From a86aefab3a13687c34e2018e986e1d8982db868c9b46f5e1d960b0927671f193 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Wed, 17 Feb 2021 11:23:26 +0000 Subject: [PATCH 1/4] Accepting request 873095 from home:pmonrealgonzalez:branches:devel:languages:python - OpenSSL allows the verificaton to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE * This unifies the behaviour of a single certificate with an unknown CA certificate with a self-signed certificate. - Add python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch - Add source signature file OBS-URL: https://build.opensuse.org/request/show/873095 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-M2Crypto?expand=0&rev=96 --- M2Crypto-0.37.1.tar.gz.asc | 6 +++ ...w-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch | 47 +++++++++++++++++++ python-M2Crypto.changes | 14 ++++++ python-M2Crypto.spec | 5 +- 4 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 M2Crypto-0.37.1.tar.gz.asc create mode 100644 python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch diff --git a/M2Crypto-0.37.1.tar.gz.asc b/M2Crypto-0.37.1.tar.gz.asc new file mode 100644 index 0000000..c4ab463 --- /dev/null +++ b/M2Crypto-0.37.1.tar.gz.asc @@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iF0EABECAB0WIQSJ70vGKIq/QxurJcPgn+8l2WSErAUCX8/GrwAKCRDgn+8l2WSE +rAITAJ95Tn9v9Mr0kBf6bbbzEk6vYxV1hQCeLpgKge5XRjV3hse/9PBvzZRvZTo= +=6EAh +-----END PGP SIGNATURE----- diff --git a/python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch b/python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch new file mode 100644 index 0000000..cce3d08 --- /dev/null +++ b/python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch @@ -0,0 +1,47 @@ +From 73fbd1e646f6bbf202d4418bae80eb9941fbf552 Mon Sep 17 00:00:00 2001 +From: Casey Deccio +Date: Fri, 8 Jan 2021 12:43:09 -0700 +Subject: [PATCH] Allow verify_cb_* to be called with ok=True + +With https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58 +OpenSSL allowed verificaton to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE +--- + tests/test_ssl.py | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index 92b6942c..7a3271aa 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -59,8 +59,13 @@ def allocate_srv_port(): + + + def verify_cb_new_function(ok, store): +- assert not ok + err = store.get_error() ++ # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of ++ # aborting, this callback is called to retrieve additional error ++ # information. In this case, ok might not be False. ++ # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58 ++ if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: ++ assert not ok + assert err in [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, + m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, + m2.X509_V_ERR_CERT_UNTRUSTED, +@@ -618,7 +623,12 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): + + def verify_cb_old(self, ctx_ptr, x509_ptr, err, depth, ok): + try: +- self.assertFalse(ok) ++ # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of ++ # aborting, this callback is called to retrieve additional error ++ # information. In this case, ok might not be False. ++ # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58 ++ if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: ++ self.assertFalse(ok) + self.assertIn(err, + [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, + m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, +-- +GitLab + diff --git a/python-M2Crypto.changes b/python-M2Crypto.changes index 89abf6c..af47482 100644 --- a/python-M2Crypto.changes +++ b/python-M2Crypto.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Wed Feb 17 11:18:07 UTC 2021 - Pedro Monreal + +- OpenSSL allows the verificaton to continue on + UNABLE_TO_VERIFY_LEAF_SIGNATURE + * This unifies the behaviour of a single certificate with an + unknown CA certificate with a self-signed certificate. +- Add python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch + +------------------------------------------------------------------- +Wed Feb 17 10:57:56 UTC 2021 - Pedro Monreal + +- Add source signature file + ------------------------------------------------------------------- Wed Jan 13 08:16:04 UTC 2021 - Matej Cepl diff --git a/python-M2Crypto.spec b/python-M2Crypto.spec index 9857fa7..f33388a 100644 --- a/python-M2Crypto.spec +++ b/python-M2Crypto.spec @@ -25,7 +25,9 @@ Summary: Crypto and SSL toolkit for Python License: MIT Group: Development/Languages/Python URL: https://gitlab.com/m2crypto/m2crypto -Source: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz +Source0: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz +Source1: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz.asc +Patch0: python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch BuildRequires: %{python_module devel} BuildRequires: %{python_module parameterized} BuildRequires: %{python_module pytest} @@ -79,6 +81,7 @@ Documentation for the Crypto and SSL toolkit for Python %prep %setup -q -n M2Crypto-%{version} +%patch0 -p1 %build export CFLAGS="%{optflags}" From 16a454665422e495224318c604ea184dba787793bec3f3103396b9334d51fa21 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Wed, 17 Feb 2021 14:23:27 +0000 Subject: [PATCH 2/4] Fix metadata OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-M2Crypto?expand=0&rev=97 --- python-M2Crypto.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/python-M2Crypto.spec b/python-M2Crypto.spec index f33388a..78d44e0 100644 --- a/python-M2Crypto.spec +++ b/python-M2Crypto.spec @@ -27,6 +27,9 @@ Group: Development/Languages/Python URL: https://gitlab.com/m2crypto/m2crypto Source0: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz Source1: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Crypto-%{version}.tar.gz.asc +# PATCH-FIX-UPSTREAM python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch mcepl@suse.com +# https://salsa.debian.org/python-team/packages/m2crypto/-/commit/e0e9ad5cfff86383dabbb92540c0a4892cb4c456 +# Fixes incompatibility with the modern crypto policies Patch0: python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch BuildRequires: %{python_module devel} BuildRequires: %{python_module parameterized} @@ -80,8 +83,7 @@ messenger for Zope. Documentation for the Crypto and SSL toolkit for Python %prep -%setup -q -n M2Crypto-%{version} -%patch0 -p1 +%autosetup -p1 -n M2Crypto-%{version} %build export CFLAGS="%{optflags}" From 190a90181f601309ff858aabb46ed19bf398a217be7ca581757ea4769fa67894 Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Wed, 17 Feb 2021 14:24:50 +0000 Subject: [PATCH 3/4] Fix changes OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-M2Crypto?expand=0&rev=98 --- python-M2Crypto.changes | 2 ++ 1 file changed, 2 insertions(+) diff --git a/python-M2Crypto.changes b/python-M2Crypto.changes index af47482..d3d65e0 100644 --- a/python-M2Crypto.changes +++ b/python-M2Crypto.changes @@ -6,6 +6,8 @@ Wed Feb 17 11:18:07 UTC 2021 - Pedro Monreal * This unifies the behaviour of a single certificate with an unknown CA certificate with a self-signed certificate. - Add python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch + (Thanks for Debian, + https://salsa.debian.org/python-team/packages/m2crypto/-/commit/e0e9ad5cfff8) ------------------------------------------------------------------- Wed Feb 17 10:57:56 UTC 2021 - Pedro Monreal From 3e4e4591529ded67b777fa1673849df4d0f4b7d4e29f5f5134d03f9598cc127a Mon Sep 17 00:00:00 2001 From: Matej Cepl Date: Fri, 19 Feb 2021 14:31:51 +0000 Subject: [PATCH 4/4] - Add 293_sslv23_padding.patch to avoid using RSA_SSLV23_PADDING (gl#m2crypto/m2crypto#293, gh#openssl/openssl#14216). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-M2Crypto?expand=0&rev=99 --- 293_sslv23_padding.patch | 14 ++++++++++++++ python-M2Crypto.changes | 6 ++++++ python-M2Crypto.spec | 3 +++ 3 files changed, 23 insertions(+) create mode 100644 293_sslv23_padding.patch diff --git a/293_sslv23_padding.patch b/293_sslv23_padding.patch new file mode 100644 index 0000000..79d2084 --- /dev/null +++ b/293_sslv23_padding.patch @@ -0,0 +1,14 @@ +--- a/tests/test_rsa.py ++++ b/tests/test_rsa.py +@@ -124,11 +124,6 @@ class RSATestCase(unittest.TestCase): + ptxt = priv.private_decrypt(ctxt, p) + self.assertEqual(ptxt, self.data) + +- # sslv23_padding +- ctxt = priv.public_encrypt(self.data, RSA.sslv23_padding) +- res = priv.private_decrypt(ctxt, RSA.sslv23_padding) +- self.assertEqual(res, self.data) +- + # no_padding + with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): + priv.public_encrypt(self.data, RSA.no_padding) diff --git a/python-M2Crypto.changes b/python-M2Crypto.changes index d3d65e0..443b58c 100644 --- a/python-M2Crypto.changes +++ b/python-M2Crypto.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Feb 19 12:56:50 UTC 2021 - Matej Cepl + +- Add 293_sslv23_padding.patch to avoid using RSA_SSLV23_PADDING + (gl#m2crypto/m2crypto#293, gh#openssl/openssl#14216). + ------------------------------------------------------------------- Wed Feb 17 11:18:07 UTC 2021 - Pedro Monreal diff --git a/python-M2Crypto.spec b/python-M2Crypto.spec index 78d44e0..cfd7ab7 100644 --- a/python-M2Crypto.spec +++ b/python-M2Crypto.spec @@ -31,6 +31,9 @@ Source1: https://files.pythonhosted.org/packages/source/M/M2Crypto/M2Cryp # https://salsa.debian.org/python-team/packages/m2crypto/-/commit/e0e9ad5cfff86383dabbb92540c0a4892cb4c456 # Fixes incompatibility with the modern crypto policies Patch0: python-M2Crypto-Allow-on-UNABLE_TO_VERIFY_LEAF_SIGNATURE.patch +# PATCH-FIX-UPSTREAM 293_sslv23_padding.patch gl#m2crypto/m2crypto#293 mcepl@suse.com +# RSA_SSLV23_PADDING is evil and should be avoided. +Patch1: 293_sslv23_padding.patch BuildRequires: %{python_module devel} BuildRequires: %{python_module parameterized} BuildRequires: %{python_module pytest}