.gitignore

@@ -1 +1 @@
-SOURCES/cryptography-3.2.1.tar.gz
+SOURCES/cryptography-2.8.tar.gz

.python-cryptography.metadata

@@ -1 +1 @@
-20708a4955dcf7e2bb53d05418273d2bc0f80ab4 SOURCES/cryptography-3.2.1.tar.gz
+94ef5dc1261a4388572ce3ad9af1515691276d2c SOURCES/cryptography-2.8.tar.gz

SOURCES/0001-Re-add-deprecated-and-removed-features.patch

@@ -1,254 +0,0 @@
-From e3e043ab363387033ddfdcaf3c15d8cf8dda17ed Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Tue, 27 Oct 2020 16:42:15 +0100
-Subject: [PATCH 1] Re-add deprecated and removed features
-
-* encode_rfc6979_signature()
-* decode_rfc6979_signature()
-* Certificate.serial property
-* MACContext
-* osrandom engine is disabled
-
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
----
- .../hazmat/backends/openssl/cmac.py           |  3 +-
- .../hazmat/backends/openssl/hmac.py           |  3 +-
- .../hazmat/backends/openssl/x509.py           |  4 ++
- .../hazmat/primitives/asymmetric/utils.py     |  8 ++++
- src/cryptography/hazmat/primitives/cmac.py    |  3 +-
- src/cryptography/hazmat/primitives/hmac.py    |  3 +-
- src/cryptography/hazmat/primitives/mac.py     | 37 +++++++++++++++++++
- src/cryptography/x509/extensions.py           |  6 ++-
- tests/hazmat/backends/test_openssl.py         |  3 ++
- tests/hazmat/primitives/test_asym_utils.py    |  9 +++++
- tests/x509/test_x509.py                       |  1 +
- tests/x509/test_x509_ext.py                   |  5 +++
- 12 files changed, 80 insertions(+), 5 deletions(-)
- create mode 100644 src/cryptography/hazmat/primitives/mac.py
-
-diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py
-index 195fc230f..5281f634d 100644
---- a/src/cryptography/hazmat/backends/openssl/cmac.py
-+++ b/src/cryptography/hazmat/backends/openssl/cmac.py
-@@ -11,10 +11,11 @@ from cryptography.exceptions import (
-     UnsupportedAlgorithm,
-     _Reasons,
- )
--from cryptography.hazmat.primitives import constant_time
-+from cryptography.hazmat.primitives import constant_time, mac
- from cryptography.hazmat.primitives.ciphers.modes import CBC
- 
- 
-+@utils.register_interface(mac.MACContext)
- class _CMACContext(object):
-     def __init__(self, backend, algorithm, ctx=None):
-         if not backend.cmac_algorithm_supported(algorithm):
-diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py
-index 5024223b2..11c850e10 100644
---- a/src/cryptography/hazmat/backends/openssl/hmac.py
-+++ b/src/cryptography/hazmat/backends/openssl/hmac.py
-@@ -11,9 +11,10 @@ from cryptography.exceptions import (
-     UnsupportedAlgorithm,
-     _Reasons,
- )
--from cryptography.hazmat.primitives import constant_time, hashes
-+from cryptography.hazmat.primitives import constant_time, hashes, mac
- 
- 
-+@utils.register_interface(mac.MACContext)
- @utils.register_interface(hashes.HashContext)
- class _HMACContext(object):
-     def __init__(self, backend, key, algorithm, ctx=None):
-diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py
-index 4d0dac764..c9074f59e 100644
---- a/src/cryptography/hazmat/backends/openssl/x509.py
-+++ b/src/cryptography/hazmat/backends/openssl/x509.py
-@@ -73,6 +73,10 @@ class _Certificate(object):
-         self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL)
-         return _asn1_integer_to_int(self._backend, asn1_int)
- 
-+    @property
-+    def serial(self):
-+        return self.serial_number
-+
-     def public_key(self):
-         pkey = self._backend._lib.X509_get_pubkey(self._x509)
-         if pkey == self._backend._ffi.NULL:
-diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
-index 5f9b67786..886d7565b 100644
---- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
-+++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
-@@ -39,3 +39,11 @@ class Prehashed(object):
-         self._digest_size = algorithm.digest_size
- 
-     digest_size = utils.read_only_property("_digest_size")
-+
-+
-+def decode_rfc6979_signature(signature):
-+    return decode_dss_signature(signature)
-+
-+
-+def encode_rfc6979_signature(r, s):
-+    return encode_dss_signature(r, s)
-diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py
-index bf962c906..7f37f13cc 100644
---- a/src/cryptography/hazmat/primitives/cmac.py
-+++ b/src/cryptography/hazmat/primitives/cmac.py
-@@ -12,9 +12,10 @@ from cryptography.exceptions import (
- )
- from cryptography.hazmat.backends import _get_backend
- from cryptography.hazmat.backends.interfaces import CMACBackend
--from cryptography.hazmat.primitives import ciphers
-+from cryptography.hazmat.primitives import ciphers, mac
- 
- 
-+@utils.register_interface(mac.MACContext)
- class CMAC(object):
-     def __init__(self, algorithm, backend=None, ctx=None):
-         backend = _get_backend(backend)
-diff --git a/src/cryptography/hazmat/primitives/hmac.py b/src/cryptography/hazmat/primitives/hmac.py
-index 8c421dc68..6f03a1071 100644
---- a/src/cryptography/hazmat/primitives/hmac.py
-+++ b/src/cryptography/hazmat/primitives/hmac.py
-@@ -12,9 +12,10 @@ from cryptography.exceptions import (
- )
- from cryptography.hazmat.backends import _get_backend
- from cryptography.hazmat.backends.interfaces import HMACBackend
--from cryptography.hazmat.primitives import hashes
-+from cryptography.hazmat.primitives import hashes, mac
- 
- 
-+@utils.register_interface(mac.MACContext)
- @utils.register_interface(hashes.HashContext)
- class HMAC(object):
-     def __init__(self, key, algorithm, backend=None, ctx=None):
-diff --git a/src/cryptography/hazmat/primitives/mac.py b/src/cryptography/hazmat/primitives/mac.py
-new file mode 100644
-index 000000000..4c95190ba
---- /dev/null
-+++ b/src/cryptography/hazmat/primitives/mac.py
-@@ -0,0 +1,37 @@
-+# This file is dual licensed under the terms of the Apache License, Version
-+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-+# for complete details.
-+
-+from __future__ import absolute_import, division, print_function
-+
-+import abc
-+
-+import six
-+
-+
-+@six.add_metaclass(abc.ABCMeta)
-+class MACContext(object):
-+    @abc.abstractmethod
-+    def update(self, data):
-+        """
-+        Processes the provided bytes.
-+        """
-+
-+    @abc.abstractmethod
-+    def finalize(self):
-+        """
-+        Returns the message authentication code as bytes.
-+        """
-+
-+    @abc.abstractmethod
-+    def copy(self):
-+        """
-+        Return a MACContext that is a copy of the current context.
-+        """
-+
-+    @abc.abstractmethod
-+    def verify(self, signature):
-+        """
-+        Checks if the generated message authentication code matches the
-+        signature.
-+        """
-diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py
-index 130ba69b8..ddbccdf3b 100644
---- a/src/cryptography/x509/extensions.py
-+++ b/src/cryptography/x509/extensions.py
-@@ -218,8 +218,12 @@ class AuthorityKeyIdentifier(object):
- 
-     @classmethod
-     def from_issuer_subject_key_identifier(cls, ski):
-+        if isinstance(ski, SubjectKeyIdentifier):
-+            digest = ski.digest
-+        else:
-+            digest = ski.value.digest
-         return cls(
--            key_identifier=ski.digest,
-+            key_identifier=digest,
-             authority_cert_issuer=None,
-             authority_cert_serial_number=None,
-         )
-diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
-index 2f7e7bebf..73c17d84f 100644
---- a/tests/hazmat/backends/test_openssl.py
-+++ b/tests/hazmat/backends/test_openssl.py
-@@ -301,6 +301,9 @@ class TestOpenSSLRandomEngine(object):
-         res = backend._lib.ENGINE_free(e)
-         assert res == 1
- 
-+    def test_rhel8_no_osrandom(self):
-+        pytest.fail("osrandom engine is not FIPS compliant, see RHBZ#1762667")
-+
- 
- @pytest.mark.skipif(
-     backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE,
-diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
-index 70bff012f..334b459b5 100644
---- a/tests/hazmat/primitives/test_asym_utils.py
-+++ b/tests/hazmat/primitives/test_asym_utils.py
-@@ -10,6 +10,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import (
-     Prehashed,
-     decode_dss_signature,
-     encode_dss_signature,
-+    encode_rfc6979_signature,
-+    decode_rfc6979_signature
- )
- 
- 
-@@ -75,3 +77,10 @@ def test_decode_dss_invalid_asn1():
- def test_pass_invalid_prehashed_arg():
-     with pytest.raises(TypeError):
-         Prehashed(object())
-+
-+
-+def test_deprecated_rfc6979_signature():
-+    sig = encode_rfc6979_signature(1, 1)
-+    assert sig == b"0\x06\x02\x01\x01\x02\x01\x01"
-+    decoded = decode_rfc6979_signature(sig)
-+    assert decoded == (1, 1)
-diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
-index 11c80816c..e5bdf17d4 100644
---- a/tests/x509/test_x509.py
-+++ b/tests/x509/test_x509.py
-@@ -685,6 +685,7 @@ class TestRSACertificate(object):
-         )
-         assert isinstance(cert, x509.Certificate)
-         assert cert.serial_number == 11559813051657483483
-+        assert cert.serial == cert.serial_number
-         fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1()))
-         assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8"
-         assert isinstance(cert.signature_hash_algorithm, hashes.SHA1)
-diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py
-index 2cd216fb6..ac2b2c03d 100644
---- a/tests/x509/test_x509_ext.py
-+++ b/tests/x509/test_x509_ext.py
-@@ -3442,6 +3442,11 @@ class TestAuthorityKeyIdentifierExtension(object):
-         )
-         assert ext.value == aki
- 
-+        aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
-+            ski_ext
-+        )
-+        assert ext.value == aki
-+
- 
- class TestNameConstraints(object):
-     def test_ipaddress_wrong_type(self):
--- 
-2.26.2
-

SOURCES/0002-Support-pytest-3.4.2.patch

@@ -1,86 +0,0 @@
-From c1c1b14d359b1360e7d14a7c0687bef9ed6fc17c Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Wed, 28 Oct 2020 14:27:55 +0100
-Subject: [PATCH 2] Support pytest 3.4.2
-
----
- setup.py            | 3 ++-
- tests/conftest.py   | 4 ++--
- tests/test_utils.py | 4 ++--
- tests/utils.py      | 2 +-
- 4 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/setup.py b/setup.py
-index 82800a96e..5678db004 100644
---- a/setup.py
-+++ b/setup.py
-@@ -93,7 +93,8 @@ setup(
-     extras_require={
-         ":python_version < '3'": ["enum34", "ipaddress"],
-         "test": [
--            "pytest>=3.6.0,!=3.9.0,!=3.9.1,!=3.9.2",
-+            "pytest>=3.4.2,<3.6",
-+            "attrs>=17.4.0,<18.0",
-             "pretend",
-             "iso8601",
-             "pytz",
-diff --git a/tests/conftest.py b/tests/conftest.py
-index 4e3124fa7..53c194830 100644
---- a/tests/conftest.py
-+++ b/tests/conftest.py
-@@ -42,7 +42,7 @@ def pytest_generate_tests(metafunc):
- 
- def pytest_runtest_setup(item):
-     if openssl_backend._fips_enabled:
--        for marker in item.iter_markers(name="skip_fips"):
-+        for marker in item.get_marker(name="skip_fips") or []:
-             pytest.skip(marker.kwargs["reason"])
- 
- 
-@@ -50,7 +50,7 @@ def pytest_runtest_setup(item):
- def backend(request):
-     required_interfaces = [
-         mark.kwargs["interface"]
--        for mark in request.node.iter_markers("requires_backend_interface")
-+        for mark in request.node.get_marker("requires_backend_interface") or []
-     ]
-     if not all(
-         isinstance(openssl_backend, iface) for iface in required_interfaces
-diff --git a/tests/test_utils.py b/tests/test_utils.py
-index d6afa3b34..e0a1be4f5 100644
---- a/tests/test_utils.py
-+++ b/tests/test_utils.py
-@@ -43,7 +43,7 @@ def test_check_backend_support_skip():
-     supported = pretend.stub(
-         kwargs={"only_if": lambda backend: False, "skip_message": "Nope"}
-     )
--    node = pretend.stub(iter_markers=lambda x: [supported])
-+    node = pretend.stub(get_marker=lambda x: [supported])
-     item = pretend.stub(node=node)
-     with pytest.raises(pytest.skip.Exception) as exc_info:
-         check_backend_support(True, item)
-@@ -54,7 +54,7 @@ def test_check_backend_support_no_skip():
-     supported = pretend.stub(
-         kwargs={"only_if": lambda backend: True, "skip_message": "Nope"}
-     )
--    node = pretend.stub(iter_markers=lambda x: [supported])
-+    node = pretend.stub(get_marker=lambda x: [supported])
-     item = pretend.stub(node=node)
-     assert check_backend_support(None, item) is None
- 
-diff --git a/tests/utils.py b/tests/utils.py
-index 5d98af00e..a08f79c34 100644
---- a/tests/utils.py
-+++ b/tests/utils.py
-@@ -27,7 +27,7 @@ KeyedHashVector = collections.namedtuple(
- 
- 
- def check_backend_support(backend, item):
--    for mark in item.node.iter_markers("supported"):
-+    for mark in item.node.get_marker("supported") or []:
-         if not mark.kwargs["only_if"](backend):
-             pytest.skip("{} ({})".format(mark.kwargs["skip_message"], backend))
- 
--- 
-2.26.2
-

SOURCES/0003-Skip-iso8601-test-cases.patch

@@ -1,73 +0,0 @@
-From bea141d25bd2bc4eea7527e2d6ec1d85b2b3806d Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Thu, 29 Oct 2020 09:21:06 +0100
-Subject: [PATCH 3] Skip iso8601 test cases
-
----
- tests/test_fernet.py | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-diff --git a/tests/test_fernet.py b/tests/test_fernet.py
-index 38409b03e..343f3e4ec 100644
---- a/tests/test_fernet.py
-+++ b/tests/test_fernet.py
-@@ -10,7 +10,10 @@ import json
- import os
- import time
- 
--import iso8601
-+try:
-+    import iso8601
-+except ImportError:
-+    iso8601 = None
- 
- import pytest
- 
-@@ -24,6 +27,12 @@ from cryptography.hazmat.primitives.ciphers import algorithms, modes
- import cryptography_vectors
- 
- 
-+skip_iso8601 = pytest.mark.skipif(
-+    iso8601 is None,
-+    reason="is8601 is not available"
-+)
-+
-+
- def json_parametrize(keys, filename):
-     vector_file = cryptography_vectors.open_vector_file(
-         os.path.join("fernet", filename), "r"
-@@ -49,6 +58,7 @@ def test_default_backend():
-     skip_message="Does not support AES CBC",
- )
- class TestFernet(object):
-+    @skip_iso8601
-     @json_parametrize(
-         ("secret", "now", "iv", "src", "token"),
-         "generate.json",
-@@ -62,6 +72,7 @@ class TestFernet(object):
-         )
-         assert actual_token == token.encode("ascii")
- 
-+    @skip_iso8601
-     @json_parametrize(
-         ("secret", "now", "src", "ttl_sec", "token"),
-         "verify.json",
-@@ -81,6 +92,7 @@ class TestFernet(object):
-         payload = f.decrypt(token.encode("ascii"), ttl=ttl_sec)
-         assert payload == src.encode("ascii")
- 
-+    @skip_iso8601
-     @json_parametrize(("secret", "token", "now", "ttl_sec"), "invalid.json")
-     def test_invalid(self, secret, token, now, ttl_sec, backend, monkeypatch):
-         f = Fernet(secret.encode("ascii"), backend=backend)
-@@ -117,6 +129,7 @@ class TestFernet(object):
-         with pytest.raises(TypeError):
-             f.decrypt(u"")
- 
-+    @skip_iso8601
-     def test_timestamp_ignored_no_ttl(self, monkeypatch, backend):
-         f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), backend=backend)
-         pt = b"encrypt me"
--- 
-2.26.2
-

SOURCES/0004-Revert-remove-NPN-bindings.patch

@@ -1,75 +0,0 @@
-From e8ed37e0d24a1cc7482ab816ed5f25243395b2ef Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Mon, 14 Dec 2020 14:13:53 +0100
-Subject: [PATCH] Revert "remove NPN bindings -- you should be using ALPN!
- (#4765)"
-
-This reverts commit 99bf4e4605cbe54bad597da1ebe4cc323909083c.
----
- src/_cffi_src/openssl/ssl.py          | 20 +++++++++++++++++++-
- tests/hazmat/bindings/test_openssl.py |  4 ++++
- 2 files changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
-index c38e309a1..fa854f5dd 100644
---- a/src/_cffi_src/openssl/ssl.py
-+++ b/src/_cffi_src/openssl/ssl.py
-@@ -138,6 +138,8 @@ static const long SSL3_RANDOM_SIZE;
- static const long TLS_ST_BEFORE;
- static const long TLS_ST_OK;
- 
-+static const long OPENSSL_NPN_NEGOTIATED;
-+
- typedef ... SSL_METHOD;
- typedef ... SSL_CTX;
- 
-@@ -401,9 +403,25 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *);
- 
- long SSL_session_reused(SSL *);
- 
-+void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *,
-+                                           int (*)(SSL *,
-+                                                   const unsigned char **,
-+                                                   unsigned int *,
-+                                                   void *),
-+                                           void *);
-+void SSL_CTX_set_next_proto_select_cb(SSL_CTX *,
-+                                      int (*)(SSL *,
-+                                              unsigned char **,
-+                                              unsigned char *,
-+                                              const unsigned char *,
-+                                              unsigned int,
-+                                              void *),
-+                                      void *);
- int SSL_select_next_proto(unsigned char **, unsigned char *,
-                           const unsigned char *, unsigned int,
-                           const unsigned char *, unsigned int);
-+void SSL_get0_next_proto_negotiated(const SSL *,
-+                                    const unsigned char **, unsigned *);
- 
- int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *);
- const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int);
-@@ -601,7 +619,7 @@ static const long Cryptography_HAS_TLSv1_2 = 1;
- static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
- static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
- static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
--static const long Cryptography_HAS_NEXTPROTONEG = 0;
-+static const long Cryptography_HAS_NEXTPROTONEG = 1;
- static const long Cryptography_HAS_ALPN = 1;
- 
- #if CRYPTOGRAPHY_IS_LIBRESSL
-diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
-index ecee34091..aeb12a0dc 100644
---- a/tests/hazmat/bindings/test_openssl.py
-+++ b/tests/hazmat/bindings/test_openssl.py
-@@ -137,3 +137,7 @@ class TestOpenSSL(object):
-         )
-         with pytest.raises(RuntimeError):
-             _verify_openssl_version(lib)
-+
-+    def test_npn_binding(self):
-+        b = Binding()
-+        assert b.lib.Cryptography_HAS_NEXTPROTONEG
--- 
-2.29.2
-

SOURCES/0005-CVE-2020-36242.patch

@@ -1,18 +0,0 @@
-From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
-From: Paul Kehrer <paul.l.kehrer@gmail.com>
-Date: Sun, 7 Feb 2021 11:04:43 -0600
-Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
-
-diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
-index 2b10681b31..0f96795fdc 100644
---- a/src/cryptography/hazmat/backends/openssl/ciphers.py
-+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
-@@ -16,7 +16,7 @@
- class _CipherContext(object):
-     _ENCRYPT = 1
-     _DECRYPT = 0
--    _MAX_CHUNK_SIZE = 2 ** 31 - 1
-+    _MAX_CHUNK_SIZE = 2 ** 30 - 1
- 
-     def __init__(self, backend, cipher, mode, operation):
-         self._backend = backend

SOURCES/0006-CVE-2023-23931.patch

@@ -1,42 +0,0 @@
-From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor <alex.gaynor@gmail.com>
-Date: Tue, 31 Jan 2023 08:33:54 -0500
-Subject: [PATCH] Don't allow update_into to mutate immutable objects
-
----
- src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
- tests/hazmat/primitives/test_ciphers.py             | 8 ++++++++
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
-index 286583f9325..075d68fb905 100644
---- a/src/cryptography/hazmat/backends/openssl/ciphers.py
-+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
-@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int:
-         data_processed = 0
-         total_out = 0
-         outlen = self._backend._ffi.new("int *")
--        baseoutbuf = self._backend._ffi.from_buffer(buf)
-+        baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
-         baseinbuf = self._backend._ffi.from_buffer(data)
- 
-         while data_processed != total_data_len:
-diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
-index 02127dd9cab..bf3b047dec2 100644
---- a/tests/hazmat/primitives/test_ciphers.py
-+++ b/tests/hazmat/primitives/test_ciphers.py
-@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend):
-         with pytest.raises(ValueError):
-             encryptor.update_into(b"testing", buf)
- 
-+    def test_update_into_immutable(self, backend):
-+        key = b"\x00" * 16
-+        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
-+        encryptor = c.encryptor()
-+        buf = b"\x00" * 32
-+        with pytest.raises((TypeError, BufferError)):
-+            encryptor.update_into(b"testing", buf)
-+
-     @pytest.mark.supported(
-         only_if=lambda backend: backend.cipher_supported(
-             AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)

SPECS/python-cryptography.spec

@@ -1,137 +1,226 @@
+%if 0%{?fedora} || 0%{?rhel} > 7
+# Enable python3 build by default
+%bcond_without python3
+%else
+%bcond_with python3
+%endif
+
+%if 0%{?fedora} > 31 || 0%{?rhel} > 7
+# Disable python2 build by default
+%bcond_with python2
+%else
+%bcond_without python2
+%endif
+
+%bcond_with tests
+
 %{!?python3_pkgversion:%global python3_pkgversion 3}
 
 %global srcname cryptography
-# rhbz#2172416: from_buffer(..., require_writable=True)
-%global cffi_version 1.11.5-6
 
 Name:           python-%{srcname}
-Version:        3.2.1
-Release:        7%{?dist}
+Version:        2.8
+Release:        3%{?dist}
 Summary:        PyCA's cryptography library
 
-Group:          Development/Libraries
 License:        ASL 2.0 or BSD
 URL:            https://cryptography.io/en/latest/
 Source0:        https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz
 
-Patch0001:      0001-Re-add-deprecated-and-removed-features.patch
-Patch0002:      0002-Support-pytest-3.4.2.patch
-Patch0003:	0003-Skip-iso8601-test-cases.patch
-Patch0004:	0004-Revert-remove-NPN-bindings.patch
-Patch0005:	0005-CVE-2020-36242.patch
-# https://github.com/pyca/cryptography/pull/8230
-Patch0006:		0006-CVE-2023-23931.patch
+# Exclude i686 arch. Due to a modularity issue it's being added to the
+# x86_64 compose of CRB, but we don't want to ship it at all.
+# See: https://projects.engineering.redhat.com/browse/RCM-72605
+ExcludeArch: i686
 
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
 
+%if 0%{?with_python2}
+BuildRequires:  python2-asn1crypto >= 0.21
+BuildRequires:  python2-cffi >= 1.7
+BuildRequires:  python2-cryptography-vectors = %{version}
+BuildRequires:  python2-devel
+BuildRequires:  python2-enum34
+BuildRequires:  python2-idna >= 2.1
+BuildRequires:  python2-ipaddress
+BuildRequires:  python2-setuptools
+BuildRequires:  python2-six >= 1.4.1
+
+%if %{with tests}
+BuildRequires:  python2-hypothesis >= 1.11.4
+BuildRequires:  python2-iso8601
+BuildRequires:  python2-pretend
+BuildRequires:  python2-pytest >= 3.2.1
+BuildRequires:  python2-pytz
+%endif
+%endif
+
+%if 0%{?with_python3}
+BuildRequires:  python%{python3_pkgversion}-asn1crypto >= 0.21
+BuildRequires:  python%{python3_pkgversion}-cffi >= 1.7
 BuildRequires:  python%{python3_pkgversion}-devel
-BuildRequires:  python%{python3_pkgversion}-pytest >= 3.4.2
+BuildRequires:  python%{python3_pkgversion}-idna >= 2.1
 BuildRequires:  python%{python3_pkgversion}-setuptools
-BuildRequires:  python%{python3_pkgversion}-pretend
-# BuildRequires:  python{python3_pkgversion}-iso8601
-BuildRequires:  python%{python3_pkgversion}-cryptography-vectors = %{version}
-BuildRequires:  python%{python3_pkgversion}-pytz
 BuildRequires:  python%{python3_pkgversion}-six >= 1.4.1
-BuildRequires:  python%{python3_pkgversion}-cffi >= %{cffi_version}
+BuildRequires:  python%{python3_pkgversion}-rpm-macros
+
+%if %{with tests}
+BuildRequires:  python%{python3_pkgversion}-cryptography-vectors = %{version}
+BuildRequires:  python%{python3_pkgversion}-hypothesis >= 1.11.4
+BuildRequires:  python%{python3_pkgversion}-iso8601
+BuildRequires:  python%{python3_pkgversion}-pretend
+BuildRequires:  python%{python3_pkgversion}-pytest >= 3.2.1
+BuildRequires:  python%{python3_pkgversion}-pytz
+%endif
+%endif
 
 %description
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
 
+%if 0%{?with_python2}
+%package -n  python2-%{srcname}
+Summary:        PyCA's cryptography library
+
+%if 0%{?with_python3}
+%{?python_provide:%python_provide python2-%{srcname}}
+%else
+Provides:       python-%{srcname}
+%endif
+
+Requires:       openssl-libs
+Requires:       python2-idna >= 2.1
+Requires:       python2-asn1crypto >= 0.21
+Requires:       python2-six >= 1.4.1
+Requires:       python2-cffi >= 1.7
+Requires:       python2-enum34
+Requires:       python2-ipaddress
+
+%description -n python2-%{srcname}
+cryptography is a package designed to expose cryptographic primitives and
+recipes to Python developers.
+%endif
+
+%if 0%{?with_python3}
 %package -n  python%{python3_pkgversion}-%{srcname}
-Group:          Development/Libraries
 Summary:        PyCA's cryptography library
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
 
 Requires:       openssl-libs
+Requires:       python%{python3_pkgversion}-idna >= 2.1
+Requires:       python%{python3_pkgversion}-asn1crypto >= 0.21
 Requires:       python%{python3_pkgversion}-six >= 1.4.1
-Requires:       python%{python3_pkgversion}-cffi >= %{cffi_version}
-Conflicts:      python%{python3_pkgversion}-cryptography-vectors < %{version}
-Conflicts:      python%{python3_pkgversion}-cryptography-vectors > %{version}
+Requires:       python%{python3_pkgversion}-cffi >= 1.7
 
 %description -n python%{python3_pkgversion}-%{srcname}
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
-
+%endif
 
 %prep
 %autosetup -p1 -n %{srcname}-%{version}
 
-
 %build
+%if 0%{?with_python2}
+%py2_build
+%endif
+%if 0%{?with_python3}
 %py3_build
-
+%endif
 
 %install
 # Actually other *.c and *.h are appropriate
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
-%py3_install
 
+%if 0%{?with_python2}
+%py2_install
+%endif
+%if 0%{?with_python3}
+%py3_install
+%endif
 
 %check
-# workaround for pytest 3.2.0 bug https://github.com/pytest-dev/pytest/issues/2644
-rm -f tests/hazmat/primitives/test_padding.py
-# don't run hypothesis tests
-rm -rf tests/hypothesis
-PYTHONPATH=%{buildroot}%{python3_sitearch} \
-    %{__python3} -m pytest \
-    -k "not test_decrypt_invalid_decrypt"
+%if %{with tests}
+%if 0%{?with_python2}
+# see https://github.com/pyca/cryptography/issues/4885 and
+# see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
+PYTHONPATH=%{buildroot}%{python2_sitearch} %{__python2} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
+%endif
+
+%if 0%{?with_python3}
+PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
+%endif
+%endif
 
 
+%if 0%{?with_python2}
+%files -n python2-%{srcname}
+%doc LICENSE LICENSE.APACHE LICENSE.BSD README.rst docs
+%{python2_sitearch}/%{srcname}
+%{python2_sitearch}/%{srcname}-%{version}-py*.egg-info
+%endif
+
+
+%if 0%{?with_python3}
 %files -n python%{python3_pkgversion}-%{srcname}
 %doc README.rst docs
 %license LICENSE LICENSE.APACHE LICENSE.BSD
 %{python3_sitearch}/%{srcname}
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
+%endif
 
 
 %changelog
-* Fri Dec 01 2023 Christian Heimes <cheimes@redhat.com> - 3.2.1-7
-- Fix FTBFS caused by rsa_pkcs1_implicit_rejection OpenSSL feature, resolves: RHEL-17873
+* Fri Dec 13 2019 Tomas Orsava <torsava@redhat.com> - 2.8-3
+- Exclude unsupported i686 arch
 
-* Wed Feb 22 2023 Christian Heimes <cheimes@redhat.com> - 3.2.1-6
-- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2172404
+* Thu Nov 21 2019 Lumír Balhar <lbalhar@redhat.com> - 2.8-2
+- Adjusted for Python 3.8 module in RHEL 8
 
-* Tue Jun 08 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-5
-- Rebuild for RHEL 8.5
-- Resolves: rhbz#1933071
+* Thu Oct 17 2019 Christian Heimes <cheimes@redhat.com> - 2.8-1
+- Update to 2.8
+- Resolves: rhbz#1762779
 
-* Tue Feb 09 2021 Christian Heimes <cheimes@redhat.com> - 3.2.1-4
-- CVE-2020-36242: Fixed a bug where certain sequences of update() calls
-  when symmetrically encrypting very large payloads (>2GB) could result
-  in an integer overflow, leading to buffer overflows.
-- Resolves: rhbz#1926528
+* Sun Oct 13 2019 Christian Heimes <cheimes@redhat.com> - 2.7-3
+- Skip unit tests that fail with OpenSSL 1.1.1.d
+- Resolves: rhbz#1761194
+- Fix and simplify Python 3 packaging
 
-* Mon Dec 14 17:24:01 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-3
-- Conflict with non-matching vector package
+* Sat Oct 12 2019 Christian Heimes <cheimes@redhat.com> - 2.7-2
+- Drop Python 2 package
+- Resolves: rhbz#1761081
 
-* Mon Dec 14 14:19:42 CET 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-2
-- Re-add remove NPN bindings, required for pyOpenSSL
-- Resolves: rhbz#1907429
+* Tue Sep 03 2019 Randy Barlow <bowlofeggs@fedoraproject.org> - 2.7-1
+- Update to 2.7 (#1715680).
 
-* Wed Oct 28 2020 Christian Heimes <cheimes@redhat.com> - 3.2.1-1
-- Rebase to upstream release 3.2.1
-- Resolves: rhbz#1873581
-- Resolves: rhbz#1778939
-- Removed dependencies on python-asn1crypto, python-idna
+* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.6.1-3
+- Rebuilt for Python 3.8
 
-* Tue Nov 12 2019 Christian Heimes <cheimes@redhat.com> - 2.3-3
-- Don't activate custom osrandom engine for FIPS compliance
-- Resolves: rhbz#1762667
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.6.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Feb 28 2019 Christian Heimes <cheimes@redhat.com> - 2.6.1-1
+- New upstream release 2.6.1, resolves RHBZ#1683691
+
+* Wed Feb 13 2019 Alfredo Moralejo <amoralej@redhat.com> - 2.5-1
+- Updated to 2.5.
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 
 * Mon Aug 13 2018 Christian Heimes <cheimes@redhat.com> - 2.3-2
-- Use TLSv1.2 in test as workaround for RHBZ#1615099
-- Resolves: RHBZ#1611738
+- Use TLSv1.2 in test as workaround for RHBZ#1615143
 
 * Wed Jul 18 2018 Christian Heimes <cheimes@redhat.com> - 2.3-1
 - New upstream release 2.3
-- Fix AEAD tag truncation bug, CVE-2018-10903, RHBZ#1602755, RHBZ#1602932
+- Fix AEAD tag truncation bug, RHBZ#1602752
 
-* Tue Jun 19 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-2
-- Drop Python 2 subpackages from RHEL 8, fixes RHBZ#1589754
-- Remove unnecessary copy and shebang mangling
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.2.1-2
+- Rebuilt for Python 3.7
 
 * Wed Mar 21 2018 Christian Heimes <cheimes@redhat.com> - 2.2.1-1
 - New upstream release 2.2.1
@@ -148,130 +237,3 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} \
 
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Thu Nov 23 2017 Haïkel Guémar <hguemar@fedoraproject.org> - 2.1.3-1
-- Upstream 2.1.3
-
-* Tue Oct 24 2017 Christian Heimes <cheimes@redhat.com> - 2.1-2
-- Change Requires to openssl-libs
-
-* Thu Oct 12 2017 Christian Heimes <cheimes@redhat.com> - 2.1-1
-- New upstream release 2.1
-
-* Wed Sep 27 2017 Troy Dawson <tdawson@redhat.com> - 2.0.2-3
-- Cleanup spec file conditionals
-
-* Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-2
-- Add workaround for pytest bug
-
-* Thu Aug 03 2017 Christian Heimes <cheimes@redhat.com> - 2.0.2-1
-- New upstream release 2.0.2
-- Modernize spec
-
-* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
-
-* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.9-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Tue Jun 27 2017 Christian Heimes <cheimes@redhat.com> - 1.9-1
-- Upstream release 1.9
-
-* Wed Feb 15 2017 Christian Heimes <cheimes@redhat.com> - 1.7.2-1
-- Update to latest upstream
-
-* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.1-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
-
-* Thu Jan 05 2017 Matěj Cepl <mcepl@redhat.com> - 1.7.1-1
-- Update to the latest upstream.
-- Add a patch from https://github.com/pyca/cryptography/pull/3328
-
-* Tue Dec 13 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-5
-- Enable tests
-
-* Mon Dec 12 2016 Charalampos Stratakis <cstratak@redhat.com> - 1.5.3-4
-- Rebuild for Python 3.6
-- Disable python3 tests for now
-
-* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-3
-- Revert previous change
-
-* Thu Nov 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-2
-- Disable tests on releases earlier than 24
-
-* Mon Nov 07 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.5.3-1
-- Update to v1.5.3
-- Update source URL
-- Add BR for pytz
-
-* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.3.1-4
-- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
-
-* Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-3
-- Remove versioned setuptools dependency
-
-* Tue May 10 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-2
-- Make it easier to build on EL7
-
-* Tue May 03 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.3.1-1
-- Update to v1.3.1
-
-* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
-
-* Mon Jan 11 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-2
-- Move python-cryptograph => python2-cryptography
-
-* Sat Jan 09 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1.2.1-1
-- Update to v1.2.1
-
-* Wed Nov 11 2015 Robert Kuska <rkuska@redhat.com> - 1.1-1
-- Update to v1.1
-
-* Wed Nov 04 2015 Robert Kuska <rkuska@redhat.com> - 1.0.2-2
-- Rebuilt for Python3.5 rebuild
-
-* Wed Sep 30 2015 Matěj Cepl <mcepl@redhat.com> - 1.0.2-1
-- New upstream release (fix #1267548)
-
-* Wed Aug 12 2015 Nathaniel McCallum <npmccallum@redhat.com> - 1.0-1
-- New upstream release
-
-* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
-
-* Thu May 14 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.9-1
-- New upstream release
-- Run tests on RHEL
-- New deps: python-idna, python-ipaddress
-
-* Fri Apr 17 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8.2-1
-- New upstream release
-- Add python3-pyasn1 Requires (#1211073)
-
-* Tue Apr 14 2015 Matej Cepl <mcepl@redhat.com> - 0.8-2
-- Add python-pyasn1 Requires (#1211073)
-
-* Fri Mar 13 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.8-1
-- New upstream release
-- Remove upstreamed patch
-
-* Wed Mar 04 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-2
-- Add python3-cryptography-vectors build requires
-- Add python-enum34 requires
-
-* Tue Feb 03 2015 Nathaniel McCallum <npmccallum@redhat.com> - 0.7.2-1
-- New upstream release. BSD is now an optional license.
-- Fix test running on python3
-- Add upstream patch to fix test paths
-
-* Fri Nov 07 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-2
-- Fix requires, for reasons why other development files were not
-  eliminated see https://github.com/pyca/cryptography/issues/1463.
-
-* Wed Nov 05 2014 Matej Cepl <mcepl@redhat.com> - 0.6.1-1
-- New upstream release.
-
-* Sun Jun 29 2014 Terry Chia <terrycwk1994@gmail.com> 0.4-1
-- initial version