python-Twisted/python-38-hmac-digestmod.patch


- Update to 19.10.0: * twisted.trial.successResultOf, twisted.trial.failureResultOf, and twisted.trial.assertNoResult accept coroutines as well as Deferreds. (#9006) * Fixed circular import in twisted.trial.reporter, introduced in Twisted 16.0.0. (#8267) * The POP3 server implemented by twisted.mail.pop3 now accepts passwords that contain spaces. (#9100) * Incoming HTTP/2 connections will now not time out if they persist for longer than one minute. (#9653) * twisted.conch.ssh.keys now correctly writes the "iqmp" parameter in serialized RSA private keys as q^-1 mod p rather than p^-1 mod q. (#9681) * twisted.web.server.Request will now use twisted.web.server.Site.getContentFile, if it exists, to get a file into which to write request content. If getContentFile is not provided by the site, it will fall back to the previous behavior of using io.BytesIO for small requests and tempfile.TemporaryFile for large ones. (#9655) * twisted.web.client.FileBodyProducer will now stop producing when the Deferred returned by FileBodyProducer.startProducing is cancelled. (#9547) * The HTTP/2 server implementation now enforces TCP flow control on control frame messages and times out clients that send invalid data without reading responses. This closes CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), and CVE-2019-9515 (Settings Flood). Thanks to Jonathan Looney and Piotr Sikora. (#9694) - Add python-38-xml-namespace.patch to fix dictionary mutation under Python 3.8 - Add python-38-hmac-digestmod.patch to add digestmod parameter where required - Add python-38-no-cgi-parseqs.patch to no longer import parse_qs from cgi OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-Twisted?expand=0&rev=85
2019-12-04 05:06:51 +00:00
Index: Twisted-19.10.0/src/twisted/cred/credentials.py
===================================================================
--- Twisted-19.10.0.orig/src/twisted/cred/credentials.py
+++ Twisted-19.10.0/src/twisted/cred/credentials.py
@@ -439,7 +439,8 @@ class CramMD5Credentials(object):
def checkPassword(self, password):
- verify = hexlify(hmac.HMAC(password, self.challenge).digest())
+ verify = hexlify(
+ hmac.HMAC(password, self.challenge, digestmod=md5).digest())
return verify == self.response
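Review bot: `return verify == self.response`, the line right after the rewritten call in checkPassword, compares the expected CRAM-MD5 digest with the client-supplied response using ordinary equality, which is not constant-time. `return hmac.compare_digest(verify, self.response)` is the constant-time form, provided both operands are always bytes at this point (confirm that response cannot still be unset when this runs). The new call also names `md5`, yet this file section adds no import for it, unlike the two test files, so presumably credentials.py already imports it; worth confirming. A short comment such as `# CRAM-MD5 (RFC 2195) is HMAC-MD5 by definition; Python 3.8 no longer supplies a default digestmod` would explain why the digest is pinned. The enclosing class starts outside the hunk.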
Index: Twisted-19.10.0/src/twisted/cred/test/test_cramauth.py
===================================================================
--- Twisted-19.10.0.orig/src/twisted/cred/test/test_cramauth.py
+++ Twisted-19.10.0/src/twisted/cred/test/test_cramauth.py
@@ -7,6 +7,7 @@ Tests for L{twisted.cred}'s implementati
from __future__ import division, absolute_import
+from hashlib import md5
from hmac import HMAC
from binascii import hexlify
@@ -39,7 +40,7 @@ class CramMD5CredentialsTests(TestCase):
"""
c = CramMD5Credentials()
chal = c.getChallenge()
- c.response = hexlify(HMAC(b'secret', chal).digest())
+ c.response = hexlify(HMAC(b'secret', chal, digestmod=md5).digest())
self.assertTrue(c.checkPassword(b'secret'))
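Review bot: The expected response in this test is produced by the same `HMAC(..., digestmod=md5)` expression that checkPassword now uses, so the test confirms a round trip rather than the algorithm itself; the same holds for the hunks at -61 and -75. A known-answer case with a fixed challenge and the published CRAM-MD5 example from RFC 2195 would catch a wrong digestmod applied identically on both sides. The test methods start outside these hunks, so whether the challenge can be set directly on the credentials object is an assumption to check.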
@@ -61,7 +62,8 @@ class CramMD5CredentialsTests(TestCase):
"""
c = CramMD5Credentials()
chal = c.getChallenge()
- c.response = hexlify(HMAC(b'thewrongsecret', chal).digest())
+ c.response = hexlify(
+ HMAC(b'thewrongsecret', chal, digestmod=md5).digest())
self.assertFalse(c.checkPassword(b'secret'))
@@ -75,7 +77,7 @@ class CramMD5CredentialsTests(TestCase):
chal = c.getChallenge()
c.setResponse(b" ".join(
(b"squirrel",
- hexlify(HMAC(b'supersecret', chal).digest()))))
+ hexlify(HMAC(b'supersecret', chal, digestmod=md5).digest()))))
self.assertTrue(c.checkPassword(b'supersecret'))
self.assertEqual(c.username, b"squirrel")
Index: Twisted-19.10.0/src/twisted/mail/test/test_pop3.py
===================================================================
--- Twisted-19.10.0.orig/src/twisted/mail/test/test_pop3.py
+++ Twisted-19.10.0/src/twisted/mail/test/test_pop3.py
@@ -12,6 +12,7 @@ import base64
import itertools
from collections import OrderedDict
+from hashlib import md5
from io import BytesIO
from zope.interface import implementer
@@ -1097,7 +1098,8 @@ class SASLTests(unittest.TestCase):
p.lineReceived(b"AUTH CRAM-MD5")
chal = s.getvalue().splitlines()[-1][2:]
chal = base64.decodestring(chal)
- response = hmac.HMAC(b'testpassword', chal).hexdigest().encode("ascii")
+ response = hmac.HMAC(
+ b'testpassword', chal, digestmod=md5).hexdigest().encode("ascii")
p.lineReceived(
base64.encodestring(b'testuser ' + response).rstrip(b'\n'))
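Review bot: The context lines `chal = base64.decodestring(chal)` and `base64.encodestring(b'testuser ' + response).rstrip(b'\n')` still use the deprecated aliases, which were removed in Python 3.9, so a patch aimed at 3.8 compatibility leaves this test one release from breaking. `chal = base64.b64decode(chal)` and `base64.b64encode(b'testuser ' + response)` work on Python 2 and 3 alike, and the `rstrip` becomes unnecessary because b64encode adds no trailing newline. The test method starts outside the hunk.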