rpms/python-cryptography
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import python-cryptography-2.3-3.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-01-21 16:40:43 -05:00 committed by Stepan Oksanichenko
parent 9204867f90
commit d4241a0190
2 changed files with 174 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
SOURCES/0002-FIPS-Dont-active-osrandom-engine.patch Normal file
View File

@ -0,0 +1,168 @@
From 95e7c4731b797e96c27c97420039f2979fa48041 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 12 Nov 2019 10:56:08 +0100
Subject: [PATCH] FIPS: Don't active osrandom engine
Resolves: rhbz#1762667
---
.../hazmat/backends/openssl/backend.py | 12 +--
tests/hazmat/backends/test_openssl.py | 94 +------------------
2 files changed, 6 insertions(+), 100 deletions(-)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index af14bfaae..c0a02d10d 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -96,7 +96,7 @@ class Backend(object):
self._cipher_registry = {}
self._register_default_ciphers()
- self.activate_osrandom_engine()
+ # self.activate_osrandom_engine()
self._dh_types = [self._lib.EVP_PKEY_DH]
if self._lib.Cryptography_HAS_EVP_PKEY_DHX:
self._dh_types.append(self._lib.EVP_PKEY_DHX)
@@ -136,14 +136,8 @@ class Backend(object):
self.openssl_assert(res == 1)
def activate_osrandom_engine(self):
- # Unregister and free the current engine.
- self.activate_builtin_random()
- with self._get_osurandom_engine() as e:
- # Set the engine as the default RAND provider.
- res = self._lib.ENGINE_set_default_RAND(e)
- self.openssl_assert(res == 1)
- # Reset the RNG to use the new engine.
- self._lib.RAND_cleanup()
+ # osrandom engine is not enabled for FIPS compliance
+ pass
def osrandom_engine_implementation(self):
buf = self._ffi.new("char[]", 64)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 31b34cd06..bcd26b615 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -171,63 +171,6 @@ class TestOpenSSL(object):
class TestOpenSSLRandomEngine(object):
- def setup(self):
- # The default RAND engine is global and shared between
- # tests. We make sure that the default engine is osrandom
- # before we start each test and restore the global state to
- # that engine in teardown.
- current_default = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(current_default)
- assert name == backend._binding._osrandom_engine_name
-
- def teardown(self):
- # we need to reset state to being default. backend is a shared global
- # for all these tests.
- backend.activate_osrandom_engine()
- current_default = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(current_default)
- assert name == backend._binding._osrandom_engine_name
-
- @pytest.mark.skipif(sys.executable is None,
- reason="No Python interpreter available.")
- def test_osrandom_engine_is_default(self, tmpdir):
- engine_printer = textwrap.dedent(
- """
- import sys
- from cryptography.hazmat.backends.openssl.backend import backend
-
- e = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(e)
- sys.stdout.write(backend._ffi.string(name).decode('ascii'))
- res = backend._lib.ENGINE_free(e)
- assert res == 1
- """
- )
- engine_name = tmpdir.join('engine_name')
-
- # If we're running tests via ``python setup.py test`` in a clean
- # environment then all of our dependencies are going to be installed
- # into either the current directory or the .eggs directory. However the
- # subprocess won't know to activate these dependencies, so we'll get it
- # to do so by passing our entire sys.path into the subprocess via the
- # PYTHONPATH environment variable.
- env = os.environ.copy()
- env["PYTHONPATH"] = os.pathsep.join(sys.path)
-
- with engine_name.open('w') as out:
- subprocess.check_call(
- [sys.executable, "-c", engine_printer],
- env=env,
- stdout=out,
- stderr=subprocess.PIPE,
- )
-
- osrandom_engine_name = backend._ffi.string(
- backend._binding._osrandom_engine_name
- )
-
- assert engine_name.read().encode('ascii') == osrandom_engine_name
-
def test_osrandom_sanity_check(self):
# This test serves as a check against catastrophic failure.
buf = backend._ffi.new("unsigned char[]", 500)
@@ -235,32 +178,14 @@ class TestOpenSSLRandomEngine(object):
assert res == 1
assert backend._ffi.buffer(buf)[:] != "\x00" * 500
- def test_activate_osrandom_no_default(self):
- backend.activate_builtin_random()
+ def test_osrandom_noop(self):
e = backend._lib.ENGINE_get_default_RAND()
assert e == backend._ffi.NULL
+ # noop
backend.activate_osrandom_engine()
e = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(e)
- assert name == backend._binding._osrandom_engine_name
- res = backend._lib.ENGINE_free(e)
- assert res == 1
-
- def test_activate_builtin_random(self):
- e = backend._lib.ENGINE_get_default_RAND()
- assert e != backend._ffi.NULL
- name = backend._lib.ENGINE_get_name(e)
- assert name == backend._binding._osrandom_engine_name
- res = backend._lib.ENGINE_free(e)
- assert res == 1
- backend.activate_builtin_random()
- e = backend._lib.ENGINE_get_default_RAND()
- assert e == backend._ffi.NULL
-
- def test_activate_builtin_random_already_active(self):
- backend.activate_builtin_random()
- e = backend._lib.ENGINE_get_default_RAND()
assert e == backend._ffi.NULL
+ # noop
backend.activate_builtin_random()
e = backend._lib.ENGINE_get_default_RAND()
assert e == backend._ffi.NULL
@@ -282,19 +207,6 @@ class TestOpenSSLRandomEngine(object):
if sys.platform == 'win32':
assert name == 'CryptGenRandom'
- def test_activate_osrandom_already_default(self):
- e = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(e)
- assert name == backend._binding._osrandom_engine_name
- res = backend._lib.ENGINE_free(e)
- assert res == 1
- backend.activate_osrandom_engine()
- e = backend._lib.ENGINE_get_default_RAND()
- name = backend._lib.ENGINE_get_name(e)
- assert name == backend._binding._osrandom_engine_name
- res = backend._lib.ENGINE_free(e)
- assert res == 1
-
class TestOpenSSLRSA(object):
def test_generate_rsa_parameters_supported(self):
--
2.23.0

7
SPECS/python-cryptography.spec
View File

@ -18,7 +18,7 @@
Name: python-%{srcname}
Version: 2.3
Release: 2%{?dist}
Release: 3%{?dist}
Summary: PyCA's cryptography library
Group: Development/Libraries
@ -27,6 +27,7 @@ URL: https://cryptography.io/en/latest/
Source0: https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz
Patch0001: 0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
Patch0002: 0002-FIPS-Dont-active-osrandom-engine.patch
BuildRequires: openssl-devel
BuildRequires: gcc
@ -161,6 +162,10 @@ rm -f tests/hazmat/primitives/test_padding.py
%changelog
* Tue Nov 12 2019 Christian Heimes <cheimes@redhat.com> - 2.3-3
- Don't activate custom osrandom engine for FIPS compliance
- Resolves: rhbz#1762667
* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
- Use TLSv1.2 in test as workaround for RHBZ#1615099
- Resolves: RHBZ#1611738