-rw-r--r-- | gnu/local.mk | 3 | ||||
-rw-r--r-- | gnu/packages/patches/mercurial-openssl-compat.patch | 89 | ||||
-rw-r--r-- | gnu/packages/version-control.scm | 34 |
3 files changed, 115 insertions, 11 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index b67dfac4e7..4e872e7cb0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1510,7 +1510,8 @@ dist_patch_DATA = \
 %D%/packages/patches/libmemcached-build-with-gcc7.patch \
 %D%/packages/patches/libmhash-hmac-fix-uaf.patch \
 %D%/packages/patches/libsigrokdecode-python3.9-fix.patch \
- %D%/packages/patches/mercurial-hg-extension-path.patch \
+ %D%/packages/patches/mercurial-hg-extension-path.patch \
+ %D%/packages/patches/mercurial-openssl-compat.patch \
 %D%/packages/patches/mesa-opencl-all-targets.patch \
 %D%/packages/patches/mesa-skip-tests.patch \
 %D%/packages/patches/meson-allow-dirs-outside-of-prefix.patch \
diff --git a/gnu/packages/patches/mercurial-openssl-compat.patch b/gnu/packages/patches/mercurial-openssl-compat.patch
new file mode 100644
index 0000000000..139356f285
--- /dev/null
+++ b/gnu/packages/patches/mercurial-openssl-compat.patch
@@ -0,0 +1,89 @@ +Tweak cipher selection to make TLS < 1.2 work with OpenSSL 3. + +Taken from Debian: + + https://salsa.debian.org/python-team/packages/mercurial/-/blob/debian/master/debian/patches/openssl_3_cipher_tlsv1.patch + +--- a/mercurial/sslutil.py ++++ b/mercurial/sslutil.py +@@ -117,17 +117,17 @@ def _hostsettings(ui, hostname): + ciphers = ui.config(b'hostsecurity', b'%s:ciphers' % bhostname, ciphers) + + # If --insecure is used, we allow the use of TLS 1.0 despite config options. + # We always print a "connection security to %s is disabled..." message when + # --insecure is used. So no need to print anything more here. + if ui.insecureconnections: + minimumprotocol = b'tls1.0' + if not ciphers: +- ciphers = b'DEFAULT' ++ ciphers = b'DEFAULT:@SECLEVEL=0' + + s[b'minimumprotocol'] = minimumprotocol + s[b'ciphers'] = ciphers + + # Look for fingerprints in [hostsecurity] section. Value is a list + # of <alg>:<fingerprint> strings. + fingerprints = ui.configlist( + b'hostsecurity', b'%s:fingerprints' % bhostname +@@ -621,17 +621,17 @@ def wrapserversocket( + + # Improve forward secrecy. + sslcontext.options |= getattr(ssl, 'OP_SINGLE_DH_USE', 0) + sslcontext.options |= getattr(ssl, 'OP_SINGLE_ECDH_USE', 0) + + # In tests, allow insecure ciphers + # Otherwise, use the list of more secure ciphers if found in the ssl module. 
+ if exactprotocol: +- sslcontext.set_ciphers('DEFAULT') ++ sslcontext.set_ciphers('DEFAULT:@SECLEVEL=0') + elif util.safehasattr(ssl, b'_RESTRICTED_SERVER_CIPHERS'): + sslcontext.options |= getattr(ssl, 'OP_CIPHER_SERVER_PREFERENCE', 0) + # pytype: disable=module-attr + sslcontext.set_ciphers(ssl._RESTRICTED_SERVER_CIPHERS) + # pytype: enable=module-attr + + if requireclientcert: + sslcontext.verify_mode = ssl.CERT_REQUIRED +--- a/tests/test-https.t ++++ b/tests/test-https.t +@@ -356,19 +356,19 @@ Start servers running supported TLS vers + $ cat ../hg1.pid >> $DAEMON_PIDS + $ hg serve -p $HGPORT2 -d --pid-file=../hg2.pid --certificate=$PRIV \ + > --config devel.serverexactprotocol=tls1.2 + $ cat ../hg2.pid >> $DAEMON_PIDS + $ cd .. + + Clients talking same TLS versions work + +- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT/ ++ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.0 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT/ + 5fed3813f7f5 +- $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT id https://localhost:$HGPORT1/ ++ $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.1 --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 id https://localhost:$HGPORT1/ + 5fed3813f7f5 + $ P="$CERTSDIR" hg --config hostsecurity.minimumprotocol=tls1.2 id https://localhost:$HGPORT2/ + 5fed3813f7f5 + + Clients requiring newer TLS version than what server supports fail + + $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ + (could not negotiate a common security protocol (tls1.1+) with localhost; the likely cause is Mercurial is configured to be more secure than the server can support) +@@ -400,17 +400,17 @@ Clients requiring newer TLS version than + + $ hg --config hostsecurity.minimumprotocol=tls1.2 id --insecure https://localhost:$HGPORT1/ + warning: connection security to localhost is 
disabled per current settings; communication is susceptible to eavesdropping and tampering + 5fed3813f7f5 + + The per-host config option overrides the default + + $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ +- > --config hostsecurity.ciphers=DEFAULT \ ++ > --config hostsecurity.ciphers=DEFAULT:@SECLEVEL=0 \ + > --config hostsecurity.minimumprotocol=tls1.2 \ + > --config hostsecurity.localhost:minimumprotocol=tls1.0 + 5fed3813f7f5 + + The per-host config option by itself works + + $ P="$CERTSDIR" hg id https://localhost:$HGPORT/ \ + > --config hostsecurity.localhost:minimumprotocol=tls1.2 diff --git a/gnu/packages/version-control.scm b/gnu/packages/version-control.scm index 277ea2835b..cd84dfd0cc 100644 --- a/gnu/packages/version-control.scm +++ b/gnu/packages/version-control.scm @@ -1735,15 +1735,16 @@ execution of any hook written in any language before every commit.") (define-public mercurial (package (name "mercurial") - (version "5.8.1") + (version "6.2.1") (source (origin (method url-fetch) (uri (string-append "https://www.mercurial-scm.org/" "release/mercurial-" version ".tar.gz")) - (patches (search-patches "mercurial-hg-extension-path.patch")) + (patches (search-patches "mercurial-hg-extension-path.patch" + "mercurial-openssl-compat.patch")) (sha256 (base32 - "16xi4bmjqzi7ig8sfa5mnypfpbbbiyafmmqrs4nxmgc743za7fl1")))) + "1nl2726szaxyrxlyssrsir5c6vb4ci0i6g969i6xaahw1nidgica")))) (build-system gnu-build-system) (arguments `(#:make-flags 
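Review bot: The header of the new patch file says only that it makes "TLS < 1.2 work with OpenSSL 3", but `@SECLEVEL=0` lifts OpenSSL's whole security-level floor (minimum key sizes, signature hashes, cipher strength), not just the protocol-version gate, and the header should say so together with the scope that makes this acceptable: the `_hostsettings` hunk applies it only under `ui.insecureconnections` and only when no `hostsecurity.ciphers` is configured, and the `wrapserversocket` hunk only when `exactprotocol` (the devel test option) is set. A header line such as `The SECLEVEL=0 string is used only on the --insecure client path and the devel.serverexactprotocol server path; default connections keep OpenSSL's policy.` would keep a future reader from treating this as a global downgrade. The "Taken from Debian" reference points at the moving `debian/master` branch; recording the commit the file was copied from would make the provenance of this vendored change verifiable. The test-https.t hunks pass `hostsecurity.ciphers=DEFAULT:@SECLEVEL=0` explicitly, which is consistent with that scoping.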
@@ -1753,13 +1754,11 @@ execution of any hook written in any language before every commit.") (delete 'configure) (add-after 'unpack 'patch-tests (lambda _ - (substitute* '("tests/test-extdiff.t" - "tests/test-logtoprocess.t" - "tests/test-patchbomb.t" - "tests/test-run-tests.t" - "tests/test-transplant.t") + (substitute* (find-files "tests" "\\.(t|py)$") (("/bin/sh") - (which "sh"))))) + (which "sh")) + (("/usr/bin/env") + (which "env"))))) (replace 'check (lambda* (#:key tests? #:allow-other-keys) (with-directory-excursion "tests" @@ -1770,6 +1769,12 @@ execution of any hook written in any language before every commit.") ;; PATH from before (that's why we are building it!)? "test-hghave.t" + ;; This test creates a shebang spanning multiple + ;; lines which is difficult to substitute. It + ;; only tests the test runner itself, which gets + ;; thoroughly tested during the check phase anyway. + "test-run-tests.t" + ;; These tests fail because the program is not ;; connected to a TTY in the build container. "test-nointerrupt.t" @@ -1778,6 +1783,15 @@ execution of any hook written in any language before every commit.") ;; FIXME: This gets killed but does not receive an interrupt. "test-commandserver.t" + ;; These tests get unexpected warnings about using + ;; deprecated functionality in Python, but otherwise + ;; succeed; try enabling for later Mercurial versions. + "test-demandimport.py" + "test-patchbomb-tls.t" + ;; Similarly, this gets a more informative error + ;; message from Python 3.10 than it expects. + "test-http-bad-server.t" + ;; Only works when run in a hg-repo, not in an ;; extracted tarball "test-doctest.py" @@ -1808,7 +1822,7 @@ execution of any hook written in any language before every commit.") ;; The following inputs are only needed to run the tests. python-nose unzip which)) (inputs - (list python)) + (list python-wrapper)) ;; Find third-party extensions. (native-search-paths (list (search-path-specification |
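Review bot: In the third hunk, `"test-patchbomb-tls.t"` is added to the skip list in the same commit that introduces the mercurial-openssl-compat.patch cipher-policy change, so the package loses its one SMTP-over-TLS regression test precisely when TLS behaviour is being altered; the comment says the failure is only an unexpected Python deprecation warning, so if that holds, filtering the warning in the check phase (which starts in the preceding hunk and continues outside this view) would keep the test running instead of dropping it. The "try enabling for later Mercurial versions" comment has no version attached; writing `;; Disabled at 6.2.1; re-check on the next upgrade.` gives the next maintainer a concrete trigger. Both points are inferred from the comments in the hunk rather than from a visible test log, so they may not apply if the failures turn out to be more than warnings.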