diff --git a/fix_test_suite.patch b/fix_test_suite.patch deleted file mode 100644 index 589b03d..0000000 --- a/fix_test_suite.patch +++ /dev/null @@ -1,29 +0,0 @@ ---- a/tests/test_crypto.py -+++ b/tests/test_crypto.py -@@ -13,7 +13,7 @@ from datetime import datetime, timedelta - - import pytest - --from six import binary_type -+from six import binary_type, PY3 - - from cryptography import x509 - from cryptography.hazmat.backends.openssl.backend import backend -@@ -3167,9 +3167,14 @@ class TestCRL(object): - # and with what certificate it was exported. - text.index(b'Serial Number: 03AB') - text.index(b'Superseded') -- text.index( -- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' -- ) -+ if PY3: -+ text.decode().translate(str.maketrans('','',',/ ')).index( -+ 'Issuer:C=USST=ILL=ChicagoO=TestingCN=TestingRootCA' -+ ) -+ else: -+ text.translate(None, ',/ ').index( -+ 'Issuer:C=USST=ILL=ChicagoO=TestingCN=TestingRootCA' -+ ) - - def test_export_der(self): - """ diff --git a/openssl-1.1.1.patch b/openssl-1.1.1.patch new file mode 100644 index 0000000..d03f0a3 --- /dev/null +++ b/openssl-1.1.1.patch @@ -0,0 +1,226 @@ +From 4725d76eb4a1c0e7b7b6de6e4a8e95d6f076b50b Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 17:35:31 -0400 +Subject: [PATCH 1/7] Attempt to fix CRL tests under OpenSSL 1.1.1 + +--- + tests/test_crypto.py | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/tests/test_crypto.py b/tests/test_crypto.py +index eb4590d0..4983d6ac 100644 +--- a/tests/test_crypto.py ++++ b/tests/test_crypto.py +@@ -3161,10 +3161,10 @@ def test_export_pem(self): + dumped_crl = crl.export( + self.cert, self.pkey, days=20, digest=b"sha256" + ) +- text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text") ++ text = _runopenssl( ++ dumped_crl, b"crl", b"-noout", b"-text", b"-nameopt", "" ++ ) + +- # These magic values are based on the way the CRL above was constructed +- # and with what certificate it was exported. + text.index(b'Serial Number: 03AB') + text.index(b'Superseded') + text.index( +@@ -3184,7 +3184,8 @@ def test_export_der(self): + self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5" + ) + text = _runopenssl( +- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER" ++ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER", ++ b"-nameopt", "" + ) + text.index(b'Serial Number: 03AB') + text.index(b'Superseded') +@@ -3207,7 +3208,8 @@ def test_export_text(self): + self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5" + ) + text = _runopenssl( +- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER" ++ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER", ++ b"-nameopt", "" + ) + + # text format + +From 17d793266477c9812fdf3311741f175b24c07ed7 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 17:54:22 -0400 +Subject: [PATCH 2/7] make these asserts both 1.1.1 and earlier friendly + +--- + tests/test_crypto.py | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/tests/test_crypto.py b/tests/test_crypto.py +index 4983d6ac..c08f81c3 100644 +--- a/tests/test_crypto.py ++++ b/tests/test_crypto.py +@@ -3167,9 +3167,9 @@ def test_export_pem(self): + + text.index(b'Serial Number: 03AB') + text.index(b'Superseded') +- text.index( +- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' +- ) ++ text.index(b'Issuer:') ++ text.index(b'C=US') ++ text.index(b'CN=Testing Root CA') + + def test_export_der(self): + """ +@@ -3189,9 +3189,9 @@ def test_export_der(self): + ) + text.index(b'Serial Number: 03AB') + text.index(b'Superseded') +- text.index( +- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' +- ) ++ text.index(b'Issuer:') ++ text.index(b'C=US') ++ text.index(b'CN=Testing Root CA') + + # Flaky because we compare the output of running commands which sometimes + # varies by 1 second + +From f43cdc5cb6c5f1ccf7983d2c7b8f3304d5130662 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 18:09:49 -0400 +Subject: [PATCH 3/7] Fix setsession test by excluding TLS 1.3 + +TLS 1.3 changes how resumption works, and the precise assertion we use here doesn't hold for it. +--- + tests/test_ssl.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index fbf07603..4845eca3 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -2539,7 +2539,7 @@ def test_client_set_session(self): + """ + key = load_privatekey(FILETYPE_PEM, server_key_pem) + cert = load_certificate(FILETYPE_PEM, server_cert_pem) +- ctx = Context(SSLv23_METHOD) ++ ctx = Context(TLSv1_2_METHOD) + ctx.use_privatekey(key) + ctx.use_certificate(cert) + ctx.set_session_id("unity-test") + +From 71f44a0d979a10c69692dad2098841029363323f Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 19:42:38 -0400 +Subject: [PATCH 4/7] Make this always behave like 1.1.1 + +--- + src/OpenSSL/SSL.py | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py +index 5cf39c0d..910ce680 100644 +--- a/src/OpenSSL/SSL.py ++++ b/src/OpenSSL/SSL.py +@@ -1182,9 +1182,8 @@ def set_cipher_list(self, cipher_list): + if not isinstance(cipher_list, bytes): + raise TypeError("cipher_list must be a byte string.") + +- _openssl_assert( +- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1 +- ) ++ # This can return an error if there's no ciphersuites, but we don't care. ++ _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) + + def set_client_ca_list(self, certificate_authorities): + """ + +From 457b6d391de7f0355def4a596ddb66eede63ae75 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 19:43:49 -0400 +Subject: [PATCH 5/7] Update tests for the new behavior + +--- + tests/test_ssl.py | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index 4845eca3..a5fb4df9 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -409,19 +409,18 @@ def test_set_cipher_list(self, context, cipher_string): + conn = Connection(context, None) + + assert "AES128-SHA" in conn.get_cipher_list() ++ ++ def test_set_cipher_list_imaginary(self, context): ++ # Doesn't raise an exception ++ context.set_cipher_list(b"gibberish") + +- @pytest.mark.parametrize("cipher_list,error", [ +- (object(), TypeError), +- ("imaginary-cipher", Error), +- ]) +- def test_set_cipher_list_wrong_args(self, context, cipher_list, error): ++ def test_set_cipher_list_wrong_args(self, context): + """ + `Context.set_cipher_list` raises `TypeError` when passed a non-string +- argument and raises `OpenSSL.SSL.Error` when passed an incorrect cipher +- list string. ++ argument. + """ +- with pytest.raises(error): +- context.set_cipher_list(cipher_list) ++ with pytest.raises(TypeError): ++ context.set_cipher_list(object()) + + def test_load_client_ca(self, context, ca_file): + """ + +From d735cdba24a0a6a908e316743e03faf0fd7a7f8a Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 19:48:07 -0400 +Subject: [PATCH 6/7] flake8 + +--- + src/OpenSSL/SSL.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py +index 910ce680..a0469f10 100644 +--- a/src/OpenSSL/SSL.py ++++ b/src/OpenSSL/SSL.py +@@ -1182,7 +1182,8 @@ def set_cipher_list(self, cipher_list): + if not isinstance(cipher_list, bytes): + raise TypeError("cipher_list must be a byte string.") + +- # This can return an error if there's no ciphersuites, but we don't care. ++ # This can return an error if there's no ciphersuites, but we don't ++ # care. + _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) + + def set_client_ca_list(self, certificate_authorities): + +From cf1e7619862652e81879541a6af38b793ede47a1 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 11 Sep 2018 20:01:26 -0400 +Subject: [PATCH 7/7] flake8 + +--- + tests/test_ssl.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index a5fb4df9..39e76500 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -409,7 +409,7 @@ def test_set_cipher_list(self, context, cipher_string): + conn = Connection(context, None) + + assert "AES128-SHA" in conn.get_cipher_list() +- ++ + def test_set_cipher_list_imaginary(self, context): + # Doesn't raise an exception + context.set_cipher_list(b"gibberish") diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes index e8f02cf..8a68b42 100644 --- a/python-pyOpenSSL.changes +++ b/python-pyOpenSSL.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Oct 30 11:21:30 UTC 2018 - Tomáš Chvátal + +- Add patch to fix issues with openssl 1.1.1: + * openssl-1.1.1.patch +- Drop the downstream fix_test_suite.patch + ------------------------------------------------------------------- Tue Oct 30 01:06:28 CET 2018 - mcepl@suse.com diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index bdb66a1..f3db6db 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec @@ -28,7 +28,7 @@ URL: https://github.com/pyca/pyopenssl Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz Patch1: skip-networked-test.patch Patch2: openssl-1.1.0i.patch -Patch3: fix_test_suite.patch +Patch3: openssl-1.1.1.patch BuildRequires: %{python_module cryptography >= 2.3.0} BuildRequires: %{python_module flaky} BuildRequires: %{python_module pretend}