rpms/python-cryptography
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import python-cryptography-2.3-3.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-01-21 16:40:43 -05:00 committed by Andrew Lukoshko
commit 2a8996e42b
5 changed files with 558 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
SOURCES/cryptography-2.3.tar.gz

1
.python-cryptography.metadata Normal file
View File

@ -0,0 +1 @@
2bb0184cab9ac1f78e011d243fbcb039028e79e6 SOURCES/cryptography-2.3.tar.gz

66
SOURCES/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch Normal file
View File

@ -0,0 +1,66 @@
From 2716cd2fa55cc867656a3e797797f5a1386afd69 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Sun, 12 Aug 2018 15:48:24 -0400
Subject: [PATCH] Fixed #4380 -- do not assume TLSv1 is available in OpenSSL
(#4389)
* Fixed #4380 -- do not assume TLSv1 is available in OpenSSL
Hallelujah! It's starting to become the case that some OpenSSLs are disabling it.
* cover this file as well
---
tests/hazmat/backends/test_openssl.py | 2 +-
tests/hazmat/bindings/test_openssl.py | 9 ++++++---
2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 31b34cd0..e77f5dc3 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -115,7 +115,7 @@ class TestOpenSSL(object):
assert len(errors) == 10
def test_ssl_ciphers_registered(self):
- meth = backend._lib.TLSv1_method()
+ meth = backend._lib.SSLv23_method()
ctx = backend._lib.SSL_CTX_new(meth)
assert ctx != backend._ffi.NULL
backend._lib.SSL_CTX_free(ctx)
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 488f64e1..f317f07f 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -37,7 +37,8 @@ class TestOpenSSL(object):
# Test that we're properly handling 32-bit unsigned on all platforms.
b = Binding()
assert b.lib.SSL_OP_ALL > 0
- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method())
+ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method())
+ assert ctx != b.ffi.NULL
ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free)
current_options = b.lib.SSL_CTX_get_options(ctx)
resp = b.lib.SSL_CTX_set_options(ctx, b.lib.SSL_OP_ALL)
@@ -49,7 +50,8 @@ class TestOpenSSL(object):
# Test that we're properly handling 32-bit unsigned on all platforms.
b = Binding()
assert b.lib.SSL_OP_ALL > 0
- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method())
+ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method())
+ assert ctx != b.ffi.NULL
ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free)
ssl = b.lib.SSL_new(ctx)
ssl = b.ffi.gc(ssl, b.lib.SSL_free)
@@ -63,7 +65,8 @@ class TestOpenSSL(object):
# Test that we're properly handling 32-bit unsigned on all platforms.
b = Binding()
assert b.lib.SSL_OP_ALL > 0
- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method())
+ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method())
+ assert ctx != b.ffi.NULL
ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free)
ssl = b.lib.SSL_new(ctx)
ssl = b.ffi.gc(ssl, b.lib.SSL_free)
--
2.17.1

168
SOURCES/0002-FIPS-Dont-active-osrandom-engine.patch Normal file
View File

@ -0,0 +1,168 @@
From 95e7c4731b797e96c27c97420039f2979fa48041 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 12 Nov 2019 10:56:08 +0100
Subject: [PATCH] FIPS: Don't active osrandom engine
Resolves: rhbz#1762667
---
.../hazmat/backends/openssl/backend.py | 12 +--
tests/hazmat/backends/test_openssl.py | 94 +------------------
2 files changed, 6 insertions(+), 100 deletions(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index af14bfaae..c0a02d10d 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -96,7 +96,7 @@ class Backend(object):
self._cipher_registry = {}
self._register_default_ciphers()
- self.activate_osrandom_engine()
+ # self.activate_osrandom_engine()
self._dh_types = [self._lib.EVP_PKEY_DH]
if self._lib.Cryptography_HAS_EVP_PKEY_DHX:
self._dh_types.append(self._lib.EVP_PKEY_DHX)
@@ -136,14 +136,8 @@ class Backend(object):
self.openssl_assert(res == 1)
def activate_osrandom_engine(self):
- # Unregister and free the current engine.
- self.activate_builtin_random()
- with self._get_osurandom_engine() as e:
- # Set the engine as the default RAND provider.
- res = self._lib.ENGINE_set_default_RAND(e)
- self.openssl_assert(res == 1)
- # Reset the RNG to use the new engine.
- self._lib.RAND_cleanup()
+ # osrandom engine is not enabled for FIPS compliance
+ pass
def osrandom_engine_implementation(self):
buf = self._ffi.new("char[]", 64)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 31b34cd06..bcd26b615 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -171,63 +171,6 @@ class TestOpenSSL(object):
class TestOpenSSLRandomEngine(object):
- def setup(self):
- # The default RAND engine is global and shared between
- # tests. We make sure that the default engine is osrandom
- # before we start each test and restore the global state to
- # that engine in teardown.
- current_default = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(current_default)
- assert name == backend._binding._osrandom_engine_name
-
- def teardown(self):
- # we need to reset state to being default. backend is a shared global
- # for all these tests.
- backend.activate_osrandom_engine()
- current_default = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(current_default)
- assert name == backend._binding._osrandom_engine_name
-
- @pytest.mark.skipif(sys.executable is None,
- reason="No Python interpreter available.")
- def test_osrandom_engine_is_default(self, tmpdir):
- engine_printer = textwrap.dedent(
- """
- import sys
- from cryptography.hazmat.backends.openssl.backend import backend
-
- e = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(e)
- sys.stdout.write(backend._ffi.string(name).decode('ascii'))
- res = backend._lib.ENGINE_free(e)
- assert res == 1
- """
- )
- engine_name = tmpdir.join('engine_name')
-
- # If we're running tests via ``python setup.py test`` in a clean
- # environment then all of our dependencies are going to be installed
- # into either the current directory or the .eggs directory. However the
- # subprocess won't know to activate these dependencies, so we'll get it
- # to do so by passing our entire sys.path into the subprocess via the
- # PYTHONPATH environment variable.
- env = os.environ.copy()
- env["PYTHONPATH"] = os.pathsep.join(sys.path)
-
- with engine_name.open('w') as out:
- subprocess.check_call(
- [sys.executable, "-c", engine_printer],
- env=env,
- stdout=out,
- stderr=subprocess.PIPE,
- )
-
- osrandom_engine_name = backend._ffi.string(
- backend._binding._osrandom_engine_name
- )
-
- assert engine_name.read().encode('ascii') == osrandom_engine_name
-
def test_osrandom_sanity_check(self):
# This test serves as a check against catastrophic failure.
buf = backend._ffi.new("unsigned char[]", 500)
@@ -235,32 +178,14 @@ class TestOpenSSLRandomEngine(object):
assert res == 1
assert backend._ffi.buffer(buf)[:] != "\x00" * 500
- def test_activate_osrandom_no_default(self):
- backend.activate_builtin_random()
+ def test_osrandom_noop(self):
e = backend._lib.ENGINE_get_default_RAND()
assert e == backend._ffi.NULL
+ # noop
backend.activate_osrandom_engine()
e = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(e)
- assert name == backend._binding._osrandom_engine_name
- res = backend._lib.ENGINE_free(e)
- assert res == 1
-
- def test_activate_builtin_random(self):
- e = backend._lib.ENGINE_get_default_RAND()
- assert e != backend._ffi.NULL
- name = backend._lib.ENGINE_get_name(e)
- assert name == backend._binding._osrandom_engine_name
- res = backend._lib.ENGINE_free(e)
- assert res == 1
- backend.activate_builtin_random()
- e = backend._lib.ENGINE_get_default_RAND()
- assert e == backend._ffi.NULL
-
- def test_activate_builtin_random_already_active(self):
- backend.activate_builtin_random()
- e = backend._lib.ENGINE_get_default_RAND()
assert e == backend._ffi.NULL
+ # noop
backend.activate_builtin_random()
e = backend._lib.ENGINE_get_default_RAND()
assert e == backend._ffi.NULL
@@ -282,19 +207,6 @@ class TestOpenSSLRandomEngine(object):
if sys.platform == 'win32':
assert name == 'CryptGenRandom'
- def test_activate_osrandom_already_default(self):
- e = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(e)
- assert name == backend._binding._osrandom_engine_name
- res = backend._lib.ENGINE_free(e)
- assert res == 1
- backend.activate_osrandom_engine()
- e = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(e)
- assert name == backend._binding._osrandom_engine_name
- res = backend._lib.ENGINE_free(e)
- assert res == 1
-
class TestOpenSSLRSA(object):
def test_generate_rsa_parameters_supported(self):
--
2.23.0

322
SPECS/python-cryptography.spec Normal file
View File

@ -0,0 +1,322 @@
%if 0%{?fedora} || 0%{?rhel} > 7
# Enable python3 build by default
%bcond_without python3
%else
%bcond_with python3
%endif
%if 0%{?rhel} > 7
# Disable python2 build by default
%bcond_with python2
%else
%bcond_without python2
%endif
%{!?python3_pkgversion:%global python3_pkgversion 3}
%global srcname cryptography
Name: python-%{srcname}
Version: 2.3
Release: 3%{?dist}
Summary: PyCA's cryptography library
Group: Development/Libraries
License: ASL 2.0 or BSD
URL: https://cryptography.io/en/latest/
Source0: https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz
Patch0001: 0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
Patch0002: 0002-FIPS-Dont-active-osrandom-engine.patch
BuildRequires: openssl-devel
BuildRequires: gcc
%if 0%{?with_python2}
BuildRequires: python2-devel
BuildRequires: python2-pytest >= 3.2.1
BuildRequires: python2-setuptools
BuildRequires: python2-pretend
BuildRequires: python2-iso8601
BuildRequires: python2-cryptography-vectors = %{version}
BuildRequires: python2-asn1crypto >= 0.21
BuildRequires: python2-hypothesis >= 1.11.4
BuildRequires: python2-pytz
BuildRequires: python2-idna >= 2.1
BuildRequires: python2-six >= 1.4.1
BuildRequires: python2-cffi >= 1.7
BuildRequires: python2-enum34
BuildRequires: python2-ipaddress
%endif
%if 0%{?with_python3}
BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-pytest >= 3.2.1
BuildRequires: python%{python3_pkgversion}-setuptools
BuildRequires: python%{python3_pkgversion}-pretend
BuildRequires: python%{python3_pkgversion}-iso8601
BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version}
BuildRequires: python%{python3_pkgversion}-asn1crypto >= 0.21
BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4
BuildRequires: python%{python3_pkgversion}-pytz
BuildRequires: python%{python3_pkgversion}-idna >= 2.1
BuildRequires: python%{python3_pkgversion}-six >= 1.4.1
BuildRequires: python%{python3_pkgversion}-cffi >= 1.7
%endif
%description
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%if 0%{?with_python2}
%package -n python2-%{srcname}
Group: Development/Libraries
Summary: PyCA's cryptography library
%if 0%{?with_python3}
%{?python_provide:%python_provide python2-%{srcname}}
%else
Provides: python-%{srcname}
%endif
Requires: openssl-libs
Requires: python2-idna >= 2.1
Requires: python2-asn1crypto >= 0.21
Requires: python2-six >= 1.4.1
Requires: python2-cffi >= 1.7
Requires: python2-enum34
Requires: python2-ipaddress
%description -n python2-%{srcname}
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%endif
%if 0%{?with_python3}
%package -n python%{python3_pkgversion}-%{srcname}
Group: Development/Libraries
Summary: PyCA's cryptography library
%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
Requires: openssl-libs
Requires: python%{python3_pkgversion}-idna >= 2.1
Requires: python%{python3_pkgversion}-asn1crypto >= 0.21
Requires: python%{python3_pkgversion}-six >= 1.4.1
Requires: python%{python3_pkgversion}-cffi >= 1.7
%description -n python%{python3_pkgversion}-%{srcname}
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%endif
%prep
%autosetup -p1 -n %{srcname}-%{version}
%build
%if 0%{?with_python2}
%py2_build
%endif
%if 0%{?with_python3}
%py3_build
%endif
%install
# Actually other *.c and *.h are appropriate
# see https://github.com/pyca/cryptography/issues/1463
find . -name .keep -print -delete
%if 0%{?with_python2}
%py2_install
%endif
%if 0%{?with_python3}
%py3_install
%endif
%check
# workaround for pytest 3.2.0 bug https://github.com/pytest-dev/pytest/issues/2644
rm -f tests/hazmat/primitives/test_padding.py
%if 0%{?with_python2}
%{__python2} setup.py test
%endif
%if 0%{?with_python3}
%{__python3} setup.py test
%endif
%if 0%{?with_python2}
%files -n python2-%{srcname}
%doc LICENSE LICENSE.APACHE LICENSE.BSD README.rst docs
%{python2_sitearch}/%{srcname}
%{python2_sitearch}/%{srcname}-%{version}-py*.egg-info
%endif
%if 0%{?with_python3}
%files -n python%{python3_pkgversion}-%{srcname}
%doc README.rst docs
%license LICENSE LICENSE.APACHE LICENSE.BSD
%{python3_sitearch}/%{srcname}
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
%endif
%changelog
* Tue Nov 12 2019 Christian Heimes <cheimes@redhat.com> - 2.3-3
- Don't activate custom osrandom engine for FIPS compliance
- Resolves: rhbz#1762667
* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
- Use TLSv1.2 in test as workaround for RHBZ#1615099
- Resolves: RHBZ#1611738
* Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
- New upstream release 2.3
- Fix AEAD tag truncation bug, CVE-2018-10903, RHBZ#1602755, RHBZ#1602932
* Tue Jun 19 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-2
- Drop Python 2 subpackages from RHEL 8, fixes RHBZ#1589754
- Remove unnecessary copy and shebang mangling
* Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
- New upstream release 2.2.1
* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
- New upstream release 2.1.4
* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
- Build requires gcc
* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Nov 23 2017 Haïkel Guémar <hguemar@fedoraproject.org> - 2.1.3-1
- Upstream 2.1.3
* Tue Oct 24 2017 Christian Heimes <cheimes@redhat.com> - 2.1-2
- Change Requires to openssl-libs
* Thu Oct 12 2017 Christian Heimes <cheimes@redhat.com> - 2.1-1
- New upstream release 2.1
* Wed Sep 27 2017 Troy Dawson <tdawson@redhat.com> - 2.0.2-3
- Cleanup spec file conditionals
* Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-2
- Add workaround for pytest bug
* Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-1
- New upstream release 2.0.2
- Modernize spec
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Jun 27 2017 Christian Heimes <cheimes@redhat.com> - 1.9-1
- Upstream release 1.9
* Wed Feb 15 2017 Christian Heimes <cheimes@redhat.com> - 1.7.2-1
- Update to latest upstream
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Jan 05 2017 Matěj Cepl <mcepl@redhat.com> - 1.7.1-1
- Update to the latest upstream.
- Add a patch from https://github.com/pyca/cryptography/pull/3328
* Tue Dec 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-5
- Enable tests
* Mon Dec 12 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-4
- Rebuild for Python 3.6
- Disable python3 tests for now
* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-3
- Revert previous change
* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-2
- Disable tests on releases earlier than 24
* Mon Nov 07 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-1
- Update to v1.5.3
- Update source URL
- Add BR for pytz
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-4
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
* Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-3
- Remove versioned setuptools dependency
* Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-2
- Make it easier to build on EL7
* Tue May 03 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-1
- Update to v1.3.1
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Jan 11 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-2
- Move python-cryptograph => python2-cryptography
* Sat Jan 09 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-1
- Update to v1.2.1
* Wed Nov 11 2015 Robert Kuska <rkuska@redhat.com> - 1.1-1
- Update to v1.1
* Wed Nov 04 2015 Robert Kuska <rkuska@redhat.com> - 1.0.2-2
- Rebuilt for Python3.5 rebuild
* Wed Sep 30 2015 Matěj Cepl <mcepl@redhat.com> - 1.0.2-1
- New upstream release (fix #1267548)
* Wed Aug 12 2015 Nathaniel McCallum <npmccallum@redhat.com> - 1.0-1
- New upstream release
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Thu May 14 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.9-1
- New upstream release
- Run tests on RHEL
- New deps: python-idna, python-ipaddress
* Fri Apr 17 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8.2-1
- New upstream release
- Add python3-pyasn1 Requires (#1211073)
* Tue Apr 14 2015 Matej Cepl <mcepl@redhat.com> - 0.8-2
- Add python-pyasn1 Requires (#1211073)
* Fri Mar 13 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8-1
- New upstream release
- Remove upstreamed patch
* Wed Mar 04 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-2
- Add python3-cryptography-vectors build requires
- Add python-enum34 requires
* Tue Feb 03 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-1
- New upstream release. BSD is now an optional license.
- Fix test running on python3
- Add upstream patch to fix test paths
* Fri Nov 07 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-2
- Fix requires, for reasons why other development files were not
eliminated see https://github.com/pyca/cryptography/issues/1463.
* Wed Nov 05 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-1
- New upstream release.
* Sun Jun 29 2014 Terry Chia <terrycwk1994@gmail.com> 0.4-1
- initial version