
Bug#941451: marked as done (buster-pu: package python-cryptography/2.6.1-3+deb10u1)



Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id <83c9ffab6f08361485f70dda4733a7a24aeec09b.camel@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #941451,
regarding buster-pu: package python-cryptography/2.6.1-3+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
941451: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941451
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: buster
Severity: normal

The upload of OpenSSL 1.1.1d to unstable broke the testsuite of
python-cryptography in unstable. I picked two patches from upstream and
skipped one test (for which upstream has no solution yet) and uploaded to
unstable.
The same version of OpenSSL should pop up soon in Buster via security
and will break the testsuite since the same version is currently in
Buster. I propose the same change for Buster as I did for unstable.

Sebastian
diff -Nru python-cryptography-2.6.1/debian/changelog python-cryptography-2.6.1/debian/changelog
--- python-cryptography-2.6.1/debian/changelog	2019-03-09 12:25:47.000000000 +0100
+++ python-cryptography-2.6.1/debian/changelog	2019-09-30 20:55:00.000000000 +0200
@@ -1,3 +1,12 @@
+python-cryptography (2.6.1-3+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport two patches to fix the testsute with newer openssl.
+  * Ignore test_load_ecdsa_no_named_curve in the testsuite because it known to
+    break with newer openssl (Closes: #940547).
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Mon, 30 Sep 2019 20:55:00 +0200
+
 python-cryptography (2.6.1-3) unstable; urgency=medium
 
   * Fix autopkgtest dependencies.
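Review bot: The new changelog entry has two wording slips: "testsute" should be "testsuite", and "because it known to break" is missing "is". Naming the two backported patches (as listed in debian/patches/series) in the entry would also let a reader see what changed without opening the patch directory.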
diff -Nru python-cryptography-2.6.1/debian/patches/series python-cryptography-2.6.1/debian/patches/series
--- python-cryptography-2.6.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ python-cryptography-2.6.1/debian/patches/series	2019-09-24 20:38:45.000000000 +0200
@@ -0,0 +1,3 @@
+update-our-test-to-be-more-robust-wrt-some-changes-f.patch
+use-a-random-key-for-these-tests-4887.patch
+tests-Skip-test_load_ecdsa_no_named_curve.patch
diff -Nru python-cryptography-2.6.1/debian/patches/tests-Skip-test_load_ecdsa_no_named_curve.patch python-cryptography-2.6.1/debian/patches/tests-Skip-test_load_ecdsa_no_named_curve.patch
--- python-cryptography-2.6.1/debian/patches/tests-Skip-test_load_ecdsa_no_named_curve.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-cryptography-2.6.1/debian/patches/tests-Skip-test_load_ecdsa_no_named_curve.patch	2019-09-24 20:38:23.000000000 +0200
@@ -0,0 +1,31 @@
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Tue, 24 Sep 2019 11:18:27 +0200
+Subject: [PATCH] tests: Skip test_load_ecdsa_no_named_curve
+
+The test_load_ecdsa_no_named_curve breaks with OpenSSL 1.1.1d which is
+due to to commit 9a43a733801bd ("[ec] Match built-in curves on
+EC_GROUP_new_from_ecparameters").
+
+Upstream is aware of the issue and it is tracked at
+	https://github.com/pyca/cryptography/issues/4998
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ tests/x509/test_x509.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
+index 07a6019bd1394..c553636f27efe 100644
+--- a/tests/x509/test_x509.py
++++ b/tests/x509/test_x509.py
+@@ -4122,6 +4122,7 @@ ParsedCertificate = collections.namedtuple(
+             ec.ECDSA(cert.signature_hash_algorithm)
+         )
+ 
++    @pytest.mark.skip(reason="Breaks with openssl 1.1.1d, https://github.com/pyca/cryptography/issues/4998";)
+     def test_load_ecdsa_no_named_curve(self, backend):
+         _skip_curve_unsupported(backend, ec.SECP256R1())
+         cert = _load_cert(
+-- 
+2.23.0
+
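Review bot: The decorator added above test_load_ecdsa_no_named_curve skips the test unconditionally, so the check is also lost on OpenSSL builds older than 1.1.1d, where the commit message implies it still passes. A pytest.mark.skipif keyed on the linked OpenSSL version, or an xfail, would keep it running there and make it visible once pyca/cryptography issue 4998 is resolved. As displayed here the line also ends in `";)`; the semicolon after the closing quote is not valid Python, so confirm the patch file itself reads `")`.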
diff -Nru python-cryptography-2.6.1/debian/patches/update-our-test-to-be-more-robust-wrt-some-changes-f.patch python-cryptography-2.6.1/debian/patches/update-our-test-to-be-more-robust-wrt-some-changes-f.patch
--- python-cryptography-2.6.1/debian/patches/update-our-test-to-be-more-robust-wrt-some-changes-f.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-cryptography-2.6.1/debian/patches/update-our-test-to-be-more-robust-wrt-some-changes-f.patch	2019-09-24 08:34:23.000000000 +0200
@@ -0,0 +1,35 @@
+From e575e3d482f976c4a1f3203d63ea0f5007a49a2a Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Wed, 11 Sep 2019 12:12:30 +0800
+Subject: [PATCH] update our test to be more robust wrt some changes from
+ upstream (#4993)
+
+---
+ tests/hazmat/primitives/test_dh.py | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py
+index c667cd16e1a6b..43f2ce5c0318b 100644
+--- a/tests/hazmat/primitives/test_dh.py
++++ b/tests/hazmat/primitives/test_dh.py
+@@ -157,8 +157,15 @@ from ...utils import load_nist_vectors, load_vectors_from_file
+             dh.generate_parameters(7, 512, backend)
+ 
+     def test_dh_parameters_supported(self, backend):
+-        assert backend.dh_parameters_supported(23, 5)
+-        assert not backend.dh_parameters_supported(23, 18)
++        valid_p = int(
++            b"907c7211ae61aaaba1825ff53b6cb71ac6df9f1a424c033f4a0a41ac42fad3a9"
++            b"bcfc7f938a269710ed69e330523e4039029b7900977c740990d46efed79b9bbe"
++            b"73505ae878808944ce4d9c6c52daecc0a87dc889c53499be93db8551ee685f30"
++            b"349bf1b443d4ebaee0d5e8b441a40d4e8178f8f612f657a5eb91e0a8e"
++            b"107755f", 16
++        )
++        assert backend.dh_parameters_supported(valid_p, 5)
++        assert not backend.dh_parameters_supported(23, 22)
+ 
+     @pytest.mark.parametrize(
+         "vector",
+-- 
+2.23.0
+
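Review bot: In test_dh_parameters_supported the accepted case moves from p=23 to a 1024-bit modulus and the rejected generator changes from 18 to 22, but the commit message is a subject line only and the test carries no comment saying which upstream change made the old values unreliable. A short comment above valid_p explaining why a toy modulus such as 23 can no longer serve as the positive case, and why 22 was picked for the negative one, would stop a later cleanup from reverting it.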
diff -Nru python-cryptography-2.6.1/debian/patches/use-a-random-key-for-these-tests-4887.patch python-cryptography-2.6.1/debian/patches/use-a-random-key-for-these-tests-4887.patch
--- python-cryptography-2.6.1/debian/patches/use-a-random-key-for-these-tests-4887.patch	1970-01-01 01:00:00.000000000 +0100
+++ python-cryptography-2.6.1/debian/patches/use-a-random-key-for-these-tests-4887.patch	2019-09-24 08:34:30.000000000 +0200
@@ -0,0 +1,29 @@
+From 97af501780534065739a251dc6bafd74b6bf7f19 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Sat, 18 May 2019 09:04:37 -0400
+Subject: [PATCH] use a random key for these tests (#4887)
+
+Using an all 0 key causes failures in OpenSSL master (and Fedora has
+cherry-picked the commit that causes it). The change requires that the
+key/tweak for XTS mode not be the same value, so let's just use a random
+key.
+---
+ tests/hazmat/primitives/test_aes.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py
+index f083f31978ee7..565cc11dd4df5 100644
+--- a/tests/hazmat/primitives/test_aes.py
++++ b/tests/hazmat/primitives/test_aes.py
+@@ -490,7 +490,7 @@ from ...utils import load_nist_vectors
+ def test_buffer_protocol_alternate_modes(mode, backend):
+     data = bytearray(b"sixteen_byte_msg")
+     cipher = base.Cipher(
+-        algorithms.AES(bytearray(b"\x00" * 32)), mode, backend
++        algorithms.AES(bytearray(os.urandom(32))), mode, backend
+     )
+     enc = cipher.encryptor()
+     ct = enc.update(data) + enc.finalize()
+-- 
+2.23.0
+
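Review bot: The replacement line calls os.urandom(32), yet the diffstat shows 1 insertion and 1 deletion, so no import is added here; confirm tests/hazmat/primitives/test_aes.py already has import os, otherwise test_buffer_protocol_alternate_modes fails with a NameError. A random key also makes the test input non-reproducible. Since the stated requirement is only that the XTS key and tweak differ, a fixed 32-byte key whose two halves are distinct would satisfy it and keep any failure repeatable.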

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable
point release.

Regards,

Adam

--- End Message ---
