Bug#940547: python-cryptography: diff for NMU version 2.6.1-3.1

Tue, 24 Sep 2019 12:36:26 -0700 

Control: tags 940547 + patch
Control: tags 940547 + pending

Dear maintainer,

I've prepared an NMU for python-cryptography (versioned as 2.6.1-3.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.
Sebastian

diff -Nru python-cryptography-2.6.1/debian/changelog python-cryptography-2.6.1/debian/changelog
--- python-cryptography-2.6.1/debian/changelog	2019-03-09 12:25:47.000000000 +0100
+++ python-cryptography-2.6.1/debian/changelog	2019-09-24 21:10:32.000000000 +0200
@@ -1,3 +1,12 @@
+python-cryptography (2.6.1-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport two patches to fix the testsute with newer openssl.
+  * Ignore test_load_ecdsa_no_named_curve in the testsuite because it known to
+    break with newer openssl (Closes: #940547).
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc>  Tue, 24 Sep 2019 21:10:32 +0200
+
 python-cryptography (2.6.1-3) unstable; urgency=medium
 
   * Fix autopkgtest dependencies.
diff -Nru python-cryptography-2.6.1/debian/patches/series python-cryptography-2.6.1/debian/patches/series
--- python-cryptography-2.6.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ python-cryptography-2.6.1/debian/patches/series	2019-09-24 20:38:45.000000000 +0200
@@ -0,0 +1,3 @@
+update-our-test-to-be-more-robust-wrt-some-changes-f.patch
+use-a-random-key-for-these-tests-4887.patch
+tests-Skip-test_load_ecdsa_no_named_curve.patch
diff -Nru python-cryptography-2.6.1/debian/patches/tests-Skip-test_load_ecdsa_no_named_curve.patch python-cryptography-2.6.1/debian/patches/tests-Skip-test_load_ecdsa_no_named_curve.patch
--- python-cryptography-2.6.1/debian/patches/tests-Skip-test_load_ecdsa_no_named_curve.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-cryptography-2.6.1/debian/patches/tests-Skip-test_load_ecdsa_no_named_curve.patch	2019-09-24 20:38:23.000000000 +0200
@@ -0,0 +1,31 @@
+From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
+Date: Tue, 24 Sep 2019 11:18:27 +0200
+Subject: [PATCH] tests: Skip test_load_ecdsa_no_named_curve
+
+The test_load_ecdsa_no_named_curve breaks with OpenSSL 1.1.1d which is
+due to to commit 9a43a733801bd ("[ec] Match built-in curves on
+EC_GROUP_new_from_ecparameters").
+
+Upstream is aware of the issue and it is tracked at
+	https://github.com/pyca/cryptography/issues/4998
+
+Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
+---
+ tests/x509/test_x509.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
+index 07a6019bd1394..c553636f27efe 100644
+--- a/tests/x509/test_x509.py
++++ b/tests/x509/test_x509.py
+@@ -4122,6 +4122,7 @@ ParsedCertificate = collections.namedtuple(
+             ec.ECDSA(cert.signature_hash_algorithm)
+         )
+ 
++    @pytest.mark.skip(reason="Breaks with openssl 1.1.1d, https://github.com/pyca/cryptography/issues/4998";)
+     def test_load_ecdsa_no_named_curve(self, backend):
+         _skip_curve_unsupported(backend, ec.SECP256R1())
+         cert = _load_cert(
+-- 
+2.23.0
+
diff -Nru python-cryptography-2.6.1/debian/patches/update-our-test-to-be-more-robust-wrt-some-changes-f.patch python-cryptography-2.6.1/debian/patches/update-our-test-to-be-more-robust-wrt-some-changes-f.patch
--- python-cryptography-2.6.1/debian/patches/update-our-test-to-be-more-robust-wrt-some-changes-f.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-cryptography-2.6.1/debian/patches/update-our-test-to-be-more-robust-wrt-some-changes-f.patch	2019-09-24 08:34:23.000000000 +0200
@@ -0,0 +1,35 @@
+From e575e3d482f976c4a1f3203d63ea0f5007a49a2a Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.keh...@gmail.com>
+Date: Wed, 11 Sep 2019 12:12:30 +0800
+Subject: [PATCH] update our test to be more robust wrt some changes from
+ upstream (#4993)
+
+---
+ tests/hazmat/primitives/test_dh.py | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py
+index c667cd16e1a6b..43f2ce5c0318b 100644
+--- a/tests/hazmat/primitives/test_dh.py
++++ b/tests/hazmat/primitives/test_dh.py
+@@ -157,8 +157,15 @@ from ...utils import load_nist_vectors, load_vectors_from_file
+             dh.generate_parameters(7, 512, backend)
+ 
+     def test_dh_parameters_supported(self, backend):
+-        assert backend.dh_parameters_supported(23, 5)
+-        assert not backend.dh_parameters_supported(23, 18)
++        valid_p = int(
++            b"907c7211ae61aaaba1825ff53b6cb71ac6df9f1a424c033f4a0a41ac42fad3a9"
++            b"bcfc7f938a269710ed69e330523e4039029b7900977c740990d46efed79b9bbe"
++            b"73505ae878808944ce4d9c6c52daecc0a87dc889c53499be93db8551ee685f30"
++            b"349bf1b443d4ebaee0d5e8b441a40d4e8178f8f612f657a5eb91e0a8e"
++            b"107755f", 16
++        )
++        assert backend.dh_parameters_supported(valid_p, 5)
++        assert not backend.dh_parameters_supported(23, 22)
+ 
+     @pytest.mark.parametrize(
+         "vector",
+-- 
+2.23.0
+
diff -Nru python-cryptography-2.6.1/debian/patches/use-a-random-key-for-these-tests-4887.patch python-cryptography-2.6.1/debian/patches/use-a-random-key-for-these-tests-4887.patch
--- python-cryptography-2.6.1/debian/patches/use-a-random-key-for-these-tests-4887.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-cryptography-2.6.1/debian/patches/use-a-random-key-for-these-tests-4887.patch	2019-09-24 08:34:30.000000000 +0200
@@ -0,0 +1,29 @@
+From 97af501780534065739a251dc6bafd74b6bf7f19 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.keh...@gmail.com>
+Date: Sat, 18 May 2019 09:04:37 -0400
+Subject: [PATCH] use a random key for these tests (#4887)
+
+Using an all 0 key causes failures in OpenSSL master (and Fedora has
+cherry-picked the commit that causes it). The change requires that the
+key/tweak for XTS mode not be the same value, so let's just use a random
+key.
+---
+ tests/hazmat/primitives/test_aes.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py
+index f083f31978ee7..565cc11dd4df5 100644
+--- a/tests/hazmat/primitives/test_aes.py
++++ b/tests/hazmat/primitives/test_aes.py
+@@ -490,7 +490,7 @@ from ...utils import load_nist_vectors
+ def test_buffer_protocol_alternate_modes(mode, backend):
+     data = bytearray(b"sixteen_byte_msg")
+     cipher = base.Cipher(
+-        algorithms.AES(bytearray(b"\x00" * 32)), mode, backend
++        algorithms.AES(bytearray(os.urandom(32))), mode, backend
+     )
+     enc = cipher.encryptor()
+     ct = enc.update(data) + enc.finalize()
+-- 
+2.23.0
+

Reply via email to