Accepting request 873095 from home:pmonrealgonzalez:branches:devel:languages:python

- OpenSSL allows the verificaton to continue on
  UNABLE_TO_VERIFY_LEAF_SIGNATURE
  * This unifies the behaviour of a single certificate with an
    unknown CA certificate with a self-signed certificate.
- Add python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch

- Add source signature file

OBS-URL: https://build.opensuse.org/request/show/873095
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-M2Crypto?expand=0&rev=96
This commit is contained in:
Matej Cepl 2021-02-17 11:23:26 +00:00 committed by Git OBS Bridge
parent 68549c21a6
commit a86aefab3a
4 changed files with 71 additions and 1 deletions

View File

@ -0,0 +1,6 @@
-----BEGIN PGP SIGNATURE-----
iF0EABECAB0WIQSJ70vGKIq/QxurJcPgn+8l2WSErAUCX8/GrwAKCRDgn+8l2WSE
rAITAJ95Tn9v9Mr0kBf6bbbzEk6vYxV1hQCeLpgKge5XRjV3hse/9PBvzZRvZTo=
=6EAh
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,47 @@
From 73fbd1e646f6bbf202d4418bae80eb9941fbf552 Mon Sep 17 00:00:00 2001
From: Casey Deccio <casey@deccio.net>
Date: Fri, 8 Jan 2021 12:43:09 -0700
Subject: [PATCH] Allow verify_cb_* to be called with ok=True
With https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
OpenSSL allowed verificaton to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE
---
tests/test_ssl.py | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
index 92b6942c..7a3271aa 100644
--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
@@ -59,8 +59,13 @@ def allocate_srv_port():
def verify_cb_new_function(ok, store):
- assert not ok
err = store.get_error()
+ # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of
+ # aborting, this callback is called to retrieve additional error
+ # information. In this case, ok might not be False.
+ # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
+ if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+ assert not ok
assert err in [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
m2.X509_V_ERR_CERT_UNTRUSTED,
@@ -618,7 +623,12 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase):
def verify_cb_old(self, ctx_ptr, x509_ptr, err, depth, ok):
try:
- self.assertFalse(ok)
+ # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of
+ # aborting, this callback is called to retrieve additional error
+ # information. In this case, ok might not be False.
+ # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
+ if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+ self.assertFalse(ok)
self.assertIn(err,
[m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
--
GitLab

View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Wed Feb 17 11:18:07 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
- OpenSSL allows the verificaton to continue on
UNABLE_TO_VERIFY_LEAF_SIGNATURE
* This unifies the behaviour of a single certificate with an
unknown CA certificate with a self-signed certificate.
- Add python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch
-------------------------------------------------------------------
Wed Feb 17 10:57:56 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
- Add source signature file
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jan 13 08:16:04 UTC 2021 - Matej Cepl <mcepl@suse.com> Wed Jan 13 08:16:04 UTC 2021 - Matej Cepl <mcepl@suse.com>

View File

@ -25,7 +25,9 @@ Summary: Crypto and SSL toolkit for Python
License: MIT License: MIT
Group: Development/Languages/Python Group: Development/Languages/Python
URL: https://gitlab.com/m2crypto/m2crypto URL: https://gitlab.com/m2crypto/m2crypto
Source: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz Source0: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz
Source1: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz.asc
Patch0: python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch
BuildRequires: %{python_module devel} BuildRequires: %{python_module devel}
BuildRequires: %{python_module parameterized} BuildRequires: %{python_module parameterized}
BuildRequires: %{python_module pytest} BuildRequires: %{python_module pytest}
@ -79,6 +81,7 @@ Documentation for the Crypto and SSL toolkit for Python
%prep %prep
%setup -q -n M2Crypto-%{version} %setup -q -n M2Crypto-%{version}
%patch0 -p1
%build %build
export CFLAGS="%{optflags}" export CFLAGS="%{optflags}"