Accepting request 873811 from devel:languages:python

- Add 293_sslv23_padding.patch to avoid using RSA_SSLV23_PADDING (gl#m2crypto/m2crypto#293, gh#openssl/openssl#14216). - OpenSSL allows the verificaton to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE * This unifies the behaviour of a single certificate with an unknown CA certificate with a self-signed certificate. - Add python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch (Thanks for Debian, https://salsa.debian.org/python-team/packages/m2crypto/-/commit/e0e9ad5cfff8) - Add source signature file OBS-URL: https://build.opensuse.org/request/show/873811 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-M2Crypto?expand=0&rev=39
2021-02-23 19:20:08 +00:00 · 2021-02-23 19:20:08 +00:00 · f83180bbc5
commit f83180bbc5
parent cb684043d0 3e4e459152
5 changed files with 99 additions and 2 deletions
--- a/293_sslv23_padding.patch
+++ b/293_sslv23_padding.patch
@ -0,0 +1,14 @@
+--- a/tests/test_rsa.py
+++ b/tests/test_rsa.py
+@@ -124,11 +124,6 @@ class RSATestCase(unittest.TestCase):
+             ptxt = priv.private_decrypt(ctxt, p)
+             self.assertEqual(ptxt, self.data)
+ 
+-        # sslv23_padding
+-        ctxt = priv.public_encrypt(self.data, RSA.sslv23_padding)
+-        res = priv.private_decrypt(ctxt, RSA.sslv23_padding)
+-        self.assertEqual(res, self.data)
+-
+         # no_padding
+         with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
+             priv.public_encrypt(self.data, RSA.no_padding)
--- a/M2Crypto-0.37.1.tar.gz.asc
+++ b/M2Crypto-0.37.1.tar.gz.asc
@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQSJ70vGKIq/QxurJcPgn+8l2WSErAUCX8/GrwAKCRDgn+8l2WSE
+rAITAJ95Tn9v9Mr0kBf6bbbzEk6vYxV1hQCeLpgKge5XRjV3hse/9PBvzZRvZTo=
+=6EAh
+-----END PGP SIGNATURE-----
--- a/python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch
+++ b/python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch
@ -0,0 +1,47 @@
+From 73fbd1e646f6bbf202d4418bae80eb9941fbf552 Mon Sep 17 00:00:00 2001
+From: Casey Deccio <casey@deccio.net>
+Date: Fri, 8 Jan 2021 12:43:09 -0700
+Subject: [PATCH] Allow verify_cb_* to be called with ok=True
+
+With https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
+OpenSSL allowed verificaton to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE
+---
+ tests/test_ssl.py | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test_ssl.py b/tests/test_ssl.py
+index 92b6942c..7a3271aa 100644
+--- a/tests/test_ssl.py
+++ b/tests/test_ssl.py
+@@ -59,8 +59,13 @@ def allocate_srv_port():
+ 
+ 
+ def verify_cb_new_function(ok, store):
+-    assert not ok
+     err = store.get_error()
+    # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of
+    # aborting, this callback is called to retrieve additional error
+    # information.  In this case, ok might not be False.
+    # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
+    if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+        assert not ok
+     assert err in [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
+                    m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
+                    m2.X509_V_ERR_CERT_UNTRUSTED,
+@@ -618,7 +623,12 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase):
+ 
+     def verify_cb_old(self, ctx_ptr, x509_ptr, err, depth, ok):
+         try:
+-            self.assertFalse(ok)
+            # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of
+            # aborting, this callback is called to retrieve additional error
+            # information.  In this case, ok might not be False.
+            # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
+            if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+                self.assertFalse(ok)
+             self.assertIn(err,
+                           [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
+                            m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
+-- 
+GitLab
+
--- a/python-M2Crypto.changes
+++ b/python-M2Crypto.changes
@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Fri Feb 19 12:56:50 UTC 2021 - Matej Cepl <mcepl@suse.com>
+
+- Add 293_sslv23_padding.patch to avoid using RSA_SSLV23_PADDING
+  (gl#m2crypto/m2crypto#293, gh#openssl/openssl#14216).
+
+-------------------------------------------------------------------
+Wed Feb 17 11:18:07 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- OpenSSL allows the verificaton to continue on
+  UNABLE_TO_VERIFY_LEAF_SIGNATURE
+  * This unifies the behaviour of a single certificate with an
+    unknown CA certificate with a self-signed certificate.
+- Add python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch
+  (Thanks for Debian,
+  https://salsa.debian.org/python-team/packages/m2crypto/-/commit/e0e9ad5cfff8)
+
+-------------------------------------------------------------------
+Wed Feb 17 10:57:56 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- Add source signature file
+
 -------------------------------------------------------------------
 Wed Jan 13 08:16:04 UTC 2021 - Matej Cepl <mcepl@suse.com>

--- a/python-M2Crypto.spec
+++ b/python-M2Crypto.spec
@ -25,7 +25,15 @@ Summary:        Crypto and SSL toolkit for Python
 License:        MIT
 Group:          Development/Languages/Python
 URL:            https://gitlab.com/m2crypto/m2crypto
-Source:         https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz
+Source0:        https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz
+Source1:        https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz.asc
+# PATCH-FIX-UPSTREAM python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch mcepl@suse.com
+# https://salsa.debian.org/python-team/packages/m2crypto/-/commit/e0e9ad5cfff86383dabbb92540c0a4892cb4c456
+# Fixes incompatibility with the modern crypto policies
+Patch0:         python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch
+# PATCH-FIX-UPSTREAM 293_sslv23_padding.patch gl#m2crypto/m2crypto#293 mcepl@suse.com
+# RSA_SSLV23_PADDING is evil and should be avoided.
+Patch1:         293_sslv23_padding.patch
 BuildRequires:  %{python_module devel}
 BuildRequires:  %{python_module parameterized}
 BuildRequires:  %{python_module pytest}
@ -78,7 +86,7 @@ messenger for Zope.
 Documentation for the Crypto and SSL toolkit for Python

 %prep
-%setup -q -n M2Crypto-%{version}
+%autosetup -p1 -n M2Crypto-%{version}

 %build
 export CFLAGS="%{optflags}"