Accepting request 873811 from devel:languages:python
- Add 293_sslv23_padding.patch to avoid using RSA_SSLV23_PADDING
(gl#m2crypto/m2crypto#293, gh#openssl/openssl#14216).
- OpenSSL allows the verificaton to continue on
UNABLE_TO_VERIFY_LEAF_SIGNATURE
* This unifies the behaviour of a single certificate with an
unknown CA certificate with a self-signed certificate.
- Add python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch
(Thanks for Debian,
https://salsa.debian.org/python-team/packages/m2crypto/-/commit/e0e9ad5cfff8)
- Add source signature file
OBS-URL: https://build.opensuse.org/request/show/873811
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/python-M2Crypto?expand=0&rev=39
This commit is contained in:
Dominique Leuenberger
Git OBS Bridge
commit
f83180bbc5
14
293_sslv23_padding.patch
Normal file
14
293_sslv23_padding.patch
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
--- a/tests/test_rsa.py
|
||||||
|
+++ b/tests/test_rsa.py
|
||||||
|
@@ -124,11 +124,6 @@ class RSATestCase(unittest.TestCase):
|
||||||
|
ptxt = priv.private_decrypt(ctxt, p)
|
||||||
|
self.assertEqual(ptxt, self.data)
|
||||||
|
|
||||||
|
- # sslv23_padding
|
||||||
|
- ctxt = priv.public_encrypt(self.data, RSA.sslv23_padding)
|
||||||
|
- res = priv.private_decrypt(ctxt, RSA.sslv23_padding)
|
||||||
|
- self.assertEqual(res, self.data)
|
||||||
|
-
|
||||||
|
# no_padding
|
||||||
|
with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'):
|
||||||
|
priv.public_encrypt(self.data, RSA.no_padding)
|
||||||
6
M2Crypto-0.37.1.tar.gz.asc
Normal file
6
M2Crypto-0.37.1.tar.gz.asc
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iF0EABECAB0WIQSJ70vGKIq/QxurJcPgn+8l2WSErAUCX8/GrwAKCRDgn+8l2WSE
|
||||||
|
rAITAJ95Tn9v9Mr0kBf6bbbzEk6vYxV1hQCeLpgKge5XRjV3hse/9PBvzZRvZTo=
|
||||||
|
=6EAh
|
||||||
|
-----END PGP SIGNATURE-----
|
||||||
@ -0,0 +1,47 @@
|
|||||||
|
From 73fbd1e646f6bbf202d4418bae80eb9941fbf552 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Casey Deccio <casey@deccio.net>
|
||||||
|
Date: Fri, 8 Jan 2021 12:43:09 -0700
|
||||||
|
Subject: [PATCH] Allow verify_cb_* to be called with ok=True
|
||||||
|
|
||||||
|
With https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
|
||||||
|
OpenSSL allowed verificaton to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE
|
||||||
|
---
|
||||||
|
tests/test_ssl.py | 14 ++++++++++++--
|
||||||
|
1 file changed, 12 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/tests/test_ssl.py b/tests/test_ssl.py
|
||||||
|
index 92b6942c..7a3271aa 100644
|
||||||
|
--- a/tests/test_ssl.py
|
||||||
|
+++ b/tests/test_ssl.py
|
||||||
|
@@ -59,8 +59,13 @@ def allocate_srv_port():
|
||||||
|
|
||||||
|
|
||||||
|
def verify_cb_new_function(ok, store):
|
||||||
|
- assert not ok
|
||||||
|
err = store.get_error()
|
||||||
|
+ # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of
|
||||||
|
+ # aborting, this callback is called to retrieve additional error
|
||||||
|
+ # information. In this case, ok might not be False.
|
||||||
|
+ # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
|
||||||
|
+ if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
|
||||||
|
+ assert not ok
|
||||||
|
assert err in [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
|
||||||
|
m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
|
||||||
|
m2.X509_V_ERR_CERT_UNTRUSTED,
|
||||||
|
@@ -618,7 +623,12 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase):
|
||||||
|
|
||||||
|
def verify_cb_old(self, ctx_ptr, x509_ptr, err, depth, ok):
|
||||||
|
try:
|
||||||
|
- self.assertFalse(ok)
|
||||||
|
+ # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of
|
||||||
|
+ # aborting, this callback is called to retrieve additional error
|
||||||
|
+ # information. In this case, ok might not be False.
|
||||||
|
+ # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58
|
||||||
|
+ if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
|
||||||
|
+ self.assertFalse(ok)
|
||||||
|
self.assertIn(err,
|
||||||
|
[m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
|
||||||
|
m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
|
||||||
|
--
|
||||||
|
GitLab
|
||||||
|
|
||||||
@ -1,3 +1,25 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Feb 19 12:56:50 UTC 2021 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
- Add 293_sslv23_padding.patch to avoid using RSA_SSLV23_PADDING
|
||||||
|
(gl#m2crypto/m2crypto#293, gh#openssl/openssl#14216).
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 17 11:18:07 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
- OpenSSL allows the verificaton to continue on
|
||||||
|
UNABLE_TO_VERIFY_LEAF_SIGNATURE
|
||||||
|
* This unifies the behaviour of a single certificate with an
|
||||||
|
unknown CA certificate with a self-signed certificate.
|
||||||
|
- Add python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch
|
||||||
|
(Thanks for Debian,
|
||||||
|
https://salsa.debian.org/python-team/packages/m2crypto/-/commit/e0e9ad5cfff8)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 17 10:57:56 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
|
||||||
|
|
||||||
|
- Add source signature file
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Jan 13 08:16:04 UTC 2021 - Matej Cepl <mcepl@suse.com>
|
Wed Jan 13 08:16:04 UTC 2021 - Matej Cepl <mcepl@suse.com>
|
||||||
|
|
||||||
|
|||||||
@ -25,7 +25,15 @@ Summary: Crypto and SSL toolkit for Python
|
|||||||
License: MIT
|
License: MIT
|
||||||
Group: Development/Languages/Python
|
Group: Development/Languages/Python
|
||||||
URL: https://gitlab.com/m2crypto/m2crypto
|
URL: https://gitlab.com/m2crypto/m2crypto
|
||||||
Source: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz
|
Source0: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz
|
||||||
|
Source1: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz.asc
|
||||||
|
# PATCH-FIX-UPSTREAM python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch mcepl@suse.com
|
||||||
|
# https://salsa.debian.org/python-team/packages/m2crypto/-/commit/e0e9ad5cfff86383dabbb92540c0a4892cb4c456
|
||||||
|
# Fixes incompatibility with the modern crypto policies
|
||||||
|
Patch0: python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch
|
||||||
|
# PATCH-FIX-UPSTREAM 293_sslv23_padding.patch gl#m2crypto/m2crypto#293 mcepl@suse.com
|
||||||
|
# RSA_SSLV23_PADDING is evil and should be avoided.
|
||||||
|
Patch1: 293_sslv23_padding.patch
|
||||||
BuildRequires: %{python_module devel}
|
BuildRequires: %{python_module devel}
|
||||||
BuildRequires: %{python_module parameterized}
|
BuildRequires: %{python_module parameterized}
|
||||||
BuildRequires: %{python_module pytest}
|
BuildRequires: %{python_module pytest}
|
||||||
@ -78,7 +86,7 @@ messenger for Zope.
|
|||||||
Documentation for the Crypto and SSL toolkit for Python
|
Documentation for the Crypto and SSL toolkit for Python
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q -n M2Crypto-%{version}
|
%autosetup -p1 -n M2Crypto-%{version}
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export CFLAGS="%{optflags}"
|
export CFLAGS="%{optflags}"
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user