import python-cryptography-3.2.1-3.el8

2021-03-30 07:23:42 -04:00 · 2021-03-30 07:23:42 -04:00 · e20b062f65
commit e20b062f65
parent d4241a0190
9 changed files with 518 additions and 332 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/cryptography-2.3.tar.gz
+SOURCES/cryptography-3.2.1.tar.gz
--- a/.python-cryptography.metadata
+++ b/.python-cryptography.metadata
@ -1 +1 @@
-2bb0184cab9ac1f78e011d243fbcb039028e79e6 SOURCES/cryptography-2.3.tar.gz
+20708a4955dcf7e2bb53d05418273d2bc0f80ab4 SOURCES/cryptography-3.2.1.tar.gz
--- a/SOURCES/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
+++ b/SOURCES/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
@ -1,66 +0,0 @@
 From 2716cd2fa55cc867656a3e797797f5a1386afd69 Mon Sep 17 00:00:00 2001
 From: Alex Gaynor <alex.gaynor@gmail.com>
 Date: Sun, 12 Aug 2018 15:48:24 -0400
 Subject: [PATCH] Fixed #4380 -- do not assume TLSv1 is available in OpenSSL
 (#4389)
 * Fixed #4380 -- do not assume TLSv1 is available in OpenSSL
 Hallelujah! It's starting to become the case that some OpenSSLs are disabling it.
 * cover this file as well
 ---
 tests/hazmat/backends/test_openssl.py | 2 +-
 tests/hazmat/bindings/test_openssl.py | 9 ++++++---
 2 files changed, 7 insertions(+), 4 deletions(-)
 diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
 index 31b34cd0..e77f5dc3 100644
 --- a/tests/hazmat/backends/test_openssl.py
 +++ b/tests/hazmat/backends/test_openssl.py
@@ -115,7 +115,7 @@ class TestOpenSSL(object):
         assert len(errors) == 10
     def test_ssl_ciphers_registered(self):
 -        meth = backend._lib.TLSv1_method()
 +        meth = backend._lib.SSLv23_method()
         ctx = backend._lib.SSL_CTX_new(meth)
         assert ctx != backend._ffi.NULL
         backend._lib.SSL_CTX_free(ctx)
 diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
 index 488f64e1..f317f07f 100644
 --- a/tests/hazmat/bindings/test_openssl.py
 +++ b/tests/hazmat/bindings/test_openssl.py
@@ -37,7 +37,8 @@ class TestOpenSSL(object):
         # Test that we're properly handling 32-bit unsigned on all platforms.
         b = Binding()
         assert b.lib.SSL_OP_ALL > 0
 -        ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method())
 +        ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method())
 +        assert ctx != b.ffi.NULL
         ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free)
         current_options = b.lib.SSL_CTX_get_options(ctx)
         resp = b.lib.SSL_CTX_set_options(ctx, b.lib.SSL_OP_ALL)
@@ -49,7 +50,8 @@ class TestOpenSSL(object):
         # Test that we're properly handling 32-bit unsigned on all platforms.
         b = Binding()
         assert b.lib.SSL_OP_ALL > 0
 -        ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method())
 +        ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method())
 +        assert ctx != b.ffi.NULL
         ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free)
         ssl = b.lib.SSL_new(ctx)
         ssl = b.ffi.gc(ssl, b.lib.SSL_free)
@@ -63,7 +65,8 @@ class TestOpenSSL(object):
         # Test that we're properly handling 32-bit unsigned on all platforms.
         b = Binding()
         assert b.lib.SSL_OP_ALL > 0
 -        ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method())
 +        ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method())
 +        assert ctx != b.ffi.NULL
         ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free)
         ssl = b.lib.SSL_new(ctx)
         ssl = b.ffi.gc(ssl, b.lib.SSL_free)
 -- 
 2.17.1
--- a/SOURCES/0001-Re-add-deprecated-and-removed-features.patch
+++ b/SOURCES/0001-Re-add-deprecated-and-removed-features.patch
@ -0,0 +1,254 @@
 From e3e043ab363387033ddfdcaf3c15d8cf8dda17ed Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Tue, 27 Oct 2020 16:42:15 +0100
 Subject: [PATCH 1] Re-add deprecated and removed features
 * encode_rfc6979_signature()
 * decode_rfc6979_signature()
 * Certificate.serial property
 * MACContext
 * osrandom engine is disabled
 Signed-off-by: Christian Heimes <cheimes@redhat.com>
 ---
 .../hazmat/backends/openssl/cmac.py           |  3 +-
 .../hazmat/backends/openssl/hmac.py           |  3 +-
 .../hazmat/backends/openssl/x509.py           |  4 ++
 .../hazmat/primitives/asymmetric/utils.py     |  8 ++++
 src/cryptography/hazmat/primitives/cmac.py    |  3 +-
 src/cryptography/hazmat/primitives/hmac.py    |  3 +-
 src/cryptography/hazmat/primitives/mac.py     | 37 +++++++++++++++++++
 src/cryptography/x509/extensions.py           |  6 ++-
 tests/hazmat/backends/test_openssl.py         |  3 ++
 tests/hazmat/primitives/test_asym_utils.py    |  9 +++++
 tests/x509/test_x509.py                       |  1 +
 tests/x509/test_x509_ext.py                   |  5 +++
 12 files changed, 80 insertions(+), 5 deletions(-)
 create mode 100644 src/cryptography/hazmat/primitives/mac.py
 diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py
 index 195fc230f..5281f634d 100644
 --- a/src/cryptography/hazmat/backends/openssl/cmac.py
 +++ b/src/cryptography/hazmat/backends/openssl/cmac.py
@@ -11,10 +11,11 @@ from cryptography.exceptions import (
     UnsupportedAlgorithm,
     _Reasons,
 )
 -from cryptography.hazmat.primitives import constant_time
 +from cryptography.hazmat.primitives import constant_time, mac
 from cryptography.hazmat.primitives.ciphers.modes import CBC
 +@utils.register_interface(mac.MACContext)
 class _CMACContext(object):
     def __init__(self, backend, algorithm, ctx=None):
         if not backend.cmac_algorithm_supported(algorithm):
 diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
 index 5024223b2..11c850e10 100644
 --- a/src/cryptography/hazmat/backends/openssl/hmac.py
 +++ b/src/cryptography/hazmat/backends/openssl/hmac.py
@@ -11,9 +11,10 @@ from cryptography.exceptions import (
     UnsupportedAlgorithm,
     _Reasons,
 )
 -from cryptography.hazmat.primitives import constant_time, hashes
 +from cryptography.hazmat.primitives import constant_time, hashes, mac
 +@utils.register_interface(mac.MACContext)
 @utils.register_interface(hashes.HashContext)
 class _HMACContext(object):
     def __init__(self, backend, key, algorithm, ctx=None):
 diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
 index 4d0dac764..c9074f59e 100644
 --- a/src/cryptography/hazmat/backends/openssl/x509.py
 +++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -73,6 +73,10 @@ class _Certificate(object):
         self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
         return _asn1_integer_to_int(self._backend, asn1_int)
 +    @property
 +    def serial(self):
 +        return self.serial_number
 +
     def public_key(self):
         pkey = self._backend._lib.X509_get_pubkey(self._x509)
         if pkey == self._backend._ffi.NULL:
 diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
 index 5f9b67786..886d7565b 100644
 --- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
 +++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
@@ -39,3 +39,11 @@ class Prehashed(object):
         self._digest_size = algorithm.digest_size
     digest_size = utils.read_only_property("_digest_size")
 +
 +
 +def decode_rfc6979_signature(signature):
 +    return decode_dss_signature(signature)
 +
 +
 +def encode_rfc6979_signature(r, s):
 +    return encode_dss_signature(r, s)
 diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py
 index bf962c906..7f37f13cc 100644
 --- a/src/cryptography/hazmat/primitives/cmac.py
 +++ b/src/cryptography/hazmat/primitives/cmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
 )
 from cryptography.hazmat.backends import _get_backend
 from cryptography.hazmat.backends.interfaces import CMACBackend
 -from cryptography.hazmat.primitives import ciphers
 +from cryptography.hazmat.primitives import ciphers, mac
 +@utils.register_interface(mac.MACContext)
 class CMAC(object):
     def __init__(self, algorithm, backend=None, ctx=None):
         backend = _get_backend(backend)
 diff --git a/src/cryptography/hazmat/primitives/hmac.py b/src/cryptography/hazmat/primitives/hmac.py
 index 8c421dc68..6f03a1071 100644
 --- a/src/cryptography/hazmat/primitives/hmac.py
 +++ b/src/cryptography/hazmat/primitives/hmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
 )
 from cryptography.hazmat.backends import _get_backend
 from cryptography.hazmat.backends.interfaces import HMACBackend
 -from cryptography.hazmat.primitives import hashes
 +from cryptography.hazmat.primitives import hashes, mac
 +@utils.register_interface(mac.MACContext)
 @utils.register_interface(hashes.HashContext)
 class HMAC(object):
     def __init__(self, key, algorithm, backend=None, ctx=None):
 diff --git a/src/cryptography/hazmat/primitives/mac.py b/src/cryptography/hazmat/primitives/mac.py
 new file mode 100644
 index 000000000..4c95190ba
 --- /dev/null
 +++ b/src/cryptography/hazmat/primitives/mac.py
@@ -0,0 +1,37 @@
 +# This file is dual licensed under the terms of the Apache License, Version
 +# 2.0, and the BSD License. See the LICENSE file in the root of this repository
 +# for complete details.
 +
 +from __future__ import absolute_import, division, print_function
 +
 +import abc
 +
 +import six
 +
 +
 +@six.add_metaclass(abc.ABCMeta)
 +class MACContext(object):
 +    @abc.abstractmethod
 +    def update(self, data):
 +        """
 +        Processes the provided bytes.
 +        """
 +
 +    @abc.abstractmethod
 +    def finalize(self):
 +        """
 +        Returns the message authentication code as bytes.
 +        """
 +
 +    @abc.abstractmethod
 +    def copy(self):
 +        """
 +        Return a MACContext that is a copy of the current context.
 +        """
 +
 +    @abc.abstractmethod
 +    def verify(self, signature):
 +        """
 +        Checks if the generated message authentication code matches the
 +        signature.
 +        """
 diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
 index 130ba69b8..ddbccdf3b 100644
 --- a/src/cryptography/x509/extensions.py
 +++ b/src/cryptography/x509/extensions.py
@@ -218,8 +218,12 @@ class AuthorityKeyIdentifier(object):
     @classmethod
     def from_issuer_subject_key_identifier(cls, ski):
 +        if isinstance(ski, SubjectKeyIdentifier):
 +            digest = ski.digest
 +        else:
 +            digest = ski.value.digest
         return cls(
 -            key_identifier=ski.digest,
 +            key_identifier=digest,
             authority_cert_issuer=None,
             authority_cert_serial_number=None,
         )
 diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
 index 2f7e7bebf..73c17d84f 100644
 --- a/tests/hazmat/backends/test_openssl.py
 +++ b/tests/hazmat/backends/test_openssl.py
@@ -301,6 +301,9 @@ class TestOpenSSLRandomEngine(object):
         res = backend._lib.ENGINE_free(e)
         assert res == 1
 +    def test_rhel8_no_osrandom(self):
 +        pytest.fail("osrandom engine is not FIPS compliant, see RHBZ#1762667")
 +
 @pytest.mark.skipif(
     backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE,
 diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
 index 70bff012f..334b459b5 100644
 --- a/tests/hazmat/primitives/test_asym_utils.py
 +++ b/tests/hazmat/primitives/test_asym_utils.py
@@ -10,6 +10,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
     Prehashed,
     decode_dss_signature,
     encode_dss_signature,
 +    encode_rfc6979_signature,
 +    decode_rfc6979_signature
 )
@@ -75,3 +77,10 @@ def test_decode_dss_invalid_asn1():
 def test_pass_invalid_prehashed_arg():
     with pytest.raises(TypeError):
         Prehashed(object())
 +
 +
 +def test_deprecated_rfc6979_signature():
 +    sig = encode_rfc6979_signature(1, 1)
 +    assert sig == b"0\x06\x02\x01\x01\x02\x01\x01"
 +    decoded = decode_rfc6979_signature(sig)
 +    assert decoded == (1, 1)
 diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
 index 11c80816c..e5bdf17d4 100644
 --- a/tests/x509/test_x509.py
 +++ b/tests/x509/test_x509.py
@@ -685,6 +685,7 @@ class TestRSACertificate(object):
         )
         assert isinstance(cert, x509.Certificate)
         assert cert.serial_number == 11559813051657483483
 +        assert cert.serial == cert.serial_number
         fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
         assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
         assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
 diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
 index 2cd216fb6..ac2b2c03d 100644
 --- a/tests/x509/test_x509_ext.py
 +++ b/tests/x509/test_x509_ext.py
@@ -3442,6 +3442,11 @@ class TestAuthorityKeyIdentifierExtension(object):
         )
         assert ext.value == aki
 +        aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
 +            ski_ext
 +        )
 +        assert ext.value == aki
 +
 class TestNameConstraints(object):
     def test_ipaddress_wrong_type(self):
 -- 
 2.26.2
--- a/SOURCES/0002-FIPS-Dont-active-osrandom-engine.patch
+++ b/SOURCES/0002-FIPS-Dont-active-osrandom-engine.patch
@ -1,168 +0,0 @@
 From 95e7c4731b797e96c27c97420039f2979fa48041 Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Tue, 12 Nov 2019 10:56:08 +0100
 Subject: [PATCH] FIPS: Don't active osrandom engine
 Resolves: rhbz#1762667
 ---
 .../hazmat/backends/openssl/backend.py        | 12 +--
 tests/hazmat/backends/test_openssl.py         | 94 +------------------
 2 files changed, 6 insertions(+), 100 deletions(-)
 diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
 index af14bfaae..c0a02d10d 100644
 --- a/src/cryptography/hazmat/backends/openssl/backend.py
 +++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -96,7 +96,7 @@ class Backend(object):
         self._cipher_registry = {}
         self._register_default_ciphers()
 -        self.activate_osrandom_engine()
 +        # self.activate_osrandom_engine()
         self._dh_types = [self._lib.EVP_PKEY_DH]
         if self._lib.Cryptography_HAS_EVP_PKEY_DHX:
             self._dh_types.append(self._lib.EVP_PKEY_DHX)
@@ -136,14 +136,8 @@ class Backend(object):
             self.openssl_assert(res == 1)
     def activate_osrandom_engine(self):
 -        # Unregister and free the current engine.
 -        self.activate_builtin_random()
 -        with self._get_osurandom_engine() as e:
 -            # Set the engine as the default RAND provider.
 -            res = self._lib.ENGINE_set_default_RAND(e)
 -            self.openssl_assert(res == 1)
 -        # Reset the RNG to use the new engine.
 -        self._lib.RAND_cleanup()
 +        # osrandom engine is not enabled for FIPS compliance
 +        pass
     def osrandom_engine_implementation(self):
         buf = self._ffi.new("char[]", 64)
 diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
 index 31b34cd06..bcd26b615 100644
 --- a/tests/hazmat/backends/test_openssl.py
 +++ b/tests/hazmat/backends/test_openssl.py
@@ -171,63 +171,6 @@ class TestOpenSSL(object):
 class TestOpenSSLRandomEngine(object):
 -    def setup(self):
 -        # The default RAND engine is global and shared between
 -        # tests. We make sure that the default engine is osrandom
 -        # before we start each test and restore the global state to
 -        # that engine in teardown.
 -        current_default = backend._lib.ENGINE_get_default_RAND()
 -        name = backend._lib.ENGINE_get_name(current_default)
 -        assert name == backend._binding._osrandom_engine_name
 -
 -    def teardown(self):
 -        # we need to reset state to being default. backend is a shared global
 -        # for all these tests.
 -        backend.activate_osrandom_engine()
 -        current_default = backend._lib.ENGINE_get_default_RAND()
 -        name = backend._lib.ENGINE_get_name(current_default)
 -        assert name == backend._binding._osrandom_engine_name
 -
 -    @pytest.mark.skipif(sys.executable is None,
 -                        reason="No Python interpreter available.")
 -    def test_osrandom_engine_is_default(self, tmpdir):
 -        engine_printer = textwrap.dedent(
 -            """
 -            import sys
 -            from cryptography.hazmat.backends.openssl.backend import backend
 -
 -            e = backend._lib.ENGINE_get_default_RAND()
 -            name = backend._lib.ENGINE_get_name(e)
 -            sys.stdout.write(backend._ffi.string(name).decode('ascii'))
 -            res = backend._lib.ENGINE_free(e)
 -            assert res == 1
 -            """
 -        )
 -        engine_name = tmpdir.join('engine_name')
 -
 -        # If we're running tests via ``python setup.py test`` in a clean
 -        # environment then all of our dependencies are going to be installed
 -        # into either the current directory or the .eggs directory. However the
 -        # subprocess won't know to activate these dependencies, so we'll get it
 -        # to do so by passing our entire sys.path into the subprocess via the
 -        # PYTHONPATH environment variable.
 -        env = os.environ.copy()
 -        env["PYTHONPATH"] = os.pathsep.join(sys.path)
 -
 -        with engine_name.open('w') as out:
 -            subprocess.check_call(
 -                [sys.executable, "-c", engine_printer],
 -                env=env,
 -                stdout=out,
 -                stderr=subprocess.PIPE,
 -            )
 -
 -        osrandom_engine_name = backend._ffi.string(
 -            backend._binding._osrandom_engine_name
 -        )
 -
 -        assert engine_name.read().encode('ascii') == osrandom_engine_name
 -
     def test_osrandom_sanity_check(self):
         # This test serves as a check against catastrophic failure.
         buf = backend._ffi.new("unsigned char[]", 500)
@@ -235,32 +178,14 @@ class TestOpenSSLRandomEngine(object):
         assert res == 1
         assert backend._ffi.buffer(buf)[:] != "\x00" * 500
 -    def test_activate_osrandom_no_default(self):
 -        backend.activate_builtin_random()
 +    def test_osrandom_noop(self):
         e = backend._lib.ENGINE_get_default_RAND()
         assert e == backend._ffi.NULL
 +        # noop
         backend.activate_osrandom_engine()
         e = backend._lib.ENGINE_get_default_RAND()
 -        name = backend._lib.ENGINE_get_name(e)
 -        assert name == backend._binding._osrandom_engine_name
 -        res = backend._lib.ENGINE_free(e)
 -        assert res == 1
 -
 -    def test_activate_builtin_random(self):
 -        e = backend._lib.ENGINE_get_default_RAND()
 -        assert e != backend._ffi.NULL
 -        name = backend._lib.ENGINE_get_name(e)
 -        assert name == backend._binding._osrandom_engine_name
 -        res = backend._lib.ENGINE_free(e)
 -        assert res == 1
 -        backend.activate_builtin_random()
 -        e = backend._lib.ENGINE_get_default_RAND()
 -        assert e == backend._ffi.NULL
 -
 -    def test_activate_builtin_random_already_active(self):
 -        backend.activate_builtin_random()
 -        e = backend._lib.ENGINE_get_default_RAND()
         assert e == backend._ffi.NULL
 +        # noop
         backend.activate_builtin_random()
         e = backend._lib.ENGINE_get_default_RAND()
         assert e == backend._ffi.NULL
@@ -282,19 +207,6 @@ class TestOpenSSLRandomEngine(object):
         if sys.platform == 'win32':
             assert name == 'CryptGenRandom'
 -    def test_activate_osrandom_already_default(self):
 -        e = backend._lib.ENGINE_get_default_RAND()
 -        name = backend._lib.ENGINE_get_name(e)
 -        assert name == backend._binding._osrandom_engine_name
 -        res = backend._lib.ENGINE_free(e)
 -        assert res == 1
 -        backend.activate_osrandom_engine()
 -        e = backend._lib.ENGINE_get_default_RAND()
 -        name = backend._lib.ENGINE_get_name(e)
 -        assert name == backend._binding._osrandom_engine_name
 -        res = backend._lib.ENGINE_free(e)
 -        assert res == 1
 -
 class TestOpenSSLRSA(object):
     def test_generate_rsa_parameters_supported(self):
 -- 
 2.23.0
--- a/SOURCES/0002-Support-pytest-3.4.2.patch
+++ b/SOURCES/0002-Support-pytest-3.4.2.patch
@ -0,0 +1,86 @@
 From c1c1b14d359b1360e7d14a7c0687bef9ed6fc17c Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Wed, 28 Oct 2020 14:27:55 +0100
 Subject: [PATCH 2] Support pytest 3.4.2
 ---
 setup.py            | 3 ++-
 tests/conftest.py   | 4 ++--
 tests/test_utils.py | 4 ++--
 tests/utils.py      | 2 +-
 4 files changed, 7 insertions(+), 6 deletions(-)
 diff --git a/setup.py b/setup.py
 index 82800a96e..5678db004 100644
 --- a/setup.py
 +++ b/setup.py
@@ -93,7 +93,8 @@ setup(
     extras_require={
         ":python_version < '3'": ["enum34", "ipaddress"],
         "test": [
 -            "pytest>=3.6.0,!=3.9.0,!=3.9.1,!=3.9.2",
 +            "pytest>=3.4.2,<3.6",
 +            "attrs>=17.4.0,<18.0",
             "pretend",
             "iso8601",
             "pytz",
 diff --git a/tests/conftest.py b/tests/conftest.py
 index 4e3124fa7..53c194830 100644
 --- a/tests/conftest.py
 +++ b/tests/conftest.py
@@ -42,7 +42,7 @@ def pytest_generate_tests(metafunc):
 def pytest_runtest_setup(item):
     if openssl_backend._fips_enabled:
 -        for marker in item.iter_markers(name="skip_fips"):
 +        for marker in item.get_marker(name="skip_fips") or []:
             pytest.skip(marker.kwargs["reason"])
@@ -50,7 +50,7 @@ def pytest_runtest_setup(item):
 def backend(request):
     required_interfaces = [
         mark.kwargs["interface"]
 -        for mark in request.node.iter_markers("requires_backend_interface")
 +        for mark in request.node.get_marker("requires_backend_interface") or []
     ]
     if not all(
         isinstance(openssl_backend, iface) for iface in required_interfaces
 diff --git a/tests/test_utils.py b/tests/test_utils.py
 index d6afa3b34..e0a1be4f5 100644
 --- a/tests/test_utils.py
 +++ b/tests/test_utils.py
@@ -43,7 +43,7 @@ def test_check_backend_support_skip():
     supported = pretend.stub(
         kwargs={"only_if": lambda backend: False, "skip_message": "Nope"}
     )
 -    node = pretend.stub(iter_markers=lambda x: [supported])
 +    node = pretend.stub(get_marker=lambda x: [supported])
     item = pretend.stub(node=node)
     with pytest.raises(pytest.skip.Exception) as exc_info:
         check_backend_support(True, item)
@@ -54,7 +54,7 @@ def test_check_backend_support_no_skip():
     supported = pretend.stub(
         kwargs={"only_if": lambda backend: True, "skip_message": "Nope"}
     )
 -    node = pretend.stub(iter_markers=lambda x: [supported])
 +    node = pretend.stub(get_marker=lambda x: [supported])
     item = pretend.stub(node=node)
     assert check_backend_support(None, item) is None
 diff --git a/tests/utils.py b/tests/utils.py
 index 5d98af00e..a08f79c34 100644
 --- a/tests/utils.py
 +++ b/tests/utils.py
@@ -27,7 +27,7 @@ KeyedHashVector = collections.namedtuple(
 def check_backend_support(backend, item):
 -    for mark in item.node.iter_markers("supported"):
 +    for mark in item.node.get_marker("supported") or []:
         if not mark.kwargs["only_if"](backend):
             pytest.skip("{} ({})".format(mark.kwargs["skip_message"], backend))
 -- 
 2.26.2
--- a/SOURCES/0003-Skip-iso8601-test-cases.patch
+++ b/SOURCES/0003-Skip-iso8601-test-cases.patch
@ -0,0 +1,73 @@
 From bea141d25bd2bc4eea7527e2d6ec1d85b2b3806d Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Thu, 29 Oct 2020 09:21:06 +0100
 Subject: [PATCH 3] Skip iso8601 test cases
 ---
 tests/test_fernet.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
 diff --git a/tests/test_fernet.py b/tests/test_fernet.py
 index 38409b03e..343f3e4ec 100644
 --- a/tests/test_fernet.py
 +++ b/tests/test_fernet.py
@@ -10,7 +10,10 @@ import json
 import os
 import time
 -import iso8601
 +try:
 +    import iso8601
 +except ImportError:
 +    iso8601 = None
 import pytest
@@ -24,6 +27,12 @@ from cryptography.hazmat.primitives.ciphers import algorithms, modes
 import cryptography_vectors
 +skip_iso8601 = pytest.mark.skipif(
 +    iso8601 is None,
 +    reason="is8601 is not available"
 +)
 +
 +
 def json_parametrize(keys, filename):
     vector_file = cryptography_vectors.open_vector_file(
         os.path.join("fernet", filename), "r"
@@ -49,6 +58,7 @@ def test_default_backend():
     skip_message="Does not support AES CBC",
 )
 class TestFernet(object):
 +    @skip_iso8601
     @json_parametrize(
         ("secret", "now", "iv", "src", "token"),
         "generate.json",
@@ -62,6 +72,7 @@ class TestFernet(object):
         )
         assert actual_token == token.encode("ascii")
 +    @skip_iso8601
     @json_parametrize(
         ("secret", "now", "src", "ttl_sec", "token"),
         "verify.json",
@@ -81,6 +92,7 @@ class TestFernet(object):
         payload = f.decrypt(token.encode("ascii"), ttl=ttl_sec)
         assert payload == src.encode("ascii")
 +    @skip_iso8601
     @json_parametrize(("secret", "token", "now", "ttl_sec"), "invalid.json")
     def test_invalid(self, secret, token, now, ttl_sec, backend, monkeypatch):
         f = Fernet(secret.encode("ascii"), backend=backend)
@@ -117,6 +129,7 @@ class TestFernet(object):
         with pytest.raises(TypeError):
             f.decrypt(u"")
 +    @skip_iso8601
     def test_timestamp_ignored_no_ttl(self, monkeypatch, backend):
         f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
         pt = b"encrypt me"
 -- 
 2.26.2
--- a/SOURCES/0004-Revert-remove-NPN-bindings.patch
+++ b/SOURCES/0004-Revert-remove-NPN-bindings.patch
@ -0,0 +1,75 @@
 From e8ed37e0d24a1cc7482ab816ed5f25243395b2ef Mon Sep 17 00:00:00 2001
 From: Christian Heimes <cheimes@redhat.com>
 Date: Mon, 14 Dec 2020 14:13:53 +0100
 Subject: [PATCH] Revert "remove NPN bindings -- you should be using ALPN!
 (#4765)"
 This reverts commit 99bf4e4605cbe54bad597da1ebe4cc323909083c.
 ---
 src/_cffi_src/openssl/ssl.py          | 20 +++++++++++++++++++-
 tests/hazmat/bindings/test_openssl.py |  4 ++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
 index c38e309a1..fa854f5dd 100644
 --- a/src/_cffi_src/openssl/ssl.py
 +++ b/src/_cffi_src/openssl/ssl.py
@@ -138,6 +138,8 @@ static const long SSL3_RANDOM_SIZE;
 static const long TLS_ST_BEFORE;
 static const long TLS_ST_OK;
 +static const long OPENSSL_NPN_NEGOTIATED;
 +
 typedef ... SSL_METHOD;
 typedef ... SSL_CTX;
@@ -401,9 +403,25 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *);
 long SSL_session_reused(SSL *);
 +void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *,
 +                                           int (*)(SSL *,
 +                                                   const unsigned char **,
 +                                                   unsigned int *,
 +                                                   void *),
 +                                           void *);
 +void SSL_CTX_set_next_proto_select_cb(SSL_CTX *,
 +                                      int (*)(SSL *,
 +                                              unsigned char **,
 +                                              unsigned char *,
 +                                              const unsigned char *,
 +                                              unsigned int,
 +                                              void *),
 +                                      void *);
 int SSL_select_next_proto(unsigned char **, unsigned char *,
                           const unsigned char *, unsigned int,
                           const unsigned char *, unsigned int);
 +void SSL_get0_next_proto_negotiated(const SSL *,
 +                                    const unsigned char **, unsigned *);
 int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
 const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
@@ -601,7 +619,7 @@ static const long Cryptography_HAS_TLSv1_2 = 1;
 static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
 static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
 static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
 -static const long Cryptography_HAS_NEXTPROTONEG = 0;
 +static const long Cryptography_HAS_NEXTPROTONEG = 1;
 static const long Cryptography_HAS_ALPN = 1;
 #if CRYPTOGRAPHY_IS_LIBRESSL
 diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
 index ecee34091..aeb12a0dc 100644
 --- a/tests/hazmat/bindings/test_openssl.py
 +++ b/tests/hazmat/bindings/test_openssl.py
@@ -137,3 +137,7 @@ class TestOpenSSL(object):
         )
         with pytest.raises(RuntimeError):
             _verify_openssl_version(lib)
 +
 +    def test_npn_binding(self):
 +        b = Binding()
 +        assert b.lib.Cryptography_HAS_NEXTPROTONEG
 -- 
 2.29.2
--- a/SPECS/python-cryptography.spec
+++ b/SPECS/python-cryptography.spec
@ -1,23 +1,9 @@
 %if 0%{?fedora} || 0%{?rhel} > 7
 # Enable python3 build by default
 %bcond_without python3
 %else
 %bcond_with python3
 %endif
 %if 0%{?rhel} > 7
 # Disable python2 build by default
 %bcond_with python2
 %else
 %bcond_without python2
 %endif
 %{!?python3_pkgversion:%global python3_pkgversion 3}
 %global srcname cryptography
 Name:           python-%{srcname}
-Version:        2.3
+Version:        3.2.1
 Release:        3%{?dist}
 Summary:        PyCA's cryptography library
@ -26,142 +12,88 @@ License:        ASL 2.0 or BSD
 URL:            https://cryptography.io/en/latest/
 Source0:        https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz
-Patch0001:      0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
+Patch0001:      0001-Re-add-deprecated-and-removed-features.patch
-Patch0002:      0002-FIPS-Dont-active-osrandom-engine.patch
+Patch0002:      0002-Support-pytest-3.4.2.patch
 Patch0003:	0003-Skip-iso8601-test-cases.patch
 Patch0004:	0004-Revert-remove-NPN-bindings.patch
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
 %if 0%{?with_python2}
 BuildRequires:  python2-devel
 BuildRequires:  python2-pytest >= 3.2.1
 BuildRequires:  python2-setuptools
 BuildRequires:  python2-pretend
 BuildRequires:  python2-iso8601
 BuildRequires:  python2-cryptography-vectors = %{version}
 BuildRequires:  python2-asn1crypto >= 0.21
 BuildRequires:  python2-hypothesis >= 1.11.4
 BuildRequires:  python2-pytz
 BuildRequires:  python2-idna >= 2.1
 BuildRequires:  python2-six >= 1.4.1
 BuildRequires:  python2-cffi >= 1.7
 BuildRequires:  python2-enum34
 BuildRequires:  python2-ipaddress
 %endif
 %if 0%{?with_python3}
 BuildRequires:  python%{python3_pkgversion}-devel
-BuildRequires:  python%{python3_pkgversion}-pytest >= 3.2.1
+BuildRequires:  python%{python3_pkgversion}-pytest >= 3.4.2
 BuildRequires:  python%{python3_pkgversion}-setuptools
 BuildRequires:  python%{python3_pkgversion}-pretend
-BuildRequires:  python%{python3_pkgversion}-iso8601
+# BuildRequires:  python{python3_pkgversion}-iso8601
 BuildRequires:  python%{python3_pkgversion}-cryptography-vectors = %{version}
 BuildRequires:  python%{python3_pkgversion}-asn1crypto >= 0.21
 BuildRequires:  python%{python3_pkgversion}-hypothesis >= 1.11.4
 BuildRequires:  python%{python3_pkgversion}-pytz
 BuildRequires:  python%{python3_pkgversion}-idna >= 2.1
 BuildRequires:  python%{python3_pkgversion}-six >= 1.4.1
 BuildRequires:  python%{python3_pkgversion}-cffi >= 1.7
 %endif
 %description
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 %if 0%{?with_python2}
 %package -n  python2-%{srcname}
 Group:          Development/Libraries
 Summary:        PyCA's cryptography library
 %if 0%{?with_python3}
 %{?python_provide:%python_provide python2-%{srcname}}
 %else
 Provides:       python-%{srcname}
 %endif
 Requires:       openssl-libs
 Requires:       python2-idna >= 2.1
 Requires:       python2-asn1crypto >= 0.21
 Requires:       python2-six >= 1.4.1
 Requires:       python2-cffi >= 1.7
 Requires:       python2-enum34
 Requires:       python2-ipaddress
 %description -n python2-%{srcname}
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 %endif
 %if 0%{?with_python3}
 %package -n  python%{python3_pkgversion}-%{srcname}
 Group:          Development/Libraries
 Summary:        PyCA's cryptography library
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
 Requires:       openssl-libs
 Requires:       python%{python3_pkgversion}-idna >= 2.1
 Requires:       python%{python3_pkgversion}-asn1crypto >= 0.21
 Requires:       python%{python3_pkgversion}-six >= 1.4.1
 Requires:       python%{python3_pkgversion}-cffi >= 1.7
 Conflicts:      python%{python3_pkgversion}-cryptography-vectors < %{version}
 Conflicts:      python%{python3_pkgversion}-cryptography-vectors > %{version}
 %description -n python%{python3_pkgversion}-%{srcname}
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
-%endif
+
 %prep
 %autosetup -p1 -n %{srcname}-%{version}
 %build
 %if 0%{?with_python2}
 %py2_build
 %endif
 %if 0%{?with_python3}
 %py3_build
-%endif
+
 %install
 # Actually other *.c and *.h are appropriate
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
 %if 0%{?with_python2}
 %py2_install
 %endif
 %if 0%{?with_python3}
 %py3_install
 %endif
 %check
 # workaround for pytest 3.2.0 bug https://github.com/pytest-dev/pytest/issues/2644
 rm -f tests/hazmat/primitives/test_padding.py
-%if 0%{?with_python2}
+# don't run hypothesis tests
-%{__python2} setup.py test
+rm -rf tests/hypothesis
-%endif
+PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest
 %if 0%{?with_python3}
 %{__python3} setup.py test
 %endif
 %if 0%{?with_python2}
 %files -n python2-%{srcname}
 %doc LICENSE LICENSE.APACHE LICENSE.BSD README.rst docs
 %{python2_sitearch}/%{srcname}
 %{python2_sitearch}/%{srcname}-%{version}-py*.egg-info
 %endif
 %if 0%{?with_python3}
 %files -n python%{python3_pkgversion}-%{srcname}
 %doc README.rst docs
 %license LICENSE LICENSE.APACHE LICENSE.BSD
 %{python3_sitearch}/%{srcname}
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 %endif
 %changelog
 * Mon Dec 14 17:24:01 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-3
 - Conflict with non-matching vector package
 * Mon Dec 14 14:19:42 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-2
 - Re-add remove NPN bindings, required for pyOpenSSL
 - Resolves: rhbz#1907429
 * Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
 - Rebase to upstream release 3.2.1
 - Resolves: rhbz#1873581
 - Resolves: rhbz#1778939
 - Removed dependencies on python-asn1crypto, python-idna
 * Tue Nov 12 2019 Christian Heimes <cheimes@redhat.com> - 2.3-3
 - Don't activate custom osrandom engine for FIPS compliance
 - Resolves: rhbz#1762667
`@ -1 +1 @@`
	`SOURCES/cryptography-2.3.tar.gz`	`SOURCES/cryptography-3.2.1.tar.gz`
`@ -1 +1 @@`
	`2bb0184cab9ac1f78e011d243fbcb039028e79e6 SOURCES/cryptography-2.3.tar.gz`	`20708a4955dcf7e2bb53d05418273d2bc0f80ab4 SOURCES/cryptography-3.2.1.tar.gz`