From d631fa8ab10706c5a794fddea56f27b976dff05336e9379bfd599c43a1bbc0fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20S=C3=BAkup?= Date: Sat, 2 Mar 2019 16:33:31 +0000 Subject: [PATCH] - update to 19.0 - fixed build deps. - drop patches: openssl-1.1.0i.patch openssl-1.1.1.patch opensuse_ca.patch tls13-renegotiation.patch * X509Store.add_cert no longer raises an error if you add a duplicate cert. * pyOpenSSL now works with OpenSSL 1.1.1. * pyOpenSSL now handles NUL bytes in X509Name.get_components() OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-pyOpenSSL?expand=0&rev=58 --- openssl-1.1.0i.patch | 61 ----------- openssl-1.1.1.patch | 220 ++++++-------------------------------- opensuse_ca.patch | 14 +++ pyOpenSSL-18.0.0.tar.gz | 3 - pyOpenSSL-19.0.0.tar.gz | 3 + python-pyOpenSSL.changes | 13 +++ python-pyOpenSSL.spec | 9 +- tls13-renegotiation.patch | 26 +---- 8 files changed, 69 insertions(+), 280 deletions(-) delete mode 100644 openssl-1.1.0i.patch create mode 100644 opensuse_ca.patch delete mode 100644 pyOpenSSL-18.0.0.tar.gz create mode 100644 pyOpenSSL-19.0.0.tar.gz diff --git a/openssl-1.1.0i.patch b/openssl-1.1.0i.patch deleted file mode 100644 index 4127551..0000000 --- a/openssl-1.1.0i.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 0e6c553bc57587dc644430b7336e6bf4d90180a6 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Thu, 23 Aug 2018 10:52:15 -0500 -Subject: [PATCH] X509Store.add_cert no longer raises an error on duplicate - cert (#787) - -* X509Store.add_cert no longer raises an error on duplicate cert - ---- - src/OpenSSL/crypto.py | 11 ++++++++++- - tests/test_crypto.py | 9 ++++----- - 3 files changed, 16 insertions(+), 7 deletions(-) - - Deprecations: -diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py -index d40f23c2..ea7b354b 100644 ---- a/src/OpenSSL/crypto.py -+++ b/src/OpenSSL/crypto.py -@@ -1607,7 +1607,16 @@ def add_cert(self, cert): - if not isinstance(cert, X509): - raise TypeError() - -- _openssl_assert(_lib.X509_STORE_add_cert(self._store, cert._x509) != 0) -+ # As of OpenSSL 1.1.0i adding the same cert to the store more than -+ # once doesn't cause an error. Accordingly, this code now silences -+ # the error for OpenSSL < 1.1.0i as well. -+ if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0: -+ code = _lib.ERR_peek_error() -+ err_reason = _lib.ERR_GET_REASON(code) -+ _openssl_assert( -+ err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE -+ ) -+ _lib.ERR_clear_error() - - def add_crl(self, crl): - """ -diff --git a/tests/test_crypto.py b/tests/test_crypto.py -index d1c261b8..eb4590d0 100644 ---- a/tests/test_crypto.py -+++ b/tests/test_crypto.py -@@ -2016,16 +2016,15 @@ def test_add_cert_wrong_args(self, cert): - with pytest.raises(TypeError): - store.add_cert(cert) - -- def test_add_cert_rejects_duplicate(self): -+ def test_add_cert_accepts_duplicate(self): - """ -- `X509Store.add_cert` raises `OpenSSL.crypto.Error` if an attempt is -- made to add the same certificate to the store more than once. -+ `X509Store.add_cert` doesn't raise `OpenSSL.crypto.Error` if an attempt -+ is made to add the same certificate to the store more than once. 
- """ - cert = load_certificate(FILETYPE_PEM, cleartextCertificatePEM) - store = X509Store() - store.add_cert(cert) -- with pytest.raises(Error): -- store.add_cert(cert) -+ store.add_cert(cert) - - - class TestPKCS12(object): diff --git a/openssl-1.1.1.patch b/openssl-1.1.1.patch index d03f0a3..d746b08 100644 --- a/openssl-1.1.1.patch +++ b/openssl-1.1.1.patch 
@@ -7,162 +7,23 @@ Subject: [PATCH 1/7] Attempt to fix CRL tests under OpenSSL 1.1.1 tests/test_crypto.py | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) -diff --git a/tests/test_crypto.py b/tests/test_crypto.py -index eb4590d0..4983d6ac 100644 ---- a/tests/test_crypto.py -+++ b/tests/test_crypto.py -@@ -3161,10 +3161,10 @@ def test_export_pem(self): - dumped_crl = crl.export( - self.cert, self.pkey, days=20, digest=b"sha256" - ) -- text = _runopenssl(dumped_crl, b"crl", b"-noout", b"-text") -+ text = _runopenssl( -+ dumped_crl, b"crl", b"-noout", b"-text", b"-nameopt", "" -+ ) - -- # These magic values are based on the way the CRL above was constructed -- # and with what certificate it was exported. - text.index(b'Serial Number: 03AB') - text.index(b'Superseded') - text.index( -@@ -3184,7 +3184,8 @@ def test_export_der(self): - self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5" - ) - text = _runopenssl( -- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER" -+ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER", -+ b"-nameopt", "" - ) - text.index(b'Serial Number: 03AB') - text.index(b'Superseded') -@@ -3207,7 +3208,8 @@ def test_export_text(self): - self.cert, self.pkey, FILETYPE_ASN1, digest=b"md5" - ) - text = _runopenssl( -- dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER" -+ dumped_crl, b"crl", b"-noout", b"-text", b"-inform", b"DER", -+ b"-nameopt", "" - ) - - # text format - -From 17d793266477c9812fdf3311741f175b24c07ed7 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 17:54:22 -0400 -Subject: [PATCH 2/7] make these asserts both 1.1.1 and earlier friendly - ---- - tests/test_crypto.py | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/tests/test_crypto.py b/tests/test_crypto.py -index 4983d6ac..c08f81c3 100644 ---- a/tests/test_crypto.py -+++ b/tests/test_crypto.py -@@ -3167,9 +3167,9 @@ def test_export_pem(self): - - text.index(b'Serial Number: 03AB') - 
text.index(b'Superseded') -- text.index( -- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' -- ) -+ text.index(b'Issuer:') -+ text.index(b'C=US') -+ text.index(b'CN=Testing Root CA') - - def test_export_der(self): - """ -@@ -3189,9 +3189,9 @@ def test_export_der(self): - ) - text.index(b'Serial Number: 03AB') - text.index(b'Superseded') -- text.index( -- b'Issuer: /C=US/ST=IL/L=Chicago/O=Testing/CN=Testing Root CA' -- ) -+ text.index(b'Issuer:') -+ text.index(b'C=US') -+ text.index(b'CN=Testing Root CA') - - # Flaky because we compare the output of running commands which sometimes - # varies by 1 second - -From f43cdc5cb6c5f1ccf7983d2c7b8f3304d5130662 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 18:09:49 -0400 -Subject: [PATCH 3/7] Fix setsession test by excluding TLS 1.3 - -TLS 1.3 changes how resumption works, and the precise assertion we use here doesn't hold for it. ---- - tests/test_ssl.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/test_ssl.py b/tests/test_ssl.py -index fbf07603..4845eca3 100644 ---- a/tests/test_ssl.py -+++ b/tests/test_ssl.py -@@ -2539,7 +2539,7 @@ def test_client_set_session(self): - """ - key = load_privatekey(FILETYPE_PEM, server_key_pem) - cert = load_certificate(FILETYPE_PEM, server_cert_pem) -- ctx = Context(SSLv23_METHOD) -+ ctx = Context(TLSv1_2_METHOD) - ctx.use_privatekey(key) - ctx.use_certificate(cert) - ctx.set_session_id("unity-test") - -From 71f44a0d979a10c69692dad2098841029363323f Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 19:42:38 -0400 -Subject: [PATCH 4/7] Make this always behave like 1.1.1 - ---- - src/OpenSSL/SSL.py | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py -index 5cf39c0d..910ce680 100644 ---- a/src/OpenSSL/SSL.py -+++ b/src/OpenSSL/SSL.py -@@ -1182,9 +1182,8 @@ def set_cipher_list(self, cipher_list): - if not isinstance(cipher_list, bytes): - raise 
TypeError("cipher_list must be a byte string.") - -- _openssl_assert( -- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1 -- ) -+ # This can return an error if there's no ciphersuites, but we don't care. -+ _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) - - def set_client_ca_list(self, certificate_authorities): - """ - -From 457b6d391de7f0355def4a596ddb66eede63ae75 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 19:43:49 -0400 -Subject: [PATCH 5/7] Update tests for the new behavior - ---- - tests/test_ssl.py | 17 ++++++++--------- - 1 file changed, 8 insertions(+), 9 deletions(-) - -diff --git a/tests/test_ssl.py b/tests/test_ssl.py -index 4845eca3..a5fb4df9 100644 ---- a/tests/test_ssl.py -+++ b/tests/test_ssl.py -@@ -409,19 +409,18 @@ def test_set_cipher_list(self, context, cipher_string): - conn = Connection(context, None) +Index: pyOpenSSL-19.0.0/tests/test_ssl.py +=================================================================== +--- pyOpenSSL-19.0.0.orig/tests/test_ssl.py ++++ pyOpenSSL-19.0.0/tests/test_ssl.py +@@ -410,18 +410,17 @@ class TestContext(object): assert "AES128-SHA" in conn.get_cipher_list() -+ -+ def test_set_cipher_list_imaginary(self, context): -+ # Doesn't raise an exception -+ context.set_cipher_list(b"gibberish") - @pytest.mark.parametrize("cipher_list,error", [ - (object(), TypeError), - ("imaginary-cipher", Error), - ]) - def test_set_cipher_list_wrong_args(self, context, cipher_list, error): ++ def test_set_cipher_list_imaginary(self, context): ++ # Doesn't raise an exception ++ context.set_cipher_list(b"gibberish") ++ + def test_set_cipher_list_wrong_args(self, context): """ `Context.set_cipher_list` raises `TypeError` when passed a non-string 
@@ -177,50 +38,29 @@ index 4845eca3..a5fb4df9 100644 def test_load_client_ca(self, context, ca_file): """ - -From d735cdba24a0a6a908e316743e03faf0fd7a7f8a Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 19:48:07 -0400 -Subject: [PATCH 6/7] flake8 - ---- - src/OpenSSL/SSL.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py -index 910ce680..a0469f10 100644 ---- a/src/OpenSSL/SSL.py -+++ b/src/OpenSSL/SSL.py -@@ -1182,7 +1182,8 @@ def set_cipher_list(self, cipher_list): +@@ -3836,7 +3835,7 @@ class TestOCSP(object): + :param request_ocsp: Whether the client will actually ask for OCSP + stapling. Useful for testing only. + """ +- ctx = Context(SSLv23_METHOD) ++ ctx = Context(TLSv1_2_METHOD) + ctx.set_ocsp_client_callback(callback, data) + client = Connection(ctx) + +Index: pyOpenSSL-19.0.0/src/OpenSSL/SSL.py +=================================================================== +--- pyOpenSSL-19.0.0.orig/src/OpenSSL/SSL.py ++++ pyOpenSSL-19.0.0/src/OpenSSL/SSL.py +@@ -1182,9 +1182,9 @@ class Context(object): if not isinstance(cipher_list, bytes): raise TypeError("cipher_list must be a byte string.") -- # This can return an error if there's no ciphersuites, but we don't care. +- _openssl_assert( +- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1 +- ) + # This can return an error if there's no ciphersuites, but we don't + # care. 
- _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) - - def set_client_ca_list(self, certificate_authorities): - -From cf1e7619862652e81879541a6af38b793ede47a1 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 11 Sep 2018 20:01:26 -0400 -Subject: [PATCH 7/7] flake8 - ---- - tests/test_ssl.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/test_ssl.py b/tests/test_ssl.py -index a5fb4df9..39e76500 100644 ---- a/tests/test_ssl.py -+++ b/tests/test_ssl.py -@@ -409,7 +409,7 @@ def test_set_cipher_list(self, context, cipher_string): - conn = Connection(context, None) - - assert "AES128-SHA" in conn.get_cipher_list() -- -+ - def test_set_cipher_list_imaginary(self, context): - # Doesn't raise an exception - context.set_cipher_list(b"gibberish") ++ _lib.SSL_CTX_set_cipher_list(self._context, cipher_list) + # In OpenSSL 1.1.1 setting the cipher list will always return TLS 1.3 + # ciphers even if you pass an invalid cipher. Applications (like + # Twisted) have tests that depend on an error being raised if an diff --git a/opensuse_ca.patch b/opensuse_ca.patch new file mode 100644 index 0000000..a6c2c34 --- /dev/null +++ b/opensuse_ca.patch @@ -0,0 +1,14 @@ +Index: pyOpenSSL-19.0.0/src/OpenSSL/SSL.py +=================================================================== +--- pyOpenSSL-19.0.0.orig/src/OpenSSL/SSL.py ++++ pyOpenSSL-19.0.0/src/OpenSSL/SSL.py +@@ -221,7 +221,8 @@ SSL_CB_HANDSHAKE_DONE = _lib.SSL_CB_HAND + _CERTIFICATE_FILE_LOCATIONS = [ + "/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Gentoo etc. + "/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL 6 +- "/etc/ssl/ca-bundle.pem", # OpenSUSE ++ "/var/lib/ca-certificates/ca-bundle.pem", #openSUSE real locaction ++ "/etc/ssl/ca-bundle.pem", # openSUSE + "/etc/pki/tls/cacert.pem", # OpenELEC + "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", # CentOS/RHEL 7 + ] diff --git a/pyOpenSSL-18.0.0.tar.gz b/pyOpenSSL-18.0.0.tar.gz deleted file mode 100644 index a59479b..0000000 
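Review bot: The rewritten inner hunk still replaces `_openssl_assert(_lib.SSL_CTX_set_cipher_list(self._context, cipher_list) == 1)` with a bare `_lib.SSL_CTX_set_cipher_list(self._context, cipher_list)` call, so a cipher string that OpenSSL rejects is silently ignored instead of raising, while the upstream comment kept as trailing context (`Applications (like Twisted) have tests that depend on an error being raised …`) shows that 19.0.0 deliberately wants that failure to surface; the patch now contradicts the code it sits on. The spec hunk in this same commit deletes the `Patch3: openssl-1.1.1.patch` line, so this file is rewritten but no longer applied by `%autopatch`, which makes the modified patch a dead file; either remove it the way openssl-1.1.0i.patch was removed, or keep the assert and re-add the Patch line. The same applies to the first hunk of this file (`@@ -7,162 +7,23 @@`), which keeps the inner removal of the `cipher_list,error` parametrize for `test_set_cipher_list_wrong_args`. The enclosing `set_cipher_list` method starts and ends outside the hunk.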
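Review bot: The comment on the added entry, `#openSUSE real locaction`, has a typo and lacks the space before `#` that the neighbouring entries use; write it as `"/var/lib/ca-certificates/ca-bundle.pem",  # openSUSE real location`. The new path is inserted ahead of the existing `/etc/ssl/ca-bundle.pem` entry, so the order of `_CERTIFICATE_FILE_LOCATIONS` changes which bundle is consulted first if the caller stops at the first existing file; on openSUSE the two paths are presumably the same bundle (one a symlink to the other), but that is not visible here and should be confirmed, since this list is the fallback trust store for certificate verification. A one-line comment above the entry saying why the `/var/lib` path is needed in addition to `/etc/ssl/ca-bundle.pem` (for example, that only the former is populated in the build/test environment) would save the next maintainer the question.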
--- a/pyOpenSSL-18.0.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6488f1423b00f73b7ad5167885312bb0ce410d3312eb212393795b53c8caa580 -size 167296 diff --git a/pyOpenSSL-19.0.0.tar.gz b/pyOpenSSL-19.0.0.tar.gz new file mode 100644 index 0000000..ab5b2dc --- /dev/null +++ b/pyOpenSSL-19.0.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:aeca66338f6de19d1aa46ed634c3b9ae519a64b458f8468aec688e7e3c20f200 +size 168551 diff --git a/python-pyOpenSSL.changes b/python-pyOpenSSL.changes index 98f1afb..ad0ceb2 100644 --- a/python-pyOpenSSL.changes +++ b/python-pyOpenSSL.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Sat Mar 2 16:29:39 UTC 2019 - Ondřej Súkup + +- update to 19.0 +- fixed build deps. +- drop patches: openssl-1.1.0i.patch + openssl-1.1.1.patch + opensuse_ca.patch + tls13-renegotiation.patch + * X509Store.add_cert no longer raises an error if you add a duplicate cert. + * pyOpenSSL now works with OpenSSL 1.1.1. + * pyOpenSSL now handles NUL bytes in X509Name.get_components() + ------------------------------------------------------------------- Fri Mar 1 18:06:10 UTC 2019 - Hans-Peter Jansen diff --git a/python-pyOpenSSL.spec b/python-pyOpenSSL.spec index 63feebd..bc2b78e 100644 --- a/python-pyOpenSSL.spec +++ b/python-pyOpenSSL.spec @@ -19,7 +19,7 @@ %{?!python_module:%define python_module() python-%{**} python3-%{**}} %define oldpython python Name: python-pyOpenSSL -Version: 18.0.0 +Version: 19.0.0 Release: 0 Summary: Python wrapper module around the OpenSSL library License: Apache-2.0 
@@ -27,16 +27,16 @@ Group: Development/Languages/Python URL: https://github.com/pyca/pyopenssl Source: https://files.pythonhosted.org/packages/source/p/pyOpenSSL/pyOpenSSL-%{version}.tar.gz Patch1: skip-networked-test.patch -Patch2: openssl-1.1.0i.patch -Patch3: openssl-1.1.1.patch -Patch4: tls13-renegotiation.patch BuildRequires: %{python_module cffi} BuildRequires: %{python_module cryptography >= 2.3.0} BuildRequires: %{python_module flaky} BuildRequires: %{python_module pretend} BuildRequires: %{python_module pytest >= 3.0.1} BuildRequires: %{python_module setuptools} +BuildRequires: %{python_module six} +BuildRequires: ca-certificates-mozilla BuildRequires: fdupes +BuildRequires: openssl BuildRequires: python-rpm-macros Requires: python-cffi Requires: python-cryptography >= 2.3.0 @@ -61,6 +61,7 @@ other things) a cffi-based interface to OpenSSL. %prep %setup -q -n pyOpenSSL-%{version} %autopatch -p1 +/usr/lib/ca-certificates/update.d/99certbundle.run %build %python_build diff --git a/tls13-renegotiation.patch b/tls13-renegotiation.patch index 8bb360c..7d1133e 100644 --- a/tls13-renegotiation.patch +++ b/tls13-renegotiation.patch @@ -1,7 +1,7 @@ -Index: pyOpenSSL-18.0.0/tests/test_ssl.py +Index: pyOpenSSL-19.0.0/tests/test_ssl.py =================================================================== ---- pyOpenSSL-18.0.0.orig/tests/test_ssl.py 2018-10-30 20:43:38.806954080 +0100 -+++ pyOpenSSL-18.0.0/tests/test_ssl.py 2018-10-30 20:58:46.133504622 +0100 +--- pyOpenSSL-19.0.0.orig/tests/test_ssl.py ++++ pyOpenSSL-19.0.0/tests/test_ssl.py @@ -3181,6 +3181,7 @@ class TestConnectionRenegotiate(object): """ Tests for SSL renegotiation APIs. 
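Review bot: `opensuse_ca.patch` is created in this commit, but the `@@ -27,16 +27,16 @@` hunk removes the `Patch2:`–`Patch4:` lines without adding one for it, so `%autopatch -p1` in `%prep` never applies it and the `_CERTIFICATE_FILE_LOCATIONS` change does not reach the built package; add `Patch2:         opensuse_ca.patch` after the `Patch1:` line (the changelog entry and the commit message also list it under "drop patches", which contradicts the new file). The `@@ -61,6 +61,7 @@` hunk runs `/usr/lib/ca-certificates/update.d/99certbundle.run` unconditionally in `%prep`; it is presumably there to generate the CA bundle that the test suite needs from the new `ca-certificates-mozilla` BuildRequires, and a comment above that line such as `# generate the system CA bundle for the test suite (needs ca-certificates-mozilla)` would make that dependency explicit for whoever next touches the BuildRequires.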
@@ -10,25 +10,7 @@ Index: pyOpenSSL-18.0.0/tests/test_ssl.py def test_total_renegotiations(self): """ `Connection.total_renegotiations` returns `0` before any renegotiations -@@ -3193,7 +3194,16 @@ class TestConnectionRenegotiate(object): - """ - Go through a complete renegotiation cycle. - """ -- server, client = loopback() -+ # renegotiation works with TLS version <= 1.2 -+ def makeServer12(socket): -+ ctx = Context(TLSv1_2_METHOD) -+ ctx.use_privatekey(load_privatekey(FILETYPE_PEM, server_key_pem)) -+ ctx.use_certificate(load_certificate(FILETYPE_PEM, server_cert_pem)) -+ server = Connection(ctx, socket) -+ server.set_accept_state() -+ return server -+ -+ server, client = loopback(server_factory=makeServer12) - - server.send(b"hello world") - -@@ -3216,6 +3226,25 @@ class TestConnectionRenegotiate(object): +@@ -3219,6 +3220,25 @@ class TestConnectionRenegotiate(object): while False is server.renegotiate_pending(): pass