From 4debf536dcd1922a462f4fc540c99c1f4e4a4430 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Tempel?=
Date: Wed, 10 Jul 2024 03:32:09 +0200
Subject: [PATCH] community/py3-oscrypto: disable various broken tests
See:
* https://github.com/wbond/oscrypto/issues/82
* https://github.com/wbond/oscrypto/issues/80
---
 community/py3-oscrypto/APKBUILD | 4 +
 .../py3-oscrypto/disable-badtls-tests.patch | 121 ++++++++++++++++++
 .../test-failures-with-openssl-3.0.patch | 21 +++
 3 files changed, 146 insertions(+)
 create mode 100644 community/py3-oscrypto/disable-badtls-tests.patch
 create mode 100644 community/py3-oscrypto/test-failures-with-openssl-3.0.patch
diff --git a/community/py3-oscrypto/APKBUILD b/community/py3-oscrypto/APKBUILD
index 893158c5d982..eedf1c232aab 100644
--- a/community/py3-oscrypto/APKBUILD
+++ b/community/py3-oscrypto/APKBUILD
@@ -16,6 +16,8 @@ checkdepends="openssl-dev>3" # only for .so symlinks
 subpackages="$pkgname-doc $pkgname-pyc"
 source="$pkgname-$pkgver.tar.gz::https://github.com/wbond/oscrypto/archive/$pkgver.tar.gz
 use-importlib-instead-of-deprecated-imp-module-on-Py.patch
+ test-failures-with-openssl-3.0.patch
+ disable-badtls-tests.patch
 "
 builddir="$srcdir/$_pkgname-$pkgver"
@@ -39,4 +41,6 @@ package() {
 sha512sums="
 b5baf72e1a09615b267be4d1c4baf2375bb939b5bd3d717ca9ca70776541f590a8608bef95991967e23f3794e6220709ed2fe5acdedfe9bfce1921c879a74bec py3-oscrypto-1.3.0.tar.gz
 3947d3e975d0fe17b3b25524a0b77de9b41b8e537283422b4074a33645ce36688270d89bf9eb728e967f1a217629a78e362949428ab95d78267d39a3709264a8 use-importlib-instead-of-deprecated-imp-module-on-Py.patch
+8357502a71f2b0067d2e55e47fc2a87201132e7d79fdb8e405667e0583e2966d33278d20ed630850a8d5e4117cbfc31b5c755b487b5e5a289fe5db6a0dd035c0 test-failures-with-openssl-3.0.patch
+4b348178ce320a2087e91007b8048948eb5fe1a92d82ecf2dd21d7d8915255ddbccc75e45c86f11961f54681377537ae255602f079a4273dd5a636af5120d54c disable-badtls-tests.patch
 "
diff --git a/community/py3-oscrypto/disable-badtls-tests.patch b/community/py3-oscrypto/disable-badtls-tests.patch
new file mode 100644
index 000000000000..b40648ee02d0
--- /dev/null
+++ b/community/py3-oscrypto/disable-badtls-tests.patch
@@ -0,0 +1,121 @@
+See https://github.com/wbond/oscrypto/issues/82
+
+diff -upr oscrypto-1.3.0.orig/tests/test_tls.py oscrypto-1.3.0/tests/test_tls.py
+--- oscrypto-1.3.0.orig/tests/test_tls.py 2024-07-10 15:13:24.273901857 +0200
++++ oscrypto-1.3.0/tests/test_tls.py 2024-07-10 15:14:21.530695208 +0200
+@@ -90,7 +90,6 @@ class TLSTests(unittest.TestCase):
+ return (
+ ('google', 'www.google.com', 443),
+ ('package_control', 'packagecontrol.io', 443),
+- ('dh1024', 'dh1024.badtls.io', 10005),
+ )
+
+ @data('tls_hosts', True)
+@@ -142,35 +141,41 @@ class TLSTests(unittest.TestCase):
+ s.close()
+ socket.setdefaulttimeout(def_timeout)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_error_missing_issuer(self):
+ expected = 'certificate issuer not found in trusted root certificate store'
+ with assert_exception(self, errors.TLSVerificationError, expected):
+ tls.TLSSocket('domain-match.badtls.io', 10000)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_error_domain_mismatch(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
+ with assert_exception(self, errors.TLSVerificationError, 'does not match'):
+ tls.TLSSocket('domain-mismatch.badtls.io', 11002, session=session)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_error_san_mismatch(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
+ with assert_exception(self, errors.TLSVerificationError, 'does not match'):
+ tls.TLSSocket('san-mismatch.badtls.io', 11003, session=session)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_wildcard_success(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
+ tls.TLSSocket('wildcard-match.badtls.io', 10001, session=session)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_error_not_yet_valid(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
+ with assert_exception(self, errors.TLSVerificationError, 'not valid until'):
+ tls.TLSSocket('future.badtls.io', 11001, session=session)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_error_expired_2(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
+@@ -179,30 +184,35 @@ class TLSTests(unittest.TestCase):
+ with assert_exception(self, errors.TLSVerificationError, 'certificate expired|not valid until'):
+ tls.TLSSocket('expired-1963.badtls.io', 11000, session=session)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_error_client_cert_required(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
+ with assert_exception(self, errors.TLSError, 'client authentication'):
+ tls.TLSSocket('required-auth.badtls.io', 10003, session=session)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_error_handshake_error_3(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
+ with assert_exception(self, errors.TLSError, 'weak certificate signature algorithm'):
+ tls.TLSSocket('weak-sig.badtls.io', 11004, session=session)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_error_non_web(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
+ with assert_exception(self, errors.TLSVerificationError, 'verification failed'):
+ tls.TLSSocket('bad-key-usage.badtls.io', 11005, session=session)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_error_wildcard_mismatch(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
+ with assert_exception(self, errors.TLSVerificationError, 'does not match'):
+ tls.TLSSocket('wildcard.mismatch.badtls.io', 11007, session=session)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_error_expired(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
+@@ -225,18 +235,21 @@ class TLSTests(unittest.TestCase):
+ with assert_exception(self, errors.TLSError, regex):
+ tls.TLSSocket('dh512.badssl.com', 443)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_error_handshake_error(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
+ with assert_exception(self, errors.TLSError, 'TLS handshake failed'):
+ tls.TLSSocket('rc4-md5.badtls.io', 11009, session=session)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_error_handshake_error_2(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path])
+ with assert_exception(self, errors.TLSError, 'TLS handshake failed'):
+ tls.TLSSocket('rc4.badtls.io', 11008, session=session)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_extra_trust_roots_no_match(self):
+ expected = 'certificate issuer not found in trusted root certificate store'
+@@ -244,6 +257,7 @@ class TLSTests(unittest.TestCase):
+ session = tls.TLSSession(extra_trust_roots=[digicert_ca_path])
+ tls.TLSSocket('domain-match.badtls.io', 10000, session=session)
+
++ @unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')
+ @connection_timeout()
+ def test_tls_extra_trust_roots(self):
+ session = tls.TLSSession(extra_trust_roots=[badtls_ca_path, digicert_ca_path])
diff --git a/community/py3-oscrypto/test-failures-with-openssl-3.0.patch b/community/py3-oscrypto/test-failures-with-openssl-3.0.patch
new file mode 100644
index 000000000000..321f6b2b549e
--- /dev/null
+++ b/community/py3-oscrypto/test-failures-with-openssl-3.0.patch
@@ -0,0 +1,21 @@
+See https://github.com/wbond/oscrypto/issues/80
+
+diff -upr oscrypto-1.3.0.orig/tests/test_tls.py oscrypto-1.3.0/tests/test_tls.py
+--- oscrypto-1.3.0.orig/tests/test_tls.py 2024-07-10 15:15:55.074256024 +0200
++++ oscrypto-1.3.0/tests/test_tls.py 2024-07-10 15:19:13.478110756 +0200
+@@ -123,6 +123,7 @@ class TLSTests(unittest.TestCase):
+ return
+ tls.TLSSocket('global-root-ca-revoked.chain-demos.digicert.com', 443)
+
++ @unittest.skip('broken with OpenSSL 3.0, see https://github.com/wbond/oscrypto/issues/80')
+ @connection_timeout()
+ def test_tls_error_http(self):
+ with assert_exception(self, errors.TLSError, 'server responded using HTTP'):
+@@ -214,6 +215,7 @@ class TLSTests(unittest.TestCase):
+ with assert_exception(self, errors.TLSVerificationError, 'self-signed'):
+ tls.TLSSocket('self-signed.badssl.com', 443)
+
++ @unittest.skip('broken with OpenSSL 3.0, see https://github.com/wbond/oscrypto/issues/80')
+ @connection_timeout()
+ def test_tls_error_weak_dh_params(self):
+ # badssl.com uses SNI, which Windows XP does not support
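Review bot: The fifteen `@unittest.skip` decorators that disable-badtls-tests.patch adds to `tests/test_tls.py` switch off the tests asserting `TLSVerificationError` for hostname, SAN and wildcard mismatch and for expired and not-yet-valid certificates, along with the weak-signature and RC4 handshake rejections, and the patch header does not record that this coverage is gone. Judging from the visible context, only the badssl.com cases (`self-signed.badssl.com`, `dh512.badssl.com`) remain as negative tests, so the package's test run no longer shows that these rejection paths work against the packaged OpenSSL. The header should state this, for example `Disables all badtls.io tests; certificate-rejection paths (hostname/SAN mismatch, expiry, weak signature, RC4) stay untested until upstream replaces the host.` Defining the reason once as `skip_badtls = unittest.skip('badtls.io is defunct, see https://github.com/wbond/oscrypto/issues/82#issuecomment-2220451234')` and applying `@skip_badtls` would make the skips easy to find and revert together. Several of the decorated test bodies start or end outside the inner hunks.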
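Review bot: The skip reason on `test_tls_error_weak_dh_params` in test-failures-with-openssl-3.0.patch, 'broken with OpenSSL 3.0', does not say whether the weak-DH handshake is still refused with a different error text or is now accepted. Those two outcomes differ in security impact, and the same question applies to `test_tls_error_http` in the first inner hunk. The patch header should record the observed failure mode, for example `Both tests fail only on the expected error message; the connection is still rejected (TODO confirm against issue 80).` The body of `test_tls_error_weak_dh_params` continues outside the hunk, so the expected pattern it checks is not visible here.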