gnu: certbot: Fix build with python-pyopenssl >= 17.3.0.

* gnu/packages/patches/python-acme-dont-use-openssl-rand.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/tls.scm (python-acme)[source]: Use it.
2017-09-17 17:39:30 +02:00 · 2017-09-17 17:39:30 +02:00 · 881006b65c
commit 881006b65c
parent 0c19c0f272
3 changed files with 33 additions and 3 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -550,6 +550,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/ceph-disable-unittest-throttle.patch	\
  %D%/packages/patches/ceph-skip-collect-sys-info-test.patch	\
  %D%/packages/patches/ceph-skip-unittest_blockdev.patch	\
+  %D%/packages/patches/python-acme-dont-use-openssl-rand.patch	\
  %D%/packages/patches/chicken-CVE-2017-6949.patch		\
  %D%/packages/patches/chicken-CVE-2017-11343.patch		\
  %D%/packages/patches/chmlib-inttypes.patch			\
--- a/gnu/packages/patches/python-acme-dont-use-openssl-rand.patch
+++ b/gnu/packages/patches/python-acme-dont-use-openssl-rand.patch
@ -0,0 +1,28 @@
+Fix build with PyOpenSSL > 17.2.0.
+
+See <https://github.com/certbot/certbot/issues/5111>.
+
+Patch copied from upstream source repository:
+https://github.com/certbot/certbot/commit/f6be07da74c664b57ac8c053585f919c79f9af44
+
+diff --git a/acme/crypto_util.py b/acme/crypto_util.py
+index de15284c03..b8fba03488 100644
+--- a/acme/crypto_util.py
+++ b/acme/crypto_util.py
+@@ -2,6 +2,7 @@
+ import binascii
+ import contextlib
+ import logging
+import os
+ import re
+ import socket
+ import sys
+@@ -243,7 +244,7 @@ def gen_ss_cert(key, domains, not_before=None,
+     """
+     assert domains, "Must provide one or more hostnames for the cert."
+     cert = OpenSSL.crypto.X509()
+-    cert.set_serial_number(int(binascii.hexlify(OpenSSL.rand.bytes(16)), 16))
+    cert.set_serial_number(int(binascii.hexlify(os.urandom(16)), 16))
+     cert.set_version(2)
+ 
+     extensions = [
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@ -490,9 +490,10 @@ (define-public python-acme
    (source (origin
              (method url-fetch)
              (uri (pypi-uri "acme" version))
-      (sha256
-       (base32
-        "0ry6vhfkhds28sg232hngwfnkqihsxv9r8w92c6nz45r7w56qk0y"))))
+              (patches (search-patches "python-acme-dont-use-openssl-rand.patch"))
+              (sha256
+               (base32
+                "0ry6vhfkhds28sg232hngwfnkqihsxv9r8w92c6nz45r7w56qk0y"))))
    (build-system python-build-system)
    (arguments
     `(#:phases