Compare commits

..

No commits in common. "c10s" and "c8" have entirely different histories.
c10s ... c8

19 changed files with 827 additions and 791 deletions

66
.gitignore vendored
View File

@ -1,65 +1 @@
/results_python-cryptography SOURCES/cryptography-3.2.1.tar.gz
/*.src.rpm
/cryptography-1.3.1.tar.gz
/cryptography-1.5.3.tar.gz
/cryptography-1.7.1.tar.gz
/cryptography-1.7.2.tar.gz
/cryptography-1.9.tar.gz
/cryptography-2.0.2.tar.gz
/cryptography-2.1.tar.gz
/cryptography-2.1.3.tar.gz
/cryptography-2.1.4.tar.gz
/cryptography-2.2.1.tar.gz
/cryptography-2.3.tar.gz
/cryptography-2.5.tar.gz
/cryptography-2.6.1.tar.gz
/cryptography-2.7.tar.gz
/cryptography-2.8.tar.gz
/cryptography-2.9.tar.gz
/cryptography-2.9.tar.gz.asc
/cryptography-3.0.tar.gz
/cryptography-3.0.tar.gz.asc
/cryptography-3.1.tar.gz
/cryptography-3.1.tar.gz.asc
/cryptography-3.2.tar.gz
/cryptography-3.2.tar.gz.asc
/cryptography-3.2.1.tar.gz
/cryptography-3.2.1.tar.gz.asc
/cryptography-3.3.1.tar.gz
/cryptography-3.3.1.tar.gz.asc
/cryptography-3.4.tar.gz
/cryptography-3.4.tar.gz.asc
/cryptography-3.4.1.tar.gz
/cryptography-3.4.1.tar.gz.asc
/cryptography-3.4.2.tar.gz
/cryptography-3.4.2.tar.gz.asc
/cryptography-3.4.4.tar.gz
/cryptography-3.4.4.tar.gz.asc
/cryptography-3.4.5.tar.gz
/cryptography-3.4.5.tar.gz.asc
/cryptography-3.4.6.tar.gz
/cryptography-3.4.6.tar.gz.asc
/cryptography-3.4.7.tar.gz
/cryptography-3.4.7-vendor.tar.bz2
/cryptography-35.0.0.tar.gz
/cryptography-35.0.0-vendor.tar.bz2
/cryptography-36.0.0.tar.gz
/cryptography-36.0.0-vendor.tar.bz2
/cryptography-37.0.2.tar.gz
/cryptography-37.0.2-vendor.tar.bz2
/cryptography-39.0.2.tar.gz
/cryptography-39.0.2-vendor.tar.bz2
/cryptography-40.0.0.tar.gz
/cryptography-40.0.0-vendor.tar.bz2
/cryptography-40.0.1.tar.gz
/cryptography-40.0.1-vendor.tar.bz2
/cryptography-40.0.2.tar.gz
/cryptography-40.0.2-vendor.tar.bz2
/cryptography-41.0.3.tar.gz
/cryptography-41.0.3-vendor.tar.bz2
/cryptography-41.0.5-vendor.tar.bz2
/cryptography-41.0.5.tar.gz
/cryptography-41.0.7.tar.gz
/cryptography-41.0.7-vendor.tar.bz2
/cryptography-43.0.0.tar.gz
/cryptography-43.0.0-vendor.tar.bz2

View File

@ -0,0 +1 @@
20708a4955dcf7e2bb53d05418273d2bc0f80ab4 SOURCES/cryptography-3.2.1.tar.gz

View File

@ -1,36 +0,0 @@
From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001
From: Christian Heimes <christian@python.org>
Date: Mon, 22 Jul 2024 09:09:05 +0200
Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined
Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE
support. Downstream has moved `openssl/engine.h` into a separate RPM
package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The
compiler flag disables PyCA cryptography's ENGINE support successfully.
We also like to build the downstream package without the `engine.h`
header file present.
This commit makes the include conditional. The `ENGINE` type is
defined in `openssl/types.h`.
See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide
See: https://issues.redhat.com/browse/RHEL-33747
Signed-off-by: Christian Heimes <christian@python.org>
---
src/_cffi_src/openssl/engine.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py
index 9629a2c8f929..f47e20327003 100644
--- a/src/_cffi_src/openssl/engine.py
+++ b/src/_cffi_src/openssl/engine.py
@@ -5,7 +5,9 @@
from __future__ import annotations
INCLUDES = """
+#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL
#include <openssl/engine.h>
+#endif
"""
TYPES = """

View File

@ -1,26 +0,0 @@
From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Tue, 3 Sep 2024 20:19:02 -0400
Subject: [PATCH] allow sha1 in OAEP (#11536)
fixes #11512
---
src/rust/src/backend/rsa.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs
index 3c01e7421..066b1412a 100644
--- a/src/rust/src/backend/rsa.rs
+++ b/src/rust/src/backend/rsa.rs
@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu
}
fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool {
- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1())
+ md == &openssl::hash::MessageDigest::sha1()
|| md == &openssl::hash::MessageDigest::sha224()
|| md == &openssl::hash::MessageDigest::sha256()
|| md == &openssl::hash::MessageDigest::sha384()
--
2.46.0

View File

@ -1,59 +0,0 @@
# PyCA cryptography
https://cryptography.io/en/latest/
## Packaging python-cryptography
The example assumes
* Fedora Rawhide (f34)
* PyCA cryptography release ``3.4``
* Update Bugzilla issue is ``RHBZ#00000001``
### Build new python-cryptography
Switch and update branch
```shell
fedpkg switch-branch rawhide
fedpkg pull
```
Bump version and get sources
```shell
rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography.spec
spectool -gf python-cryptography.spec
```
Upload new source
```shell
fedpkg new-sources cryptography-3.4.tar.gz
```
Commit changes
```shell
fedpkg commit --clog
fedpkg push
```
Build
```shell
fedpkg build
```
## RHEL/CentOS builds
RHEL and CentOS use a different approach for Rust crates packaging than
Fedora. On Fedora Rust dependencies are packaged as RPMs, e.g.
``rust-pyo3+default-devel`` RPM. These packages don't exist on RHEL and
CentOS. Instead python-cryptography uses a tar ball with vendored crates.
The tar ball is created by a script:
```shell
./vendor_rust.py
rhpkg upload cryptography-3.4-vendor.tar.bz2
```

View File

@ -0,0 +1,254 @@
From e3e043ab363387033ddfdcaf3c15d8cf8dda17ed Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 27 Oct 2020 16:42:15 +0100
Subject: [PATCH 1] Re-add deprecated and removed features
* encode_rfc6979_signature()
* decode_rfc6979_signature()
* Certificate.serial property
* MACContext
* osrandom engine is disabled
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
.../hazmat/backends/openssl/cmac.py | 3 +-
.../hazmat/backends/openssl/hmac.py | 3 +-
.../hazmat/backends/openssl/x509.py | 4 ++
.../hazmat/primitives/asymmetric/utils.py | 8 ++++
src/cryptography/hazmat/primitives/cmac.py | 3 +-
src/cryptography/hazmat/primitives/hmac.py | 3 +-
src/cryptography/hazmat/primitives/mac.py | 37 +++++++++++++++++++
src/cryptography/x509/extensions.py | 6 ++-
tests/hazmat/backends/test_openssl.py | 3 ++
tests/hazmat/primitives/test_asym_utils.py | 9 +++++
tests/x509/test_x509.py | 1 +
tests/x509/test_x509_ext.py | 5 +++
12 files changed, 80 insertions(+), 5 deletions(-)
create mode 100644 src/cryptography/hazmat/primitives/mac.py
diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py
index 195fc230f..5281f634d 100644
--- a/src/cryptography/hazmat/backends/openssl/cmac.py
+++ b/src/cryptography/hazmat/backends/openssl/cmac.py
@@ -11,10 +11,11 @@ from cryptography.exceptions import (
UnsupportedAlgorithm,
_Reasons,
)
-from cryptography.hazmat.primitives import constant_time
+from cryptography.hazmat.primitives import constant_time, mac
from cryptography.hazmat.primitives.ciphers.modes import CBC
+@utils.register_interface(mac.MACContext)
class _CMACContext(object):
def __init__(self, backend, algorithm, ctx=None):
if not backend.cmac_algorithm_supported(algorithm):
diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
index 5024223b2..11c850e10 100644
--- a/src/cryptography/hazmat/backends/openssl/hmac.py
+++ b/src/cryptography/hazmat/backends/openssl/hmac.py
@@ -11,9 +11,10 @@ from cryptography.exceptions import (
UnsupportedAlgorithm,
_Reasons,
)
-from cryptography.hazmat.primitives import constant_time, hashes
+from cryptography.hazmat.primitives import constant_time, hashes, mac
+@utils.register_interface(mac.MACContext)
@utils.register_interface(hashes.HashContext)
class _HMACContext(object):
def __init__(self, backend, key, algorithm, ctx=None):
diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
index 4d0dac764..c9074f59e 100644
--- a/src/cryptography/hazmat/backends/openssl/x509.py
+++ b/src/cryptography/hazmat/backends/openssl/x509.py
@@ -73,6 +73,10 @@ class _Certificate(object):
self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
return _asn1_integer_to_int(self._backend, asn1_int)
+ @property
+ def serial(self):
+ return self.serial_number
+
def public_key(self):
pkey = self._backend._lib.X509_get_pubkey(self._x509)
if pkey == self._backend._ffi.NULL:
diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
index 5f9b67786..886d7565b 100644
--- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
@@ -39,3 +39,11 @@ class Prehashed(object):
self._digest_size = algorithm.digest_size
digest_size = utils.read_only_property("_digest_size")
+
+
+def decode_rfc6979_signature(signature):
+ return decode_dss_signature(signature)
+
+
+def encode_rfc6979_signature(r, s):
+ return encode_dss_signature(r, s)
diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py
index bf962c906..7f37f13cc 100644
--- a/src/cryptography/hazmat/primitives/cmac.py
+++ b/src/cryptography/hazmat/primitives/cmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
)
from cryptography.hazmat.backends import _get_backend
from cryptography.hazmat.backends.interfaces import CMACBackend
-from cryptography.hazmat.primitives import ciphers
+from cryptography.hazmat.primitives import ciphers, mac
+@utils.register_interface(mac.MACContext)
class CMAC(object):
def __init__(self, algorithm, backend=None, ctx=None):
backend = _get_backend(backend)
diff --git a/src/cryptography/hazmat/primitives/hmac.py b/src/cryptography/hazmat/primitives/hmac.py
index 8c421dc68..6f03a1071 100644
--- a/src/cryptography/hazmat/primitives/hmac.py
+++ b/src/cryptography/hazmat/primitives/hmac.py
@@ -12,9 +12,10 @@ from cryptography.exceptions import (
)
from cryptography.hazmat.backends import _get_backend
from cryptography.hazmat.backends.interfaces import HMACBackend
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, mac
+@utils.register_interface(mac.MACContext)
@utils.register_interface(hashes.HashContext)
class HMAC(object):
def __init__(self, key, algorithm, backend=None, ctx=None):
diff --git a/src/cryptography/hazmat/primitives/mac.py b/src/cryptography/hazmat/primitives/mac.py
new file mode 100644
index 000000000..4c95190ba
--- /dev/null
+++ b/src/cryptography/hazmat/primitives/mac.py
@@ -0,0 +1,37 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+import abc
+
+import six
+
+
+@six.add_metaclass(abc.ABCMeta)
+class MACContext(object):
+ @abc.abstractmethod
+ def update(self, data):
+ """
+ Processes the provided bytes.
+ """
+
+ @abc.abstractmethod
+ def finalize(self):
+ """
+ Returns the message authentication code as bytes.
+ """
+
+ @abc.abstractmethod
+ def copy(self):
+ """
+ Return a MACContext that is a copy of the current context.
+ """
+
+ @abc.abstractmethod
+ def verify(self, signature):
+ """
+ Checks if the generated message authentication code matches the
+ signature.
+ """
diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
index 130ba69b8..ddbccdf3b 100644
--- a/src/cryptography/x509/extensions.py
+++ b/src/cryptography/x509/extensions.py
@@ -218,8 +218,12 @@ class AuthorityKeyIdentifier(object):
@classmethod
def from_issuer_subject_key_identifier(cls, ski):
+ if isinstance(ski, SubjectKeyIdentifier):
+ digest = ski.digest
+ else:
+ digest = ski.value.digest
return cls(
- key_identifier=ski.digest,
+ key_identifier=digest,
authority_cert_issuer=None,
authority_cert_serial_number=None,
)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 2f7e7bebf..73c17d84f 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -301,6 +301,9 @@ class TestOpenSSLRandomEngine(object):
res = backend._lib.ENGINE_free(e)
assert res == 1
+ def test_rhel8_no_osrandom(self):
+ pytest.fail("osrandom engine is not FIPS compliant, see RHBZ#1762667")
+
@pytest.mark.skipif(
backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE,
diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
index 70bff012f..334b459b5 100644
--- a/tests/hazmat/primitives/test_asym_utils.py
+++ b/tests/hazmat/primitives/test_asym_utils.py
@@ -10,6 +10,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
Prehashed,
decode_dss_signature,
encode_dss_signature,
+ encode_rfc6979_signature,
+ decode_rfc6979_signature
)
@@ -75,3 +77,10 @@ def test_decode_dss_invalid_asn1():
def test_pass_invalid_prehashed_arg():
with pytest.raises(TypeError):
Prehashed(object())
+
+
+def test_deprecated_rfc6979_signature():
+ sig = encode_rfc6979_signature(1, 1)
+ assert sig == b"0\x06\x02\x01\x01\x02\x01\x01"
+ decoded = decode_rfc6979_signature(sig)
+ assert decoded == (1, 1)
diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
index 11c80816c..e5bdf17d4 100644
--- a/tests/x509/test_x509.py
+++ b/tests/x509/test_x509.py
@@ -685,6 +685,7 @@ class TestRSACertificate(object):
)
assert isinstance(cert, x509.Certificate)
assert cert.serial_number == 11559813051657483483
+ assert cert.serial == cert.serial_number
fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
index 2cd216fb6..ac2b2c03d 100644
--- a/tests/x509/test_x509_ext.py
+++ b/tests/x509/test_x509_ext.py
@@ -3442,6 +3442,11 @@ class TestAuthorityKeyIdentifierExtension(object):
)
assert ext.value == aki
+ aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
+ ski_ext
+ )
+ assert ext.value == aki
+
class TestNameConstraints(object):
def test_ipaddress_wrong_type(self):
--
2.26.2

View File

@ -0,0 +1,86 @@
From c1c1b14d359b1360e7d14a7c0687bef9ed6fc17c Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Wed, 28 Oct 2020 14:27:55 +0100
Subject: [PATCH 2] Support pytest 3.4.2
---
setup.py | 3 ++-
tests/conftest.py | 4 ++--
tests/test_utils.py | 4 ++--
tests/utils.py | 2 +-
4 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/setup.py b/setup.py
index 82800a96e..5678db004 100644
--- a/setup.py
+++ b/setup.py
@@ -93,7 +93,8 @@ setup(
extras_require={
":python_version < '3'": ["enum34", "ipaddress"],
"test": [
- "pytest>=3.6.0,!=3.9.0,!=3.9.1,!=3.9.2",
+ "pytest>=3.4.2,<3.6",
+ "attrs>=17.4.0,<18.0",
"pretend",
"iso8601",
"pytz",
diff --git a/tests/conftest.py b/tests/conftest.py
index 4e3124fa7..53c194830 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -42,7 +42,7 @@ def pytest_generate_tests(metafunc):
def pytest_runtest_setup(item):
if openssl_backend._fips_enabled:
- for marker in item.iter_markers(name="skip_fips"):
+ for marker in item.get_marker(name="skip_fips") or []:
pytest.skip(marker.kwargs["reason"])
@@ -50,7 +50,7 @@ def pytest_runtest_setup(item):
def backend(request):
required_interfaces = [
mark.kwargs["interface"]
- for mark in request.node.iter_markers("requires_backend_interface")
+ for mark in request.node.get_marker("requires_backend_interface") or []
]
if not all(
isinstance(openssl_backend, iface) for iface in required_interfaces
diff --git a/tests/test_utils.py b/tests/test_utils.py
index d6afa3b34..e0a1be4f5 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -43,7 +43,7 @@ def test_check_backend_support_skip():
supported = pretend.stub(
kwargs={"only_if": lambda backend: False, "skip_message": "Nope"}
)
- node = pretend.stub(iter_markers=lambda x: [supported])
+ node = pretend.stub(get_marker=lambda x: [supported])
item = pretend.stub(node=node)
with pytest.raises(pytest.skip.Exception) as exc_info:
check_backend_support(True, item)
@@ -54,7 +54,7 @@ def test_check_backend_support_no_skip():
supported = pretend.stub(
kwargs={"only_if": lambda backend: True, "skip_message": "Nope"}
)
- node = pretend.stub(iter_markers=lambda x: [supported])
+ node = pretend.stub(get_marker=lambda x: [supported])
item = pretend.stub(node=node)
assert check_backend_support(None, item) is None
diff --git a/tests/utils.py b/tests/utils.py
index 5d98af00e..a08f79c34 100644
--- a/tests/utils.py
+++ b/tests/utils.py
@@ -27,7 +27,7 @@ KeyedHashVector = collections.namedtuple(
def check_backend_support(backend, item):
- for mark in item.node.iter_markers("supported"):
+ for mark in item.node.get_marker("supported") or []:
if not mark.kwargs["only_if"](backend):
pytest.skip("{} ({})".format(mark.kwargs["skip_message"], backend))
--
2.26.2

View File

@ -0,0 +1,73 @@
From bea141d25bd2bc4eea7527e2d6ec1d85b2b3806d Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Thu, 29 Oct 2020 09:21:06 +0100
Subject: [PATCH 3] Skip iso8601 test cases
---
tests/test_fernet.py | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/tests/test_fernet.py b/tests/test_fernet.py
index 38409b03e..343f3e4ec 100644
--- a/tests/test_fernet.py
+++ b/tests/test_fernet.py
@@ -10,7 +10,10 @@ import json
import os
import time
-import iso8601
+try:
+ import iso8601
+except ImportError:
+ iso8601 = None
import pytest
@@ -24,6 +27,12 @@ from cryptography.hazmat.primitives.ciphers import algorithms, modes
import cryptography_vectors
+skip_iso8601 = pytest.mark.skipif(
+ iso8601 is None,
+ reason="is8601 is not available"
+)
+
+
def json_parametrize(keys, filename):
vector_file = cryptography_vectors.open_vector_file(
os.path.join("fernet", filename), "r"
@@ -49,6 +58,7 @@ def test_default_backend():
skip_message="Does not support AES CBC",
)
class TestFernet(object):
+ @skip_iso8601
@json_parametrize(
("secret", "now", "iv", "src", "token"),
"generate.json",
@@ -62,6 +72,7 @@ class TestFernet(object):
)
assert actual_token == token.encode("ascii")
+ @skip_iso8601
@json_parametrize(
("secret", "now", "src", "ttl_sec", "token"),
"verify.json",
@@ -81,6 +92,7 @@ class TestFernet(object):
payload = f.decrypt(token.encode("ascii"), ttl=ttl_sec)
assert payload == src.encode("ascii")
+ @skip_iso8601
@json_parametrize(("secret", "token", "now", "ttl_sec"), "invalid.json")
def test_invalid(self, secret, token, now, ttl_sec, backend, monkeypatch):
f = Fernet(secret.encode("ascii"), backend=backend)
@@ -117,6 +129,7 @@ class TestFernet(object):
with pytest.raises(TypeError):
f.decrypt(u"")
+ @skip_iso8601
def test_timestamp_ignored_no_ttl(self, monkeypatch, backend):
f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
pt = b"encrypt me"
--
2.26.2

View File

@ -0,0 +1,75 @@
From e8ed37e0d24a1cc7482ab816ed5f25243395b2ef Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 14 Dec 2020 14:13:53 +0100
Subject: [PATCH] Revert "remove NPN bindings -- you should be using ALPN!
(#4765)"
This reverts commit 99bf4e4605cbe54bad597da1ebe4cc323909083c.
---
src/_cffi_src/openssl/ssl.py | 20 +++++++++++++++++++-
tests/hazmat/bindings/test_openssl.py | 4 ++++
2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index c38e309a1..fa854f5dd 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -138,6 +138,8 @@ static const long SSL3_RANDOM_SIZE;
static const long TLS_ST_BEFORE;
static const long TLS_ST_OK;
+static const long OPENSSL_NPN_NEGOTIATED;
+
typedef ... SSL_METHOD;
typedef ... SSL_CTX;
@@ -401,9 +403,25 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *);
long SSL_session_reused(SSL *);
+void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *,
+ int (*)(SSL *,
+ const unsigned char **,
+ unsigned int *,
+ void *),
+ void *);
+void SSL_CTX_set_next_proto_select_cb(SSL_CTX *,
+ int (*)(SSL *,
+ unsigned char **,
+ unsigned char *,
+ const unsigned char *,
+ unsigned int,
+ void *),
+ void *);
int SSL_select_next_proto(unsigned char **, unsigned char *,
const unsigned char *, unsigned int,
const unsigned char *, unsigned int);
+void SSL_get0_next_proto_negotiated(const SSL *,
+ const unsigned char **, unsigned *);
int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
@@ -601,7 +619,7 @@ static const long Cryptography_HAS_TLSv1_2 = 1;
static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
-static const long Cryptography_HAS_NEXTPROTONEG = 0;
+static const long Cryptography_HAS_NEXTPROTONEG = 1;
static const long Cryptography_HAS_ALPN = 1;
#if CRYPTOGRAPHY_IS_LIBRESSL
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index ecee34091..aeb12a0dc 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -137,3 +137,7 @@ class TestOpenSSL(object):
)
with pytest.raises(RuntimeError):
_verify_openssl_version(lib)
+
+ def test_npn_binding(self):
+ b = Binding()
+ assert b.lib.Cryptography_HAS_NEXTPROTONEG
--
2.29.2

View File

@ -0,0 +1,18 @@
From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 7 Feb 2021 11:04:43 -0600
Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index 2b10681b31..0f96795fdc 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -16,7 +16,7 @@
class _CipherContext(object):
_ENCRYPT = 1
_DECRYPT = 0
- _MAX_CHUNK_SIZE = 2 ** 31 - 1
+ _MAX_CHUNK_SIZE = 2 ** 30 - 1
def __init__(self, backend, cipher, mode, operation):
self._backend = backend

View File

@ -0,0 +1,42 @@
From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001
From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Tue, 31 Jan 2023 08:33:54 -0500
Subject: [PATCH] Don't allow update_into to mutate immutable objects
---
src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
tests/hazmat/primitives/test_ciphers.py | 8 ++++++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index 286583f9325..075d68fb905 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int:
data_processed = 0
total_out = 0
outlen = self._backend._ffi.new("int *")
- baseoutbuf = self._backend._ffi.from_buffer(buf)
+ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
baseinbuf = self._backend._ffi.from_buffer(data)
while data_processed != total_data_len:
diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
index 02127dd9cab..bf3b047dec2 100644
--- a/tests/hazmat/primitives/test_ciphers.py
+++ b/tests/hazmat/primitives/test_ciphers.py
@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend):
with pytest.raises(ValueError):
encryptor.update_into(b"testing", buf)
+ def test_update_into_immutable(self, backend):
+ key = b"\x00" * 16
+ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
+ encryptor = c.encryptor()
+ buf = b"\x00" * 32
+ with pytest.raises((TypeError, BufferError)):
+ encryptor.update_into(b"testing", buf)
+
@pytest.mark.supported(
only_if=lambda backend: backend.cipher_supported(
AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)

View File

@ -0,0 +1,277 @@
%{!?python3_pkgversion:%global python3_pkgversion 3}
%global srcname cryptography
# rhbz#2172416: from_buffer(..., require_writable=True)
%global cffi_version 1.11.5-6
Name: python-%{srcname}
Version: 3.2.1
Release: 7%{?dist}
Summary: PyCA's cryptography library
Group: Development/Libraries
License: ASL 2.0 or BSD
URL: https://cryptography.io/en/latest/
Source0: https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz
Patch0001: 0001-Re-add-deprecated-and-removed-features.patch
Patch0002: 0002-Support-pytest-3.4.2.patch
Patch0003: 0003-Skip-iso8601-test-cases.patch
Patch0004: 0004-Revert-remove-NPN-bindings.patch
Patch0005: 0005-CVE-2020-36242.patch
# https://github.com/pyca/cryptography/pull/8230
Patch0006: 0006-CVE-2023-23931.patch
BuildRequires: openssl-devel
BuildRequires: gcc
BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-pytest >= 3.4.2
BuildRequires: python%{python3_pkgversion}-setuptools
BuildRequires: python%{python3_pkgversion}-pretend
# BuildRequires: python{python3_pkgversion}-iso8601
BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version}
BuildRequires: python%{python3_pkgversion}-pytz
BuildRequires: python%{python3_pkgversion}-six >= 1.4.1
BuildRequires: python%{python3_pkgversion}-cffi >= %{cffi_version}
%description
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%package -n python%{python3_pkgversion}-%{srcname}
Group: Development/Libraries
Summary: PyCA's cryptography library
%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
Requires: openssl-libs
Requires: python%{python3_pkgversion}-six >= 1.4.1
Requires: python%{python3_pkgversion}-cffi >= %{cffi_version}
Conflicts: python%{python3_pkgversion}-cryptography-vectors < %{version}
Conflicts: python%{python3_pkgversion}-cryptography-vectors > %{version}
%description -n python%{python3_pkgversion}-%{srcname}
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%prep
%autosetup -p1 -n %{srcname}-%{version}
%build
%py3_build
%install
# Actually other *.c and *.h are appropriate
# see https://github.com/pyca/cryptography/issues/1463
find . -name .keep -print -delete
%py3_install
%check
# workaround for pytest 3.2.0 bug https://github.com/pytest-dev/pytest/issues/2644
rm -f tests/hazmat/primitives/test_padding.py
# don't run hypothesis tests
rm -rf tests/hypothesis
PYTHONPATH=%{buildroot}%{python3_sitearch} \
%{__python3} -m pytest \
-k "not test_decrypt_invalid_decrypt"
%files -n python%{python3_pkgversion}-%{srcname}
%doc README.rst docs
%license LICENSE LICENSE.APACHE LICENSE.BSD
%{python3_sitearch}/%{srcname}
%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
%changelog
* Fri Dec 01 2023 Christian Heimes <cheimes@redhat.com> - 3.2.1-7
- Fix FTBFS caused by rsa_pkcs1_implicit_rejection OpenSSL feature, resolves: RHEL-17873
* Wed Feb 22 2023 Christian Heimes <cheimes@redhat.com> - 3.2.1-6
- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2172404
* Tue Jun 08 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-5
- Rebuild for RHEL 8.5
- Resolves: rhbz#1933071
* Tue Feb 09 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-4
- CVE-2020-36242: Fixed a bug where certain sequences of update() calls
when symmetrically encrypting very large payloads (>2GB) could result
in an integer overflow, leading to buffer overflows.
- Resolves: rhbz#1926528
* Mon Dec 14 17:24:01 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-3
- Conflict with non-matching vector package
* Mon Dec 14 14:19:42 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-2
- Re-add remove NPN bindings, required for pyOpenSSL
- Resolves: rhbz#1907429
* Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
- Rebase to upstream release 3.2.1
- Resolves: rhbz#1873581
- Resolves: rhbz#1778939
- Removed dependencies on python-asn1crypto, python-idna
* Tue Nov 12 2019 Christian Heimes <cheimes@redhat.com> - 2.3-3
- Don't activate custom osrandom engine for FIPS compliance
- Resolves: rhbz#1762667
* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
- Use TLSv1.2 in test as workaround for RHBZ#1615099
- Resolves: RHBZ#1611738
* Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
- New upstream release 2.3
- Fix AEAD tag truncation bug, CVE-2018-10903, RHBZ#1602755, RHBZ#1602932
* Tue Jun 19 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-2
- Drop Python 2 subpackages from RHEL 8, fixes RHBZ#1589754
- Remove unnecessary copy and shebang mangling
* Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
- New upstream release 2.2.1
* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
- New upstream release 2.1.4
* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
- Build requires gcc
* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Thu Nov 23 2017 Haïkel Guémar <hguemar@fedoraproject.org> - 2.1.3-1
- Upstream 2.1.3
* Tue Oct 24 2017 Christian Heimes <cheimes@redhat.com> - 2.1-2
- Change Requires to openssl-libs
* Thu Oct 12 2017 Christian Heimes <cheimes@redhat.com> - 2.1-1
- New upstream release 2.1
* Wed Sep 27 2017 Troy Dawson <tdawson@redhat.com> - 2.0.2-3
- Cleanup spec file conditionals
* Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-2
- Add workaround for pytest bug
* Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-1
- New upstream release 2.0.2
- Modernize spec
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Tue Jun 27 2017 Christian Heimes <cheimes@redhat.com> - 1.9-1
- Upstream release 1.9
* Wed Feb 15 2017 Christian Heimes <cheimes@redhat.com> - 1.7.2-1
- Update to latest upstream
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Jan 05 2017 Matěj Cepl <mcepl@redhat.com> - 1.7.1-1
- Update to the latest upstream.
- Add a patch from https://github.com/pyca/cryptography/pull/3328
* Tue Dec 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-5
- Enable tests
* Mon Dec 12 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-4
- Rebuild for Python 3.6
- Disable python3 tests for now
* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-3
- Revert previous change
* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-2
- Disable tests on releases earlier than 24
* Mon Nov 07 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-1
- Update to v1.5.3
- Update source URL
- Add BR for pytz
* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-4
- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
* Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-3
- Remove versioned setuptools dependency
* Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-2
- Make it easier to build on EL7
* Tue May 03 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-1
- Update to v1.3.1
* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Mon Jan 11 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-2
- Move python-cryptograph => python2-cryptography
* Sat Jan 09 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-1
- Update to v1.2.1
* Wed Nov 11 2015 Robert Kuska <rkuska@redhat.com> - 1.1-1
- Update to v1.1
* Wed Nov 04 2015 Robert Kuska <rkuska@redhat.com> - 1.0.2-2
- Rebuilt for Python3.5 rebuild
* Wed Sep 30 2015 Matěj Cepl <mcepl@redhat.com> - 1.0.2-1
- New upstream release (fix #1267548)
* Wed Aug 12 2015 Nathaniel McCallum <npmccallum@redhat.com> - 1.0-1
- New upstream release
* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Thu May 14 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.9-1
- New upstream release
- Run tests on RHEL
- New deps: python-idna, python-ipaddress
* Fri Apr 17 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8.2-1
- New upstream release
- Add python3-pyasn1 Requires (#1211073)
* Tue Apr 14 2015 Matej Cepl <mcepl@redhat.com> - 0.8-2
- Add python-pyasn1 Requires (#1211073)
* Fri Mar 13 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8-1
- New upstream release
- Remove upstreamed patch
* Wed Mar 04 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-2
- Add python3-cryptography-vectors build requires
- Add python-enum34 requires
* Tue Feb 03 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-1
- New upstream release. BSD is now an optional license.
- Fix test running on python3
- Add upstream patch to fix test paths
* Fri Nov 07 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-2
- Fix requires, for reasons why other development files were not
eliminated see https://github.com/pyca/cryptography/issues/1463.
* Wed Nov 05 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-1
- New upstream release.
* Sun Jun 29 2014 Terry Chia <terrycwk1994@gmail.com> 0.4-1
- initial version

248
changelog
View File

@ -1,248 +0,0 @@
* Tue Jul 02 2024 Jeremy Cline <jeremycline@linux.microsoft.com> - 42.0.8-1
- Update to 42.0.8, fixes rhbz#2251816
* Sat Jun 08 2024 Python Maint <python-maint@redhat.com> - 41.0.7-3
- Rebuilt for Python 3.13
* Fri Jun 07 2024 Python Maint <python-maint@redhat.com> - 41.0.7-2
- Bootstrap for Python 3.13
* Thu Feb 01 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 41.0.7-1
- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083
* Fri Jan 26 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.0.5-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 41.0.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Dec 01 2023 Fabio Valentini <decathorpe@gmail.com> - 41.0.5-2
- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072)
* Thu Oct 26 2023 Christian Heimes <cheimes@redhat.com> - 41.0.5-1
- Update to 41.0.5, resolves RHBZ#2239707
* Mon Aug 14 2023 Christian Heimes <cheimes@redhat.com> - 41.0.3-2
- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042
* Wed Aug 09 2023 Christian Heimes <cheimes@redhat.com> - 41.0.3-1
- Update to 41.0.3, resolves rhbz#2211237
- Use pyo3 0.19
* Fri Jul 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 40.0.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Mon Jul 10 2023 Python Maint <python-maint@redhat.com> - 40.0.2-4
- Rebuilt for Python 3.12
* Wed Jun 14 2023 Python Maint <python-maint@redhat.com> - 40.0.2-3
- Bootstrap for Python 3.12
* Tue Jun 13 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 40.0.2-2
- Use vendored rust-pem in RHEL builds
* Tue Apr 18 2023 Christian Heimes <cheimes@redhat.com> - 40.0.2-1
- Update to 40.0.2, resolves rhbz#2181430
* Thu Mar 09 2023 Miro Hrončok <mhroncok@redhat.com> - 39.0.2-2
- Don't run tests requiring pytz on RHEL
- Don't try to run tests of vendored dependencies in %%check
* Sat Mar 04 2023 Christian Heimes <cheimes@redhat.com> - 39.0.2-1
- Update to 39.0.2, resolves rhbz#2124729
* Tue Feb 28 2023 Fabio Valentini <decathorpe@gmail.com> - 37.0.2-9
- Ensure correct compiler flags are used for Rust code.
* Wed Feb 22 2023 Christian Heimes <cheimes@redhat.com> - 37.0.2-8
- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820
- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661
* Fri Jan 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 37.0.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Dec 09 2022 Christian Heimes <cheimes@redhat.com> - 37.0.2-6
- Enable SHA1 signatures in test suite (ELN-only)
* Wed Aug 17 2022 Miro Hrončok <mhroncok@redhat.com> - 37.0.2-5
- Drop unused requirement of python3-six
* Fri Jul 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 37.0.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Jun 14 2022 Python Maint <python-maint@redhat.com> - 37.0.2-3
- Rebuilt for Python 3.11
* Tue Jun 14 2022 Python Maint <python-maint@redhat.com> - 37.0.2-2
- Bootstrap for Python 3.11
* Thu May 05 2022 Christian Heimes <cheimes@redhat.com> - 37.0.2-1
- Update to 37.0.2, resolves rhbz#2078968
* Thu Jan 27 2022 Christian Heimes <cheimes@redhat.com> - 36.0.0-3
- Skip unstable memleak tests, resolves: RHBZ#2042413
* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 36.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Nov 22 2021 Christian Heimes <cheimes@redhat.com> - 36.0.0-1
- Update to 36.0.0, fixes RHBZ#2025347
* Thu Sep 30 2021 Christian Heimes <cheimes@redhat.com> - 35.0.0-2
- Require rust-asn1 >= 0.6.4
* Thu Sep 30 2021 Christian Heimes <cheimes@redhat.com> - 35.0-1
- Update to 35.0.0 (#2009117)
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 3.4.7-6
- Rebuilt with OpenSSL 3.0.0
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.4.7-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Thu Jun 10 2021 Stephen Gallagher <sgallagh@redhat.com> - 3.4.7-4
- Don't conditionalize Source: directives
* Wed Jun 02 2021 Python Maint <python-maint@redhat.com> - 3.4.7-3
- Rebuilt for Python 3.10
* Tue May 11 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-2
- Fix compatibility issue with Python 3.10. Enums now use same
representation as on Python 3.9. (#1952522)
- Backport OpenSSL 3.0.0 compatibility patches.
* Wed Apr 21 2021 Christian Heimes <cheimes@redhat.com> - 3.4.7-1
- Update to 3.4.7
- Remove dependency on python-cryptography-vectors package and use vectors
directly from Github source tar ball. (#1952024)
* Wed Mar 03 2021 Christian Heimes <cheimes@redhat.com> - 3.4.6-1
- Update to 3.4.6 (#1927044)
* Mon Feb 15 2021 Christian Heimes <cheimes@redhat.com> - 3.4.5-1
- Update to 3.4.5 (#1927044)
* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-3
- Skip iso8601 and pretend tests on RHEL
* Fri Feb 12 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-2
- Provide RHEL build infrastructure
* Wed Feb 10 2021 Christian Heimes <cheimes@redhat.com> - 3.4.4-1
- Update to 3.4.4 (#1927044)
* Mon Feb 08 2021 Christian Heimes <cheimes@redhat.com> - 3.4.2-1
- Update to 3.4.2 (#1926339)
- Package no longer depends on Rust (#1926181)
* Mon Feb 08 2021 Fabio Valentini <decathorpe@gmail.com> - 3.4.1-2
- Use dynamically generated BuildRequires for PyO3 Rust module.
- Drop unnecessary CARGO_NET_OFFLINE environment variable.
* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4.1-1
- Update to 3.4.1 (#1925953)
* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-2
- Add missing abi3 and pytest dependencies
* Sun Feb 07 2021 Christian Heimes <cheimes@redhat.com> - 3.4-1
- Update to 3.4 (#1925953)
- Remove Python 2 support
- Remove unused python-idna dependency
- Add Rust support
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.3.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Thu Dec 10 2020 Christian Heimes <cheimes@redhat.com> - 3.3.1-1
- Update to 3.3.1 (#1905756)
* Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
- Update to 3.2.1 (#1892153)
* Mon Oct 26 2020 Christian Heimes <cheimes@redhat.com> - 3.2-1
- Update to 3.2 (#1891378)
* Mon Sep 07 2020 Christian Heimes <cheimes@redhat.com> - 3.1-1
- Update to 3.1 (#1872978)
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 21 2020 Christian Heimes <cheimes@redhat.com> - 3.0-1
- Update to 3.0 (#185897)
* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 2.9-3
- Rebuilt for Python 3.9
* Tue May 12 2020 Felix Schwarz <fschwarz@fedoraproject.org> - 2.9-2
- add source file verification
* Fri Apr 03 2020 Christian Heimes <cheimes@redhat.com> - 2.9-1
- Update to 2.9 (#1820348)
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Mon Jan 13 2020 Christian Heimes <cheimes@redhat.com> - 2.8-2
- cryptography 2.8+ no longer depends on python-asn1crypto
* Thu Oct 17 2019 Christian Heimes <cheimes@redhat.com> - 2.8-1
- Update to 2.8
- Resolves: rhbz#1762779
* Sun Oct 13 2019 Christian Heimes <cheimes@redhat.com> - 2.7-3
- Skip unit tests that fail with OpenSSL 1.1.1.d
- Resolves: rhbz#1761194
- Fix and simplify Python 3 packaging
* Sat Oct 12 2019 Christian Heimes <cheimes@redhat.com> - 2.7-2
- Drop Python 2 package
- Resolves: rhbz#1761081
* Tue Sep 03 2019 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.7-1
- Update to 2.7 (#1715680).
* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.1-3
- Rebuilt for Python 3.8
* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Feb 28 2019 Christian Heimes <cheimes@redhat.com> - 2.6.1-1
- New upstream release 2.6.1, resolves RHBZ#1683691
* Wed Feb 13 2019 Alfredo Moralejo <amoralej@redhat.com> - 2.5-1
- Updated to 2.5.
* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
- Use TLSv1.2 in test as workaround for RHBZ#1615143
* Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
- New upstream release 2.3
- Fix AEAD tag truncation bug, RHBZ#1602752
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.2.1-2
- Rebuilt for Python 3.7
* Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
- New upstream release 2.2.1
* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.4-1
- New upstream release 2.1.4
* Sun Feb 18 2018 Christian Heimes <cheimes@redhat.com> - 2.1.3-4
- Build requires gcc
* Mon Feb 12 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.1.3-3
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

View File

@ -1,22 +0,0 @@
class Skipper:
"""Skip iso8601 and pretend tests
RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip
all tests that use the excluded modules.
"""
def parse_date(self, datestring):
pytest.skip(f"iso8601 module is not available.")
def stub(self, **kwargs):
pytest.skip(f"pretend module is not available.")
def raiser(self, exc):
pytest.skip(f"pretend module is not available.")
import sys
sys.modules["iso8601"] = sys.modules["pretend"] = Skipper()

View File

@ -1,7 +0,0 @@
# recipients: abokovoy, frenaud, kaleem, ftrivino, cheimes
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

View File

@ -1,144 +0,0 @@
%bcond_without tests
%{!?python3_pkgversion:%global python3_pkgversion 3}
%global srcname cryptography
Name: python-%{srcname}
Version: 43.0.0
Release: %autorelease
Summary: PyCA's cryptography library
# cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause,
# as well as the Python Software Foundation license for the OS random
# engine derived by CPython.
License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0
URL: https://cryptography.io/en/latest/
Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
# created by ./vendor_rust.py helper script
Source1: cryptography-%{version}-vendor.tar.bz2
Source2: conftest-skipper.py
Patch: 11328.patch
Patch: 11536.patch
ExclusiveArch: %{rust_arches}
BuildRequires: openssl-devel
BuildRequires: gcc
BuildRequires: gnupg2
%if 0%{?fedora}
BuildRequires: rust-packaging
%else
BuildRequires: rust-toolset
%endif
BuildRequires: python%{python3_pkgversion}-cffi >= 1.12
BuildRequires: python%{python3_pkgversion}-devel
BuildRequires: python%{python3_pkgversion}-setuptools
BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4
%if %{with tests}
%if 0%{?fedora}
BuildRequires: python%{python3_pkgversion}-certifi
BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4
BuildRequires: python%{python3_pkgversion}-iso8601
BuildRequires: python%{python3_pkgversion}-pretend
BuildRequires: python%{python3_pkgversion}-pytest-benchmark
BuildRequires: python%{python3_pkgversion}-pytest-xdist
BuildRequires: python%{python3_pkgversion}-pytz
%endif
BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0
%endif
%description
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%package -n python%{python3_pkgversion}-%{srcname}
Summary: PyCA's cryptography library
%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
Requires: openssl-libs
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
# Can be safely removed in Fedora 37
Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7
%endif
%description -n python%{python3_pkgversion}-%{srcname}
cryptography is a package designed to expose cryptographic primitives and
recipes to Python developers.
%prep
%autosetup -p1 -n %{srcname}-%{version}
%if 0%{?fedora}
%cargo_prep
sed -i 's/locked = true//g' pyproject.toml
rm src/rust/Cargo.lock
%else
# RHEL: use vendored Rust crates
%cargo_prep -V 1
%endif
%if ! 0%{?fedora}
sed -i 's,--benchmark-disable,,' pyproject.toml
%endif
%generate_buildrequires
%pyproject_buildrequires
%if 0%{?fedora}
# Fedora: use RPMified crates
cd src/rust
%cargo_generate_buildrequires
cd ../..
%endif
%build
export RUSTFLAGS="%build_rustflags"
export OPENSSL_NO_VENDOR=1
export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 "
%pyproject_wheel
%install
# Actually other *.c and *.h are appropriate
# see https://github.com/pyca/cryptography/issues/1463
find . -name .keep -print -delete
%pyproject_install
%pyproject_save_files %{srcname}
%check
%if %{with tests}
%if 0%{?rhel}
# skip benchmark, hypothesis, and pytz tests on RHEL
rm -rf tests/bench tests/hypothesis tests/x509
# append skipper to skip iso8601 and pretend tests
cat < %{SOURCE2} >> tests/conftest.py
%endif
# enable SHA-1 signatures for RSA tests
# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343
export OPENSSL_ENABLE_SHA1_SIGNATURES=yes
# see https://github.com/pyca/cryptography/issues/4885 and
# see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
# see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes
# not much sense for downstream testing.
# see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure
PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
%{__python3} -m pytest \
--ignore vendor \
-k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)"
%endif
%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files}
%doc README.rst docs
%license LICENSE LICENSE.APACHE LICENSE.BSD
%changelog
%autochangelog

View File

@ -1,2 +0,0 @@
SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7
SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924

View File

@ -1,70 +0,0 @@
---
#
# 1minutetip --buildroot rhel10
#
- hosts: localhost
tags:
- classic
roles:
- role: standard-test-source
required_packages:
- rust-toolset
- role: standard-test-basic
required_packages:
- python3-cryptography
- python3-pytest
- python3-pytest-subtests
environment:
PYTHONPATH: "{{ srcdir }}/vectors"
OPENSSL_ENABLE_SHA1_SIGNATURES: "yes"
tests:
- remove_hypothesis:
# remove tests that depend on python3-hypothesis package
dir: "source"
run: rm -rf tests/hypothesis/
- remove_iso8601:
# remove tests that depend on python3-iso8601 package
dir: "source"
run: rm -rf tests/test_fernet.py
- remove_scrypt:
# scrypt tests require more memory than available
dir: "source"
run: rm -f tests/hazmat/primitives/test_scrypt.py
- patch_conftest:
dir: "source"
run: "cat ../conftest-skipper.py >> tests/conftest.py"
# tests take some time, split up to avoid CI timeouts.
- unittests-basic:
dir: "source"
run: pytest-3 tests/test_*.py
- unittests-x509:
dir: "source"
run: pytest-3 tests/x509/
- unittests-hazmat:
dir: "source"
run: pytest-3 -k 'not test_openssl_memleak' tests/hazmat/backends/ tests/hazmat/bindings/
- unittests-primitives-aead:
dir: "source"
run: pytest-3 tests/hazmat/primitives/test_aead.py
- unittests-primitives-aes:
dir: "source"
run: >-
pytest-3
tests/hazmat/primitives/test_aes.py::TestAESModeCBC
tests/hazmat/primitives/test_aes.py::TestAESModeCTR
tests/hazmat/primitives/test_aes_gcm.py::TestAESModeGCM
- unittests-primitives-a-e:
dir: "source"
run: >-
pytest-3
tests/hazmat/primitives/test_arc4.py
tests/hazmat/primitives/test_asym_utils.py
tests/hazmat/primitives/test_[b-e]*.py
- unittests-primitives-f-z:
dir: "source"
run: >-
pytest-3
tests/hazmat/primitives/test_[f-z]*.py
tests/hazmat/primitives/twofactor

View File

@ -1,112 +0,0 @@
#!/usr/bin/python3
"""Vendor PyCA cryptography's Rust crates
"""
import argparse
import os
import re
import tarfile
import tempfile
import shutil
import subprocess
import sys
VENDOR_DIR = "vendor"
CARGO_TOML = "src/rust/Cargo.toml"
RE_VERSION = re.compile(r"Version:\s*(.*)")
parser = argparse.ArgumentParser(description="Vendor Rust packages")
parser.add_argument(
"--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
)
def cargo(cmd, manifest):
args = ["cargo", cmd, f"--manifest-path={manifest}"]
return subprocess.check_call(
args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
)
def tar_reset(tarinfo):
"""Reset user, group, mtime, and mode to create reproducible tar"""
tarinfo.uid = 0
tarinfo.gid = 0
tarinfo.uname = "root"
tarinfo.gname = "root"
tarinfo.mtime = 0
if tarinfo.type == tarfile.DIRTYPE:
tarinfo.mode = 0o755
else:
tarinfo.mode = 0o644
if tarinfo.pax_headers:
raise ValueError(tarinfo.name, tarinfo.pax_headers)
return tarinfo
def tar_reproducible(tar, basedir):
"""Create reproducible tar file"""
content = [basedir]
for root, dirs, files in os.walk(basedir):
for directory in dirs:
content.append(os.path.join(root, directory))
for filename in files:
content.append(os.path.join(root, filename))
content.sort()
for fn in content:
tar.add(fn, filter=tar_reset, recursive=False, arcname=fn)
def main():
args = parser.parse_args()
spec = args.spec
# change cwd to work in bundle directory
here = os.path.dirname(os.path.abspath(spec))
os.chdir(here)
# extract version number from bundle name
with open(spec) as f:
for line in f:
mo = RE_VERSION.search(line)
if mo is not None:
version = mo.group(1)
break
else:
raise ValueError(f"Cannot find version in {spec}")
bundle_file = f"cryptography-{version}.tar.gz"
vendor_file = f"cryptography-{version}-vendor.tar.bz2"
# remove existing vendor directory and file
if os.path.isdir(VENDOR_DIR):
shutil.rmtree(VENDOR_DIR)
try:
os.unlink(vendor_file)
except FileNotFoundError:
pass
print(f"Getting crates for {bundle_file}", file=sys.stderr)
# extract tar file in tempdir
# fetch and vendor Rust crates
with tempfile.TemporaryDirectory(dir=here) as tmp:
with tarfile.open(bundle_file) as tar:
tar.extractall(path=tmp)
manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
cargo("fetch", manifest)
cargo("vendor", manifest)
print("\nCreating tar ball...", file=sys.stderr)
with tarfile.open(vendor_file, "x:bz2") as tar:
tar_reproducible(tar, VENDOR_DIR)
# remove vendor dir
shutil.rmtree(VENDOR_DIR)
parser.exit(0, f"Created {vendor_file}\n")
if __name__ == "__main__":
main()