commit: 79f541287308eb3fbe33c39fdea31d4d1c5b8205 Author: Michał Górny <mgorny <AT> gentoo <DOT> org> AuthorDate: Mon Apr 12 12:22:12 2021 +0000 Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> CommitDate: Mon Apr 12 12:46:47 2021 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79f54128
dev-python/m2crypto: Backport OpenSSL fixes Closes: https://bugs.gentoo.org/768495 Signed-off-by: Michał Górny <mgorny <AT> gentoo.org> .../files/m2crypto-0.37.1-openssl-fixes.patch | 76 ++++++++++++++++++++++ dev-python/m2crypto/m2crypto-0.37.1-r1.ebuild | 69 ++++++++++++++++++++ 2 files changed, 145 insertions(+) diff --git a/dev-python/m2crypto/files/m2crypto-0.37.1-openssl-fixes.patch b/dev-python/m2crypto/files/m2crypto-0.37.1-openssl-fixes.patch new file mode 100644 index 00000000000..c249f7adbb8 --- /dev/null +++ b/dev-python/m2crypto/files/m2crypto-0.37.1-openssl-fixes.patch @@ -0,0 +1,76 @@ +From 73fbd1e646f6bbf202d4418bae80eb9941fbf552 Mon Sep 17 00:00:00 2001 +From: Casey Deccio <ca...@deccio.net> +Date: Fri, 8 Jan 2021 12:43:09 -0700 +Subject: [PATCH] Allow verify_cb_* to be called with ok=True + +With https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58 +OpenSSL allowed verificaton to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE +--- + tests/test_ssl.py | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index 92b6942..7a3271a 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -59,8 +59,13 @@ def allocate_srv_port(): + + + def verify_cb_new_function(ok, store): +- assert not ok + err = store.get_error() ++ # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of ++ # aborting, this callback is called to retrieve additional error ++ # information. In this case, ok might not be False. ++ # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58 ++ if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: ++ assert not ok + assert err in [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, + m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, + m2.X509_V_ERR_CERT_UNTRUSTED, +@@ -618,7 +623,12 @@ class MiscSSLClientTestCase(BaseSSLClientTestCase): + + def verify_cb_old(self, ctx_ptr, x509_ptr, err, depth, ok): + try: +- self.assertFalse(ok) ++ # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of ++ # aborting, this callback is called to retrieve additional error ++ # information. In this case, ok might not be False. ++ # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58 ++ if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: ++ self.assertFalse(ok) + self.assertIn(err, + [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, + m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, +-- +2.31.1 + +From d06eaa88a5f491827733f32027c46de3557fbd05 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mat=C4=9Bj=20Cepl?= <mc...@cepl.eu> +Date: Fri, 19 Feb 2021 15:53:02 +0100 +Subject: [PATCH] Use of RSA_SSLV23_PADDING has been deprecated. + +Fixes #293. +--- + tests/test_rsa.py | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/tests/test_rsa.py b/tests/test_rsa.py +index 3de5016..7299785 100644 +--- a/tests/test_rsa.py ++++ b/tests/test_rsa.py +@@ -124,11 +124,6 @@ class RSATestCase(unittest.TestCase): + ptxt = priv.private_decrypt(ctxt, p) + self.assertEqual(ptxt, self.data) + +- # sslv23_padding +- ctxt = priv.public_encrypt(self.data, RSA.sslv23_padding) +- res = priv.private_decrypt(ctxt, RSA.sslv23_padding) +- self.assertEqual(res, self.data) +- + # no_padding + with six.assertRaisesRegex(self, RSA.RSAError, 'data too small'): + priv.public_encrypt(self.data, RSA.no_padding) +-- +2.31.1 + diff --git a/dev-python/m2crypto/m2crypto-0.37.1-r1.ebuild b/dev-python/m2crypto/m2crypto-0.37.1-r1.ebuild new file mode 100644 index 00000000000..c650101f6d3 --- /dev/null +++ b/dev-python/m2crypto/m2crypto-0.37.1-r1.ebuild @@ -0,0 +1,69 @@ +# Copyright 2018-2021 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +PYTHON_COMPAT=( python3_{7..9} ) +PYTHON_REQ_USE="threads(+)" + +inherit distutils-r1 toolchain-funcs + +MY_PN="M2Crypto" +DESCRIPTION="A Python crypto and SSL toolkit" +HOMEPAGE="https://gitlab.com/m2crypto/m2crypto https://pypi.org/project/M2Crypto/"; +SRC_URI="mirror://pypi/${MY_PN:0:1}/${MY_PN}/${MY_PN}-${PV}.tar.gz" +S="${WORKDIR}/${MY_PN}-${PV}" + +LICENSE="MIT" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x64-macos" +IUSE="libressl test" +RESTRICT="!test? ( test )" + +BDEPEND=" + >=dev-lang/swig-2.0.9 + test? ( dev-python/parameterized[${PYTHON_USEDEP}] ) +" +RDEPEND=" + !libressl? ( dev-libs/openssl:0= ) + libressl? ( dev-libs/libressl:0= ) +" +DEPEND="${RDEPEND}" + +PATCHES=( + "${FILESDIR}/${P}-openssl-fixes.patch" +) + +swig_define() { + local x + for x; do + if tc-cpp-is-true "defined(${x})"; then + SWIG_FEATURES+=" -D${x}" + fi + done +} + +src_prepare() { + # TODO + sed -e 's:test_server_simple_timeouts:_&:' \ + -i tests/test_ssl.py || die + distutils-r1_src_prepare +} + +python_compile() { + # setup.py looks at platform.machine() to determine swig options. + # For exotic ABIs, we need to give swig a hint. + local -x SWIG_FEATURES= + + # https://bugs.gentoo.org/617946 + swig_define __ILP32__ + + # https://bugs.gentoo.org/674112 + swig_define __ARM_PCS_VFP + + distutils-r1_python_compile --openssl="${ESYSROOT}"/usr +} + +python_test() { + esetup.py test +}
