Package: release.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: buster Severity: normal
This is the proposed update for Buster to fix a build failure against openssl 1.1.1i which is proposed for Buster. The patch touches only the testsuite. The m2crypto issue is tracked upstream https://gitlab.com/m2crypto/m2crypto/-/issues/289 and I aligned the patch name and description (in debian/changelog) with what has been applied for unstable as 0.37.1-1. The package did not yet migrate to testing because it FTBFS on an IPv6 only buildd (unrelated issue, just built but has this RC bug). I verified that the proposed m2crypto package builds against the proposed openssl package. Sebastian
diff -Nru m2crypto-0.31.0/debian/changelog m2crypto-0.31.0/debian/changelog --- m2crypto-0.31.0/debian/changelog 2019-06-09 09:42:32.000000000 +0200 +++ m2crypto-0.31.0/debian/changelog 2021-01-24 12:01:15.000000000 +0100 @@ -1,3 +1,11 @@ +m2crypto (0.31.0-4+deb10u1) buster; urgency=medium + + * Non-maintainer upload. + * debian/patches/MR261.patch + - fix compatibility with openssl/1.1.1i+; Closes: #954402 + + -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Sun, 24 Jan 2021 12:01:15 +0100 + m2crypto (0.31.0-4) unstable; urgency=medium * Add a few patches from upstream to avoid a testsuite diff -Nru m2crypto-0.31.0/debian/patches/MR261.patch m2crypto-0.31.0/debian/patches/MR261.patch --- m2crypto-0.31.0/debian/patches/MR261.patch 1970-01-01 01:00:00.000000000 +0100 +++ m2crypto-0.31.0/debian/patches/MR261.patch 2021-01-24 11:55:01.000000000 +0100 @@ -0,0 +1,46 @@ +From: Casey Deccio <ca...@deccio.net> +Date: Fri, 8 Jan 2021 12:43:09 -0700 +Subject: [PATCH] Allow verify_cb_* to be called with ok=True + +With https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58 +OpenSSL allowed verificaton to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE +--- + tests/test_ssl.py | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/tests/test_ssl.py b/tests/test_ssl.py +index 92b6942c729a3..7a3271aa3dbc2 100644 +--- a/tests/test_ssl.py ++++ b/tests/test_ssl.py +@@ -59,8 +59,13 @@ srv_host = 'localhost' + + + def verify_cb_new_function(ok, store): +- assert not ok + err = store.get_error() ++ # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of ++ # aborting, this callback is called to retrieve additional error ++ # information. In this case, ok might not be False. ++ # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58 ++ if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: ++ assert not ok + assert err in [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, + m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, + m2.X509_V_ERR_CERT_UNTRUSTED, +@@ -618,7 +623,12 @@ sleepTime = float(os.getenv('M2CRYPTO_TEST_SSL_SLEEP', '1.5')) + + def verify_cb_old(self, ctx_ptr, x509_ptr, err, depth, ok): + try: +- self.assertFalse(ok) ++ # If err is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, then instead of ++ # aborting, this callback is called to retrieve additional error ++ # information. In this case, ok might not be False. ++ # See https://github.com/openssl/openssl/commit/2e06150e3928daa06d5ff70c32bffad8088ebe58 ++ if err != m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: ++ self.assertFalse(ok) + self.assertIn(err, + [m2.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, + m2.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, +-- +2.30.0 + diff -Nru m2crypto-0.31.0/debian/patches/series m2crypto-0.31.0/debian/patches/series --- m2crypto-0.31.0/debian/patches/series 2019-06-09 09:42:08.000000000 +0200 +++ m2crypto-0.31.0/debian/patches/series 2021-01-24 12:00:36.000000000 +0100 @@ -4,3 +4,4 @@ 0004-Limit-tests.test_rsa.RSATestCase.test_public_encrypt.patch 0005-tests.test_rsa-Fix-typo-to-match-for-proper-exceptio.patch 0006-Be-resilient-against-the-situation-when-no-erorr-hap.patch +MR261.patch