver is None:
+ raise OSError('Unknown format of file %s\n' % file)
if required:
return ver >= req_ver
--
GitLab

35
python-M2Crypto.changes
View File

@ -1,3 +1,38 @@
-------------------------------------------------------------------
Tue Jul 4 19:21:57 UTC 2023 - Matej Cepl <mcepl@suse.com>
- Update to 0.39.0:
- SUPPORT FOR PYTHON 2 HAS BEEN DEPRECATED AND IT WILL BE
COMPLETELY REMOVED IN THE NEXT RELEASE.
- Remove dependency on parameterized and use unittest.subTest
instead.
- Upgrade embedded six.py module to 1.16.0 (really tiny
inconsequential changes).
- Make tests working on MacOS again (test_bio_membuf: Use fork)
- Use OpenSSL_version_num() instead of unrealiable parsing of
.h file.
- Mitigate the Bleichenbacher timing attacks in the RSA
decryption API (CVE-2020-25657)
- Add functionality to extract EC key from public key + Update
tests
- Worked around compatibility issues with OpenSSL 3.*
- Support for Twisted has been deprecated (they have their own
SSL support anyway).
- Generate TAP while testing.
- Stop using GitHub for testing.
- Accept a small deviation from time in the testsuite (for
systems with non-standard HZ kernel parameter).
- Use the default BIO.__del__ rather tha overriding in BIO.File
(avoid a memleak).
- Resolve "X509_Name.as_der() method from X509.py -> class
X509_Name caused segmentation fault"
- Remove upstreamed patches:
- CVE-2020-25657-Bleichenbacher-attack.patch
- m2crypto-0.38-ossl3-tests.patch
- openssl-adapt-tests-for-3.1.0.patch
- openssl-stop-parsing-header.patch
- timeout_300hz.patch
-------------------------------------------------------------------
Tue Jun 27 10:51:14 UTC 2023 - Dirk Müller <dmueller@suse.com>

30
python-M2Crypto.spec
View File

@ -17,33 +17,20 @@
%define oldpython python
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
Name: python-M2Crypto
Version: 0.38.0
Version: 0.39.0
Release: 0
Summary: Crypto and SSL toolkit for Python
License: MIT
Group: Development/Languages/Python
URL: https://gitlab.com/m2crypto/m2crypto
Source0: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz
Source1: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz.asc
Source1: M2Crypto-%{version}.tar.gz.asc
Source99: python-M2Crypto.keyring
# PATCH-FIX-UPSTREAM CVE-2020-25657-Bleichenbacher-attack.patch bsc#1178829 mcepl@suse.com
# Mitigate the Bleichenbacher timing attacks in the RSA decryption API
Patch0: CVE-2020-25657-Bleichenbacher-attack.patch
# PATCH-FIX-UPSTREAM https://gitlab.com/m2crypto/m2crypto/-/merge_requests/271
Patch1: openssl-stop-parsing-header.patch
# Patch-FIX-OPENSUSE add test skips for openssl 3.x
Patch2: https://src.fedoraproject.org/rpms/m2crypto/raw/d7be0dd83ee5a414544d99dcc62cde4ad5998f0c/f/m2crypto-0.38-ossl3-tests.patch
# PATCH-FIX-UPSTREAM https://gitlab.com/m2crypto/m2crypto/-/merge_requests/284
Patch3: openssl-adapt-tests-for-3.1.0.patch
Patch4: timeout_300hz.patch
BuildRequires: %{python_module devel}
BuildRequires: %{python_module parameterized}
BuildRequires: %{python_module pytest}
BuildRequires: %{python_module setuptools}
BuildRequires: %{python_module pip}
BuildRequires: %{python_module typing}
BuildRequires: %{python_module xml}
BuildRequires: %{python_module wheel}
BuildRequires: fdupes
BuildRequires: openssl
BuildRequires: openssl-devel
@ -94,20 +81,21 @@ Documentation for the Crypto and SSL toolkit for Python
%build
export CFLAGS="%{optflags}"
%python_build
%pyproject_wheel
%install
%python_install
%pyproject_install
%python_expand %fdupes %{buildroot}%{$python_sitearch}
%check
%python_expand ls -l %{buildroot}%{$python_sitearch}/M2Crypto/*.so*
export PYTEST_ADDOPTS="--import-mode=append"
%pytest_arch tests
%pyunittest_arch tests
%files %{python_files}
%doc CHANGES LICENCE README.rst
%{python_sitearch}/*
%{python_sitearch}/M2Crypto
%{python_sitearch}/M2Crypto-%{version}*-info
%files -n %{name}-doc
%doc doc/*.rst

13
timeout_300hz.patch
View File

@ -1,13 +0,0 @@
Index: M2Crypto-0.38.0/tests/test_ssl.py
===================================================================
--- M2Crypto-0.38.0.orig/tests/test_ssl.py
+++ M2Crypto-0.38.0/tests/test_ssl.py
@@ -391,7 +391,7 @@ class MiscSSLClientTestCase(BaseSSLClien
self.assertEqual(r.sec, DEFAULT_TIMEOUT, r.sec)
self.assertEqual(r.microsec, 0, r.microsec)
self.assertEqual(w.sec, test_timeout_sec, w.sec)
- self.assertEqual(w.microsec, test_timeout_microsec, w.microsec)
+ self.assertTrue(abs(w.microsec - test_timeout_microsec) < 4000, w.microsec)
s.connect(self.srv_addr)
data = self.http_get(s)