From 673132b30c8dc06657419f0639d7a09060ed941edb421bdd579873f26305f685 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= Date: Fri, 1 Mar 2019 19:38:20 +0000 Subject: [PATCH 1/5] Accepting request 680621 from home:frispete:python - remove everything to build docs: - local-intersphinx-inventories.patch - fetch-intersphinx-inventories.sh - python3.inv - crypto.inv OBS-URL: https://build.opensuse.org/request/show/680621 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=57 --- .gitattributes | 3 --- crypto.inv | 3 --- fetch-intersphinx-inventories.sh | 5 ----- local-intersphinx-inventories.patch | 13 ------------- python-pyOpenSSL.changes | 9 +++++++++ python-pyOpenSSL.spec | 21 --------------------- python3.inv | 3 --- 7 files changed, 9 insertions(+), 48 deletions(-) delete mode 100644 crypto.inv delete mode 100644 fetch-intersphinx-inventories.sh delete mode 100644 local-intersphinx-inventories.patch delete mode 100644 python3.inv diff --git a/.gitattributes b/.gitattributes index e6096f7..9b03811 100644 --- a/.gitattributes +++ b/.gitattributes @@ -21,6 +21,3 @@ *.xz filter=lfs diff=lfs merge=lfs -text *.zip filter=lfs diff=lfs merge=lfs -text *.zst filter=lfs diff=lfs merge=lfs -text -## Specific LFS patterns -crypto.inv filter=lfs diff=lfs merge=lfs -text -python3.inv filter=lfs diff=lfs merge=lfs -text diff --git a/crypto.inv b/crypto.inv deleted file mode 100644 index 264442d..0000000 --- a/crypto.inv +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:41ce8ae745441735db7d7745cc412146c483377c44cda20d7844e0e1141e19a2 -size 9076 diff --git a/fetch-intersphinx-inventories.sh b/fetch-intersphinx-inventories.sh deleted file mode 100644 index 8ccb9af..0000000 --- a/fetch-intersphinx-inventories.sh +++ /dev/null 
@@ -1,5 +0,0 @@ -#!/bin/sh - -wget -O python3.inv https://docs.python.org/3/objects.inv -wget -O crypto.inv https://cryptography.io/en/latest/objects.inv - diff --git a/local-intersphinx-inventories.patch b/local-intersphinx-inventories.patch deleted file mode 100644 index 8d4f5f1..0000000 --- a/local-intersphinx-inventories.patch +++ /dev/null @@ -1,13 +0,0 @@ -Index: b/doc/conf.py -=================================================================== ---- a/doc/conf.py -+++ b/doc/conf.py -@@ -254,6 +254,6 @@ man_pages = [ - ] - - intersphinx_mapping = { -- "https://docs.python.org/3": None, -- "https://cryptography.io/en/latest/": None, -+ "https://docs.python.org/3": "python3.inv", -+ "https://cryptography.io/en/latest/": "crypto.inv", - } diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes index 72836db..98f1afb 100644 --- a/python-pyOpenSSL.changes +++ b/python-pyOpenSSL.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Fri Mar 1 18:06:10 UTC 2019 - Hans-Peter Jansen + +- remove everything to build docs: + - local-intersphinx-inventories.patch + - fetch-intersphinx-inventories.sh + - python3.inv + - crypto.inv + ------------------------------------------------------------------- Mon Feb 25 19:56:35 UTC 2019 - Todd R diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index 0fcc20a..63feebd 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec 
@@ -26,14 +26,10 @@ License: Apache-2.0 Group: Development/Languages/Python URL: https://github.com/pyca/pyopenssl Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz -Source1: python3.inv -Source2: crypto.inv -Source3: fetch-intersphinx-inventories.sh Patch1: skip-networked-test.patch Patch2: openssl-1.1.0i.patch Patch3: openssl-1.1.1.patch Patch4: tls13-renegotiation.patch -Patch5: local-intersphinx-inventories.patch BuildRequires: %{python_module cffi} BuildRequires: %{python_module cryptography >= 2.3.0} BuildRequires: %{python_module flaky} @@ -42,7 +38,6 @@ BuildRequires: %{python_module pytest >= 3.0.1} BuildRequires: %{python_module setuptools} BuildRequires: fdupes BuildRequires: python-rpm-macros -BuildRequires: python3-Sphinx Requires: python-cffi Requires: python-cryptography >= 2.3.0 Requires: python-six >= 1.5.2 @@ -63,28 +58,16 @@ pyOpenSSL is now a pure-Python project with a dependency on a new project, cryptography (), which provides (among other things) a cffi-based interface to OpenSSL. -%package -n %{name}-doc -Summary: Documentation for %{name} -Group: Documentation/HTML - -%description -n %{name}-doc -Provides documentation for %{name}. - %prep %setup -q -n pyOpenSSL-%{version} %autopatch -p1 -# prepare local intersphinx inventories, fetch with fetch-intersphinx-inventories.sh -cp -v %{S:1} doc/ -cp -v %{S:2} doc/ - %build %python_build %install %python_install %python_expand %fdupes %{buildroot}%{$python_sitelib} -PYTHONPATH="%{buildroot}%{python3_sitelib}" python3 setup.py build_sphinx && rm build/sphinx/html/.buildinfo %check export LC_ALL=en_US.UTF-8 @@ -98,8 +81,4 @@ py.test-%{$python_bin_suffix} -m "not network" -k "not test_export_text" %{python_sitelib}/OpenSSL/ %{python_sitelib}/pyOpenSSL-%{version}-py*.egg-info -%files -n %{name}-doc -%doc build/sphinx/html/ -%doc examples/ - %changelog diff --git a/python3.inv b/python3.inv deleted file mode 100644 index 99ffcde..0000000 
--- a/python3.inv +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0c8b6fe404be5534e725ad69abf2a0f7deb6a2972b6500584df61102ce20d7fd -size 102981 From d631fa8ab10706c5a794fddea56f27b976dff05336e9379bfd599c43a1bbc0fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20S=C3=BAkup?= Date: Sat, 2 Mar 2019 16:33:31 +0000 Subject: [PATCH 2/5] - update to 19.0 - fixed build deps. - drop patches: openssl-1.1.0i.patch openssl-1.1.1.patch opensuse_ca.patch tls13-renegotiation.patch * X509Store.add_cert no longer raises an error if you add a duplicate cert. * pyOpenSSL now works with OpenSSL 1.1.1. * pyOpenSSL now handles NUL bytes in X509Name.get_components() OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=58 --- openssl-1.1.0i.patch | 61 ----------- openssl-1.1.1.patch | 220 ++++++-------------------------------- opensuse_ca.patch | 14 +++ pyOpenSSL-18.0.0.tar.gz | 3 - pyOpenSSL-19.0.0.tar.gz | 3 + python-pyOpenSSL.changes | 13 +++ python-pyOpenSSL.spec | 9 +- tls13-renegotiation.patch | 26 +---- 8 files changed, 69 insertions(+), 280 deletions(-) delete mode 100644 openssl-1.1.0i.patch create mode 100644 opensuse_ca.patch delete mode 100644 pyOpenSSL-18.0.0.tar.gz create mode 100644 pyOpenSSL-19.0.0.tar.gz diff --git a/openssl-1.1.0i.patch b/openssl-1.1.0i.patch deleted file mode 100644 index 4127551..0000000 --- a/openssl-1.1.0i.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 0e6c553bc57587dc644430b7336e6bf4d90180a6 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Thu, 23 Aug 2018 10:52:15 -0500 -Subject: [PATCH] X509Store.add_cert no longer raises an error on duplicate - cert (#787) - -* X509Store.add_cert no longer raises an error on duplicate cert - ---- - src/OpenSSL/crypto.py | 11 ++++++++++- - tests/test_crypto.py | 9 ++++----- - 3 files changed, 16 insertions(+), 7 deletions(-) - - Deprecations: -diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py -index d40f23c2..ea7b354b 100644 ---- a/src/OpenSSL/crypto.py -+++ b/src/OpenSSL/crypto.py -@@ -1607,7 +1607,16 @@ def add_cert(self, cert): - if not isinstance(cert, X509): - raise TypeError() - -- _openssl_assert(_lib.X509_STORE_add_cert(self._store, cert._x509) != 0) -+ # As of OpenSSL 1.1.0i adding the same cert to the store more than -+ # once doesn't cause an error. Accordingly, this code now silences -+ # the error for OpenSSL < 1.1.0i as well. -+ if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0: -+ code = _lib.ERR_peek_error() -+ err_reason = _lib.ERR_GET_REASON(code) -+ _openssl_assert( -+ err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE -+ ) -+ _lib.ERR_clear_error() - - def add_crl(self, crl): - """ -diff --git a/tests/test_crypto.py b/tests/test_crypto.py -index d1c261b8..eb4590d0 100644 ---- a/tests/test_crypto.py -+++ b/tests/test_crypto.py -@@ -2016,16 +2016,15 @@ def test_add_cert_wrong_args(self, cert): - with pytest.raises(TypeError): - store.add_cert(cert) - -- def test_add_cert_rejects_duplicate(self): -+ def test_add_cert_accepts_duplicate(self): - """ -- `X509Store.add_cert` raises `OpenSSL.crypto.Error` if an attempt is -- made to add the same certificate to the store more than once. -+ `X509Store.add_cert` doesn't raise `OpenSSL.crypto.Error` if an attempt -+ is made to add the same certificate to the store more than once. 
- """ - cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM) - store = X509Store() - store.add_cert(cert) -- with pytest.raises(Error): -- store.add_cert(cert) -+ store.add_cert(cert) - - - class TestPKCS12(object): diff --git a/openssl-1.1.1.patch b/openssl-1.1.1.patch index d03f0a3..d746b08 100644 --- a/openssl-1.1.1.patch +++ b/openssl-1.1.1.patch 
@@ -7,162 +7,23 @@ Subject: [PATCH 1/7] Attempt to fix CRL tests under OpenSSL 1.1.1 tests/test_crypto.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) -diff --git a/tests/test_crypto.py b/tests/test_crypto.py -index eb4590d0..4983d6ac 100644 ---- a/tests/test_crypto.py -+++ b/tests/test_crypto.py -@@ -3161,10 +3161,10 @@ def test_export_pem(self): - dumped_crl = crl.export( - self.cert, self.pkey, days=20, digest=b"sha256" - ) -- text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text") -+ text = _runopenssl( -+ dumped_crl, b"crl", b"-noout", b"-text", b"-nameopt", "" -+ ) - -- # These magic values are based on the way the CRL above was constructed -- # and with what certificate it was exported. - text.index(b'Serial Number: 03AB') - text.index(b'Superseded') - text.index( -@@ -3184,7 +3184,8 @@ def test_export_der(self): - self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5" - ) - text = _runopenssl( -- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER" -+ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER", -+ b"-nameopt", "" - ) - text.index(b'Serial Number: 03AB') - text.index(b'Superseded') -@@ -3207,7 +3208,8 @@ def test_export_text(self): - self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5" - ) - text = _runopenssl( -- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER" -+ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER", -+ b"-nameopt", "" - ) - - # text format - -From 17d793266477c9812fdf3311741f175b24c07ed7 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 17:54:22 -0400 -Subject: [PATCH 2/7] make these asserts both 1.1.1 and earlier friendly - ---- - tests/test_crypto.py | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/tests/test_crypto.py b/tests/test_crypto.py -index 4983d6ac..c08f81c3 100644 ---- a/tests/test_crypto.py -+++ b/tests/test_crypto.py -@@ -3167,9 +3167,9 @@ def test_export_pem(self): - - text.index(b'Serial Number: 03AB') - 
text.index(b'Superseded') -- text.index( -- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' -- ) -+ text.index(b'Issuer:') -+ text.index(b'C=US') -+ text.index(b'CN=Testing Root CA') - - def test_export_der(self): - """ -@@ -3189,9 +3189,9 @@ def test_export_der(self): - ) - text.index(b'Serial Number: 03AB') - text.index(b'Superseded') -- text.index( -- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' -- ) -+ text.index(b'Issuer:') -+ text.index(b'C=US') -+ text.index(b'CN=Testing Root CA') - - # Flaky because we compare the output of running commands which sometimes - # varies by 1 second - -From f43cdc5cb6c5f1ccf7983d2c7b8f3304d5130662 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 18:09:49 -0400 -Subject: [PATCH 3/7] Fix setsession test by excluding TLS 1.3 - -TLS 1.3 changes how resumption works, and the precise assertion we use here doesn't hold for it. ---- - tests/test_ssl.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/test_ssl.py b/tests/test_ssl.py -index fbf07603..4845eca3 100644 ---- a/tests/test_ssl.py -+++ b/tests/test_ssl.py -@@ -2539,7 +2539,7 @@ def test_client_set_session(self): - """ - key = load_privatekey(FILETYPE_PEM, server_key_pem) - cert = load_certificate(FILETYPE_PEM, server_cert_pem) -- ctx = Context(SSLv23_METHOD) -+ ctx = Context(TLSv1_2_METHOD) - ctx.use_privatekey(key) - ctx.use_certificate(cert) - ctx.set_session_id("unity-test") - -From 71f44a0d979a10c69692dad2098841029363323f Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 19:42:38 -0400 -Subject: [PATCH 4/7] Make this always behave like 1.1.1 - ---- - src/OpenSSL/SSL.py | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py -index 5cf39c0d..910ce680 100644 ---- a/src/OpenSSL/SSL.py -+++ b/src/OpenSSL/SSL.py -@@ -1182,9 +1182,8 @@ def set_cipher_list(self, cipher_list): - if not isinstance(cipher_list, bytes): - raise 
TypeError("cipher_list must be a byte string.") - -- _openssl_assert( -- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1 -- ) -+ # This can return an error if there's no ciphersuites, but we don't care. -+ _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) - - def set_client_ca_list(self, certificate_authorities): - """ - -From 457b6d391de7f0355def4a596ddb66eede63ae75 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 19:43:49 -0400 -Subject: [PATCH 5/7] Update tests for the new behavior - ---- - tests/test_ssl.py | 17 ++++++++--------- - 1 file changed, 8 insertions(+), 9 deletions(-) - -diff --git a/tests/test_ssl.py b/tests/test_ssl.py -index 4845eca3..a5fb4df9 100644 ---- a/tests/test_ssl.py -+++ b/tests/test_ssl.py -@@ -409,19 +409,18 @@ def test_set_cipher_list(self, context, cipher_string): - conn = Connection(context, None) +Index: pyOpenSSL-19.0.0/tests/test_ssl.py +=================================================================== +--- pyOpenSSL-19.0.0.orig/tests/test_ssl.py ++++ pyOpenSSL-19.0.0/tests/test_ssl.py +@@ -410,18 +410,17 @@ class TestContext(object): assert "AES128-SHA" in conn.get_cipher_list() -+ -+ def test_set_cipher_list_imaginary(self, context): -+ # Doesn't raise an exception -+ context.set_cipher_list(b"gibberish") - @pytest.mark.parametrize("cipher_list,error", [ - (object(), TypeError), - ("imaginary-cipher", Error), - ]) - def test_set_cipher_list_wrong_args(self, context, cipher_list, error): ++ def test_set_cipher_list_imaginary(self, context): ++ # Doesn't raise an exception ++ context.set_cipher_list(b"gibberish") ++ + def test_set_cipher_list_wrong_args(self, context): """ `Context.set_cipher_list` raises `TypeError` when passed a non-string 
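Review bot: The mail header kept as context at the top of this rebased patch no longer matches its body: it still reads `[PATCH 1/7] Attempt to fix CRL tests under OpenSSL 1.1.1` with a diffstat for `tests/test_crypto.py`, while the new side only touches `tests/test_ssl.py` and `src/OpenSSL/SSL.py`. I would replace it with a subject that says what the patch does now, for example `Subject: Do not raise from Context.set_cipher_list when OpenSSL rejects the cipher string`. The rewritten test in this hunk also drops the `("imaginary-cipher", Error)` case, and the new `test_set_cipher_list_imaginary` contains no assertion. As a result, nothing checks which cipher list the context ends up with after a rejected string. The first lines of the patch header lie above the hunk and are not visible here.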
@@ -177,50 +38,29 @@ index 4845eca3..a5fb4df9 100644 def test_load_client_ca(self, context, ca_file): """ - -From d735cdba24a0a6a908e316743e03faf0fd7a7f8a Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 19:48:07 -0400 -Subject: [PATCH 6/7] flake8 - ---- - src/OpenSSL/SSL.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py -index 910ce680..a0469f10 100644 ---- a/src/OpenSSL/SSL.py -+++ b/src/OpenSSL/SSL.py -@@ -1182,7 +1182,8 @@ def set_cipher_list(self, cipher_list): +@@ -3836,7 +3835,7 @@ class TestOCSP(object): + :param request_ocsp: Whether the client will actually ask for OCSP + stapling. Useful for testing only. + """ +- ctx = Context(SSLv23_METHOD) ++ ctx = Context(TLSv1_2_METHOD) + ctx.set_ocsp_client_callback(callback, data) + client = Connection(ctx) + +Index: pyOpenSSL-19.0.0/src/OpenSSL/SSL.py +=================================================================== +--- pyOpenSSL-19.0.0.orig/src/OpenSSL/SSL.py ++++ pyOpenSSL-19.0.0/src/OpenSSL/SSL.py +@@ -1182,9 +1182,9 @@ class Context(object): if not isinstance(cipher_list, bytes): raise TypeError("cipher_list must be a byte string.") -- # This can return an error if there's no ciphersuites, but we don't care. +- _openssl_assert( +- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1 +- ) + # This can return an error if there's no ciphersuites, but we don't + # care. 
- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) - - def set_client_ca_list(self, certificate_authorities): - -From cf1e7619862652e81879541a6af38b793ede47a1 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 20:01:26 -0400 -Subject: [PATCH 7/7] flake8 - ---- - tests/test_ssl.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/test_ssl.py b/tests/test_ssl.py -index a5fb4df9..39e76500 100644 ---- a/tests/test_ssl.py -+++ b/tests/test_ssl.py -@@ -409,7 +409,7 @@ def test_set_cipher_list(self, context, cipher_string): - conn = Connection(context, None) - - assert "AES128-SHA" in conn.get_cipher_list() -- -+ - def test_set_cipher_list_imaginary(self, context): - # Doesn't raise an exception - context.set_cipher_list(b"gibberish") ++ _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) + # In OpenSSL 1.1.1 setting the cipher list will always return TLS 1.3 + # ciphers even if you pass an invalid cipher. Applications (like + # Twisted) have tests that depend on an error being raised if an diff --git a/opensuse_ca.patch b/opensuse_ca.patch new file mode 100644 index 0000000..a6c2c34 --- /dev/null +++ b/opensuse_ca.patch @@ -0,0 +1,14 @@ +Index: pyOpenSSL-19.0.0/src/OpenSSL/SSL.py +=================================================================== +--- pyOpenSSL-19.0.0.orig/src/OpenSSL/SSL.py ++++ pyOpenSSL-19.0.0/src/OpenSSL/SSL.py +@@ -221,7 +221,8 @@ SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HAND + _CERTIFICATE_FILE_LOCATIONS = [ + "/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Gentoo etc. + "/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL 6 +- "/etc/ssl/ca-bundle.pem", # OpenSUSE ++ "/var/lib/ca-certificates/ca-bundle.pem", #openSUSE real locaction ++ "/etc/ssl/ca-bundle.pem", # openSUSE + "/etc/pki/tls/cacert.pem", # OpenELEC + "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", # CentOS/RHEL 7 + ] diff --git a/pyOpenSSL-18.0.0.tar.gz b/pyOpenSSL-18.0.0.tar.gz deleted file mode 100644 index a59479b..0000000 
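Review bot: The rebased `SSL.py` part of this hunk replaces `_openssl_assert(_lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1)` with a bare call whose result is discarded, so a cipher string that OpenSSL rejects no longer raises at this statement. For a caller that uses `set_cipher_list` to restrict a context to a hardened suite list, a mistyped string would then presumably leave the previous list in place without any signal. The trailing context comment suggests that 19.0.0 has its own follow-up check for invalid ciphers, but that code lies outside the hunk, so it cannot be confirmed from here that it still catches the failure. If the relaxation is only needed to get the test suite through, I would keep the upstream assert and adjust the tests, or at least record the reason in the patch, e.g. `# openSUSE: return value ignored because <reason>; invalid lists are rejected by the check below`. The same hunk also pins `TestOCSP` to `Context(TLSv1_2_METHOD)`, so OCSP stapling is no longer exercised over TLS 1.3.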
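Review bot: `opensuse_ca.patch` is created here, but the spec hunks of this commit add no `PatchN:` line for it, so `%autopatch -p1` will not apply it, and the changelog entry of the same commit lists it among the dropped patches. If the extra path is wanted, the spec needs a line such as `Patch2: opensuse_ca.patch`; otherwise the file should not be added. Inside the patch, the new comment has a typo and lacks the space its neighbours use; I would write `"/var/lib/ca-certificates/ca-bundle.pem",  # openSUSE real location`. `_CERTIFICATE_FILE_LOCATIONS` appears to name the CA bundles the library falls back to, so a one-line comment saying why the `/var/lib` path must precede `/etc/ssl/ca-bundle.pem` would help whoever rebases this next.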
--- a/pyOpenSSL-18.0.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6488f1423b00f73b7ad5167885312bb0ce410d3312eb212393795b53c8caa580 -size 167296 diff --git a/pyOpenSSL-19.0.0.tar.gz b/pyOpenSSL-19.0.0.tar.gz new file mode 100644 index 0000000..ab5b2dc --- /dev/null +++ b/pyOpenSSL-19.0.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aeca66338f6de19d1aa46ed634c3b9ae519a64b458f8468aec688e7e3c20f200 +size 168551 diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes index 98f1afb..ad0ceb2 100644 --- a/python-pyOpenSSL.changes +++ b/python-pyOpenSSL.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Sat Mar 2 16:29:39 UTC 2019 - Ondřej Súkup + +- update to 19.0 +- fixed build deps. +- drop patches: openssl-1.1.0i.patch + openssl-1.1.1.patch + opensuse_ca.patch + tls13-renegotiation.patch + * X509Store.add_cert no longer raises an error if you add a duplicate cert. + * pyOpenSSL now works with OpenSSL 1.1.1. + * pyOpenSSL now handles NUL bytes in X509Name.get_components() + ------------------------------------------------------------------- Fri Mar 1 18:06:10 UTC 2019 - Hans-Peter Jansen diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index 63feebd..bc2b78e 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec @@ -19,7 +19,7 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define oldpython python Name: python-pyOpenSSL -Version: 18.0.0 +Version: 19.0.0 Release: 0 Summary: Python wrapper module around the OpenSSL library License: Apache-2.0 
@@ -27,16 +27,16 @@ Group: Development/Languages/Python URL: https://github.com/pyca/pyopenssl Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz Patch1: skip-networked-test.patch -Patch2: openssl-1.1.0i.patch -Patch3: openssl-1.1.1.patch -Patch4: tls13-renegotiation.patch BuildRequires: %{python_module cffi} BuildRequires: %{python_module cryptography >= 2.3.0} BuildRequires: %{python_module flaky} BuildRequires: %{python_module pretend} BuildRequires: %{python_module pytest >= 3.0.1} BuildRequires: %{python_module setuptools} +BuildRequires: %{python_module six} +BuildRequires: ca-certificates-mozilla BuildRequires: fdupes +BuildRequires: openssl BuildRequires: python-rpm-macros Requires: python-cffi Requires: python-cryptography >= 2.3.0 @@ -61,6 +61,7 @@ other things) a cffi-based interface to OpenSSL. %prep %setup -q -n pyOpenSSL-%{version} %autopatch -p1 +/usr/lib/ca-certificates/update.d/99certbundle.run %build %python_build diff --git a/tls13-renegotiation.patch b/tls13-renegotiation.patch index 8bb360c..7d1133e 100644 --- a/tls13-renegotiation.patch +++ b/tls13-renegotiation.patch @@ -1,7 +1,7 @@ -Index: pyOpenSSL-18.0.0/tests/test_ssl.py +Index: pyOpenSSL-19.0.0/tests/test_ssl.py =================================================================== ---- pyOpenSSL-18.0.0.orig/tests/test_ssl.py 2018-10-30 20:43:38.806954080 +0100 -+++ pyOpenSSL-18.0.0/tests/test_ssl.py 2018-10-30 20:58:46.133504622 +0100 +--- pyOpenSSL-19.0.0.orig/tests/test_ssl.py ++++ pyOpenSSL-19.0.0/tests/test_ssl.py @@ -3181,6 +3181,7 @@ class TestConnectionRenegotiate(object): """ Tests for SSL renegotiation APIs. 
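Review bot: The line `/usr/lib/ca-certificates/update.d/99certbundle.run` added to `%prep` in the `@@ -61,6 +61,7 @@` hunk runs a system hook from inside the package build. It acts on the build root's trust store rather than on the unpacked source tree, and nothing in the spec says why. `%prep` should only unpack and patch; if a test needs a generated CA bundle, the call belongs in `%check` with a comment such as `# regenerate the CA bundle, needed by <test name>`. The `@@ -27,16 +27,16 @@` hunk adds `BuildRequires: ca-certificates-mozilla` and `BuildRequires: openssl`, apparently for the same purpose and also without explanation. Patch 5/5 of this series removes the hook call again but leaves those two BuildRequires, so it is worth confirming that they are still needed.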
@@ -10,25 +10,7 @@ Index: pyOpenSSL-18.0.0/tests/test_ssl.py def test_total_renegotiations(self): """ `Connection.total_renegotiations` returns `0` before any renegotiations -@@ -3193,7 +3194,16 @@ class TestConnectionRenegotiate(object): - """ - Go through a complete renegotiation cycle. - """ -- server, client = loopback() -+ # renegotiation works with TLS version <= 1.2 -+ def makeServer12(socket): -+ ctx = Context(TLSv1_2_METHOD) -+ ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) -+ ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) -+ server = Connection(ctx, socket) -+ server.set_accept_state() -+ return server -+ -+ server, client = loopback(server_factory=makeServer12) - - server.send(b"hello world") - -@@ -3216,6 +3226,25 @@ class TestConnectionRenegotiate(object): +@@ -3219,6 +3220,25 @@ class TestConnectionRenegotiate(object): while False is server.renegotiate_pending(): pass From 693ef40809ecaa5bda9a4a2a34d4fe051195e247aba982524c8497587753f7f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20S=C3=BAkup?= Date: Sat, 2 Mar 2019 16:34:16 +0000 Subject: [PATCH 3/5] remove patches OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=59 --- openssl-1.1.1.patch | 66 --------------------------------------- tls13-renegotiation.patch | 38 ---------------------- 2 files changed, 104 deletions(-) delete mode 100644 openssl-1.1.1.patch delete mode 100644 tls13-renegotiation.patch diff --git a/openssl-1.1.1.patch b/openssl-1.1.1.patch deleted file mode 100644 index d746b08..0000000 --- a/openssl-1.1.1.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 4725d76eb4a1c0e7b7b6de6e4a8e95d6f076b50b Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 17:35:31 -0400 -Subject: [PATCH 1/7] Attempt to fix CRL tests under OpenSSL 1.1.1 - ---- - tests/test_crypto.py | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -Index: pyOpenSSL-19.0.0/tests/test_ssl.py -=================================================================== ---- pyOpenSSL-19.0.0.orig/tests/test_ssl.py -+++ pyOpenSSL-19.0.0/tests/test_ssl.py -@@ -410,18 +410,17 @@ class TestContext(object): - - assert "AES128-SHA" in conn.get_cipher_list() - -- @pytest.mark.parametrize("cipher_list,error", [ -- (object(), TypeError), -- ("imaginary-cipher", Error), -- ]) -- def test_set_cipher_list_wrong_args(self, context, cipher_list, error): -+ def test_set_cipher_list_imaginary(self, context): -+ # Doesn't raise an exception -+ context.set_cipher_list(b"gibberish") -+ -+ def test_set_cipher_list_wrong_args(self, context): - """ - `Context.set_cipher_list` raises `TypeError` when passed a non-string -- argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher -- list string. -+ argument. - """ -- with pytest.raises(error): -- context.set_cipher_list(cipher_list) -+ with pytest.raises(TypeError): -+ context.set_cipher_list(object()) - - def test_load_client_ca(self, context, ca_file): - """ -@@ -3836,7 +3835,7 @@ class TestOCSP(object): - :param request_ocsp: Whether the client will actually ask for OCSP - stapling. Useful for testing only. 
- """ -- ctx = Context(SSLv23_METHOD) -+ ctx = Context(TLSv1_2_METHOD) - ctx.set_ocsp_client_callback(callback, data) - client = Connection(ctx) - -Index: pyOpenSSL-19.0.0/src/OpenSSL/SSL.py -=================================================================== ---- pyOpenSSL-19.0.0.orig/src/OpenSSL/SSL.py -+++ pyOpenSSL-19.0.0/src/OpenSSL/SSL.py -@@ -1182,9 +1182,9 @@ class Context(object): - if not isinstance(cipher_list, bytes): - raise TypeError("cipher_list must be a byte string.") - -- _openssl_assert( -- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1 -- ) -+ # This can return an error if there's no ciphersuites, but we don't -+ # care. -+ _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) - # In OpenSSL 1.1.1 setting the cipher list will always return TLS 1.3 - # ciphers even if you pass an invalid cipher. Applications (like - # Twisted) have tests that depend on an error being raised if an diff --git a/tls13-renegotiation.patch b/tls13-renegotiation.patch deleted file mode 100644 index 7d1133e..0000000 --- a/tls13-renegotiation.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -Index: pyOpenSSL-19.0.0/tests/test_ssl.py -=================================================================== ---- pyOpenSSL-19.0.0.orig/tests/test_ssl.py -+++ pyOpenSSL-19.0.0/tests/test_ssl.py -@@ -3181,6 +3181,7 @@ class TestConnectionRenegotiate(object): - """ - Tests for SSL renegotiation APIs. - """ -+ - def test_total_renegotiations(self): - """ - `Connection.total_renegotiations` returns `0` before any renegotiations -@@ -3219,6 +3220,25 @@ class TestConnectionRenegotiate(object): - while False is server.renegotiate_pending(): - pass - -+ # renegotiation is forbidden in TLS 1.3 -+ server, client = loopback() -+ -+ server.send(b"hello world") -+ -+ assert b"hello world" == client.recv(len(b"hello world")) -+ -+ assert 0 == server.total_renegotiations() -+ assert False is server.renegotiate_pending() -+ -+ # renegotian under TLS 1.3 must fail -+ -+ if client.get_protocol_version_name() == "TLSv1.3": -+ try: -+ assert False is server.renegotiate() -+ #error ('SSL routines', 'SSL_renegotiate', 'wrong ssl version') -+ except SSL.Error: -+ pass -+ - - class TestError(object): - """ From af94cd5070052a239bef685db905a64149fb122f366820f0c0fa6be782001876 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20S=C3=BAkup?= Date: Sat, 2 Mar 2019 16:34:43 +0000 Subject: [PATCH 4/5] ... OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=60 --- opensuse_ca.patch | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 opensuse_ca.patch diff --git a/opensuse_ca.patch b/opensuse_ca.patch deleted file mode 100644 index a6c2c34..0000000 --- a/opensuse_ca.patch +++ /dev/null 
@@ -1,14 +0,0 @@ -Index: pyOpenSSL-19.0.0/src/OpenSSL/SSL.py -=================================================================== ---- pyOpenSSL-19.0.0.orig/src/OpenSSL/SSL.py -+++ pyOpenSSL-19.0.0/src/OpenSSL/SSL.py -@@ -221,7 +221,8 @@ SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HAND - _CERTIFICATE_FILE_LOCATIONS = [ - "/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Gentoo etc. - "/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL 6 -- "/etc/ssl/ca-bundle.pem", # OpenSUSE -+ "/var/lib/ca-certificates/ca-bundle.pem", #openSUSE real locaction -+ "/etc/ssl/ca-bundle.pem", # openSUSE - "/etc/pki/tls/cacert.pem", # OpenELEC - "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", # CentOS/RHEL 7 - ] From 244516e2206d19c966e2ac5ebe59a0721244804adea6c158f8a1ff3de686ea35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20S=C3=BAkup?= Date: Sat, 2 Mar 2019 16:35:29 +0000 Subject: [PATCH 5/5] g OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=61 --- python-pyOpenSSL.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index bc2b78e..e695916 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec @@ -61,7 +61,6 @@ other things) a cffi-based interface to OpenSSL. %prep %setup -q -n pyOpenSSL-%{version} %autopatch -p1 -/usr/lib/ca-certificates/update.d/99certbundle.run %build %python_build