Update to v43.0.0

Additionally, this builds the package with OPENSSL_NO_ENGINE=1 This drops the skip-overflow-tests-32bit.patch as its included in v43.0.0. It picks up the patch in https://github.com/pyca/cryptography/pull/11328 to allow building with OPENSSL_NO_ENGINE=1.
2024-07-24 16:23:21 -04:00 · 2024-07-24 16:23:21 -04:00 · 696a6afd84
commit 696a6afd84
parent 4dc6d7b0ba
5 changed files with 43 additions and 83 deletions
--- a/.gitignore
+++ b/.gitignore
@ -65,3 +65,5 @@
 /cryptography-42.0.5-vendor.tar.bz2
 /cryptography-42.0.8.tar.gz
 /cryptography-42.0.8-vendor.tar.bz2
+/cryptography-43.0.0.tar.gz
+/cryptography-43.0.0-vendor.tar.bz2
--- a/11328.patch
+++ b/11328.patch
@ -0,0 +1,36 @@
+From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Mon, 22 Jul 2024 09:09:05 +0200
+Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined
+
+Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE
+support. Downstream has moved `openssl/engine.h` into a separate RPM
+package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The
+compiler flag disables PyCA cryptography's ENGINE support successfully.
+We also like to build the downstream package without the `engine.h`
+header file present.
+
+This commit makes the include conditional. The `ENGINE` type is
+defined in `openssl/types.h`.
+
+See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide
+See: https://issues.redhat.com/browse/RHEL-33747
+Signed-off-by: Christian Heimes <christian@python.org>
+---
+ src/_cffi_src/openssl/engine.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py
+index 9629a2c8f929..f47e20327003 100644
+--- a/src/_cffi_src/openssl/engine.py
+++ b/src/_cffi_src/openssl/engine.py
+@@ -5,7 +5,9 @@
+ from __future__ import annotations
+ 
+ INCLUDES = """
+#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL
+ #include <openssl/engine.h>
+#endif
+ """
+ 
+ TYPES = """
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@ -5,7 +5,7 @@
 %global srcname cryptography

 Name:           python-%{srcname}
-Version:        42.0.8
+Version:        43.0.0
 Release:        %autorelease
 Summary:        PyCA's cryptography library

@ -19,12 +19,11 @@ Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcnam
 Source1:        cryptography-%{version}-vendor.tar.bz2
 Source2:        conftest-skipper.py

-Patch1:         skip-overflow-tests-32bit.patch
+Patch:          11328.patch

 ExclusiveArch:  %{rust_arches}

 BuildRequires:  openssl-devel
-BuildRequires:  openssl-devel-engine
 BuildRequires:  gcc
 BuildRequires:  gnupg2
 %if 0%{?fedora}
@ -97,11 +96,7 @@ cd ../..
 %build
 export RUSTFLAGS="%build_rustflags"
 export OPENSSL_NO_VENDOR=1
-# Temporary work-around for using pyo3 0.20 with Python 3.13 on ELN; This can
-# be dropped when a cryptography release bumps to pyo3 >= 0.22
-%if 0%{?rhel}
-export PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1
-%endif
+export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 "
 %pyproject_wheel


--- a/skip-overflow-tests-32bit.patch
+++ b/skip-overflow-tests-32bit.patch
@ -1,73 +0,0 @@
-From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001
-From: Paul Kehrer <paul.l.kehrer@gmail.com>
-Date: Thu, 8 Feb 2024 09:11:21 -0600
-Subject: [PATCH] skip overflow aead tests on 32-bit systems
-
---
- tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py
-index a1f99ab815ed..2f0d52d82682 100644
--- a/tests/hazmat/primitives/test_aead.py
-+++ b/tests/hazmat/primitives/test_aead.py
-@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend):
- )
- class TestChaCha20Poly1305:
-     @pytest.mark.skipif(
-        sys.platform not in {"linux", "darwin"}, reason="mmap required"
-+        sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31,
-+        reason="mmap and 64-bit platform required",
-     )
-     def test_data_too_large(self):
-         key = ChaCha20Poly1305.generate_key()
-@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend):
- )
- class TestAESCCM:
-     @pytest.mark.skipif(
-        sys.platform not in {"linux", "darwin"}, reason="mmap required"
-+        sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31,
-+        reason="mmap and 64-bit platform required",
-     )
-     def test_data_too_large(self):
-         key = AESCCM.generate_key(128)
-@@ -378,7 +380,8 @@ def _load_gcm_vectors():
- 
- class TestAESGCM:
-     @pytest.mark.skipif(
-        sys.platform not in {"linux", "darwin"}, reason="mmap required"
-+        sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31,
-+        reason="mmap and 64-bit platform required",
-     )
-     def test_data_too_large(self):
-         key = AESGCM.generate_key(128)
-@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend):
- )
- class TestAESOCB3:
-     @pytest.mark.skipif(
-        sys.platform not in {"linux", "darwin"}, reason="mmap required"
-+        sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31,
-+        reason="mmap and 64-bit platform required",
-     )
-     def test_data_too_large(self):
-         key = AESOCB3.generate_key(128)
-@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend):
- )
- class TestAESSIV:
-     @pytest.mark.skipif(
-        sys.platform not in {"linux", "darwin"}, reason="mmap required"
-+        sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31,
-+        reason="mmap and 64-bit platform required",
-     )
-     def test_data_too_large(self):
-         key = AESSIV.generate_key(256)
-@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend):
- )
- class TestAESGCMSIV:
-     @pytest.mark.skipif(
-        sys.platform not in {"linux", "darwin"}, reason="mmap required"
-+        sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31,
-+        reason="mmap and 64-bit platform required",
-     )
-     def test_data_too_large(self):
-         key = AESGCMSIV.generate_key(256)
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (cryptography-42.0.8.tar.gz) = 969e76f9605795e9126a5b896d73e5a958654bf50dd99dbb5d08dac26abb0c45c1695cfb6a114ca22360986fe711bbf3b1ecb6c45955154c352ae3e6ece25568
-SHA512 (cryptography-42.0.8-vendor.tar.bz2) = 57e60a7ae729e2870f1ee07c9978a56a6095f33b0797efcae0846ed53772d24c02528a5906c32941ed58751bdff7a147d094c0deeda3b5593f9892b20725d48c
+SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7
+SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924