From ddbe35c909e48946cd8736280c8d17c8de9340e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Sun, 29 Apr 2018 17:00:13 +0000 Subject: [PATCH 001/111] Run tests with python2, not python --- python-cryptography.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 219b017..57633d9 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -134,7 +134,7 @@ popd %check # workaround for pytest 3.2.0 bug https://github.com/pytest-dev/pytest/issues/2644 rm -f tests/hazmat/primitives/test_padding.py -%{__python} setup.py test +%{__python2} setup.py test %if 0%{?with_python3} pushd %{py3dir} From 8390e45d004b112578921ad356d375c1044c3ddd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Fri, 15 Jun 2018 21:00:07 +0200 Subject: [PATCH 002/111] Rebuilt for Python 3.7 --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 57633d9..02ee669 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -11,7 +11,7 @@ Name: python-%{srcname} Version: 2.2.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library Group: Development/Libraries @@ -161,6 +161,9 @@ popd %changelog +* Fri Jun 15 2018 Miro Hrončok - 2.2.1-2 +- Rebuilt for Python 3.7 + * Wed Mar 21 2018 Christian Heimes - 2.2.1-1 - New upstream release 2.2.1 From ee5c33e173c21b75012ee2e1655a1c9ebf4feb33 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 13 Jul 2018 23:54:05 +0000 Subject: [PATCH 003/111] - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 02ee669..3e6fd0d 100644 --- a/python-cryptography.spec 
+++ b/python-cryptography.spec @@ -11,7 +11,7 @@ Name: python-%{srcname} Version: 2.2.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library Group: Development/Libraries @@ -161,6 +161,9 @@ popd %changelog +* Fri Jul 13 2018 Fedora Release Engineering - 2.2.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + * Fri Jun 15 2018 Miro Hrončok - 2.2.1-2 - Rebuilt for Python 3.7 From aa22128d5f9c86237a06b71f8ad320af2d4a29fc Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 18 Jul 2018 15:03:14 +0200 Subject: [PATCH 004/111] New upstream release 2.3, fixes security bug RHBZ#1602752 --- .gitignore | 1 + python-cryptography.spec | 8 ++++++-- sources | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 4153e2f..b059147 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,4 @@ /cryptography-2.1.3.tar.gz /cryptography-2.1.4.tar.gz /cryptography-2.2.1.tar.gz +/cryptography-2.3.tar.gz diff --git a/python-cryptography.spec b/python-cryptography.spec index 3e6fd0d..312adbb 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -10,8 +10,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 2.2.1 -Release: 3%{?dist} +Version: 2.3 +Release: 1%{?dist} Summary: PyCA's cryptography library Group: Development/Libraries @@ -161,6 +161,10 @@ popd %changelog +* Wed Jul 18 2018 Christian Heimes - 2.3-1 +- New upstream release 2.3 +- Fix AEAD tag truncation bug, RHBZ#1602752 + * Fri Jul 13 2018 Fedora Release Engineering - 2.2.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild diff --git a/sources b/sources index 209669a..b8c32ea 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (cryptography-2.2.1.tar.gz) = 8fcd7e023ed65b2d8997475639154727a537696e5fcb01206cad2a6b2249702115a2788b7fa623e6bd700040e9ffdd25cc7cae6d002d1c8d4bf64132f4c18afa
+SHA512 (cryptography-2.3.tar.gz) = 75e14020da500fdbbd578f004b22ef3237844185329adf59288b29f1b3ee9dd2005a2c4a933fe8609a59d168012a9f687bab0f31ab39ed6ca325198aa9295e52
From f0e48c20b6d8ab1ad04abd291db54927340cc01b Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 13 Aug 2018 08:56:41 +0200
Subject: [PATCH 005/111] No TLS 1.0 in tests, fixes FTBFS RHBZ#1615143
---
...t-assume-TLSv1-is-available-in-OpenS.patch | 66 +++++++++++++++++++
python-cryptography.spec | 7 +-
2 files changed, 72 insertions(+), 1 deletion(-)
create mode 100644 0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
diff --git a/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch b/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
new file mode 100644
index 0000000..288d3fb
--- /dev/null
+++ b/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
@@ -0,0 +1,66 @@ +From 2716cd2fa55cc867656a3e797797f5a1386afd69 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Sun, 12 Aug 2018 15:48:24 -0400 +Subject: [PATCH] Fixed #4380 -- do not assume TLSv1 is available in OpenSSL + (#4389) + +* Fixed #4380 -- do not assume TLSv1 is available in OpenSSL + +Hallelujah! It's starting to become the case that some OpenSSLs are disabling it. + +* cover this file as well +--- + tests/hazmat/backends/test_openssl.py | 2 +- + tests/hazmat/bindings/test_openssl.py | 9 ++++++--- + 2 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py +index 31b34cd0..e77f5dc3 100644 +--- a/tests/hazmat/backends/test_openssl.py ++++ b/tests/hazmat/backends/test_openssl.py +@@ -115,7 +115,7 @@ class TestOpenSSL(object): + assert len(errors) == 10 + + def test_ssl_ciphers_registered(self): +- meth = backend._lib.TLSv1_method() ++ meth = backend._lib.SSLv23_method() + ctx = backend._lib.SSL_CTX_new(meth) + assert ctx != backend._ffi.NULL + backend._lib.SSL_CTX_free(ctx) +diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py +index 488f64e1..f317f07f 100644 +--- a/tests/hazmat/bindings/test_openssl.py ++++ b/tests/hazmat/bindings/test_openssl.py +@@ -37,7 +37,8 @@ class TestOpenSSL(object): + # Test that we're properly handling 32-bit unsigned on all platforms. + b = Binding() + assert b.lib.SSL_OP_ALL > 0 +- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method()) ++ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method()) ++ assert ctx != b.ffi.NULL + ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) + current_options = b.lib.SSL_CTX_get_options(ctx) + resp = b.lib.SSL_CTX_set_options(ctx, b.lib.SSL_OP_ALL) +@@ -49,7 +50,8 @@ class TestOpenSSL(object): + # Test that we're properly handling 32-bit unsigned on all platforms. 
+ b = Binding() + assert b.lib.SSL_OP_ALL > 0 +- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method()) ++ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method()) ++ assert ctx != b.ffi.NULL + ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) + ssl = b.lib.SSL_new(ctx) + ssl = b.ffi.gc(ssl, b.lib.SSL_free) +@@ -63,7 +65,8 @@ class TestOpenSSL(object): + # Test that we're properly handling 32-bit unsigned on all platforms. + b = Binding() + assert b.lib.SSL_OP_ALL > 0 +- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method()) ++ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method()) ++ assert ctx != b.ffi.NULL + ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) + ssl = b.lib.SSL_new(ctx) + ssl = b.ffi.gc(ssl, b.lib.SSL_free) +-- +2.17.1 + diff --git a/python-cryptography.spec b/python-cryptography.spec index 312adbb..098c1d1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -11,7 +11,7 @@ Name: python-%{srcname} Version: 2.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library Group: Development/Libraries @@ -19,6 +19,8 @@ License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ Source0: https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz +Patch0001: 0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch + BuildRequires: openssl-devel BuildRequires: gcc @@ -161,6 +163,9 @@ popd %changelog +* Mon Aug 13 2018 Christian Heimes - 2.3-2 +- Use TLSv1.2 in test as workaround for RHBZ#1615143 + * Wed Jul 18 2018 Christian Heimes - 2.3-1 - New upstream release 2.3 - Fix AEAD tag truncation bug, RHBZ#1602752 From e0ef913767a4245feb8c211b18420bdc99174911 Mon Sep 17 00:00:00 2001 From: Igor Gnatenko Date: Mon, 28 Jan 2019 20:18:15 +0100 Subject: [PATCH 006/111] Remove obsolete Group tag References: https://fedoraproject.org/wiki/Changes/Remove_Group_Tag --- python-cryptography.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 098c1d1..e503018 100644 --- a/python-cryptography.spec 
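Review bot: The changelog entry added in the `%changelog` hunk reads `Use TLSv1.2 in test as workaround for RHBZ#1615143`, but the patch wired in by the new `Patch0001:` line replaces `TLSv1_method()` with `SSLv23_method()`, which is OpenSSL's version-flexible method and does not pin TLS 1.2. The entry would be accurate as `- Do not assume TLSv1 is available in tests, RHBZ#1615143`. The `Patch0001:` line also has no pointer to where the patch comes from; a comment above it such as `# Upstream pyca/cryptography #4389, drop with the next upstream release that contains it` would tell the next maintainer when it can be removed.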
+++ b/python-cryptography.spec @@ -14,7 +14,6 @@ Version: 2.3 Release: 2%{?dist} Summary: PyCA's cryptography library -Group: Development/Libraries License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ Source0: https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz @@ -61,7 +60,6 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %package -n python2-%{srcname} -Group: Development/Libraries Summary: PyCA's cryptography library %if 0%{?with_python3} @@ -84,7 +82,6 @@ recipes to Python developers. %if 0%{?with_python3} %package -n python%{python3_pkgversion}-%{srcname} -Group: Development/Libraries Summary: PyCA's cryptography library %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} From 3b94213d08285c80f775aa819d4c1faab9b545f5 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 2 Feb 2019 06:14:43 +0000 Subject: [PATCH 007/111] - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index e503018..ad29c28 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -11,7 +11,7 @@ Name: python-%{srcname} Version: 2.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -160,6 +160,9 @@ popd %changelog +* Sat Feb 02 2019 Fedora Release Engineering - 2.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + * Mon Aug 13 2018 Christian Heimes - 2.3-2 - Use TLSv1.2 in test as workaround for RHBZ#1615143 From 437c09bb12d0b3e1795ae236b273a35ea4455af3 Mon Sep 17 00:00:00 2001 
From: Alfredo Moralejo Date: Thu, 14 Feb 2019 12:31:45 -0500 Subject: [PATCH 008/111] Update to 2.5 --- .gitignore | 1 + ...t-assume-TLSv1-is-available-in-OpenS.patch | 66 ------------------- python-cryptography.spec | 13 ++-- sources | 2 +- 4 files changed, 7 insertions(+), 75 deletions(-) delete mode 100644 0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch diff --git a/.gitignore b/.gitignore index b059147..1bdca22 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ /cryptography-2.1.4.tar.gz /cryptography-2.2.1.tar.gz /cryptography-2.3.tar.gz +/cryptography-2.5.tar.gz diff --git a/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch b/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch deleted file mode 100644 index 288d3fb..0000000 --- a/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 2716cd2fa55cc867656a3e797797f5a1386afd69 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Sun, 12 Aug 2018 15:48:24 -0400 -Subject: [PATCH] Fixed #4380 -- do not assume TLSv1 is available in OpenSSL - (#4389) - -* Fixed #4380 -- do not assume TLSv1 is available in OpenSSL - -Hallelujah! It's starting to become the case that some OpenSSLs are disabling it. - -* cover this file as well ---- - tests/hazmat/backends/test_openssl.py | 2 +- - tests/hazmat/bindings/test_openssl.py | 9 ++++++--- - 2 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py -index 31b34cd0..e77f5dc3 100644 ---- a/tests/hazmat/backends/test_openssl.py -+++ b/tests/hazmat/backends/test_openssl.py -@@ -115,7 +115,7 @@ class TestOpenSSL(object): - assert len(errors) == 10 - - def test_ssl_ciphers_registered(self): -- meth = backend._lib.TLSv1_method() -+ meth = backend._lib.SSLv23_method() - ctx = backend._lib.SSL_CTX_new(meth) - assert ctx != backend._ffi.NULL - backend._lib.SSL_CTX_free(ctx) -diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py -index 488f64e1..f317f07f 100644 ---- a/tests/hazmat/bindings/test_openssl.py -+++ b/tests/hazmat/bindings/test_openssl.py -@@ -37,7 +37,8 @@ class TestOpenSSL(object): - # Test that we're properly handling 32-bit unsigned on all platforms. - b = Binding() - assert b.lib.SSL_OP_ALL > 0 -- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method()) -+ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method()) -+ assert ctx != b.ffi.NULL - ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) - current_options = b.lib.SSL_CTX_get_options(ctx) - resp = b.lib.SSL_CTX_set_options(ctx, b.lib.SSL_OP_ALL) -@@ -49,7 +50,8 @@ class TestOpenSSL(object): - # Test that we're properly handling 32-bit unsigned on all platforms. 
- b = Binding() - assert b.lib.SSL_OP_ALL > 0 -- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method()) -+ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method()) -+ assert ctx != b.ffi.NULL - ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) - ssl = b.lib.SSL_new(ctx) - ssl = b.ffi.gc(ssl, b.lib.SSL_free) -@@ -63,7 +65,8 @@ class TestOpenSSL(object): - # Test that we're properly handling 32-bit unsigned on all platforms. - b = Binding() - assert b.lib.SSL_OP_ALL > 0 -- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method()) -+ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method()) -+ assert ctx != b.ffi.NULL - ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) - ssl = b.lib.SSL_new(ctx) - ssl = b.ffi.gc(ssl, b.lib.SSL_free) --- -2.17.1 - diff --git a/python-cryptography.spec b/python-cryptography.spec index ad29c28..717fcc5 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -10,16 +10,14 @@ %global srcname cryptography Name: python-%{srcname} -Version: 2.3 -Release: 3%{?dist} +Version: 2.5 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ Source0: https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz -Patch0001: 0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch - BuildRequires: openssl-devel BuildRequires: gcc @@ -131,14 +129,10 @@ popd %check -# workaround for pytest 3.2.0 bug https://github.com/pytest-dev/pytest/issues/2644 -rm -f tests/hazmat/primitives/test_padding.py %{__python2} setup.py test %if 0%{?with_python3} pushd %{py3dir} -# workaround for pytest 3.2.0 bug https://github.com/pytest-dev/pytest/issues/2644 -rm -f tests/hazmat/primitives/test_padding.py %{__python3} setup.py test popd %endif @@ -160,6 +154,9 @@ popd %changelog +* Wed Feb 13 2019 Alfredo Moralejo - 2.5-1 +- Updated to 2.5. + * Sat Feb 02 2019 Fedora Release Engineering - 2.3-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild diff --git a/sources b/sources index b8c32ea..d7ff933 100644 --- a/sources 
+++ b/sources @@ -1 +1 @@ -SHA512 (cryptography-2.3.tar.gz) = 75e14020da500fdbbd578f004b22ef3237844185329adf59288b29f1b3ee9dd2005a2c4a933fe8609a59d168012a9f687bab0f31ab39ed6ca325198aa9295e52 +SHA512 (cryptography-2.5.tar.gz) = 5e8f8818fcaa8143526006b027107b8afbdc925d40c846701e65b2c7ee02235b7e0918246515520ef2030b1c87bb157d0d403c28ad68c31459d677af7e2d0b3f From 080edf51050a630704457b2639f80cf8957b7712 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 28 Feb 2019 10:16:02 +0100 Subject: [PATCH 009/111] New upstream release 2.6.1 Resolves: RHBZ#1683691 --- .gitignore | 1 + python-cryptography.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 1bdca22..698737f 100644 --- a/.gitignore +++ b/.gitignore @@ -10,3 +10,4 @@ /cryptography-2.2.1.tar.gz /cryptography-2.3.tar.gz /cryptography-2.5.tar.gz +/cryptography-2.6.1.tar.gz diff --git a/python-cryptography.spec b/python-cryptography.spec index 717fcc5..69987de 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -10,7 +10,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 2.5 +Version: 2.6.1 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -154,6 +154,9 @@ popd %changelog +* Thu Feb 28 2019 Christian Heimes - 2.6.1-1 +- New upstream release 2.6.1, resolves RHBZ#1683691 + * Wed Feb 13 2019 Alfredo Moralejo - 2.5-1 - Updated to 2.5. diff --git a/sources b/sources index d7ff933..219cd46 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (cryptography-2.5.tar.gz) = 5e8f8818fcaa8143526006b027107b8afbdc925d40c846701e65b2c7ee02235b7e0918246515520ef2030b1c87bb157d0d403c28ad68c31459d677af7e2d0b3f +SHA512 (cryptography-2.6.1.tar.gz) = f14319e24d9dca52e74548cada5b78a6235f089ef875dbff4799e862f94da8b087f1b6e03e84dcef9fc7d7693c4a349c5f0cd54b8535806da777420ce8757d39 From a7f7f7376f5c7225b0c7eddbae148262f0edb208 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Mon, 13 May 2019 15:34:51 +0200 Subject: [PATCH 010/111] Workaround pyca/cryptography#4885 https://github.com/pyca/cryptography/issues/4885 https://bugzilla.redhat.com/show_bug.cgi?id=1708353 --- python-cryptography.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 69987de..6781574 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -129,11 +129,12 @@ popd %check -%{__python2} setup.py test +# see https://github.com/pyca/cryptography/issues/4885 for the deselected test +PYTHONPATH=%{buildroot}%{python2_sitearch} %{__python2} -m pytest -k "not test_buffer_protocol_alternate_modes[mode5]" %if 0%{?with_python3} pushd %{py3dir} -%{__python3} setup.py test +PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not test_buffer_protocol_alternate_modes[mode5]" popd %endif From 7395bb85158c3a4eaa53ceb2429982e440ca75d1 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 26 Jul 2019 12:55:15 +0000 Subject: [PATCH 011/111] - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 6781574..1f18bb6 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -11,7 +11,7 @@ Name: python-%{srcname} Version: 2.6.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -155,6 +155,9 @@ popd %changelog +* Fri Jul 26 2019 Fedora Release Engineering - 2.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + * Thu Feb 28 2019 Christian Heimes - 2.6.1-1 - New upstream release 2.6.1, resolves RHBZ#1683691 From 3f9ce036b9dddfa9231f6b03ed4f8ef342cf4f87 Mon Sep 17 00:00:00 2001 
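Review bot: The `-k "not test_buffer_protocol_alternate_modes[mode5]"` filter in `%check` picks the skipped case by `mode5`, which looks like a positional parametrization id, so a reordering of the parameter list in a later upstream release could skip a different cipher-mode case and re-enable the failing one without the build noticing. A comment next to the filter should record that, for example `# mode5 is a positional id: re-check it against the upstream test whenever Version changes`. The explanatory comment sits only above the Python 2 command; the Python 3 command inside `pushd %{py3dir}` repeats the filter with no reference to the issue, so the same comment is worth repeating there.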
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Fri, 16 Aug 2019 02:52:48 +0200 Subject: [PATCH 012/111] Rebuilt for Python 3.8 --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 1f18bb6..9865c94 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -11,7 +11,7 @@ Name: python-%{srcname} Version: 2.6.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -155,6 +155,9 @@ popd %changelog +* Fri Aug 16 2019 Miro Hrončok - 2.6.1-3 +- Rebuilt for Python 3.8 + * Fri Jul 26 2019 Fedora Release Engineering - 2.6.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild From 0deb0e62d8aade5564f7c7fd1eefa0bb5cbbed48 Mon Sep 17 00:00:00 2001 From: Randy Barlow Date: Tue, 3 Sep 2019 13:06:11 -0400 Subject: [PATCH 013/111] Update to 2.7 (#1715680) Signed-off-by: Randy Barlow --- .gitignore | 1 + python-cryptography.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 698737f..1ff05b9 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ /cryptography-2.3.tar.gz /cryptography-2.5.tar.gz /cryptography-2.6.1.tar.gz +/cryptography-2.7.tar.gz diff --git a/python-cryptography.spec b/python-cryptography.spec index 9865c94..1fc983c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -10,8 +10,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 2.6.1 -Release: 3%{?dist} +Version: 2.7 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -155,6 +155,9 @@ popd %changelog +* Tue Sep 03 2019 Randy Barlow - 2.7-1 +- Update to 2.7 (#1715680). + * Fri Aug 16 2019 Miro Hrončok - 2.6.1-3 - Rebuilt for Python 3.8 diff --git a/sources b/sources index 219cd46..5613e0c 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (cryptography-2.6.1.tar.gz) = f14319e24d9dca52e74548cada5b78a6235f089ef875dbff4799e862f94da8b087f1b6e03e84dcef9fc7d7693c4a349c5f0cd54b8535806da777420ce8757d39
+SHA512 (cryptography-2.7.tar.gz) = fa420f44b038b6fe1983c6f2c6d830e2668017c26e1e125ad621e37ea627a927ffe64d0e987e0a26dcc260834f2ec817cccd22da03b892190f46cb6e8131a5a8
From 81f93220de1afd842adb3fcf2d040ab23f813c6c Mon Sep 17 00:00:00 2001
From: Randy Barlow
Date: Tue, 3 Sep 2019 16:47:46 -0400
Subject: [PATCH 014/111] Trim changelog entries prior to 2018
Signed-off-by: Randy Barlow
---
python-cryptography.spec | 127 ---------------------------------------
1 file changed, 127 deletions(-)
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 1fc983c..630dd41 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -201,130 +201,3 @@ popd * Fri Feb 09 2018 Fedora Release Engineering - 2.1.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Thu Nov 23 2017 Haïkel Guémar - 2.1.3-1 -- Upstream 2.1.3 - -* Tue Oct 24 2017 Christian Heimes - 2.1-2 -- Change Requires to openssl-libs - -* Thu Oct 12 2017 Christian Heimes - 2.1-1 -- New upstream release 2.1 - -* Wed Sep 27 2017 Troy Dawson - 2.0.2-3 -- Cleanup spec file conditionals - -* Thu Aug 03 2017 Christian Heimes - 2.0.2-2 -- Add workaround for pytest bug - -* Thu Aug 03 2017 Christian Heimes - 2.0.2-1 -- New upstream release 2.0.2 -- Modernize spec - -* Thu Aug 03 2017 Fedora Release Engineering - 1.9-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - -* Thu Jul 27 2017 Fedora Release Engineering - 1.9-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Tue Jun 27 2017 Christian Heimes - 1.9-1 -- Upstream release 1.9 - -* Wed Feb 15 2017 Christian Heimes - 1.7.2-1 -- Update to latest upstream - -* Sat Feb 11 2017 Fedora Release Engineering - 1.7.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Thu Jan 05 2017 Matěj Cepl - 1.7.1-1 -- Update to the latest upstream. 
-- Add a patch from https://github.com/pyca/cryptography/pull/3328 - -* Tue Dec 13 2016 Charalampos Stratakis - 1.5.3-5 -- Enable tests - -* Mon Dec 12 2016 Charalampos Stratakis - 1.5.3-4 -- Rebuild for Python 3.6 -- Disable python3 tests for now - -* Thu Nov 10 2016 Nathaniel McCallum - 1.5.3-3 -- Revert previous change - -* Thu Nov 10 2016 Nathaniel McCallum - 1.5.3-2 -- Disable tests on releases earlier than 24 - -* Mon Nov 07 2016 Nathaniel McCallum - 1.5.3-1 -- Update to v1.5.3 -- Update source URL -- Add BR for pytz - -* Tue Jul 19 2016 Fedora Release Engineering - 1.3.1-4 -- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages - -* Tue May 10 2016 Nathaniel McCallum - 1.3.1-3 -- Remove versioned setuptools dependency - -* Tue May 10 2016 Nathaniel McCallum - 1.3.1-2 -- Make it easier to build on EL7 - -* Tue May 03 2016 Nathaniel McCallum - 1.3.1-1 -- Update to v1.3.1 - -* Thu Feb 04 2016 Fedora Release Engineering - 1.2.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Mon Jan 11 2016 Nathaniel McCallum - 1.2.1-2 -- Move python-cryptograph => python2-cryptography - -* Sat Jan 09 2016 Nathaniel McCallum - 1.2.1-1 -- Update to v1.2.1 - -* Wed Nov 11 2015 Robert Kuska - 1.1-1 -- Update to v1.1 - -* Wed Nov 04 2015 Robert Kuska - 1.0.2-2 -- Rebuilt for Python3.5 rebuild - -* Wed Sep 30 2015 Matěj Cepl - 1.0.2-1 -- New upstream release (fix #1267548) - -* Wed Aug 12 2015 Nathaniel McCallum - 1.0-1 -- New upstream release - -* Thu Jun 18 2015 Fedora Release Engineering - 0.9-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Thu May 14 2015 Nathaniel McCallum - 0.9-1 -- New upstream release -- Run tests on RHEL -- New deps: python-idna, python-ipaddress - -* Fri Apr 17 2015 Nathaniel McCallum - 0.8.2-1 -- New upstream release -- Add python3-pyasn1 Requires (#1211073) - -* Tue Apr 14 2015 Matej Cepl - 0.8-2 -- Add python-pyasn1 Requires (#1211073) - -* Fri Mar 13 2015 Nathaniel 
McCallum - 0.8-1 -- New upstream release -- Remove upstreamed patch - -* Wed Mar 04 2015 Nathaniel McCallum - 0.7.2-2 -- Add python3-cryptography-vectors build requires -- Add python-enum34 requires - -* Tue Feb 03 2015 Nathaniel McCallum - 0.7.2-1 -- New upstream release. BSD is now an optional license. -- Fix test running on python3 -- Add upstream patch to fix test paths - -* Fri Nov 07 2014 Matej Cepl - 0.6.1-2 -- Fix requires, for reasons why other development files were not - eliminated see https://github.com/pyca/cryptography/issues/1463. - -* Wed Nov 05 2014 Matej Cepl - 0.6.1-1 -- New upstream release. - -* Sun Jun 29 2014 Terry Chia 0.4-1 -- initial version From 1ba330ec7486fabb125fd78a6571102190b1fc0b Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Sat, 12 Oct 2019 21:11:54 +0200 Subject: [PATCH 015/111] Drop Python 2 package Resolves: rhbz#1761081 --- python-cryptography.spec | 47 +++++++++++++++++++++++++++------------- 1 file changed, 32 insertions(+), 15 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 630dd41..876dbb6 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,8 +1,15 @@ -%if 0%{?fedora} || 0%{?rhel} >= 8 -%global with_python3 1 +%if 0%{?fedora} || 0%{?rhel} > 7 +# Enable python3 build by default +%bcond_without python3 %else -%{!?__python2: %global __python2 /usr/bin/python2} -%{!?python2_sitearch: %global python2_sitearch %(%{__python2} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} +%bcond_with python3 +%endif + +%if 0%{?fedora} > 31 || 0%{?rhel} > 7 +# Disable python2 build by default +%bcond_with python2 +%else +%bcond_without python2 %endif %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -11,7 +18,7 @@ Name: python-%{srcname} Version: 2.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD 
@@ -21,6 +28,7 @@ Source0: https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{versio BuildRequires: openssl-devel BuildRequires: gcc +%if 0%{?with_python2} BuildRequires: python2-devel BuildRequires: python2-pytest >= 3.2.1 BuildRequires: python2-setuptools @@ -36,6 +44,7 @@ BuildRequires: python2-six >= 1.4.1 BuildRequires: python2-cffi >= 1.7 BuildRequires: python2-enum34 BuildRequires: python2-ipaddress +%endif %if 0%{?with_python3} BuildRequires: python%{python3_pkgversion}-devel @@ -57,6 +66,7 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. +%if 0%{?with_python2} %package -n python2-%{srcname} Summary: PyCA's cryptography library @@ -77,6 +87,7 @@ Requires: python2-ipaddress %description -n python2-%{srcname} cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. +%endif %if 0%{?with_python3} %package -n python%{python3_pkgversion}-%{srcname} @@ -104,33 +115,33 @@ find %{py3dir} -name '*.py' | xargs sed -i '1s|^#!/usr/bin/python|#!%{__python3} %endif %build -%if 0%{?with_python3} +%if 0%{?with_python2} %py2_build +%endif +%if 0%{?with_python3} pushd %{py3dir} %py3_build popd -%else -%{__python2} setup.py build -%endif # with_python3 +%endif %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%if 0%{?with_python3} +%if 0%{?with_python2} %py2_install +%endif +%if 0%{?with_python3} pushd %{py3dir} %py3_install -popd -%else -%{__python2} setup.py install --skip-build --prefix=%{_prefix} --root %{buildroot} -%endif # with_python3 - +%endif %check +%if 0%{?with_python2} # see https://github.com/pyca/cryptography/issues/4885 for the deselected test PYTHONPATH=%{buildroot}%{python2_sitearch} %{__python2} -m pytest -k "not test_buffer_protocol_alternate_modes[mode5]" +%endif %if 0%{?with_python3} pushd %{py3dir} 
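Review bot: In the `%install` part of the `@@ -104,33 +115,33 @@` hunk the `popd` that followed `%py3_install` is removed while `pushd %{py3dir}` stays, so the Python 3 branch now leaves the directory stack unbalanced; the `%build` branch in the same hunk keeps its `pushd`/`popd` pair. The branch should end `%py3_install`, `popd`, `%endif`. Nothing follows in `%install` today, so the build still passes, but any step added after the `%endif` would run inside `%{py3dir}`. The `%check` Python 3 branch starts at the end of this hunk and continues outside it.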
@@ -139,10 +150,12 @@ popd %endif +%if 0%{?with_python2} %files -n python2-%{srcname} %doc LICENSE LICENSE.APACHE LICENSE.BSD README.rst docs %{python2_sitearch}/%{srcname} %{python2_sitearch}/%{srcname}-%{version}-py*.egg-info +%endif %if 0%{?with_python3} @@ -155,6 +168,10 @@ popd %changelog +* Sat Oct 12 2019 Christian Heimes - 2.7-2 +- Drop Python 2 package +- Resolves: rhbz#1761081 + * Tue Sep 03 2019 Randy Barlow - 2.7-1 - Update to 2.7 (#1715680). From 16edebe9b700ffb3a44be7c86f298da079508316 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Sun, 13 Oct 2019 14:26:19 +0200 Subject: [PATCH 016/111] Skip unit tests that fail with OpenSSL 1.1.1.d Fix and simplify Python 3 packaging Resolves: rhbz#1761194 --- python-cryptography.spec | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 876dbb6..d42fb4b 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -18,7 +18,7 @@ Name: python-%{srcname} Version: 2.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -108,20 +108,12 @@ recipes to Python developers. %prep %autosetup -p1 -n %{srcname}-%{version} -%if 0%{?with_python3} -rm -rf %{py3dir} -cp -a . %{py3dir} -find %{py3dir} -name '*.py' | xargs sed -i '1s|^#!/usr/bin/python|#!%{__python3}|' -%endif - %build %if 0%{?with_python2} %py2_build %endif %if 0%{?with_python3} -pushd %{py3dir} %py3_build -popd %endif %install 
@@ -133,20 +125,18 @@ find . -name .keep -print -delete %py2_install %endif %if 0%{?with_python3} -pushd %{py3dir} %py3_install %endif %check %if 0%{?with_python2} -# see https://github.com/pyca/cryptography/issues/4885 for the deselected test -PYTHONPATH=%{buildroot}%{python2_sitearch} %{__python2} -m pytest -k "not test_buffer_protocol_alternate_modes[mode5]" +# see https://github.com/pyca/cryptography/issues/4885 and +# see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests +PYTHONPATH=%{buildroot}%{python2_sitearch} %{__python2} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" %endif %if 0%{?with_python3} -pushd %{py3dir} -PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not test_buffer_protocol_alternate_modes[mode5]" -popd +PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" %endif @@ -162,12 +152,17 @@ popd %files -n python%{python3_pkgversion}-%{srcname} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD -%{python3_sitearch}/* +%{python3_sitearch}/%{srcname} %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %endif %changelog +* Sun Oct 13 2019 Christian Heimes - 2.7-3 +- Skip unit tests that fail with OpenSSL 1.1.1.d +- Resolves: rhbz#1761194 +- Fix and simplify Python 3 packaging + * Sat Oct 12 2019 Christian Heimes - 2.7-2 - Drop Python 2 package - Resolves: rhbz#1761081 From 004fe01826621d0247540af5c464253e88ae4d5b Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 17 Oct 2019 16:19:35 +0200 Subject: [PATCH 017/111] Update to 2.8 Resolves: rhbz#1762779 --- .gitignore | 1 + python-cryptography.spec | 8 ++++++-- sources | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 1ff05b9..fad9f4b 100644 --- a/.gitignore +++ b/.gitignore 
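Review bot: The new `-k` expression in `%check` drops every parametrization of `test_buffer_protocol_alternate_modes` (the previous filter excluded only `[mode5]`) together with `test_dh_parameters_supported` and `test_load_ecdsa_no_named_curve`, and it does so unconditionally, so these DH-parameter and ECDSA-loading checks stop running against the distribution's OpenSSL on every build, not only the affected one. `-k` also matches by substring across the whole run, so any other test whose name contains one of these strings is skipped as well. The comment names the two bug reports but not the exit condition; I would add `# TODO: remove the DH/ECDSA deselection once rhbz#1761194 is resolved` and, if the failure is specific to one OpenSSL build, keep the narrower `[mode5]` form for the buffer-protocol test.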
@@ -12,3 +12,4 @@ /cryptography-2.5.tar.gz /cryptography-2.6.1.tar.gz /cryptography-2.7.tar.gz +/cryptography-2.8.tar.gz diff --git a/python-cryptography.spec b/python-cryptography.spec index d42fb4b..8e693b9 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -17,8 +17,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 2.7 -Release: 3%{?dist} +Version: 2.8 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -158,6 +158,10 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Thu Oct 17 2019 Christian Heimes - 2.8-1 +- Update to 2.8 +- Resolves: rhbz#1762779 + * Sun Oct 13 2019 Christian Heimes - 2.7-3 - Skip unit tests that fail with OpenSSL 1.1.1.d - Resolves: rhbz#1761194 diff --git a/sources b/sources index 5613e0c..99ad16a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (cryptography-2.7.tar.gz) = fa420f44b038b6fe1983c6f2c6d830e2668017c26e1e125ad621e37ea627a927ffe64d0e987e0a26dcc260834f2ec817cccd22da03b892190f46cb6e8131a5a8 +SHA512 (cryptography-2.8.tar.gz) = bf3ca44123c693b0602be19445925f9efebd46c469909e47b7907d57141fb6bd99268c33e1fe3f42a08ab8b4edd4f98f21b6a682f530352313334dfd31ba91e7 From c3f035031cf90d5aa352a2a020a77724521d60d3 Mon Sep 17 00:00:00 2001 From: Lumir Balhar Date: Mon, 18 Nov 2019 14:16:21 +0100 Subject: [PATCH 018/111] Bcond for tests which allows to disable them --- python-cryptography.spec | 52 +++++++++++++++++++++++----------------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 8e693b9..585ce1d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -12,6 +12,8 @@ %bcond_without python2 %endif +%bcond_without tests + %{!?python3_pkgversion:%global python3_pkgversion 3} %global srcname cryptography 
@@ -29,37 +31,41 @@ BuildRequires: openssl-devel BuildRequires: gcc %if 0%{?with_python2} -BuildRequires: python2-devel -BuildRequires: python2-pytest >= 3.2.1 -BuildRequires: python2-setuptools -BuildRequires: python2-pretend -BuildRequires: python2-iso8601 -BuildRequires: python2-cryptography-vectors = %{version} BuildRequires: python2-asn1crypto >= 0.21 -BuildRequires: python2-hypothesis >= 1.11.4 -BuildRequires: python2-pytz - -BuildRequires: python2-idna >= 2.1 -BuildRequires: python2-six >= 1.4.1 BuildRequires: python2-cffi >= 1.7 +BuildRequires: python2-cryptography-vectors = %{version} +BuildRequires: python2-devel BuildRequires: python2-enum34 +BuildRequires: python2-idna >= 2.1 BuildRequires: python2-ipaddress +BuildRequires: python2-setuptools +BuildRequires: python2-six >= 1.4.1 + +%if %{with tests} +BuildRequires: python2-hypothesis >= 1.11.4 +BuildRequires: python2-iso8601 +BuildRequires: python2-pretend +BuildRequires: python2-pytest >= 3.2.1 +BuildRequires: python2-pytz +%endif %endif %if 0%{?with_python3} -BuildRequires: python%{python3_pkgversion}-devel -BuildRequires: python%{python3_pkgversion}-pytest >= 3.2.1 -BuildRequires: python%{python3_pkgversion}-setuptools -BuildRequires: python%{python3_pkgversion}-pretend -BuildRequires: python%{python3_pkgversion}-iso8601 -BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version} BuildRequires: python%{python3_pkgversion}-asn1crypto >= 0.21 -BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 -BuildRequires: python%{python3_pkgversion}-pytz - -BuildRequires: python%{python3_pkgversion}-idna >= 2.1 -BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 +BuildRequires: python%{python3_pkgversion}-devel +BuildRequires: python%{python3_pkgversion}-idna >= 2.1 +BuildRequires: python%{python3_pkgversion}-setuptools +BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 + +%if %{with tests} +BuildRequires: 
python%{python3_pkgversion}-cryptography-vectors = %{version} +BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 +BuildRequires: python%{python3_pkgversion}-iso8601 +BuildRequires: python%{python3_pkgversion}-pretend +BuildRequires: python%{python3_pkgversion}-pytest >= 3.2.1 +BuildRequires: python%{python3_pkgversion}-pytz +%endif %endif %description @@ -129,6 +135,7 @@ find . -name .keep -print -delete %endif %check +%if %{with tests} %if 0%{?with_python2} # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests @@ -138,6 +145,7 @@ PYTHONPATH=%{buildroot}%{python2_sitearch} %{__python2} -m pytest -k "not (test_ %if 0%{?with_python3} PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" %endif +%endif %if 0%{?with_python2} From 52a29359189206efc11752a3c0ff9183dfa862e6 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 13 Jan 2020 10:36:18 +0100 Subject: [PATCH 019/111] cryptography 2.8+ no longer depends on python-asn1crypto --- python-cryptography.spec | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 585ce1d..70c207b 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -20,7 +20,7 @@ Name: python-%{srcname} Version: 2.8 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -31,7 +31,6 @@ BuildRequires: openssl-devel BuildRequires: gcc %if 0%{?with_python2} -BuildRequires: python2-asn1crypto >= 0.21 BuildRequires: python2-cffi >= 1.7 BuildRequires: python2-cryptography-vectors = %{version} BuildRequires: python2-devel 
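Review bot: The two BuildRequires blocks disagree about the test vectors. In the python3 block `python%{python3_pkgversion}-cryptography-vectors = %{version}` moves under `%if %{with tests}`, but in the python2 block `python2-cryptography-vectors = %{version}` stays in the unconditional list. A `--without tests` build with python2 enabled therefore still pulls the vectors package, which only the test suite appears to use. Moving that line below the python2 `%if %{with tests}` would make the branches match.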
@@ -51,7 +50,6 @@ BuildRequires: python2-pytz %endif %if 0%{?with_python3} -BuildRequires: python%{python3_pkgversion}-asn1crypto >= 0.21 BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-idna >= 2.1 @@ -84,7 +82,6 @@ Provides: python-%{srcname} Requires: openssl-libs Requires: python2-idna >= 2.1 -Requires: python2-asn1crypto >= 0.21 Requires: python2-six >= 1.4.1 Requires: python2-cffi >= 1.7 Requires: python2-enum34 @@ -102,7 +99,6 @@ Summary: PyCA's cryptography library Requires: openssl-libs Requires: python%{python3_pkgversion}-idna >= 2.1 -Requires: python%{python3_pkgversion}-asn1crypto >= 0.21 Requires: python%{python3_pkgversion}-six >= 1.4.1 Requires: python%{python3_pkgversion}-cffi >= 1.7 @@ -166,6 +162,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Mon Jan 13 2020 Christian Heimes - 2.8-2 +- cryptography 2.8+ no longer depends on python-asn1crypto + * Thu Oct 17 2019 Christian Heimes - 2.8-1 - Update to 2.8 - Resolves: rhbz#1762779 From 71ca0a3e2ac964249a4e892aa09fe5543a56d505 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 30 Jan 2020 11:29:05 +0000 Subject: [PATCH 020/111] - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 70c207b..dae9970 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -20,7 +20,7 @@ Name: python-%{srcname} Version: 2.8 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD 
@@ -162,6 +162,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Thu Jan 30 2020 Fedora Release Engineering - 2.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + * Mon Jan 13 2020 Christian Heimes - 2.8-2 - cryptography 2.8+ no longer depends on python-asn1crypto From 4d908272661f526c3ed52b84ed2564bd6126cbd8 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 8 Apr 2020 12:50:55 +0200 Subject: [PATCH 021/111] Update to 2.9 (#1820348) --- .gitignore | 1 + python-cryptography.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index fad9f4b..a2635bb 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ /cryptography-2.6.1.tar.gz /cryptography-2.7.tar.gz /cryptography-2.8.tar.gz +/cryptography-2.9.tar.gz diff --git a/python-cryptography.spec b/python-cryptography.spec index dae9970..d01a7f1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -19,8 +19,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 2.8 -Release: 3%{?dist} +Version: 2.9 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -162,6 +162,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Fri Apr 03 2020 Christian Heimes - 2.9-1 +- Update to 2.9 (#1820348) + * Thu Jan 30 2020 Fedora Release Engineering - 2.8-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild diff --git a/sources b/sources index 99ad16a..78d2a9a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (cryptography-2.8.tar.gz) = bf3ca44123c693b0602be19445925f9efebd46c469909e47b7907d57141fb6bd99268c33e1fe3f42a08ab8b4edd4f98f21b6a682f530352313334dfd31ba91e7 +SHA512 (cryptography-2.9.tar.gz) = 7db2846b901e42ddc4caa9851235e5a0894ef702d4c4692eb60fcae17bc4e7833782a8001679ea41b78f9273d7d68a4b85810248590e12ca33cfade3208e2849 
From 18a3ed28c7c1b57c1427adbf090eedfd023381a4 Mon Sep 17 00:00:00 2001 From: Felix Schwarz Date: Tue, 12 May 2020 10:39:43 +0200 Subject: [PATCH 022/111] add source file verification --- .gitignore | 1 + ...1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg | Bin 0 -> 1188 bytes python-cryptography.spec | 15 +++++++++++++-- sources | 1 + 4 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg diff --git a/.gitignore b/.gitignore index a2635bb..266fb17 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,4 @@ /cryptography-2.7.tar.gz /cryptography-2.8.tar.gz /cryptography-2.9.tar.gz +/cryptography-2.9.tar.gz.asc diff --git a/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg b/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg new file mode 100644 index 0000000000000000000000000000000000000000..dcae2d294ee960fa1eef388915659a59fa32b11d GIT binary patch literal 1188 zcmV;V1Y7%=0SyFFBCR_C2mru&73El&3H2t5nI68Q9hzL>cT6mwg4zkC{+7HPTeg8I z5C7)pzdb1LWju5%BxHBsP5O}OCXjdQEW2i$Lc+)O4ZOLxR^_+WviC;x)2|n`7borH zlrmsn)=F-Ho)o7%uUf!Q>Yx>9Vp)dWmAs3e|O^!kSv_QwU>+~kgjV=sbx zG_MY5!uxRNARqsoa}NL!0RRECB~W2?Y#>WzXmVw8AUtqkb!;wdE^B3Ia%FNrXKi6= zY%XJOZ9a(sI0O>`0stZf0#YKaI|3U61`7!Y2Ll2I6$k?hwshfU)IXoeRR;O;Hl&0joy8{$+b?307y>Hw#e2 zJ#MXXZ+O6C6Q)@WYf}5PDzBN=KS&W0skd_(ad2fj5zp%~A!(0Y%SW02Q;Supcd40($4vJ{JY9kGNjS!)Rk#yu* z(&X#V9BFp}Bi`3arWBhy=N-TgidssU_h-GqkF788NsqUMSeT8tM<8SNRbflj3C@z46XJ_GltsY7hNpD#p3*0NR;IX(;tNxIUZAsp zvjrv5&pWLPa@OxSbk4_AoNwSVa%`p-QSMMy>LXK~o2aan76TNt+ zDck+9&Z^K!qC4oS0_0JBrP){@>SfU>%js_t{o{pPu7AV6cf~{?y9$Y|9Gf}%7gY>) zoy7Gp;9k9dgut!<8{2(s#E}#$7tV%J|8DBf(OWWwZ^Lk}7`vl1UWL{52xxj7!X z7ih~}%ROYB{F_#F;5kf8x~D$-2>AEWPu4N-OhF`_8Y#xZ9_QbJcFF|>A91rmEwi$; z*Hici!kJ_R)x!~a=Tr;EdY;ia^|!vO#PUj~E7UXPt!hCPJ@@WHq@+{FNG1$0Ubbi@ CEhzZ_ literal 0 HcmV?d00001 diff --git a/python-cryptography.spec b/python-cryptography.spec index d01a7f1..4e91e64 100644 --- a/python-cryptography.spec 
+++ b/python-cryptography.spec @@ -20,15 +20,22 @@ Name: python-%{srcname} Version: 2.9 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ -Source0: https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz +Source0: %{pypi_source} +Source1: %{pypi_source}.asc +# key ids of upstream authors are published in the AUTHORS file: +# https://github.com/pyca/cryptography/blob/master/AUTHORS.rst +# gpg2 --recv-keys "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" +# gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg +Source2: gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg BuildRequires: openssl-devel BuildRequires: gcc +BuildRequires: gnupg2 %if 0%{?with_python2} BuildRequires: python2-cffi >= 1.7 @@ -108,6 +115,7 @@ recipes to Python developers. %endif %prep +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -n %{srcname}-%{version} %build @@ -162,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Tue May 12 2020 Felix Schwarz - 2.9-2 +- add source file verification + * Fri Apr 03 2020 Christian Heimes - 2.9-1 - Update to 2.9 (#1820348) diff --git a/sources b/sources index 78d2a9a..1fc2f1e 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ SHA512 (cryptography-2.9.tar.gz) = 7db2846b901e42ddc4caa9851235e5a0894ef702d4c4692eb60fcae17bc4e7833782a8001679ea41b78f9273d7d68a4b85810248590e12ca33cfade3208e2849 +SHA512 (cryptography-2.9.tar.gz.asc) = 916a9b013e2f0760dfa965997c7cde0fbfde4b6a6c017325606a134ce8860c3db3a0b6820f79102612ab484105d74a03cd6d80eb494032a3ffb96e82a66b5b92 From a2b3c457b5485cdd195965e8f9960f456a70d454 Mon Sep 17 00:00:00 2001 
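Review bot: The comment above `Source2` records the commands that produced the keyring, but not that this file is the trust anchor for the `%{gpgverify}` call added in `%prep`. A later key change could then be made by re-running `--recv-keys` without checking the fingerprint against upstream's published list. I would add one line to the comment, for example `# re-check the fingerprint against AUTHORS.rst before replacing this keyring`. The ordering in `%prep` is fine, with verification running before `%autosetup` unpacks anything.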
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Sat, 23 May 2020 05:04:32 +0200 Subject: [PATCH 023/111] Rebuilt for Python 3.9 --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 4e91e64..7e4922b 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -20,7 +20,7 @@ Name: python-%{srcname} Version: 2.9 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Sat May 23 2020 Miro Hrončok - 2.9-3 +- Rebuilt for Python 3.9 + * Tue May 12 2020 Felix Schwarz - 2.9-2 - add source file verification From 799485870e86a905eb9cfa336a16aa7eb1d39393 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 21 Jul 2020 08:06:29 +0200 Subject: [PATCH 024/111] Update to 3.0 (#185897) --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 266fb17..b35eadf 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,5 @@ /cryptography-2.8.tar.gz /cryptography-2.9.tar.gz /cryptography-2.9.tar.gz.asc +/cryptography-3.0.tar.gz +/cryptography-3.0.tar.gz.asc diff --git a/python-cryptography.spec b/python-cryptography.spec index 7e4922b..244c8e1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -19,8 +19,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 2.9 -Release: 3%{?dist} +Version: 3.0 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Tue Jul 21 2020 Christian Heimes - 3.0-1 +- Update to 3.0 (#185897) + * Sat May 23 2020 Miro Hrončok - 2.9-3 - Rebuilt for Python 3.9 
diff --git a/sources b/sources index 1fc2f1e..aa13c06 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-2.9.tar.gz) = 7db2846b901e42ddc4caa9851235e5a0894ef702d4c4692eb60fcae17bc4e7833782a8001679ea41b78f9273d7d68a4b85810248590e12ca33cfade3208e2849 -SHA512 (cryptography-2.9.tar.gz.asc) = 916a9b013e2f0760dfa965997c7cde0fbfde4b6a6c017325606a134ce8860c3db3a0b6820f79102612ab484105d74a03cd6d80eb494032a3ffb96e82a66b5b92 +SHA512 (cryptography-3.0.tar.gz) = 4fca5d0e59f02f23c7e2d5c80f86e4cf36eeeb9a128e7b3332a91aa0b9dcdd3282a882a88ea34ffba1e91687eb6d1fc1042774f1e30970e9bf56ee701c32ac15 +SHA512 (cryptography-3.0.tar.gz.asc) = fd8320837b5c1e00b84682621402d5f1de56ceb4691b677caa4a2340544531f2025e374aaa38459ce0387f3050176f4845e1070658d81094c4160f1dd8c3cad8 From 0656b7b132c4ca224f1c0e8bb194a89e07d5848d Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Wed, 29 Jul 2020 00:26:31 +0000 Subject: [PATCH 025/111] - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 244c8e1..c81c700 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -20,7 +20,7 @@ Name: python-%{srcname} Version: 3.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Wed Jul 29 2020 Fedora Release Engineering - 3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + * Tue Jul 21 2020 Christian Heimes - 3.0-1 - Update to 3.0 (#185897) From 1811890378778136f7d6624238110588a38f4963 Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Mon, 7 Sep 2020 08:57:53 +0200 Subject: [PATCH 026/111] Update to 3.1 (#1872978) --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index b35eadf..31354d0 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,5 @@ /cryptography-2.9.tar.gz.asc /cryptography-3.0.tar.gz /cryptography-3.0.tar.gz.asc +/cryptography-3.1.tar.gz +/cryptography-3.1.tar.gz.asc diff --git a/python-cryptography.spec b/python-cryptography.spec index c81c700..820b880 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -19,8 +19,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 3.0 -Release: 2%{?dist} +Version: 3.1 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Mon Sep 07 2020 Christian Heimes - 3.1-1 +- Update to 3.1 (#1872978) + * Wed Jul 29 2020 Fedora Release Engineering - 3.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild diff --git a/sources b/sources index aa13c06..9db3a37 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.0.tar.gz) = 4fca5d0e59f02f23c7e2d5c80f86e4cf36eeeb9a128e7b3332a91aa0b9dcdd3282a882a88ea34ffba1e91687eb6d1fc1042774f1e30970e9bf56ee701c32ac15 -SHA512 (cryptography-3.0.tar.gz.asc) = fd8320837b5c1e00b84682621402d5f1de56ceb4691b677caa4a2340544531f2025e374aaa38459ce0387f3050176f4845e1070658d81094c4160f1dd8c3cad8 +SHA512 (cryptography-3.1.tar.gz) = c015df3a71e4c274b2fb8fd954d264c8b56443644048139113f548c69cf83798b73c9f0993609f338044df92b609723b0281ce61ed2751309a122de22060037e +SHA512 (cryptography-3.1.tar.gz.asc) = ceb5ec3c13f85f76f7085a7c72a898097afd7cdef1386c99f8b5090949a4b0a380b5b91c66a8a77033e432619a8bfb5edc9bf3f50008e3cb4cb162a4ef4f3d1e 
From 2abb980d58db7196a389c7bb2b7b3162681640fb Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 26 Oct 2020 09:13:36 +0100 Subject: [PATCH 027/111] Update to 3.2 (#1891378) --- .gitignore | 2 ++ python-cryptography.spec | 5 ++++- sources | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 31354d0..cda710e 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,5 @@ /cryptography-3.0.tar.gz.asc /cryptography-3.1.tar.gz /cryptography-3.1.tar.gz.asc +/cryptography-3.2.tar.gz +/cryptography-3.2.tar.gz.asc diff --git a/python-cryptography.spec b/python-cryptography.spec index 820b880..89ff850 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -19,7 +19,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 3.1 +Version: 3.2 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Mon Oct 26 2020 Christian Heimes - 3.2-1 +- Update to 3.2 (#1891378) + * Mon Sep 07 2020 Christian Heimes - 3.1-1 - Update to 3.1 (#1872978) diff --git a/sources b/sources index 9db3a37..e6e0771 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.1.tar.gz) = c015df3a71e4c274b2fb8fd954d264c8b56443644048139113f548c69cf83798b73c9f0993609f338044df92b609723b0281ce61ed2751309a122de22060037e -SHA512 (cryptography-3.1.tar.gz.asc) = ceb5ec3c13f85f76f7085a7c72a898097afd7cdef1386c99f8b5090949a4b0a380b5b91c66a8a77033e432619a8bfb5edc9bf3f50008e3cb4cb162a4ef4f3d1e +SHA512 (cryptography-3.2.tar.gz) = 0096e6408b5868cc0b5e6f67945e4200bb943a00ac803546048fa4d332f81af4a224b2d67b911ee8da1ad086120935d7d557fc70a739ecffb22f408ee9b8d09e +SHA512 (cryptography-3.2.tar.gz.asc) = 969e09e100bc76b08690e90cfa1551d64597ea65e5c13a65d4396ea7be5a19cd80438371a957bc4b2e362a1a01c30e29cc56bee44c586e5de83512f8af5d97e2 From 6417bbcc758cd6f07d051bcd5435061b8fc741ec Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Wed, 28 Oct 2020 07:28:58 +0100 Subject: [PATCH 028/111] Update to 3.2.1 (#1892153) --- .gitignore | 2 ++ python-cryptography.spec | 5 ++++- sources | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index cda710e..607872b 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,5 @@ /cryptography-3.1.tar.gz.asc /cryptography-3.2.tar.gz /cryptography-3.2.tar.gz.asc +/cryptography-3.2.1.tar.gz +/cryptography-3.2.1.tar.gz.asc diff --git a/python-cryptography.spec b/python-cryptography.spec index 89ff850..4d748d5 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -19,7 +19,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 3.2 +Version: 3.2.1 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Wed Oct 28 2020 Christian Heimes - 3.2.1-1 +- Update to 3.2.1 (#1892153) + * Mon Oct 26 2020 Christian Heimes - 3.2-1 - Update to 3.2 (#1891378) diff --git a/sources b/sources index e6e0771..b2f4b8f 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.2.tar.gz) = 0096e6408b5868cc0b5e6f67945e4200bb943a00ac803546048fa4d332f81af4a224b2d67b911ee8da1ad086120935d7d557fc70a739ecffb22f408ee9b8d09e -SHA512 (cryptography-3.2.tar.gz.asc) = 969e09e100bc76b08690e90cfa1551d64597ea65e5c13a65d4396ea7be5a19cd80438371a957bc4b2e362a1a01c30e29cc56bee44c586e5de83512f8af5d97e2 +SHA512 (cryptography-3.2.1.tar.gz) = e3f1806693c24aadc3ef0df374ce1845760e87ad7c243226b75e80820b50bdc0760e4bb5f6ce26d62a6d23736b3109f72cd30b52ae2a36b26ec5656ec96c6175 +SHA512 (cryptography-3.2.1.tar.gz.asc) = f73d34e39d63fcc965d326a11a96d90fb7e704f29e9e4c6473e390c0b64628b89d26f56f227516f462804047a8c085973bf14689accc9b3dc21e8fdcde68719b From 2d60d5642f5887f38105723882bef3e8ba9e6b8c Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Thu, 10 Dec 2020 09:51:20 +0100 Subject: [PATCH 029/111] Update to 3.3.1 (#1905756) --- .gitignore | 2 ++ python-cryptography.spec | 5 ++++- sources | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 607872b..258afbe 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,5 @@ /cryptography-3.2.tar.gz.asc /cryptography-3.2.1.tar.gz /cryptography-3.2.1.tar.gz.asc +/cryptography-3.3.1.tar.gz +/cryptography-3.3.1.tar.gz.asc diff --git a/python-cryptography.spec b/python-cryptography.spec index 4d748d5..6723f65 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -19,7 +19,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 3.2.1 +Version: 3.3.1 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Thu Dec 10 2020 Christian Heimes - 3.3.1-1 +- Update to 3.3.1 (#1905756) + * Wed Oct 28 2020 Christian Heimes - 3.2.1-1 - Update to 3.2.1 (#1892153) diff --git a/sources b/sources index b2f4b8f..67acd25 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.2.1.tar.gz) = e3f1806693c24aadc3ef0df374ce1845760e87ad7c243226b75e80820b50bdc0760e4bb5f6ce26d62a6d23736b3109f72cd30b52ae2a36b26ec5656ec96c6175 -SHA512 (cryptography-3.2.1.tar.gz.asc) = f73d34e39d63fcc965d326a11a96d90fb7e704f29e9e4c6473e390c0b64628b89d26f56f227516f462804047a8c085973bf14689accc9b3dc21e8fdcde68719b +SHA512 (cryptography-3.3.1.tar.gz) = 62192fe0fd3bb8844ccc0056ab72a42b038db2a4ecb0928543c520b85e1de93066dab0d604acf23d37395d68172b9618f81c6022a59ec49725bc1862096d15d1 +SHA512 (cryptography-3.3.1.tar.gz.asc) = 5ec77aa93142cafc7b8c4d2ba355da477ac403e73b30740bf4ef42ab8065efb7cc1efa6c007ae67a13b44cf43f715f1cc7fee005bfa89b5a490c0f968a7373ff From 660907b847900513b8770540b8347b89aabc10b6 Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Wed, 27 Jan 2021 10:04:48 +0000 Subject: [PATCH 030/111] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 6723f65..dab9ad2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -20,7 +20,7 @@ Name: python-%{srcname} Version: 3.3.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %changelog +* Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + * Thu Dec 10 2020 Christian Heimes - 3.3.1-1 - Update to 3.3.1 (#1905756) From bf3babc383437e5411e1c6ce5a5c31b6163e4a1e Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Sun, 7 Feb 2021 20:36:07 +0100 Subject: [PATCH 031/111] Update to 3.4 (#1925953) Remove Python 2 support Remove unused python-idna dependency Add Rust support --- .gitignore | 2 + README.md | 98 +++++++++++++++++++++++++++++++++++ python-cryptography.spec | 108 ++++++--------------------------------- sources | 4 +- 4 files changed, 118 insertions(+), 94 deletions(-) create mode 100644 README.md diff --git a/.gitignore b/.gitignore index 258afbe..f66525f 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,5 @@ /cryptography-3.2.1.tar.gz.asc /cryptography-3.3.1.tar.gz /cryptography-3.3.1.tar.gz.asc +/cryptography-3.4.tar.gz +/cryptography-3.4.tar.gz.asc diff --git a/README.md b/README.md new file mode 100644 index 0000000..c100762 --- /dev/null +++ b/README.md 
@@ -0,0 +1,98 @@ +# PyCA cryptography + +https://cryptography.io/en/latest/ + +## Packaging python-cryptography + +The example assumes + +* Fedora Rawhide (f34) +* PyCA cryptography release ``3.4`` +* Update Bugzilla issues are ``RHBZ#00000001`` and ``RHBZ#00000002`` +* Build side tag is ``f34-build-side-12345`` + +### Request a side tag for building + +python-cryptography builds depend on python-cryptography-vectors +package. Both packages must be build in a side tag. + +```shell +fedpkg request-side-tag --base-tag f34-build +``` + +### Build new python-cryptography-vectors first + +```shell +pushd ../python-cryptography-vectors +``` + +Switch and update branch + +```shell +fedpkg switch-branch rawhide +fedpkg pull +``` + +Bump version and get sources + +```shell +rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography-vectors.spec +spectool -gf python-cryptography-vectors.spec +``` + +Upload sources + +```shell +fedpkg new-sources cryptography_vectors-3.4.tar.gz +``` + +Commit changes + +```shell +git add sources .gitignore python-cryptography-vectors.spec +fedpkg commit --clog +fedpkg push +``` + +Build and wait for repo to regenerate + +```shell +fedpkg build --target=f34-build-side-12345 +koji wait-repo --build python-cryptography-vectors-3.4-1 f34-build-side-12345 +``` + +### Build new python-cryptography + +Switch and update branch + +```shell +fedpkg switch-branch rawhide +fedpkg pull +``` + +Bump version and get sources + +```shell +rpmdev-bumpspec -c "Update to 3.4 (#00000002)" -n 3.4 python-cryptography.spec +spectool -gf python-cryptography.spec +``` + +Upload new sources (**two files!**) + +```shell +fedpkg new-sources cryptography-3.4.tar.gz cryptography-3.4.tar.gz.asc +``` + +Commit changes + +```shell +git add sources .gitignore python-cryptography.spec +fedpkg commit --clog +fedpkg push +``` + +Build + +```shell +fedpkg build --target=f34-build-side-12345 +``` 
diff --git a/python-cryptography.spec b/python-cryptography.spec index dab9ad2..4ff1761 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,26 +1,13 @@ -%if 0%{?fedora} || 0%{?rhel} > 7 -# Enable python3 build by default -%bcond_without python3 -%else -%bcond_with python3 -%endif - -%if 0%{?fedora} > 31 || 0%{?rhel} > 7 -# Disable python2 build by default -%bcond_with python2 -%else -%bcond_without python2 -%endif - %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} %global srcname cryptography +%global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.3.1 -Release: 2%{?dist} +Version: 3.4 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -36,31 +23,14 @@ Source2: gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg BuildRequires: openssl-devel BuildRequires: gcc BuildRequires: gnupg2 +BuildRequires: rust-packaging +BuildRequires: rust-pyo3+default-devel >= %{pyo3_version} +BuildRequires: rust-pyo3+extension-module-devel >= %{pyo3_version} -%if 0%{?with_python2} -BuildRequires: python2-cffi >= 1.7 -BuildRequires: python2-cryptography-vectors = %{version} -BuildRequires: python2-devel -BuildRequires: python2-enum34 -BuildRequires: python2-idna >= 2.1 -BuildRequires: python2-ipaddress -BuildRequires: python2-setuptools -BuildRequires: python2-six >= 1.4.1 - -%if %{with tests} -BuildRequires: python2-hypothesis >= 1.11.4 -BuildRequires: python2-iso8601 -BuildRequires: python2-pretend -BuildRequires: python2-pytest >= 3.2.1 -BuildRequires: python2-pytz -%endif -%endif - -%if 0%{?with_python3} BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 BuildRequires: python%{python3_pkgversion}-devel -BuildRequires: python%{python3_pkgversion}-idna >= 2.1 BuildRequires: python%{python3_pkgversion}-setuptools +BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 %if %{with tests} 
@@ -71,105 +41,59 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest >= 3.2.1 BuildRequires: python%{python3_pkgversion}-pytz %endif -%endif %description cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. -%if 0%{?with_python2} -%package -n python2-%{srcname} -Summary: PyCA's cryptography library - -%if 0%{?with_python3} -%{?python_provide:%python_provide python2-%{srcname}} -%else -Provides: python-%{srcname} -%endif - -Requires: openssl-libs -Requires: python2-idna >= 2.1 -Requires: python2-six >= 1.4.1 -Requires: python2-cffi >= 1.7 -Requires: python2-enum34 -Requires: python2-ipaddress - -%description -n python2-%{srcname} -cryptography is a package designed to expose cryptographic primitives and -recipes to Python developers. -%endif - -%if 0%{?with_python3} %package -n python%{python3_pkgversion}-%{srcname} Summary: PyCA's cryptography library %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} Requires: openssl-libs -Requires: python%{python3_pkgversion}-idna >= 2.1 Requires: python%{python3_pkgversion}-six >= 1.4.1 Requires: python%{python3_pkgversion}-cffi >= 1.7 %description -n python%{python3_pkgversion}-%{srcname} cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. -%endif %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -n %{srcname}-%{version} +%cargo_prep +rm -f src/rust/Cargo.lock %build -%if 0%{?with_python2} -%py2_build -%endif -%if 0%{?with_python3} +export CARGO_NET_OFFLINE=true %py3_build -%endif %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . 
-name .keep -print -delete - -%if 0%{?with_python2} -%py2_install -%endif -%if 0%{?with_python3} %py3_install -%endif %check %if %{with tests} -%if 0%{?with_python2} # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests -PYTHONPATH=%{buildroot}%{python2_sitearch} %{__python2} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" -%endif - -%if 0%{?with_python3} PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" %endif -%endif - -%if 0%{?with_python2} -%files -n python2-%{srcname} -%doc LICENSE LICENSE.APACHE LICENSE.BSD README.rst docs -%{python2_sitearch}/%{srcname} -%{python2_sitearch}/%{srcname}-%{version}-py*.egg-info -%endif - - -%if 0%{?with_python3} %files -n python%{python3_pkgversion}-%{srcname} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD %{python3_sitearch}/%{srcname} %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info -%endif - %changelog +* Sun Feb 07 2021 Christian Heimes - 3.4-1 +- Update to 3.4 (#1925953) +- Remove Python 2 support +- Remove unused python-idna dependency +- Add Rust support + * Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild diff --git a/sources b/sources index 67acd25..0b150c5 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-3.3.1.tar.gz) = 62192fe0fd3bb8844ccc0056ab72a42b038db2a4ecb0928543c520b85e1de93066dab0d604acf23d37395d68172b9618f81c6022a59ec49725bc1862096d15d1 -SHA512 (cryptography-3.3.1.tar.gz.asc) = 5ec77aa93142cafc7b8c4d2ba355da477ac403e73b30740bf4ef42ab8065efb7cc1efa6c007ae67a13b44cf43f715f1cc7fee005bfa89b5a490c0f968a7373ff +SHA512 (cryptography-3.4.tar.gz) = 5d0d1b62d67e1722f19810738dcae7a9d9ca8b228c06b334486c37d836f20a37332aa59b975d0e4154e4ae91e18546280faf6e18bef8230da42948bc02920c9f +SHA512 (cryptography-3.4.tar.gz.asc) = c26828fffa3db224d24dc1e4937bdd6061548e53d51a772743570e3896e9f1d0810fcafc8b6ad45c75ac8ebca6e97bf7a86c2de5133438856e6b8a3cafbc22e0 From 5a77f343f815d1fb25163e41087fffb6dd80de61 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Sun, 7 Feb 2021 20:48:39 +0100 Subject: [PATCH 032/111] Add missing abi3 and pytest dependencies --- python-cryptography.spec | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 4ff1761..ae1259d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -26,6 +26,7 @@ BuildRequires: gnupg2 BuildRequires: rust-packaging BuildRequires: rust-pyo3+default-devel >= %{pyo3_version} BuildRequires: rust-pyo3+extension-module-devel >= %{pyo3_version} +BuildRequires: rust-pyo3+abi3-py36-devel >= %{pyo3_version} BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 BuildRequires: python%{python3_pkgversion}-devel 
@@ -38,7 +39,9 @@ BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version} BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend -BuildRequires: python%{python3_pkgversion}-pytest >= 3.2.1 +BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 +BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 +BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif @@ -88,6 +91,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Sun Feb 07 2021 Christian Heimes - 3.4-2 +- Add missing abi3 and pytest dependencies + * Sun Feb 07 2021 Christian Heimes - 3.4-1 - Update to 3.4 (#1925953) - Remove Python 2 support From b5705ea4832990b4e551bb56d2662ad88a59e91a Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Sun, 7 Feb 2021 23:00:22 +0100 Subject: [PATCH 033/111] Update to 3.4.1 (#1925953) --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index f66525f..e6495aa 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,5 @@ /cryptography-3.3.1.tar.gz.asc /cryptography-3.4.tar.gz /cryptography-3.4.tar.gz.asc +/cryptography-3.4.1.tar.gz +/cryptography-3.4.1.tar.gz.asc diff --git a/python-cryptography.spec b/python-cryptography.spec index ae1259d..2014eb6 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,8 +6,8 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4 -Release: 2%{?dist} +Version: 3.4.1 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD 
@@ -91,6 +91,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Sun Feb 07 2021 Christian Heimes - 3.4.1-1 +- Update to 3.4.1 (#1925953) + * Sun Feb 07 2021 Christian Heimes - 3.4-2 - Add missing abi3 and pytest dependencies diff --git a/sources b/sources index 0b150c5..31d2ccd 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.4.tar.gz) = 5d0d1b62d67e1722f19810738dcae7a9d9ca8b228c06b334486c37d836f20a37332aa59b975d0e4154e4ae91e18546280faf6e18bef8230da42948bc02920c9f -SHA512 (cryptography-3.4.tar.gz.asc) = c26828fffa3db224d24dc1e4937bdd6061548e53d51a772743570e3896e9f1d0810fcafc8b6ad45c75ac8ebca6e97bf7a86c2de5133438856e6b8a3cafbc22e0 +SHA512 (cryptography-3.4.1.tar.gz) = 929cfceeb9ebfd4f14236678235f10c9de42b8c12750f03f8c52d6ff77d43784dd17acfa2145bce27fd59e346191b05840c7d4f68efcf8648d375c1e6b70ab48 +SHA512 (cryptography-3.4.1.tar.gz.asc) = 804603f18468ba21155974b43ac117bad9d33913b78336326387c29a4074a0e3dc848a4b2f9ebfe0c3ea561b806ee2172668076f60ef4a5d00ba9354c4c37139 From be860bdcae953dd9b03217cee1682c4a0c0767bf Mon Sep 17 00:00:00 2001 From: Fabio Valentini Date: Mon, 8 Feb 2021 13:51:48 +0100 Subject: [PATCH 034/111] small improvements for building the PyO3 Rust module Signed-off-by: Fabio Valentini --- python-cryptography.spec | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 2014eb6..affdc2d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.1 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD 
@@ -24,9 +24,6 @@ BuildRequires: openssl-devel BuildRequires: gcc BuildRequires: gnupg2 BuildRequires: rust-packaging -BuildRequires: rust-pyo3+default-devel >= %{pyo3_version} -BuildRequires: rust-pyo3+extension-module-devel >= %{pyo3_version} -BuildRequires: rust-pyo3+abi3-py36-devel >= %{pyo3_version} BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 BuildRequires: python%{python3_pkgversion}-devel @@ -67,8 +64,12 @@ recipes to Python developers. %cargo_prep rm -f src/rust/Cargo.lock +%generate_buildrequires +cd src/rust +%cargo_generate_buildrequires +cd ../.. + %build -export CARGO_NET_OFFLINE=true %py3_build %install @@ -91,6 +92,10 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Feb 08 2021 Fabio Valentini - 3.4.1-2 +- Use dynamically generated BuildRequires for PyO3 Rust module. +- Drop unnecessary CARGO_NET_OFFLINE environment variable. + * Sun Feb 07 2021 Christian Heimes - 3.4.1-1 - Update to 3.4.1 (#1925953) From 8fd31561e0c8e57fab71e32c7ec88e8f530c4274 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 8 Feb 2021 17:51:03 +0100 Subject: [PATCH 035/111] Update to 3.4.2 (#1926339) Package no longer depends on Rust (#1926181) --- .gitignore | 2 ++ python-cryptography.spec | 8 ++++++-- sources | 4 ++-- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index e6495aa..5f81814 100644 --- a/.gitignore +++ b/.gitignore @@ -29,3 +29,5 @@ /cryptography-3.4.tar.gz.asc /cryptography-3.4.1.tar.gz /cryptography-3.4.1.tar.gz.asc +/cryptography-3.4.2.tar.gz +/cryptography-3.4.2.tar.gz.asc diff --git a/python-cryptography.spec b/python-cryptography.spec index affdc2d..51d1de8 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
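Review bot: Nothing in `%build` now says what keeps cargo off the network once `export CARGO_NET_OFFLINE=true` is removed in this patch's `%build` hunk. The changelog calls the variable unnecessary, presumably because the config written by `%cargo_prep` already points cargo at the local crate registry. A one-line comment above `%py3_build`, such as `# cargo stays offline via the config written by %cargo_prep`, would record that assumption once it has been confirmed. With the `rust-pyo3+…` BuildRequires gone, `%global pyo3_version 0.13.1` also looks unused (later hunks on this page still show it as context) and can probably be dropped.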
@@ -6,8 +6,8 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4.1 -Release: 2%{?dist} +Version: 3.4.2 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -92,6 +92,10 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Feb 08 2021 Christian Heimes - 3.4.2-1 +- Update to 3.4.2 (#1926339) +- Package no longer depends on Rust (#1926181) + * Mon Feb 08 2021 Fabio Valentini - 3.4.1-2 - Use dynamically generated BuildRequires for PyO3 Rust module. - Drop unnecessary CARGO_NET_OFFLINE environment variable. diff --git a/sources b/sources index 31d2ccd..00d5b88 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.4.1.tar.gz) = 929cfceeb9ebfd4f14236678235f10c9de42b8c12750f03f8c52d6ff77d43784dd17acfa2145bce27fd59e346191b05840c7d4f68efcf8648d375c1e6b70ab48 -SHA512 (cryptography-3.4.1.tar.gz.asc) = 804603f18468ba21155974b43ac117bad9d33913b78336326387c29a4074a0e3dc848a4b2f9ebfe0c3ea561b806ee2172668076f60ef4a5d00ba9354c4c37139 +SHA512 (cryptography-3.4.2.tar.gz) = 8fa9fad24d55d3ff129d4ebf0837cd267bbd180429cda09e60730e67fb18e6af7ff4630989b18ab31ffc85046259eba546ad63388fd6e252bfbc850e7cbc62fc +SHA512 (cryptography-3.4.2.tar.gz.asc) = ae8ef10065db06d58879a3eb553f0d0c430f28da9a48789f09410cee694409c715972a3506c5bd3c8519125df412805b547e1109d9d3867d79858578e3082098 From e3b20e8f2628b1bfea819f71e5ded8bd039711fc Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 10 Feb 2021 10:59:27 +0100 Subject: [PATCH 036/111] Update to 3.4.4 (#1927044) --- .gitignore | 2 ++ python-cryptography.spec | 5 ++++- sources | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 5f81814..87f501d 100644 --- a/.gitignore +++ b/.gitignore 
@@ -31,3 +31,5 @@ /cryptography-3.4.1.tar.gz.asc /cryptography-3.4.2.tar.gz /cryptography-3.4.2.tar.gz.asc +/cryptography-3.4.4.tar.gz +/cryptography-3.4.4.tar.gz.asc diff --git a/python-cryptography.spec b/python-cryptography.spec index 51d1de8..5b080f1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4.2 +Version: 3.4.4 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -92,6 +92,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Feb 10 2021 Christian Heimes - 3.4.4-1 +- Update to 3.4.4 (#1927044) + * Mon Feb 08 2021 Christian Heimes - 3.4.2-1 - Update to 3.4.2 (#1926339) - Package no longer depends on Rust (#1926181) diff --git a/sources b/sources index 00d5b88..20b61a3 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.4.2.tar.gz) = 8fa9fad24d55d3ff129d4ebf0837cd267bbd180429cda09e60730e67fb18e6af7ff4630989b18ab31ffc85046259eba546ad63388fd6e252bfbc850e7cbc62fc -SHA512 (cryptography-3.4.2.tar.gz.asc) = ae8ef10065db06d58879a3eb553f0d0c430f28da9a48789f09410cee694409c715972a3506c5bd3c8519125df412805b547e1109d9d3867d79858578e3082098 +SHA512 (cryptography-3.4.4.tar.gz) = 3c94cb3eccc67cd1d7be9d16353f94a08019534517bbe9cd97ee75f05631418d1688fa7efc7284a62482d22b731de524f45268cf357d47a37a2fb033f1b9b3fc +SHA512 (cryptography-3.4.4.tar.gz.asc) = 395c8af891a2ae9c2a5954291e58d223fb5a9157794f22cf83bb798dd13534277d44846edca723b44dcbcb609e5db55e3fca7416fd452f23c5bb6e126c4c5284 From cb7384560068a5cf6866717cad6364b76cd0856f Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Fri, 12 Feb 2021 10:53:26 +0100 Subject: [PATCH 037/111] Provide RHEL build infrastructure --- python-cryptography.spec | 33 ++++++++++++++-- vendor_rust.py | 82 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 111 insertions(+), 4 deletions(-) create mode 100755 vendor_rust.py diff --git a/python-cryptography.spec b/python-cryptography.spec index 5b080f1..527d6ae 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -19,11 +19,19 @@ Source1: %{pypi_source}.asc # gpg2 --recv-keys "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" # gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg Source2: gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg +%if 0%{?rhel} + # created by ./vendor_rust.py helper script +Source3: cryptography-%{version}-vendor.tar.bz2 +%endif BuildRequires: openssl-devel BuildRequires: gcc BuildRequires: gnupg2 +%if 0%{?fedora} BuildRequires: rust-packaging +%else +BuildRequires: rust-toolset +%endif BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 BuildRequires: python%{python3_pkgversion}-devel 
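Review bot: `Source3` is a locally generated crate bundle that no step in the spec verifies. The `%{gpgverify}` line in `%prep` checks only `%{SOURCE0}` against `%{SOURCE1}`, so on RHEL the vendored crates are trusted on the lookaside checksum alone. The comment above `Source3` should say that and how the bundle has to be produced, for example `# unsigned; regenerate with ./vendor_rust.py from the gpg-verified %{SOURCE0} only`.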
@@ -33,12 +41,14 @@ BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 %if %{with tests} BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version} +%if 0%{?fedora} BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 +BuildRequires: python%{python3_pkgversion}-pytest-xdist +%endif BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 -BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif @@ -61,13 +71,20 @@ recipes to Python developers. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -n %{srcname}-%{version} -%cargo_prep -rm -f src/rust/Cargo.lock %generate_buildrequires + +%if 0%{?fedora} +# Fedora: use cargo macros to make use of RPMified crates +%cargo_prep cd src/rust +rm -f Cargo.lock %cargo_generate_buildrequires cd ../.. +%else +# RHEL: use vendored Rust crates +%cargo_prep -V 3 +%endif %build %py3_build @@ -80,6 +97,11 @@ find . -name .keep -print -delete %check %if %{with tests} +%if 0%{?rhel} +# skip hypothesis tests on RHEL +rm -rf tests/hypothesis +%endif + # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" @@ -92,6 +114,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Feb 12 2021 Christian Heimes - 3.4.4-2 +- Provide RHEL build infrastructure + * Wed Feb 10 2021 Christian Heimes - 3.4.4-1 - Update to 3.4.4 (#1927044) 
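Review bot: In the `%prep` hunk both `%cargo_prep` calls end up under `%generate_buildrequires`, so build setup (writing the cargo config and, on RHEL, presumably unpacking the vendor bundle through `-V 3`) now runs in a section whose job is to print dependencies, and on RHEL that section prints none. Keeping `%cargo_prep` and `rm -f src/rust/Cargo.lock` (Fedora) and `%cargo_prep -V 3` (RHEL) under `%prep`, and wrapping `%generate_buildrequires` with its `cd src/rust` … `%cargo_generate_buildrequires` lines in `%if 0%{?fedora}`, would keep the two concerns apart. Whether the RHEL rpm accepts an empty `%generate_buildrequires` section is not visible from this page and is worth checking.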
diff --git a/vendor_rust.py b/vendor_rust.py
new file mode 100755
index 0000000..4e25214
--- /dev/null
+++ b/vendor_rust.py
@@ -0,0 +1,82 @@
+#!/usr/bin/python3
+"""Vendor PyCA cryptography's Rust crates
+"""
+import argparse
+import glob
+import os
+import re
+import tarfile
+import tempfile
+import shutil
+import subprocess
+import sys
+
+VENDOR_DIR = "vendor"
+CARGO_TOML = "src/rust/Cargo.toml"
+RE_VERSION = re.compile("Version:\s*(.*)")
+
+parser = argparse.ArgumentParser(description="Vendor Rust packages")
+parser.add_argument(
+ "--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
+)
+
+
+def cargo(cmd, manifest):
+ args = ["cargo", cmd, f"--manifest-path={manifest}"]
+ return subprocess.check_call(
+ args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
+ )
+
+
+def main():
+ args = parser.parse_args()
+ spec = args.spec
+
+ # change cwd to work in bundle directory
+ here = os.path.dirname(os.path.abspath(spec))
+ os.chdir(here)
+
+ # extract version number from bundle name
+ with open(spec) as f:
+ for line in f:
+ mo = RE_VERSION.search(line)
+ if mo is not None:
+ version = mo.group(1)
+ break
+ else:
+ raise ValueError(f"Cannot find version in {spec}")
+
+ bundle_file = f"cryptography-{version}.tar.gz"
+ vendor_file = f"cryptography-{version}-vendor.tar.bz2"
+
+ # remove existing vendor directory and file
+ if os.path.isdir(VENDOR_DIR):
+ shutil.rmtree(VENDOR_DIR)
+ try:
+ os.unlink(vendor_file)
+ except FileNotFoundError:
+ pass
+
+ print(f"Getting crates for {bundle_file}", file=sys.stderr)
+
+ # extract tar file in tempdir
+ # fetch and vendor Rust crates
+ with tempfile.TemporaryDirectory(dir=here) as tmp:
+ with tarfile.open(bundle_file) as tar:
+ tar.extractall(path=tmp)
+ manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
+ cargo("fetch", manifest)
+ cargo("vendor", manifest)
+
+ print("\nCreating tar ball...", file=sys.stderr)
+ with tarfile.open(vendor_file, "x:bz2") as tar:
+ tar.add(VENDOR_DIR)
+
+ # remove vendor dir
+ shutil.rmtree(VENDOR_DIR)
+
+ parser.exit(0, f"Created {vendor_file}\n")
+
+
+if __name__ ==
"__main__": + main() From cf06cdcb9415cffdbff0f698a15f71b3f6d077fe Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 12 Feb 2021 16:47:08 +0100 Subject: [PATCH 038/111] Skip iso8601 and pretend tests on RHEL --- conftest-skipper.py | 22 ++++++++++++++++++++++ python-cryptography.spec | 12 +++++++++--- 2 files changed, 31 insertions(+), 3 deletions(-) create mode 100644 conftest-skipper.py diff --git a/conftest-skipper.py b/conftest-skipper.py new file mode 100644 index 0000000..5a1de83 --- /dev/null +++ b/conftest-skipper.py @@ -0,0 +1,22 @@ + +class Skipper: + """Skip iso8601 and pretend tests + + RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip + all tests that use the excluded modules. + """ + + def parse_date(self, datestring): + pytest.skip(f"iso8601 module is not available.") + + def stub(self, **kwargs): + pytest.skip(f"pretend module is not available.") + + def raiser(self, exc): + pytest.skip(f"pretend module is not available.") + + +import sys + +sys.modules["iso8601"] = sys.modules["pretend"] = Skipper() + diff --git a/python-cryptography.spec b/python-cryptography.spec index 527d6ae..2c40030 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -22,6 +22,7 @@ Source2: gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg %if 0%{?rhel} # created by ./vendor_rust.py helper script Source3: cryptography-%{version}-vendor.tar.bz2 +Source4: conftest-skipper.py %endif BuildRequires: openssl-devel 
@@ -43,10 +44,10 @@ BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version} %if 0%{?fedora} BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 -BuildRequires: python%{python3_pkgversion}-pytest-xdist -%endif BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend +BuildRequires: python%{python3_pkgversion}-pytest-xdist +%endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 BuildRequires: python%{python3_pkgversion}-pytz @@ -100,6 +101,8 @@ find . -name .keep -print -delete %if 0%{?rhel} # skip hypothesis tests on RHEL rm -rf tests/hypothesis +# append skipper to skip iso8601 and pretend tests +cat < %{SOURCE4} >> tests/conftest.py %endif # see https://github.com/pyca/cryptography/issues/4885 and @@ -114,6 +117,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Feb 12 2021 Christian Heimes - 3.4.4-3 +- Skip iso8601 and pretend tests on RHEL + * Fri Feb 12 2021 Christian Heimes - 3.4.4-2 - Provide RHEL build infrastructure From f8b1daa766bc824103a28e784098e769d665c428 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 15 Feb 2021 08:22:18 +0100 Subject: [PATCH 039/111] Update to 3.4.5 (#1927044) --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 87f501d..6f739f1 100644 --- a/.gitignore +++ b/.gitignore @@ -33,3 +33,5 @@ /cryptography-3.4.2.tar.gz.asc /cryptography-3.4.4.tar.gz /cryptography-3.4.4.tar.gz.asc +/cryptography-3.4.5.tar.gz +/cryptography-3.4.5.tar.gz.asc diff --git a/python-cryptography.spec b/python-cryptography.spec index 2c40030..d4ca3f3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -6,8 +6,8 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4.4 -Release: 3%{?dist} +Version: 3.4.5 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -117,6 +117,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Feb 15 2021 Christian Heimes - 3.4.5-1 +- Update to 3.4.5 (#1927044) + * Fri Feb 12 2021 Christian Heimes - 3.4.4-3 - Skip iso8601 and pretend tests on RHEL diff --git a/sources b/sources index 20b61a3..3d2089b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.4.4.tar.gz) = 3c94cb3eccc67cd1d7be9d16353f94a08019534517bbe9cd97ee75f05631418d1688fa7efc7284a62482d22b731de524f45268cf357d47a37a2fb033f1b9b3fc -SHA512 (cryptography-3.4.4.tar.gz.asc) = 395c8af891a2ae9c2a5954291e58d223fb5a9157794f22cf83bb798dd13534277d44846edca723b44dcbcb609e5db55e3fca7416fd452f23c5bb6e126c4c5284 +SHA512 (cryptography-3.4.5.tar.gz) = a8cf49193cbc11eb36fbcdd6987e7333a29af849607f63ea2bb6faad9caf4b3d7d8f09b9c30bee0e5ccda115bb64b3665d5be3f143759c7d6e3772ebf652642c +SHA512 (cryptography-3.4.5.tar.gz.asc) = 38763a62ab15370819f9aaac7464f5ea2613ceff9caecdca5a7d073ae65f1ec3366f1f32e8b8922d7c6f397ff0c138b3a4ae460648daa93f8847a3f7b01f0e22 From fd227175fd8e3425efeede8063ae47861bccfcca Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 16 Feb 2021 14:33:41 +0100 Subject: [PATCH 040/111] Create reproducible tar file --- vendor_rust.py | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/vendor_rust.py b/vendor_rust.py index 4e25214..cd8355e 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -2,7 +2,6 @@ """Vendor PyCA cryptography's Rust crates """ import argparse -import glob import os import re import tarfile 
@@ -28,6 +27,37 @@ def cargo(cmd, manifest): ) +def tar_reset(tarinfo): + """Reset user, group, mtime, and mode to create reproducible tar""" + tarinfo.uid = 0 + tarinfo.gid = 0 + tarinfo.uname = "root" + tarinfo.gname = "root" + tarinfo.mtime = 0 + if tarinfo.type == tarfile.DIRTYPE: + tarinfo.mode = 0o755 + else: + tarinfo.mode = 0o644 + if tarinfo.pax_headers: + raise ValueError(tarinfo.name, tarinfo.pax_headers) + return tarinfo + + +def tar_reproducible(tar, basedir): + """Create reproducible tar file""" + + content = [basedir] + for root, dirs, files in os.walk(basedir): + for directory in dirs: + content.append(os.path.join(root, directory)) + for filename in files: + content.append(os.path.join(root, filename)) + content.sort() + + for fn in content: + tar.add(fn, filter=tar_reset, recursive=False, arcname=fn) + + def main(): args = parser.parse_args() spec = args.spec @@ -70,7 +100,7 @@ def main(): print("\nCreating tar ball...", file=sys.stderr) with tarfile.open(vendor_file, "x:bz2") as tar: - tar.add(VENDOR_DIR) + tar_reproducible(tar, VENDOR_DIR) # remove vendor dir shutil.rmtree(VENDOR_DIR) From 7898d952a8384ad1481b6d451d55a1ac4f8a6594 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 3 Mar 2021 13:20:21 +0100 Subject: [PATCH 041/111] Update to 3.4.6 (#1927044) --- .gitignore | 2 ++ README.md | 2 -- python-cryptography.spec | 5 ++++- sources | 4 ++-- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 6f739f1..bd7832a 100644 --- a/.gitignore +++ b/.gitignore @@ -35,3 +35,5 @@ /cryptography-3.4.4.tar.gz.asc /cryptography-3.4.5.tar.gz /cryptography-3.4.5.tar.gz.asc +/cryptography-3.4.6.tar.gz +/cryptography-3.4.6.tar.gz.asc diff --git a/README.md b/README.md index c100762..d673048 100644 --- a/README.md +++ b/README.md 
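Review bot: `tar_reproducible()` fixes owner, mtime and mode, but the archive format is still whatever `tarfile.open(vendor_file, "x:bz2")` defaults to, and that default differs between Python versions. Two maintainers can therefore still get different bytes from identical crates; pass the format explicitly, e.g. `tarfile.open(vendor_file, "x:bz2", format=tarfile.PAX_FORMAT)`. That call sits in `main()`, which is only partly shown in the last hunk. `tar_reset()` raises `ValueError(tarinfo.name, tarinfo.pax_headers)` with no message; a short text saying that extended headers are refused because they would break reproducibility would help whoever hits it. The docstrings could also state that members are added in sorted path order and that every non-directory entry is forced to mode `0o644`.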
@@ -49,7 +49,6 @@ fedpkg new-sources cryptography_vectors-3.4.tar.gz Commit changes ```shell -git add sources .gitignore python-cryptography-vectors.spec fedpkg commit --clog fedpkg push ``` @@ -86,7 +85,6 @@ fedpkg new-sources cryptography-3.4.tar.gz cryptography-3.4.tar.gz.asc Commit changes ```shell -git add sources .gitignore python-cryptography.spec fedpkg commit --clog fedpkg push ``` diff --git a/python-cryptography.spec b/python-cryptography.spec index d4ca3f3..e4f3235 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4.5 +Version: 3.4.6 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -117,6 +117,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Mar 03 2021 Christian Heimes - 3.4.6-1 +- Update to 3.4.6 (#1927044) + * Mon Feb 15 2021 Christian Heimes - 3.4.5-1 - Update to 3.4.5 (#1927044) diff --git a/sources b/sources index 3d2089b..da81927 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.4.5.tar.gz) = a8cf49193cbc11eb36fbcdd6987e7333a29af849607f63ea2bb6faad9caf4b3d7d8f09b9c30bee0e5ccda115bb64b3665d5be3f143759c7d6e3772ebf652642c -SHA512 (cryptography-3.4.5.tar.gz.asc) = 38763a62ab15370819f9aaac7464f5ea2613ceff9caecdca5a7d073ae65f1ec3366f1f32e8b8922d7c6f397ff0c138b3a4ae460648daa93f8847a3f7b01f0e22 +SHA512 (cryptography-3.4.6.tar.gz) = 30b712adc5cc114faeb7bfef0b9de88c6daefa5a8b99e53bd6d37b8ed560bd1d396cbb202902c307b90f40d695bde151164436bf233fb726dc836c8b70126653 +SHA512 (cryptography-3.4.6.tar.gz.asc) = 91e8c5f5e9e0d440d0882f0bf2f5f039b299c88f03f52d4060f0ee2a18d46ca6503d77444196db91b8d29c7b302b238461795d252777f9bc2953c52789df9fad From 7e4d2cc3e898c5e2eabb91dc75e23f62e0cd950c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 10 Mar 2021 13:18:44 +0100 Subject: [PATCH 042/111] This is now a Rust package, hence it only builds on %{rust_arches} No real difference for Fedora or modern RHEL, but the guidelines say so: https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/#_exclusivearch --- python-cryptography.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index e4f3235..f157ee4 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -25,6 +25,8 @@ Source3: cryptography-%{version}-vendor.tar.bz2 Source4: conftest-skipper.py %endif +ExclusiveArch: %{rust_arches} + BuildRequires: openssl-devel BuildRequires: gcc BuildRequires: gnupg2 From 19b6996e722be8ce4912a40e5c7b307d207ea965 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 13 Apr 2021 08:44:13 +0200 Subject: [PATCH 043/111] Mention vendoring for RHEL/CentOS packaging --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index d673048..ee71b2b 100644 --- a/README.md +++ b/README.md @@ -94,3 +94,16 @@ Build ```shell fedpkg build --target=f34-build-side-12345 ``` + +## RHEL/CentOS builds + +RHEL and CentOS use a different approach for Rust crates packaging than +Fedora. On Fedora Rust dependencies are packaged as RPMs, e.g. +``rust-pyo3+default-devel`` RPM. These packages don't exist on RHEL and +CentOS. Instead python-cryptography uses a tar ball with vendored crates. +The tar ball is created by a script: + +```shell +./vendor_rust.py +rhpkg upload cryptography-3.4-vendor.tar.bz2 +``` From 5fdccbab1d77ad7362acbb66c4694e4d86e30f6c Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Wed, 21 Apr 2021 13:39:53 +0200 Subject: [PATCH 044/111] Update to 3.4.7, use vectors from sources (#1952024) python-cryptography now uses source bundle from Github, which contains sources of vectors, too. Tests are no longer depending on python3-cryptography-vectors. Instead tests are using the bundles vectors package. Resolves RHBZ#1952024 --- .gitignore | 1 + README.md | 60 ++---------------- ...CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg | Bin 1188 -> 0 bytes python-cryptography.spec | 33 +++++----- sources | 3 +- 5 files changed, 25 insertions(+), 72 deletions(-) delete mode 100644 gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg diff --git a/.gitignore b/.gitignore index bd7832a..cf9ac7e 100644 --- a/.gitignore +++ b/.gitignore @@ -37,3 +37,4 @@ /cryptography-3.4.5.tar.gz.asc /cryptography-3.4.6.tar.gz /cryptography-3.4.6.tar.gz.asc +/cryptography-3.4.7.tar.gz diff --git a/README.md b/README.md index ee71b2b..33554c0 100644 --- a/README.md +++ b/README.md 
@@ -8,57 +8,7 @@ The example assumes * Fedora Rawhide (f34) * PyCA cryptography release ``3.4`` -* Update Bugzilla issues are ``RHBZ#00000001`` and ``RHBZ#00000002`` -* Build side tag is ``f34-build-side-12345`` - -### Request a side tag for building - -python-cryptography builds depend on python-cryptography-vectors -package. Both packages must be build in a side tag. - -```shell -fedpkg request-side-tag --base-tag f34-build -``` - -### Build new python-cryptography-vectors first - -```shell -pushd ../python-cryptography-vectors -``` - -Switch and update branch - -```shell -fedpkg switch-branch rawhide -fedpkg pull -``` - -Bump version and get sources - -```shell -rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography-vectors.spec -spectool -gf python-cryptography-vectors.spec -``` - -Upload sources - -```shell -fedpkg new-sources cryptography_vectors-3.4.tar.gz -``` - -Commit changes - -```shell -fedpkg commit --clog -fedpkg push -``` - -Build and wait for repo to regenerate - -```shell -fedpkg build --target=f34-build-side-12345 -koji wait-repo --build python-cryptography-vectors-3.4-1 f34-build-side-12345 -``` +* Update Bugzilla issue is ``RHBZ#00000001`` ### Build new python-cryptography @@ -72,14 +22,14 @@ fedpkg pull Bump version and get sources ```shell -rpmdev-bumpspec -c "Update to 3.4 (#00000002)" -n 3.4 python-cryptography.spec +rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography.spec spectool -gf python-cryptography.spec ``` -Upload new sources (**two files!**) +Upload new source ```shell -fedpkg new-sources cryptography-3.4.tar.gz cryptography-3.4.tar.gz.asc +fedpkg new-sources cryptography-3.4.tar.gz ``` Commit changes @@ -92,7 +42,7 @@ fedpkg push Build ```shell -fedpkg build --target=f34-build-side-12345 +fedpkg build ``` ## RHEL/CentOS builds 
diff --git a/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg b/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg deleted file mode 100644 index dcae2d294ee960fa1eef388915659a59fa32b11d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1188 zcmV;V1Y7%=0SyFFBCR_C2mru&73El&3H2t5nI68Q9hzL>cT6mwg4zkC{+7HPTeg8I z5C7)pzdb1LWju5%BxHBsP5O}OCXjdQEW2i$Lc+)O4ZOLxR^_+WviC;x)2|n`7borH zlrmsn)=F-Ho)o7%uUf!Q>Yx>9Vp)dWmAs3e|O^!kSv_QwU>+~kgjV=sbx zG_MY5!uxRNARqsoa}NL!0RRECB~W2?Y#>WzXmVw8AUtqkb!;wdE^B3Ia%FNrXKi6= zY%XJOZ9a(sI0O>`0stZf0#YKaI|3U61`7!Y2Ll2I6$k?hwshfU)IXoeRR;O;Hl&0joy8{$+b?307y>Hw#e2 zJ#MXXZ+O6C6Q)@WYf}5PDzBN=KS&W0skd_(ad2fj5zp%~A!(0Y%SW02Q;Supcd40($4vJ{JY9kGNjS!)Rk#yu* z(&X#V9BFp}Bi`3arWBhy=N-TgidssU_h-GqkF788NsqUMSeT8tM<8SNRbflj3C@z46XJ_GltsY7hNpD#p3*0NR;IX(;tNxIUZAsp zvjrv5&pWLPa@OxSbk4_AoNwSVa%`p-QSMMy>LXK~o2aan76TNt+ zDck+9&Z^K!qC4oS0_0JBrP){@>SfU>%js_t{o{pPu7AV6cf~{?y9$Y|9Gf}%7gY>) zoy7Gp;9k9dgut!<8{2(s#E}#$7tV%J|8DBf(OWWwZ^Lk}7`vl1UWL{52xxj7!X z7ih~}%ROYB{F_#F;5kf8x~D$-2>AEWPu4N-OhF`_8Y#xZ9_QbJcFF|>A91rmEwi$; z*Hici!kJ_R)x!~a=Tr;EdY;ia^|!vO#PUj~E7UXPt!hCPJ@@WHq@+{FNG1$0Ubbi@ CEhzZ_ diff --git a/python-cryptography.spec b/python-cryptography.spec index f157ee4..f107e9b 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -6,23 +6,17 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4.6 +Version: 3.4.7 Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ -Source0: %{pypi_source} -Source1: %{pypi_source}.asc -# key ids of upstream authors are published in the AUTHORS file: -# https://github.com/pyca/cryptography/blob/master/AUTHORS.rst -# gpg2 --recv-keys "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" -# gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg -Source2: gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg +Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz %if 0%{?rhel} # created by ./vendor_rust.py helper script -Source3: cryptography-%{version}-vendor.tar.bz2 -Source4: conftest-skipper.py +Source1: cryptography-%{version}-vendor.tar.bz2 +Source2: conftest-skipper.py %endif ExclusiveArch: %{rust_arches} @@ -43,7 +37,6 @@ BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 %if %{with tests} -BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version} %if 0%{?fedora} BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 BuildRequires: python%{python3_pkgversion}-iso8601 
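Review bot: With the new `Source0` in this hunk the detached signature and keyring sources are gone, and the `%prep` hunk further down deletes the `%{gpgverify}` line, so the build no longer authenticates the upstream tarball. What remains is the SHA512 entry in `sources`, which only shows that the file is the one the packager uploaded, not that it is what upstream published. If the GitHub archive is needed for the bundled vectors, as the commit message says, record the trade-off and the manual check next to the source line, e.g. `# GitHub archive is unsigned; compare its contents with the signed PyPI sdist (if upstream still publishes the .asc) before running fedpkg new-sources`. Judging from the hunks shown, `BuildRequires: gnupg2` also appears to be left without a user after this change.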
@@ -66,13 +59,16 @@ Summary: PyCA's cryptography library Requires: openssl-libs Requires: python%{python3_pkgversion}-six >= 1.4.1 Requires: python%{python3_pkgversion}-cffi >= 1.7 +%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 +# Can be safely removed in Fedora 37 +Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7 +%endif %description -n python%{python3_pkgversion}-%{srcname} cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -n %{srcname}-%{version} %generate_buildrequires @@ -86,7 +82,7 @@ rm -f Cargo.lock cd ../.. %else # RHEL: use vendored Rust crates -%cargo_prep -V 3 +%cargo_prep -V 1 %endif %build @@ -104,12 +100,14 @@ find . -name .keep -print -delete # skip hypothesis tests on RHEL rm -rf tests/hypothesis # append skipper to skip iso8601 and pretend tests -cat < %{SOURCE4} >> tests/conftest.py +cat < %{SOURCE2} >> tests/conftest.py %endif # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests -PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" +PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ + %{__python3} -m pytest \ + -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" %endif %files -n python%{python3_pkgversion}-%{srcname} 
@@ -119,6 +117,11 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Apr 21 2021 Christian Heimes - 3.4.7-1 +- Update to 3.4.7 +- Remove dependency on python-cryptography-vectors package and use vectors + directly from Github source tar ball. (#1952024) + * Wed Mar 03 2021 Christian Heimes - 3.4.6-1 - Update to 3.4.6 (#1927044) diff --git a/sources b/sources index da81927..a6bf867 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (cryptography-3.4.6.tar.gz) = 30b712adc5cc114faeb7bfef0b9de88c6daefa5a8b99e53bd6d37b8ed560bd1d396cbb202902c307b90f40d695bde151164436bf233fb726dc836c8b70126653 -SHA512 (cryptography-3.4.6.tar.gz.asc) = 91e8c5f5e9e0d440d0882f0bf2f5f039b299c88f03f52d4060f0ee2a18d46ca6503d77444196db91b8d29c7b302b238461795d252777f9bc2953c52789df9fad +SHA512 (cryptography-3.4.7.tar.gz) = e76d0949fbaca06d2f72805bdce8ea85056ae45b978f51d70d1367bbfb1067e9db76a9f080f890e95ec52c788a3d2fd3ba0a286901f97ee2911ebd7a7a8f71a9 From b166e77e86d756b18cd79aeced13f5f3b6341a50 Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Tue, 11 May 2021 10:19:55 +0200 Subject: [PATCH 045/111] Python 3.10 and OpenSSL 3.0.0 fixes (#1952522) Fix compatibility issue with Python 3.10. Enums now use same representation as on Python 3.9. Backport OpenSSL 3.0.0 compatibility patches. Resolves: RHBZ#1952522 --- ...cs12-parse-ordering.-fixes-5872-5879.patch | 130 ++++++ 0002-WIP-3.0.0-support-5250.patch | 415 ++++++++++++++++++ ...EVP_PKEY_derive-instead-of-DH_comput.patch | 151 +++++++ ...Use-well-defined-enum-representation.patch | 366 +++++++++++++++ python-cryptography.spec | 11 +- 5 files changed, 1072 insertions(+), 1 deletion(-) create mode 100644 0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch create mode 100644 0002-WIP-3.0.0-support-5250.patch create mode 100644 0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch create mode 100644 0004-Use-well-defined-enum-representation.patch diff --git a/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch b/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch new file mode 100644 index 0000000..e73331a --- /dev/null +++ b/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch 
@@ -0,0 +1,130 @@ +From cb1908043d5daa7c5c38945c048c4a2477a46221 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Sun, 28 Feb 2021 16:06:11 -0600 +Subject: [PATCH 1/4] fix pkcs12 parse ordering. fixes #5872 (#5879) + +* fix pkcs12 parse ordering. fixes #5872 + +* remove an unneeded print + +* simplify the test a bit more + +* index + +* black + +* Update tests/hazmat/primitives/test_pkcs12.py + +Co-authored-by: Alex Gaynor + +Co-authored-by: Alex Gaynor +--- + .../hazmat/backends/openssl/backend.py | 5 +- + tests/hazmat/primitives/test_pkcs12.py | 58 ++++++++++++++++++- + 2 files changed, 59 insertions(+), 4 deletions(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index 271873d9..a96d08d8 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -6,6 +6,7 @@ + import collections + import contextlib + import itertools ++import typing + import warnings + from contextlib import contextmanager + +@@ -2562,9 +2563,7 @@ class Backend(object): + sk_x509 = self._lib.sk_X509_new_null() + sk_x509 = self._ffi.gc(sk_x509, self._lib.sk_X509_free) + +- # reverse the list when building the stack so that they're encoded +- # in the order they were originally provided. 
it is a mystery +- for ca in reversed(cas): ++ for ca in cas: + res = self._lib.sk_X509_push(sk_x509, ca._x509) + backend.openssl_assert(res >= 1) + +diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py +index b5de09f9..b1759a1b 100644 +--- a/tests/hazmat/primitives/test_pkcs12.py ++++ b/tests/hazmat/primitives/test_pkcs12.py +@@ -4,13 +4,15 @@ + + + import os ++from datetime import datetime + + import pytest + + from cryptography import x509 + from cryptography.hazmat.backends.interfaces import DERSerializationBackend + from cryptography.hazmat.backends.openssl.backend import _RC2 +-from cryptography.hazmat.primitives import serialization ++from cryptography.hazmat.primitives import hashes, serialization ++from cryptography.hazmat.primitives.asymmetric import ec + from cryptography.hazmat.primitives.serialization import load_pem_private_key + from cryptography.hazmat.primitives.serialization.pkcs12 import ( + load_key_and_certificates, +@@ -273,3 +275,57 @@ class TestPKCS12Creation(object): + DummyKeySerializationEncryption(), + ) + assert str(exc.value) == "Unsupported key encryption type" ++ ++ ++def test_pkcs12_ordering(): ++ """ ++ In OpenSSL < 3.0.0 PKCS12 parsing reverses the order. However, we ++ accidentally thought it was **encoding** that did it, leading to bug ++ https://github.com/pyca/cryptography/issues/5872 ++ This test ensures our ordering is correct going forward. ++ """ ++ ++ def make_cert(name): ++ key = ec.generate_private_key(ec.SECP256R1()) ++ subject = x509.Name( ++ [ ++ x509.NameAttribute(x509.NameOID.COMMON_NAME, name), ++ ] ++ ) ++ now = datetime.utcnow() ++ cert = ( ++ x509.CertificateBuilder() ++ .subject_name(subject) ++ .issuer_name(subject) ++ .public_key(key.public_key()) ++ .serial_number(x509.random_serial_number()) ++ .not_valid_before(now) ++ .not_valid_after(now) ++ .sign(key, hashes.SHA256()) ++ ) ++ return (key, cert) ++ ++ # Make some certificates with distinct names. 
++ a_name = "A" * 20 ++ b_name = "B" * 20 ++ c_name = "C" * 20 ++ a_key, a_cert = make_cert(a_name) ++ _, b_cert = make_cert(b_name) ++ _, c_cert = make_cert(c_name) ++ ++ # Bundle them in a PKCS#12 file in order A, B, C. ++ p12 = serialize_key_and_certificates( ++ b"p12", a_key, a_cert, [b_cert, c_cert], serialization.NoEncryption() ++ ) ++ ++ # Parse them out. The API should report them in the same order. ++ (key, cert, certs) = load_key_and_certificates(p12, None) ++ assert cert == a_cert ++ assert certs == [b_cert, c_cert] ++ ++ # The ordering in the PKCS#12 file itself should also match. ++ a_idx = p12.index(a_name.encode("utf-8")) ++ b_idx = p12.index(b_name.encode("utf-8")) ++ c_idx = p12.index(c_name.encode("utf-8")) ++ ++ assert a_idx < b_idx < c_idx +-- +2.31.1 + diff --git a/0002-WIP-3.0.0-support-5250.patch b/0002-WIP-3.0.0-support-5250.patch new file mode 100644 index 0000000..c99eea8 --- /dev/null +++ b/0002-WIP-3.0.0-support-5250.patch 
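Review bot: The `backend.py` part of 0001 only removes the `reversed(cas)` on the serialization side, while the matching parse-side ordering (and the only use of the newly added `import typing`) arrives in 0002, so this patch is not self-contained. Applied on its own against OpenSSL older than 3.0.0, `test_pkcs12_ordering` would presumably fail at `assert certs == [b_cert, c_cert]`, because parsing would still hand back the additional certificates in reversed order. Callers of `load_key_and_certificates` may depend on that order, so state the coupling next to the `Patch` entries in the spec (not visible here), e.g. `# 0001 and 0002 must be applied together: 0002 carries the parse-side half of the PKCS#12 ordering fix`.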
@@ -0,0 +1,415 @@ +From a0bece343e38d73d038d4f3a62c2a9638608ac9c Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 22 Apr 2021 19:16:38 -0500 +Subject: [PATCH 2/4] [WIP] 3.0.0 support (#5250) + +* 3.0.0 support + +* almost...there... + +* make mypy happy +--- + .github/workflows/ci.yml | 7 ++-- + src/_cffi_src/build_openssl.py | 1 + + src/_cffi_src/openssl/cryptography.py | 3 ++ + src/_cffi_src/openssl/err.py | 6 +++ + src/_cffi_src/openssl/fips.py | 2 +- + src/_cffi_src/openssl/provider.py | 40 ++++++++++++++++++ + .../hazmat/backends/openssl/backend.py | 42 ++++++++++++++++--- + .../hazmat/backends/openssl/ciphers.py | 15 ++++++- + .../hazmat/bindings/openssl/_conditional.py | 11 +++++ + .../hazmat/bindings/openssl/binding.py | 20 +++++++++ + tests/hazmat/backends/test_openssl_memleak.py | 6 ++- + tests/hazmat/bindings/test_openssl.py | 4 +- + tests/hazmat/primitives/test_dh.py | 24 ++++++++++- + 13 files changed, 167 insertions(+), 14 deletions(-) + create mode 100644 src/_cffi_src/openssl/provider.py + +diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml +index cd967a3a..747f84c1 100644 +--- a/.github/workflows/ci.yml ++++ b/.github/workflows/ci.yml +@@ -18,9 +18,10 @@ jobs: + - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"} + - {VERSION: "pypy3", TOXENV: "pypy3"} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} +- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}} +- - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}} +- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} ++ - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine 
no-rc2 no-srtp no-ct"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}} +diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py +index 08499d66..557296ed 100644 +--- a/src/_cffi_src/build_openssl.py ++++ b/src/_cffi_src/build_openssl.py +@@ -104,6 +104,7 @@ ffi = build_ffi_for_binding( + "osrandom_engine", + "pem", + "pkcs12", ++ "provider", + "rand", + "rsa", + "ssl", +diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py +index e2b5a132..06d1e778 100644 +--- a/src/_cffi_src/openssl/cryptography.py ++++ b/src/_cffi_src/openssl/cryptography.py +@@ -34,6 +34,8 @@ INCLUDES = """ + + #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ + (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) ++#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ ++ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) + + #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ + (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL) +@@ -53,6 +55,7 @@ INCLUDES = """ + + TYPES = """ + static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; ++static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; + + static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111; + static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B; +diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py +index 0634b656..8cfeaf5b 100644 +--- a/src/_cffi_src/openssl/err.py ++++ b/src/_cffi_src/openssl/err.py +@@ -18,6 +18,7 @@ static const int EVP_R_UNKNOWN_PBE_ALGORITHM; + + static const int ERR_LIB_EVP; + static const int ERR_LIB_PEM; ++static const int ERR_LIB_PROV; + static const int ERR_LIB_ASN1; + static const int ERR_LIB_PKCS12; + +@@ -45,4 
+46,9 @@ int ERR_GET_REASON(unsigned long); + """ + + CUSTOMIZATIONS = """ ++/* This define is tied to provider support and is conditionally ++ removed if Cryptography_HAS_PROVIDERS is false */ ++#ifndef ERR_LIB_PROV ++#define ERR_LIB_PROV 0 ++#endif + """ +diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py +index b9d0d64d..23c10af9 100644 +--- a/src/_cffi_src/openssl/fips.py ++++ b/src/_cffi_src/openssl/fips.py +@@ -17,7 +17,7 @@ int FIPS_mode(void); + """ + + CUSTOMIZATIONS = """ +-#if CRYPTOGRAPHY_IS_LIBRESSL ++#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + static const long Cryptography_HAS_FIPS = 0; + int (*FIPS_mode_set)(int) = NULL; + int (*FIPS_mode)(void) = NULL; +diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py +new file mode 100644 +index 00000000..d7d659ea +--- /dev/null ++++ b/src/_cffi_src/openssl/provider.py +@@ -0,0 +1,40 @@ ++# This file is dual licensed under the terms of the Apache License, Version ++# 2.0, and the BSD License. See the LICENSE file in the root of this repository ++# for complete details. ++ ++ ++INCLUDES = """ ++#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ++#include ++#include ++#endif ++""" ++ ++TYPES = """ ++static const long Cryptography_HAS_PROVIDERS; ++ ++typedef ... OSSL_PROVIDER; ++typedef ... 
OSSL_LIB_CTX; ++ ++static const long PROV_R_BAD_DECRYPT; ++static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH; ++""" ++ ++FUNCTIONS = """ ++OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *); ++int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); ++""" ++ ++CUSTOMIZATIONS = """ ++#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ++static const long Cryptography_HAS_PROVIDERS = 1; ++#else ++static const long Cryptography_HAS_PROVIDERS = 0; ++typedef void OSSL_PROVIDER; ++typedef void OSSL_LIB_CTX; ++static const long PROV_R_BAD_DECRYPT = 0; ++static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH = 0; ++OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; ++int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; ++#endif ++""" +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index a96d08d8..86e8f0a8 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -1281,6 +1281,11 @@ class Backend(object): + def _evp_pkey_from_der_traditional_key(self, bio_data, password): + key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL) + if key != self._ffi.NULL: ++ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will ++ # successfully load but errors are still put on the stack. Tracked ++ # as https://github.com/openssl/openssl/issues/14996 ++ self._consume_errors() ++ + key = self._ffi.gc(key, self._lib.EVP_PKEY_free) + if password is not None: + raise TypeError( +@@ -1448,6 +1453,11 @@ class Backend(object): + else: + self._handle_key_loading_error() + ++ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will ++ # successfully load but errors are still put on the stack. 
Tracked ++ # as https://github.com/openssl/openssl/issues/14996 ++ self._consume_errors() ++ + evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) + + if password is not None and userdata.called == 0: +@@ -1470,11 +1480,22 @@ class Backend(object): + "incorrect format or it may be encrypted with an unsupported " + "algorithm." + ) +- elif errors[0]._lib_reason_match( +- self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT +- ) or errors[0]._lib_reason_match( +- self._lib.ERR_LIB_PKCS12, +- self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, ++ ++ elif ( ++ errors[0]._lib_reason_match( ++ self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT ++ ) ++ or errors[0]._lib_reason_match( ++ self._lib.ERR_LIB_PKCS12, ++ self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, ++ ) ++ or ( ++ self._lib.Cryptography_HAS_PROVIDERS ++ and errors[0]._lib_reason_match( ++ self._lib.ERR_LIB_PROV, ++ self._lib.PROV_R_BAD_DECRYPT, ++ ) ++ ) + ): + raise ValueError("Bad decrypt. Incorrect password?") + +@@ -2520,7 +2541,16 @@ class Backend(object): + if sk_x509_ptr[0] != self._ffi.NULL: + sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free) + num = self._lib.sk_X509_num(sk_x509_ptr[0]) +- for i in range(num): ++ ++ # In OpenSSL < 3.0.0 PKCS12 parsing reverses the order of the ++ # certificates. 
++ indices: typing.Iterable[int] ++ if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: ++ indices = range(num) ++ else: ++ indices = reversed(range(num)) ++ ++ for i in indices: + x509 = self._lib.sk_X509_value(sk_x509, i) + self.openssl_assert(x509 != self._ffi.NULL) + x509 = self._ffi.gc(x509, self._lib.X509_free) +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 0f96795f..a2dd6894 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -145,7 +145,13 @@ class _CipherContext(object): + res = self._backend._lib.EVP_CipherUpdate( + self._ctx, outbuf, outlen, inbuf, inlen + ) +- self._backend.openssl_assert(res != 0) ++ if res == 0 and isinstance(self._mode, modes.XTS): ++ raise ValueError( ++ "In XTS mode you must supply at least a full block in the " ++ "first update call. For AES this is 16 bytes." ++ ) ++ else: ++ self._backend.openssl_assert(res != 0) + data_processed += inlen + total_out += outlen[0] + +@@ -174,6 +180,13 @@ class _CipherContext(object): + errors[0]._lib_reason_match( + self._backend._lib.ERR_LIB_EVP, + self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH, ++ ) ++ or ( ++ self._backend._lib.Cryptography_HAS_PROVIDERS ++ and errors[0]._lib_reason_match( ++ self._backend._lib.ERR_LIB_PROV, ++ self._backend._lib.PROV_R_WRONG_FINAL_BLOCK_LENGTH, ++ ) + ), + errors=errors, + ) +diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py +index 86548357..1f42c7be 100644 +--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py ++++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py +@@ -270,6 +270,16 @@ def cryptography_has_get_proto_version(): + ] + + ++def cryptography_has_providers(): ++ return [ ++ "OSSL_PROVIDER_load", ++ "OSSL_PROVIDER_unload", ++ "ERR_LIB_PROV", ++ "PROV_R_WRONG_FINAL_BLOCK_LENGTH", ++ 
"PROV_R_BAD_DECRYPT", ++ ] ++ ++ + # This is a mapping of + # {condition: function-returning-names-dependent-on-that-condition} so we can + # loop over them and delete unsupported names at runtime. It will be removed +@@ -318,4 +328,5 @@ CONDITIONAL_NAMES = { + "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, + "Cryptography_HAS_SRTP": cryptography_has_srtp, + "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version, ++ "Cryptography_HAS_PROVIDERS": cryptography_has_providers, + } +diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py +index a2bc36a8..6dcec26a 100644 +--- a/src/cryptography/hazmat/bindings/openssl/binding.py ++++ b/src/cryptography/hazmat/bindings/openssl/binding.py +@@ -113,6 +113,8 @@ class Binding(object): + ffi = ffi + _lib_loaded = False + _init_lock = threading.Lock() ++ _legacy_provider: typing.Any = None ++ _default_provider: typing.Any = None + + def __init__(self): + self._ensure_ffi_initialized() +@@ -140,6 +142,24 @@ class Binding(object): + # adds all ciphers/digests for EVP + cls.lib.OpenSSL_add_all_algorithms() + cls._register_osrandom_engine() ++ # As of OpenSSL 3.0.0 we must register a legacy cipher provider ++ # to get RC2 (needed for junk asymmetric private key ++ # serialization), RC4, Blowfish, IDEA, SEED, etc. These things ++ # are ugly legacy, but we aren't going to get rid of them ++ # any time soon. 
++ if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: ++ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load( ++ cls.ffi.NULL, b"legacy" ++ ) ++ _openssl_assert( ++ cls.lib, cls._legacy_provider != cls.ffi.NULL ++ ) ++ cls._default_provider = cls.lib.OSSL_PROVIDER_load( ++ cls.ffi.NULL, b"default" ++ ) ++ _openssl_assert( ++ cls.lib, cls._default_provider != cls.ffi.NULL ++ ) + + @classmethod + def init_static_locks(cls): +diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py +index 0c96516f..0316b5d9 100644 +--- a/tests/hazmat/backends/test_openssl_memleak.py ++++ b/tests/hazmat/backends/test_openssl_memleak.py +@@ -82,7 +82,7 @@ def main(argv): + assert result == 1 + + # Trigger a bunch of initialization stuff. +- import cryptography.hazmat.backends.openssl ++ from cryptography.hazmat.backends.openssl.backend import backend + + start_heap = set(heap) + +@@ -91,6 +91,10 @@ def main(argv): + gc.collect() + gc.collect() + ++ if lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: ++ lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider) ++ lib.OSSL_PROVIDER_unload(backend._binding._default_provider) ++ + if lib.Cryptography_HAS_OPENSSL_CLEANUP: + lib.OPENSSL_cleanup() + +diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py +index fb9a1e36..4d1e3b55 100644 +--- a/tests/hazmat/bindings/test_openssl.py ++++ b/tests/hazmat/bindings/test_openssl.py +@@ -91,7 +91,9 @@ class TestOpenSSL(object): + _openssl_assert(b.lib, False) + + error = exc_info.value.err_code[0] +- assert error.code == 101183626 ++ # As of 3.0.0 OpenSSL sets func codes to 0, so the combined ++ # code is a different value ++ assert error.code in (101183626, 50331786) + assert error.lib == b.lib.ERR_LIB_EVP + assert error.func == b.lib.EVP_F_EVP_ENCRYPTFINAL_EX + assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH +diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py +index 
131807fc..bb29919f 100644 +--- a/tests/hazmat/primitives/test_dh.py ++++ b/tests/hazmat/primitives/test_dh.py +@@ -180,7 +180,23 @@ class TestDH(object): + params = dh.DHParameterNumbers(p, int(vector["g"])) + param = params.parameters(backend) + key = param.generate_private_key() +- assert key.private_numbers().public_numbers.parameter_numbers == params ++ # In OpenSSL 3.0.0 OpenSSL maps to known groups. This results in ++ # a scenario where loading a known group with p and g returns a ++ # re-serialized form that has q as well (the Sophie Germain prime of ++ # that group). This makes a naive comparison of the parameter numbers ++ # objects fail, so we have to be a bit smarter ++ serialized_params = ( ++ key.private_numbers().public_numbers.parameter_numbers ++ ) ++ if serialized_params.q is None: ++ # This is the path OpenSSL < 3.0 takes ++ assert serialized_params == params ++ else: ++ assert serialized_params.p == params.p ++ assert serialized_params.g == params.g ++ # p = 2q + 1 since it is a Sophie Germain prime, so we can compute ++ # what we expect OpenSSL to have done here. ++ assert serialized_params.q == (params.p - 1) // 2 + + @pytest.mark.skip_fips(reason="non-FIPS parameters") + @pytest.mark.parametrize( +@@ -382,6 +398,12 @@ class TestDH(object): + assert symkey1 != symkey2 + + @pytest.mark.skip_fips(reason="key_size too small for FIPS") ++ @pytest.mark.supported( ++ only_if=lambda backend: ( ++ not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ++ ), ++ skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+", ++ ) + def test_load_256bit_key_from_pkcs8(self, backend): + data = load_vectors_from_file( + os.path.join("asymmetric", "DH", "dh_key_256.pem"), +-- +2.31.1 + diff --git a/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch b/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch new file mode 100644 index 0000000..078950e --- /dev/null +++ b/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch 
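Review bot: In the `binding.py` hunk of 0002 the result of `OSSL_PROVIDER_load(cls.ffi.NULL, b"legacy")` goes straight into `_openssl_assert`, so on an OpenSSL 3.0 host where the legacy provider module is not installed or is disabled by policy, initialising the binding fails outright instead of merely losing RC2/RC4/Blowfish and the like. Asserting only on the `default` provider and treating a NULL legacy handle as "legacy algorithms unavailable" would be the more tolerant behaviour; the memleak test in the same patch would then need to skip `OSSL_PROVIDER_unload` for a NULL handle. Because the context argument is NULL, the load presumably applies to the default library context shared by the whole process, which deserves a comment at the call site: `# NULL selects the default library context, so the legacy algorithms become available process-wide, not just to this binding`. The enclosing method starts outside the inner hunk.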
@@ -0,0 +1,151 @@ +From 29cf9b8d63ef3437ba11aa29502af8773faa17a7 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Wed, 14 Apr 2021 13:15:57 -0500 +Subject: [PATCH 3/4] switch to using EVP_PKEY_derive instead of DH_compute_key + in DH (#5972) + +* switch to using EVP_PKEY_derive instead of DH_compute_key in DH + +Where checks are occurring is changing in OpenSSL 3.0 and this makes it +easier to be consistent (and is the API we should be using anyway). The +tests change because EVP_PKEY_derive now verifies that we have shared +parameters, which the test previously only verified by asserting that +the derived keys didn't match + +* review feedback + +* type ignores required for typeerror tests. some day i will remember this +--- + src/_cffi_src/openssl/dh.py | 1 - + .../hazmat/backends/openssl/dh.py | 57 ++++++++++++------- + tests/hazmat/primitives/test_dh.py | 19 ++++--- + 3 files changed, 45 insertions(+), 32 deletions(-) + +diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py +index 979dafa9..50989e45 100644 +--- a/src/_cffi_src/openssl/dh.py ++++ b/src/_cffi_src/openssl/dh.py +@@ -18,7 +18,6 @@ DH *DH_new(void); + void DH_free(DH *); + int DH_size(const DH *); + int DH_generate_key(DH *); +-int DH_compute_key(unsigned char *, const BIGNUM *, DH *); + DH *DHparams_dup(DH *); + + /* added in 1.1.0 when the DH struct was opaqued */ +diff --git a/src/cryptography/hazmat/backends/openssl/dh.py b/src/cryptography/hazmat/backends/openssl/dh.py +index 65ddaeec..b928f024 100644 +--- a/src/cryptography/hazmat/backends/openssl/dh.py ++++ b/src/cryptography/hazmat/backends/openssl/dh.py +@@ -127,35 +127,48 @@ class _DHPrivateKey(dh.DHPrivateKey): + ) + + def exchange(self, peer_public_key: dh.DHPublicKey) -> bytes: +- buf = self._backend._ffi.new("unsigned char[]", self._key_size_bytes) +- pub_key = self._backend._ffi.new("BIGNUM **") +- self._backend._lib.DH_get0_key( +- peer_public_key._dh_cdata, # type: ignore[attr-defined] +- pub_key, +- 
self._backend._ffi.NULL, ++ if not isinstance(peer_public_key, _DHPublicKey): ++ raise TypeError("peer_public_key must be a DHPublicKey") ++ ++ ctx = self._backend._lib.EVP_PKEY_CTX_new( ++ self._evp_pkey, self._backend._ffi.NULL + ) +- self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) +- res = self._backend._lib.DH_compute_key( +- buf, pub_key[0], self._dh_cdata ++ self._backend.openssl_assert(ctx != self._backend._ffi.NULL) ++ ctx = self._backend._ffi.gc(ctx, self._backend._lib.EVP_PKEY_CTX_free) ++ res = self._backend._lib.EVP_PKEY_derive_init(ctx) ++ self._backend.openssl_assert(res == 1) ++ res = self._backend._lib.EVP_PKEY_derive_set_peer( ++ ctx, peer_public_key._evp_pkey ++ ) ++ # Invalid kex errors here in OpenSSL 3.0 because checks were moved ++ # to EVP_PKEY_derive_set_peer ++ self._exchange_assert(res == 1) ++ keylen = self._backend._ffi.new("size_t *") ++ res = self._backend._lib.EVP_PKEY_derive( ++ ctx, self._backend._ffi.NULL, keylen + ) ++ # Invalid kex errors here in OpenSSL < 3 ++ self._exchange_assert(res == 1) ++ self._backend.openssl_assert(keylen[0] > 0) ++ buf = self._backend._ffi.new("unsigned char[]", keylen[0]) ++ res = self._backend._lib.EVP_PKEY_derive(ctx, buf, keylen) ++ self._backend.openssl_assert(res == 1) + +- if res == -1: ++ key = self._backend._ffi.buffer(buf, keylen[0])[:] ++ pad = self._key_size_bytes - len(key) ++ ++ if pad > 0: ++ key = (b"\x00" * pad) + key ++ ++ return key ++ ++ def _exchange_assert(self, ok): ++ if not ok: + errors_with_text = self._backend._consume_errors_with_text() + raise ValueError( +- "Error computing shared key. 
Public key is likely invalid " +- "for this exchange.", ++ "Error computing shared key.", + errors_with_text, + ) +- else: +- self._backend.openssl_assert(res >= 1) +- +- key = self._backend._ffi.buffer(buf)[:res] +- pad = self._key_size_bytes - len(key) +- +- if pad > 0: +- key = (b"\x00" * pad) + key +- +- return key + + def public_key(self) -> dh.DHPublicKey: + dh_cdata = _dh_params_dup(self._dh_cdata, self._backend) +diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py +index bb29919f..2914f7e7 100644 +--- a/tests/hazmat/primitives/test_dh.py ++++ b/tests/hazmat/primitives/test_dh.py +@@ -296,6 +296,12 @@ class TestDH(object): + assert isinstance(key.private_numbers(), dh.DHPrivateNumbers) + assert isinstance(key.parameters(), dh.DHParameters) + ++ def test_exchange_wrong_type(self, backend): ++ parameters = FFDH3072_P.parameters(backend) ++ key1 = parameters.generate_private_key() ++ with pytest.raises(TypeError): ++ key1.exchange(b"invalidtype") # type: ignore[arg-type] ++ + def test_exchange(self, backend): + parameters = FFDH3072_P.parameters(backend) + assert isinstance(parameters, dh.DHParameters) +@@ -386,16 +392,11 @@ class TestDH(object): + key2 = private2.private_key(backend) + pub_key2 = key2.public_key() + +- if pub_key2.public_numbers().y >= parameters1.p: +- with pytest.raises(ValueError): +- key1.exchange(pub_key2) +- else: +- symkey1 = key1.exchange(pub_key2) +- assert symkey1 +- +- symkey2 = key2.exchange(pub_key1) ++ with pytest.raises(ValueError): ++ key1.exchange(pub_key2) + +- assert symkey1 != symkey2 ++ with pytest.raises(ValueError): ++ key2.exchange(pub_key1) + + @pytest.mark.skip_fips(reason="key_size too small for FIPS") + @pytest.mark.supported( +-- +2.31.1 + diff --git a/0004-Use-well-defined-enum-representation.patch b/0004-Use-well-defined-enum-representation.patch new file mode 100644 index 0000000..c006543 --- /dev/null +++ b/0004-Use-well-defined-enum-representation.patch 
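Review bot: The zero left-padding at the end of the rewritten `exchange()` in 0003 has no comment, yet it is the step that keeps the shared secret at a fixed `_key_size_bytes` length. The code implies that `EVP_PKEY_derive` can return fewer bytes than the key size; say so at the `pad` computation, e.g. `# the derived secret may come back without its leading zero bytes; left-pad so callers always get key_size bytes`. `_exchange_assert` would also benefit from a one-line docstring stating that it raises `ValueError` with the consumed OpenSSL error text, since the new message no longer says that the peer key is the likely cause.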
@@ -0,0 +1,366 @@ +From 0a164d2c985b4655929591b191824ed361890b8d Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Mon, 10 May 2021 13:27:54 +0200 +Subject: [PATCH 4/4] Use well-defined enum representation + +Python 3.10 changed enum's object and string representation. PyCA +cryptography now uses a custom subclass of enum.Enum() will well-defined +__repr__ and __str__ from Python 3.9. + +Related: https://bugs.python.org/issue40066 +Fixes: https://github.com/pyca/cryptography/issues/5995 +Signed-off-by: Christian Heimes +--- + .github/workflows/ci.yml | 13 +++++++------ + src/cryptography/exceptions.py | 4 ++-- + .../hazmat/primitives/_serialization.py | 11 ++++++----- + src/cryptography/hazmat/primitives/kdf/kbkdf.py | 5 ++--- + .../hazmat/primitives/serialization/pkcs7.py | 4 ++-- + src/cryptography/utils.py | 11 +++++++++++ + src/cryptography/x509/base.py | 4 ++-- + src/cryptography/x509/certificate_transparency.py | 7 ++++--- + src/cryptography/x509/extensions.py | 5 ++--- + src/cryptography/x509/name.py | 3 +-- + src/cryptography/x509/ocsp.py | 8 ++++---- + tests/test_cryptography_utils.py | 11 +++++++++++ + 12 files changed, 54 insertions(+), 32 deletions(-) + +diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml +index 747f84c1..ca298f96 100644 +--- a/.github/workflows/ci.yml ++++ b/.github/workflows/ci.yml +@@ -18,15 +18,16 @@ jobs: + - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"} + - {VERSION: "pypy3", TOXENV: "pypy3"} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} +- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} +- - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} +- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} +- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}} ++ - {VERSION: "3.9", TOXENV: 
"py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}} ++ - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha16"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.2.3"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.3.1"}} ++ - {VERSION: "3.10-dev", TOXENV: "py310"} + RUST: + - stable + name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}" +@@ -108,8 +109,8 @@ jobs: + - {IMAGE: "sid", TOXENV: "py39"} + - {IMAGE: "ubuntu-bionic", TOXENV: "py36"} + - {IMAGE: "ubuntu-focal", TOXENV: "py38"} +- - {IMAGE: "ubuntu-rolling", TOXENV: "py38"} +- - {IMAGE: "ubuntu-rolling", TOXENV: "py38-randomorder"} ++ - {IMAGE: "ubuntu-rolling", TOXENV: "py39"} ++ - {IMAGE: "ubuntu-rolling", TOXENV: "py39-randomorder"} + - {IMAGE: "fedora", TOXENV: "py39"} + - {IMAGE: "alpine", TOXENV: "py38"} + name: "${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}" +diff --git a/src/cryptography/exceptions.py b/src/cryptography/exceptions.py +index f5860590..3bd98d82 100644 +--- a/src/cryptography/exceptions.py ++++ b/src/cryptography/exceptions.py +@@ -3,10 +3,10 @@ + # for complete details. 
+ + +-from enum import Enum ++from cryptography import utils + + +-class _Reasons(Enum): ++class _Reasons(utils.Enum): + BACKEND_MISSING_INTERFACE = 0 + UNSUPPORTED_HASH = 1 + UNSUPPORTED_CIPHER = 2 +diff --git a/src/cryptography/hazmat/primitives/_serialization.py b/src/cryptography/hazmat/primitives/_serialization.py +index 96a5ed9b..160a6b89 100644 +--- a/src/cryptography/hazmat/primitives/_serialization.py ++++ b/src/cryptography/hazmat/primitives/_serialization.py +@@ -3,13 +3,14 @@ + # for complete details. + + import abc +-from enum import Enum ++ ++from cryptography import utils + + # This exists to break an import cycle. These classes are normally accessible + # from the serialization module. + + +-class Encoding(Enum): ++class Encoding(utils.Enum): + PEM = "PEM" + DER = "DER" + OpenSSH = "OpenSSH" +@@ -18,14 +19,14 @@ class Encoding(Enum): + SMIME = "S/MIME" + + +-class PrivateFormat(Enum): ++class PrivateFormat(utils.Enum): + PKCS8 = "PKCS8" + TraditionalOpenSSL = "TraditionalOpenSSL" + Raw = "Raw" + OpenSSH = "OpenSSH" + + +-class PublicFormat(Enum): ++class PublicFormat(utils.Enum): + SubjectPublicKeyInfo = "X.509 subjectPublicKeyInfo with PKCS#1" + PKCS1 = "Raw PKCS#1" + OpenSSH = "OpenSSH" +@@ -34,7 +35,7 @@ class PublicFormat(Enum): + UncompressedPoint = "X9.62 Uncompressed Point" + + +-class ParameterFormat(Enum): ++class ParameterFormat(utils.Enum): + PKCS3 = "PKCS3" + + +diff --git a/src/cryptography/hazmat/primitives/kdf/kbkdf.py b/src/cryptography/hazmat/primitives/kdf/kbkdf.py +index ac36474f..75fe7d51 100644 +--- a/src/cryptography/hazmat/primitives/kdf/kbkdf.py ++++ b/src/cryptography/hazmat/primitives/kdf/kbkdf.py +@@ -4,7 +4,6 @@ + + + import typing +-from enum import Enum + + from cryptography import utils + from cryptography.exceptions import ( +@@ -19,11 +18,11 @@ from cryptography.hazmat.primitives import constant_time, hashes, hmac + from cryptography.hazmat.primitives.kdf import KeyDerivationFunction + + +-class Mode(Enum): ++class 
Mode(utils.Enum): + CounterMode = "ctr" + + +-class CounterLocation(Enum): ++class CounterLocation(utils.Enum): + BeforeFixed = "before_fixed" + AfterFixed = "after_fixed" + +diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py +index bcd9e330..57aac7e3 100644 +--- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py ++++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py +@@ -3,8 +3,8 @@ + # for complete details. + + import typing +-from enum import Enum + ++from cryptography import utils + from cryptography import x509 + from cryptography.hazmat.backends import _get_backend + from cryptography.hazmat.primitives import hashes, serialization +@@ -35,7 +35,7 @@ _ALLOWED_PRIVATE_KEY_TYPES = typing.Union[ + ] + + +-class PKCS7Options(Enum): ++class PKCS7Options(utils.Enum): + Text = "Add text/plain MIME type" + Binary = "Don't translate input data into canonical MIME format" + DetachedSignature = "Don't embed data in the PKCS7 structure" +diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py +index ef0fc443..9e571cfd 100644 +--- a/src/cryptography/utils.py ++++ b/src/cryptography/utils.py +@@ -4,6 +4,7 @@ + + + import abc ++import enum + import inspect + import sys + import typing +@@ -162,3 +163,13 @@ int_from_bytes = deprecated( + "int_from_bytes is deprecated, use int.from_bytes instead", + DeprecatedIn34, + ) ++ ++ ++# Python 3.10 changed representation of enums. We use well-defined object ++# representation and string representation from Python 3.9. 
++class Enum(enum.Enum): ++ def __repr__(self): ++ return f"<{self.__class__.__name__}.{self._name_}: {self._value_!r}>" ++ ++ def __str__(self): ++ return f"{self.__class__.__name__}.{self._name_}" +diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py +index 5505fa3b..26ec43d5 100644 +--- a/src/cryptography/x509/base.py ++++ b/src/cryptography/x509/base.py +@@ -7,8 +7,8 @@ import abc + import datetime + import os + import typing +-from enum import Enum + ++from cryptography import utils + from cryptography.hazmat._types import _PRIVATE_KEY_TYPES, _PUBLIC_KEY_TYPES + from cryptography.hazmat.backends import _get_backend + from cryptography.hazmat.primitives import hashes, serialization +@@ -66,7 +66,7 @@ def _convert_to_naive_utc_time(time: datetime.datetime) -> datetime.datetime: + return time + + +-class Version(Enum): ++class Version(utils.Enum): + v1 = 0 + v3 = 2 + +diff --git a/src/cryptography/x509/certificate_transparency.py b/src/cryptography/x509/certificate_transparency.py +index d51bee92..d80f051a 100644 +--- a/src/cryptography/x509/certificate_transparency.py ++++ b/src/cryptography/x509/certificate_transparency.py +@@ -5,15 +5,16 @@ + + import abc + import datetime +-from enum import Enum + ++from cryptography import utils + +-class LogEntryType(Enum): ++ ++class LogEntryType(utils.Enum): + X509_CERTIFICATE = 0 + PRE_CERTIFICATE = 1 + + +-class Version(Enum): ++class Version(utils.Enum): + v1 = 0 + + +diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py +index 6cae016a..742f1fa2 100644 +--- a/src/cryptography/x509/extensions.py ++++ b/src/cryptography/x509/extensions.py +@@ -8,7 +8,6 @@ import datetime + import hashlib + import ipaddress + import typing +-from enum import Enum + + from cryptography import utils + from cryptography.hazmat._der import ( +@@ -634,7 +633,7 @@ class DistributionPoint(object): + crl_issuer = utils.read_only_property("_crl_issuer") + + +-class ReasonFlags(Enum): ++class 
ReasonFlags(utils.Enum): + unspecified = "unspecified" + key_compromise = "keyCompromise" + ca_compromise = "cACompromise" +@@ -978,7 +977,7 @@ class TLSFeature(ExtensionType): + return hash(tuple(self._features)) + + +-class TLSFeatureType(Enum): ++class TLSFeatureType(utils.Enum): + # status_request is defined in RFC 6066 and is used for what is commonly + # called OCSP Must-Staple when present in the TLS Feature extension in an + # X.509 certificate. +diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py +index a579aa21..9069a9f4 100644 +--- a/src/cryptography/x509/name.py ++++ b/src/cryptography/x509/name.py +@@ -3,14 +3,13 @@ + # for complete details. + + import typing +-from enum import Enum + + from cryptography import utils + from cryptography.hazmat.backends import _get_backend + from cryptography.x509.oid import NameOID, ObjectIdentifier + + +-class _ASN1Type(Enum): ++class _ASN1Type(utils.Enum): + UTF8String = 12 + NumericString = 18 + PrintableString = 19 +diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py +index 1c5de73e..bcf210c1 100644 +--- a/src/cryptography/x509/ocsp.py ++++ b/src/cryptography/x509/ocsp.py +@@ -6,8 +6,8 @@ + import abc + import datetime + import typing +-from enum import Enum + ++from cryptography import utils + from cryptography import x509 + from cryptography.hazmat.primitives import hashes, serialization + from cryptography.x509.base import ( +@@ -27,12 +27,12 @@ _OIDS_TO_HASH = { + } + + +-class OCSPResponderEncoding(Enum): ++class OCSPResponderEncoding(utils.Enum): + HASH = "By Hash" + NAME = "By Name" + + +-class OCSPResponseStatus(Enum): ++class OCSPResponseStatus(utils.Enum): + SUCCESSFUL = 0 + MALFORMED_REQUEST = 1 + INTERNAL_ERROR = 2 +@@ -58,7 +58,7 @@ def _verify_algorithm(algorithm): + ) + + +-class OCSPCertStatus(Enum): ++class OCSPCertStatus(utils.Enum): + GOOD = 0 + REVOKED = 1 + UNKNOWN = 2 +diff --git a/tests/test_cryptography_utils.py b/tests/test_cryptography_utils.py 
+index 6b795e0c..803997ac 100644 +--- a/tests/test_cryptography_utils.py ++++ b/tests/test_cryptography_utils.py +@@ -2,6 +2,7 @@ + # 2.0, and the BSD License. See the LICENSE file in the root of this repository + # for complete details. + ++import enum + import typing + + import pytest +@@ -51,3 +52,13 @@ class TestCachedProperty(object): + assert len(accesses) == 1 + assert t.t == 14 + assert len(accesses) == 1 ++ ++ ++def test_enum(): ++ class TestEnum(utils.Enum): ++ value = "something" ++ ++ assert issubclass(TestEnum, enum.Enum) ++ assert isinstance(TestEnum.value, enum.Enum) ++ assert repr(TestEnum.value) == "" ++ assert str(TestEnum.value) == "TestEnum.value" +-- +2.31.1 + diff --git a/python-cryptography.spec b/python-cryptography.spec index f107e9b..8799805 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -18,6 +18,10 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py %endif +Patch0001: 0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch +Patch0002: 0002-WIP-3.0.0-support-5250.patch +Patch0003: 0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch +Patch0004: 0004-Use-well-defined-enum-representation.patch ExclusiveArch: %{rust_arches} @@ -117,6 +121,11 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue May 11 2021 Christian Heimes - 3.4.7-2 +- Fix compatibility issue with Python 3.10. Enums now use same + representation as on Python 3.9. (#1952522) +- Backport OpenSSL 3.0.0 compatibility patches. + * Wed Apr 21 2021 Christian Heimes - 3.4.7-1 - Update to 3.4.7 - Remove dependency on python-cryptography-vectors package and use vectors 
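Review bot: In the added `test_enum` (tests/test_cryptography_utils.py, inside the new 0004 patch file), the repr assertion compares against an empty string, `assert repr(TestEnum.value) == ""`. That cannot hold for the `__repr__` this same patch adds to `utils.Enum`, which returns the `<Class.name: value>` form. The expected literal has probably lost its angle-bracketed text somewhere; it should read `assert repr(TestEnum.value) == "<TestEnum.value: 'something'>"`. Compare the committed .patch file with upstream commit 0a164d2c985b4655929591b191824ed361890b8d, so that the backport applied at build time is exactly the change that was reviewed upstream.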
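Review bot: The four `Patch000N:` lines added after `Source2:` have no comment saying which upstream commit each backport comes from or whether it is already merged, and `0002-WIP-3.0.0-support-5250.patch` is by its own name a work-in-progress change to a cryptographic library. A one-line comment above each entry, for example `# Backport of upstream commit <UPSTREAM_COMMIT>: OpenSSL 3.0.0 support`, would let a later maintainer verify the patch against upstream and know when it can be dropped. The changelog text "Backport OpenSSL 3.0.0 compatibility patches" does not identify the commits either.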
From bcc2ec8af9fee01035ca14968029d5c23fa1713d Mon Sep 17 00:00:00 2001 From: Python Maint Date: Thu, 3 Jun 2021 01:05:02 +0200 Subject: [PATCH 046/111] Rebuilt for Python 3.10 --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 8799805..23fe6d7 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -121,6 +121,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Jun 02 2021 Python Maint - 3.4.7-3 +- Rebuilt for Python 3.10 + * Tue May 11 2021 Christian Heimes - 3.4.7-2 - Fix compatibility issue with Python 3.10. Enums now use same representation as on Python 3.9. (#1952522) From fe349e0ac6bfbc6e3104f3eab38b037e360c20ac Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 10 Jun 2021 14:27:29 -0400 Subject: [PATCH 047/111] Don't conditionalize Source: directives This makes the specfile compatible with Fedora ELN, RHEL and similar Fedora derivatives. Signed-off-by: Stephen Gallagher --- .gitignore | 1 + python-cryptography.spec | 7 ++++--- sources | 1 + 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index cf9ac7e..cfa6910 100644 --- a/.gitignore +++ b/.gitignore @@ -38,3 +38,4 @@ /cryptography-3.4.6.tar.gz /cryptography-3.4.6.tar.gz.asc /cryptography-3.4.7.tar.gz +/cryptography-3.4.7-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 23fe6d7..1239266 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -7,17 +7,15 @@ Name: python-%{srcname} Version: 3.4.7 -Release: 3%{?dist} +Release: 4%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz -%if 0%{?rhel} # created by ./vendor_rust.py helper script Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -%endif Patch0001: 0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch Patch0002: 0002-WIP-3.0.0-support-5250.patch Patch0003: 0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch @@ -121,6 +119,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Jun 10 2021 Stephen Gallagher - 3.4.7-4 +- Don't conditionalize Source: directives + * Wed Jun 02 2021 Python Maint - 3.4.7-3 - Rebuilt for Python 3.10 diff --git a/sources b/sources index a6bf867..6d1fe84 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ SHA512 (cryptography-3.4.7.tar.gz) = e76d0949fbaca06d2f72805bdce8ea85056ae45b978f51d70d1367bbfb1067e9db76a9f080f890e95ec52c788a3d2fd3ba0a286901f97ee2911ebd7a7a8f71a9 +SHA512 (cryptography-3.4.7-vendor.tar.bz2) = 67060536b5d48e0497290fb3307329d57e9ac56cb9ee13c2fb1b2f93d059872d411d9dbff3f00bece23a8593d667799de86630b3748337b204f8776ef3f0a387 From ade913d1ad7fdd4da2f361d8e4ca5bf185200530 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 23 Jul 2021 05:54:42 +0000 Subject: [PATCH 048/111] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 1239266..ee239ed 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
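Review bot: With the `%if 0%{?rhel}` guard removed, `Source1: cryptography-%{version}-vendor.tar.bz2` is declared for every build, yet its only provenance record is the comment `# created by ./vendor_rust.py helper script`. The tarball has no upstream URL, so the comment should say when it has to be regenerated, e.g. `# created by ./vendor_rust.py helper script; rerun it for every new %{version} and upload the result`. That lets the vendored Rust crates be reproduced and checked against the SHA512 this commit adds to `sources`. Whether `%prep` still unpacks Source1 only under a `rhel` conditional is not visible in this hunk and is worth confirming.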
@@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.7 -Release: 4%{?dist} +Release: 5%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -119,6 +119,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jul 23 2021 Fedora Release Engineering - 3.4.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Thu Jun 10 2021 Stephen Gallagher - 3.4.7-4 - Don't conditionalize Source: directives From 33bbaec862f1ffa590848308ad5f1da097559732 Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Tue, 14 Sep 2021 19:12:30 +0200 Subject: [PATCH 049/111] Rebuilt with OpenSSL 3.0.0 --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index ee239ed..e997636 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.7 -Release: 5%{?dist} +Release: 6%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -119,6 +119,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Sep 14 2021 Sahana Prasad - 3.4.7-6 +- Rebuilt with OpenSSL 3.0.0 + * Fri Jul 23 2021 Fedora Release Engineering - 3.4.7-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From 6fb44d50f24f58653774e41fa2c0561782d27060 Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Thu, 30 Sep 2021 08:19:15 +0200 Subject: [PATCH 050/111] Update to 35.0.0 (#2009117) --- .gitignore | 2 + ...cs12-parse-ordering.-fixes-5872-5879.patch | 130 ------ 0002-WIP-3.0.0-support-5250.patch | 415 ------------------ ...EVP_PKEY_derive-instead-of-DH_comput.patch | 151 ------- ...Use-well-defined-enum-representation.patch | 366 --------------- python-cryptography.spec | 11 +- sources | 4 +- 7 files changed, 9 insertions(+), 1070 deletions(-) delete mode 100644 0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch delete mode 100644 0002-WIP-3.0.0-support-5250.patch delete mode 100644 0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch delete mode 100644 0004-Use-well-defined-enum-representation.patch diff --git a/.gitignore b/.gitignore index cfa6910..e2d569a 100644 --- a/.gitignore +++ b/.gitignore @@ -39,3 +39,5 @@ /cryptography-3.4.6.tar.gz.asc /cryptography-3.4.7.tar.gz /cryptography-3.4.7-vendor.tar.bz2 +/cryptography-35.0.0.tar.gz +/cryptography-35.0.0-vendor.tar.bz2 diff --git a/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch b/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch deleted file mode 100644 index e73331a..0000000 --- a/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch +++ /dev/null 
@@ -1,130 +0,0 @@ -From cb1908043d5daa7c5c38945c048c4a2477a46221 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Sun, 28 Feb 2021 16:06:11 -0600 -Subject: [PATCH 1/4] fix pkcs12 parse ordering. fixes #5872 (#5879) - -* fix pkcs12 parse ordering. fixes #5872 - -* remove an unneeded print - -* simplify the test a bit more - -* index - -* black - -* Update tests/hazmat/primitives/test_pkcs12.py - -Co-authored-by: Alex Gaynor - -Co-authored-by: Alex Gaynor ---- - .../hazmat/backends/openssl/backend.py | 5 +- - tests/hazmat/primitives/test_pkcs12.py | 58 ++++++++++++++++++- - 2 files changed, 59 insertions(+), 4 deletions(-) - -diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py -index 271873d9..a96d08d8 100644 ---- a/src/cryptography/hazmat/backends/openssl/backend.py -+++ b/src/cryptography/hazmat/backends/openssl/backend.py -@@ -6,6 +6,7 @@ - import collections - import contextlib - import itertools -+import typing - import warnings - from contextlib import contextmanager - -@@ -2562,9 +2563,7 @@ class Backend(object): - sk_x509 = self._lib.sk_X509_new_null() - sk_x509 = self._ffi.gc(sk_x509, self._lib.sk_X509_free) - -- # reverse the list when building the stack so that they're encoded -- # in the order they were originally provided. 
it is a mystery -- for ca in reversed(cas): -+ for ca in cas: - res = self._lib.sk_X509_push(sk_x509, ca._x509) - backend.openssl_assert(res >= 1) - -diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py -index b5de09f9..b1759a1b 100644 ---- a/tests/hazmat/primitives/test_pkcs12.py -+++ b/tests/hazmat/primitives/test_pkcs12.py -@@ -4,13 +4,15 @@ - - - import os -+from datetime import datetime - - import pytest - - from cryptography import x509 - from cryptography.hazmat.backends.interfaces import DERSerializationBackend - from cryptography.hazmat.backends.openssl.backend import _RC2 --from cryptography.hazmat.primitives import serialization -+from cryptography.hazmat.primitives import hashes, serialization -+from cryptography.hazmat.primitives.asymmetric import ec - from cryptography.hazmat.primitives.serialization import load_pem_private_key - from cryptography.hazmat.primitives.serialization.pkcs12 import ( - load_key_and_certificates, -@@ -273,3 +275,57 @@ class TestPKCS12Creation(object): - DummyKeySerializationEncryption(), - ) - assert str(exc.value) == "Unsupported key encryption type" -+ -+ -+def test_pkcs12_ordering(): -+ """ -+ In OpenSSL < 3.0.0 PKCS12 parsing reverses the order. However, we -+ accidentally thought it was **encoding** that did it, leading to bug -+ https://github.com/pyca/cryptography/issues/5872 -+ This test ensures our ordering is correct going forward. -+ """ -+ -+ def make_cert(name): -+ key = ec.generate_private_key(ec.SECP256R1()) -+ subject = x509.Name( -+ [ -+ x509.NameAttribute(x509.NameOID.COMMON_NAME, name), -+ ] -+ ) -+ now = datetime.utcnow() -+ cert = ( -+ x509.CertificateBuilder() -+ .subject_name(subject) -+ .issuer_name(subject) -+ .public_key(key.public_key()) -+ .serial_number(x509.random_serial_number()) -+ .not_valid_before(now) -+ .not_valid_after(now) -+ .sign(key, hashes.SHA256()) -+ ) -+ return (key, cert) -+ -+ # Make some certificates with distinct names. 
-+ a_name = "A" * 20 -+ b_name = "B" * 20 -+ c_name = "C" * 20 -+ a_key, a_cert = make_cert(a_name) -+ _, b_cert = make_cert(b_name) -+ _, c_cert = make_cert(c_name) -+ -+ # Bundle them in a PKCS#12 file in order A, B, C. -+ p12 = serialize_key_and_certificates( -+ b"p12", a_key, a_cert, [b_cert, c_cert], serialization.NoEncryption() -+ ) -+ -+ # Parse them out. The API should report them in the same order. -+ (key, cert, certs) = load_key_and_certificates(p12, None) -+ assert cert == a_cert -+ assert certs == [b_cert, c_cert] -+ -+ # The ordering in the PKCS#12 file itself should also match. -+ a_idx = p12.index(a_name.encode("utf-8")) -+ b_idx = p12.index(b_name.encode("utf-8")) -+ c_idx = p12.index(c_name.encode("utf-8")) -+ -+ assert a_idx < b_idx < c_idx --- -2.31.1 - diff --git a/0002-WIP-3.0.0-support-5250.patch b/0002-WIP-3.0.0-support-5250.patch deleted file mode 100644 index c99eea8..0000000 --- a/0002-WIP-3.0.0-support-5250.patch +++ /dev/null 
@@ -1,415 +0,0 @@ -From a0bece343e38d73d038d4f3a62c2a9638608ac9c Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Thu, 22 Apr 2021 19:16:38 -0500 -Subject: [PATCH 2/4] [WIP] 3.0.0 support (#5250) - -* 3.0.0 support - -* almost...there... - -* make mypy happy ---- - .github/workflows/ci.yml | 7 ++-- - src/_cffi_src/build_openssl.py | 1 + - src/_cffi_src/openssl/cryptography.py | 3 ++ - src/_cffi_src/openssl/err.py | 6 +++ - src/_cffi_src/openssl/fips.py | 2 +- - src/_cffi_src/openssl/provider.py | 40 ++++++++++++++++++ - .../hazmat/backends/openssl/backend.py | 42 ++++++++++++++++--- - .../hazmat/backends/openssl/ciphers.py | 15 ++++++- - .../hazmat/bindings/openssl/_conditional.py | 11 +++++ - .../hazmat/bindings/openssl/binding.py | 20 +++++++++ - tests/hazmat/backends/test_openssl_memleak.py | 6 ++- - tests/hazmat/bindings/test_openssl.py | 4 +- - tests/hazmat/primitives/test_dh.py | 24 ++++++++++- - 13 files changed, 167 insertions(+), 14 deletions(-) - create mode 100644 src/_cffi_src/openssl/provider.py - -diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml -index cd967a3a..747f84c1 100644 ---- a/.github/workflows/ci.yml -+++ b/.github/workflows/ci.yml -@@ -18,9 +18,10 @@ jobs: - - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"} - - {VERSION: "pypy3", TOXENV: "pypy3"} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}} -- - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} -+ - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine 
no-rc2 no-srtp no-ct"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}} -diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py -index 08499d66..557296ed 100644 ---- a/src/_cffi_src/build_openssl.py -+++ b/src/_cffi_src/build_openssl.py -@@ -104,6 +104,7 @@ ffi = build_ffi_for_binding( - "osrandom_engine", - "pem", - "pkcs12", -+ "provider", - "rand", - "rsa", - "ssl", -diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py -index e2b5a132..06d1e778 100644 ---- a/src/_cffi_src/openssl/cryptography.py -+++ b/src/_cffi_src/openssl/cryptography.py -@@ -34,6 +34,8 @@ INCLUDES = """ - - #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) -+#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ -+ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) - - #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ - (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL) -@@ -53,6 +55,7 @@ INCLUDES = """ - - TYPES = """ - static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; -+static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; - - static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111; - static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B; -diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py -index 0634b656..8cfeaf5b 100644 ---- a/src/_cffi_src/openssl/err.py -+++ b/src/_cffi_src/openssl/err.py -@@ -18,6 +18,7 @@ static const int EVP_R_UNKNOWN_PBE_ALGORITHM; - - static const int ERR_LIB_EVP; - static const int ERR_LIB_PEM; -+static const int ERR_LIB_PROV; - static const int ERR_LIB_ASN1; - static const int ERR_LIB_PKCS12; - -@@ -45,4 
+46,9 @@ int ERR_GET_REASON(unsigned long); - """ - - CUSTOMIZATIONS = """ -+/* This define is tied to provider support and is conditionally -+ removed if Cryptography_HAS_PROVIDERS is false */ -+#ifndef ERR_LIB_PROV -+#define ERR_LIB_PROV 0 -+#endif - """ -diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py -index b9d0d64d..23c10af9 100644 ---- a/src/_cffi_src/openssl/fips.py -+++ b/src/_cffi_src/openssl/fips.py -@@ -17,7 +17,7 @@ int FIPS_mode(void); - """ - - CUSTOMIZATIONS = """ --#if CRYPTOGRAPHY_IS_LIBRESSL -+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - static const long Cryptography_HAS_FIPS = 0; - int (*FIPS_mode_set)(int) = NULL; - int (*FIPS_mode)(void) = NULL; -diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py -new file mode 100644 -index 00000000..d7d659ea ---- /dev/null -+++ b/src/_cffi_src/openssl/provider.py -@@ -0,0 +1,40 @@ -+# This file is dual licensed under the terms of the Apache License, Version -+# 2.0, and the BSD License. See the LICENSE file in the root of this repository -+# for complete details. -+ -+ -+INCLUDES = """ -+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -+#include -+#include -+#endif -+""" -+ -+TYPES = """ -+static const long Cryptography_HAS_PROVIDERS; -+ -+typedef ... OSSL_PROVIDER; -+typedef ... 
OSSL_LIB_CTX; -+ -+static const long PROV_R_BAD_DECRYPT; -+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH; -+""" -+ -+FUNCTIONS = """ -+OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *); -+int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); -+""" -+ -+CUSTOMIZATIONS = """ -+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -+static const long Cryptography_HAS_PROVIDERS = 1; -+#else -+static const long Cryptography_HAS_PROVIDERS = 0; -+typedef void OSSL_PROVIDER; -+typedef void OSSL_LIB_CTX; -+static const long PROV_R_BAD_DECRYPT = 0; -+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH = 0; -+OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; -+int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; -+#endif -+""" -diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py -index a96d08d8..86e8f0a8 100644 ---- a/src/cryptography/hazmat/backends/openssl/backend.py -+++ b/src/cryptography/hazmat/backends/openssl/backend.py -@@ -1281,6 +1281,11 @@ class Backend(object): - def _evp_pkey_from_der_traditional_key(self, bio_data, password): - key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL) - if key != self._ffi.NULL: -+ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will -+ # successfully load but errors are still put on the stack. Tracked -+ # as https://github.com/openssl/openssl/issues/14996 -+ self._consume_errors() -+ - key = self._ffi.gc(key, self._lib.EVP_PKEY_free) - if password is not None: - raise TypeError( -@@ -1448,6 +1453,11 @@ class Backend(object): - else: - self._handle_key_loading_error() - -+ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will -+ # successfully load but errors are still put on the stack. 
Tracked -+ # as https://github.com/openssl/openssl/issues/14996 -+ self._consume_errors() -+ - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - - if password is not None and userdata.called == 0: -@@ -1470,11 +1480,22 @@ class Backend(object): - "incorrect format or it may be encrypted with an unsupported " - "algorithm." - ) -- elif errors[0]._lib_reason_match( -- self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT -- ) or errors[0]._lib_reason_match( -- self._lib.ERR_LIB_PKCS12, -- self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, -+ -+ elif ( -+ errors[0]._lib_reason_match( -+ self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT -+ ) -+ or errors[0]._lib_reason_match( -+ self._lib.ERR_LIB_PKCS12, -+ self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, -+ ) -+ or ( -+ self._lib.Cryptography_HAS_PROVIDERS -+ and errors[0]._lib_reason_match( -+ self._lib.ERR_LIB_PROV, -+ self._lib.PROV_R_BAD_DECRYPT, -+ ) -+ ) - ): - raise ValueError("Bad decrypt. Incorrect password?") - -@@ -2520,7 +2541,16 @@ class Backend(object): - if sk_x509_ptr[0] != self._ffi.NULL: - sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free) - num = self._lib.sk_X509_num(sk_x509_ptr[0]) -- for i in range(num): -+ -+ # In OpenSSL < 3.0.0 PKCS12 parsing reverses the order of the -+ # certificates. 
-+ indices: typing.Iterable[int] -+ if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: -+ indices = range(num) -+ else: -+ indices = reversed(range(num)) -+ -+ for i in indices: - x509 = self._lib.sk_X509_value(sk_x509, i) - self.openssl_assert(x509 != self._ffi.NULL) - x509 = self._ffi.gc(x509, self._lib.X509_free) -diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py -index 0f96795f..a2dd6894 100644 ---- a/src/cryptography/hazmat/backends/openssl/ciphers.py -+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py -@@ -145,7 +145,13 @@ class _CipherContext(object): - res = self._backend._lib.EVP_CipherUpdate( - self._ctx, outbuf, outlen, inbuf, inlen - ) -- self._backend.openssl_assert(res != 0) -+ if res == 0 and isinstance(self._mode, modes.XTS): -+ raise ValueError( -+ "In XTS mode you must supply at least a full block in the " -+ "first update call. For AES this is 16 bytes." -+ ) -+ else: -+ self._backend.openssl_assert(res != 0) - data_processed += inlen - total_out += outlen[0] - -@@ -174,6 +180,13 @@ class _CipherContext(object): - errors[0]._lib_reason_match( - self._backend._lib.ERR_LIB_EVP, - self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH, -+ ) -+ or ( -+ self._backend._lib.Cryptography_HAS_PROVIDERS -+ and errors[0]._lib_reason_match( -+ self._backend._lib.ERR_LIB_PROV, -+ self._backend._lib.PROV_R_WRONG_FINAL_BLOCK_LENGTH, -+ ) - ), - errors=errors, - ) -diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py -index 86548357..1f42c7be 100644 ---- a/src/cryptography/hazmat/bindings/openssl/_conditional.py -+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py -@@ -270,6 +270,16 @@ def cryptography_has_get_proto_version(): - ] - - -+def cryptography_has_providers(): -+ return [ -+ "OSSL_PROVIDER_load", -+ "OSSL_PROVIDER_unload", -+ "ERR_LIB_PROV", -+ "PROV_R_WRONG_FINAL_BLOCK_LENGTH", -+ 
"PROV_R_BAD_DECRYPT", -+ ] -+ -+ - # This is a mapping of - # {condition: function-returning-names-dependent-on-that-condition} so we can - # loop over them and delete unsupported names at runtime. It will be removed -@@ -318,4 +328,5 @@ CONDITIONAL_NAMES = { - "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, - "Cryptography_HAS_SRTP": cryptography_has_srtp, - "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version, -+ "Cryptography_HAS_PROVIDERS": cryptography_has_providers, - } -diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py -index a2bc36a8..6dcec26a 100644 ---- a/src/cryptography/hazmat/bindings/openssl/binding.py -+++ b/src/cryptography/hazmat/bindings/openssl/binding.py -@@ -113,6 +113,8 @@ class Binding(object): - ffi = ffi - _lib_loaded = False - _init_lock = threading.Lock() -+ _legacy_provider: typing.Any = None -+ _default_provider: typing.Any = None - - def __init__(self): - self._ensure_ffi_initialized() -@@ -140,6 +142,24 @@ class Binding(object): - # adds all ciphers/digests for EVP - cls.lib.OpenSSL_add_all_algorithms() - cls._register_osrandom_engine() -+ # As of OpenSSL 3.0.0 we must register a legacy cipher provider -+ # to get RC2 (needed for junk asymmetric private key -+ # serialization), RC4, Blowfish, IDEA, SEED, etc. These things -+ # are ugly legacy, but we aren't going to get rid of them -+ # any time soon. 
-+ if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: -+ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load( -+ cls.ffi.NULL, b"legacy" -+ ) -+ _openssl_assert( -+ cls.lib, cls._legacy_provider != cls.ffi.NULL -+ ) -+ cls._default_provider = cls.lib.OSSL_PROVIDER_load( -+ cls.ffi.NULL, b"default" -+ ) -+ _openssl_assert( -+ cls.lib, cls._default_provider != cls.ffi.NULL -+ ) - - @classmethod - def init_static_locks(cls): -diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py -index 0c96516f..0316b5d9 100644 ---- a/tests/hazmat/backends/test_openssl_memleak.py -+++ b/tests/hazmat/backends/test_openssl_memleak.py -@@ -82,7 +82,7 @@ def main(argv): - assert result == 1 - - # Trigger a bunch of initialization stuff. -- import cryptography.hazmat.backends.openssl -+ from cryptography.hazmat.backends.openssl.backend import backend - - start_heap = set(heap) - -@@ -91,6 +91,10 @@ def main(argv): - gc.collect() - gc.collect() - -+ if lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: -+ lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider) -+ lib.OSSL_PROVIDER_unload(backend._binding._default_provider) -+ - if lib.Cryptography_HAS_OPENSSL_CLEANUP: - lib.OPENSSL_cleanup() - -diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py -index fb9a1e36..4d1e3b55 100644 ---- a/tests/hazmat/bindings/test_openssl.py -+++ b/tests/hazmat/bindings/test_openssl.py -@@ -91,7 +91,9 @@ class TestOpenSSL(object): - _openssl_assert(b.lib, False) - - error = exc_info.value.err_code[0] -- assert error.code == 101183626 -+ # As of 3.0.0 OpenSSL sets func codes to 0, so the combined -+ # code is a different value -+ assert error.code in (101183626, 50331786) - assert error.lib == b.lib.ERR_LIB_EVP - assert error.func == b.lib.EVP_F_EVP_ENCRYPTFINAL_EX - assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH -diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py -index 
131807fc..bb29919f 100644 ---- a/tests/hazmat/primitives/test_dh.py -+++ b/tests/hazmat/primitives/test_dh.py -@@ -180,7 +180,23 @@ class TestDH(object): - params = dh.DHParameterNumbers(p, int(vector["g"])) - param = params.parameters(backend) - key = param.generate_private_key() -- assert key.private_numbers().public_numbers.parameter_numbers == params -+ # In OpenSSL 3.0.0 OpenSSL maps to known groups. This results in -+ # a scenario where loading a known group with p and g returns a -+ # re-serialized form that has q as well (the Sophie Germain prime of -+ # that group). This makes a naive comparison of the parameter numbers -+ # objects fail, so we have to be a bit smarter -+ serialized_params = ( -+ key.private_numbers().public_numbers.parameter_numbers -+ ) -+ if serialized_params.q is None: -+ # This is the path OpenSSL < 3.0 takes -+ assert serialized_params == params -+ else: -+ assert serialized_params.p == params.p -+ assert serialized_params.g == params.g -+ # p = 2q + 1 since it is a Sophie Germain prime, so we can compute -+ # what we expect OpenSSL to have done here. -+ assert serialized_params.q == (params.p - 1) // 2 - - @pytest.mark.skip_fips(reason="non-FIPS parameters") - @pytest.mark.parametrize( -@@ -382,6 +398,12 @@ class TestDH(object): - assert symkey1 != symkey2 - - @pytest.mark.skip_fips(reason="key_size too small for FIPS") -+ @pytest.mark.supported( -+ only_if=lambda backend: ( -+ not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -+ ), -+ skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+", -+ ) - def test_load_256bit_key_from_pkcs8(self, backend): - data = load_vectors_from_file( - os.path.join("asymmetric", "DH", "dh_key_256.pem"), --- -2.31.1 - diff --git a/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch b/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch deleted file mode 100644 index 078950e..0000000 --- a/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -From 29cf9b8d63ef3437ba11aa29502af8773faa17a7 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Wed, 14 Apr 2021 13:15:57 -0500 -Subject: [PATCH 3/4] switch to using EVP_PKEY_derive instead of DH_compute_key - in DH (#5972) - -* switch to using EVP_PKEY_derive instead of DH_compute_key in DH - -Where checks are occurring is changing in OpenSSL 3.0 and this makes it -easier to be consistent (and is the API we should be using anyway). The -tests change because EVP_PKEY_derive now verifies that we have shared -parameters, which the test previously only verified by asserting that -the derived keys didn't match - -* review feedback - -* type ignores required for typeerror tests. some day i will remember this ---- - src/_cffi_src/openssl/dh.py | 1 - - .../hazmat/backends/openssl/dh.py | 57 ++++++++++++------- - tests/hazmat/primitives/test_dh.py | 19 ++++--- - 3 files changed, 45 insertions(+), 32 deletions(-) - -diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py -index 979dafa9..50989e45 100644 ---- a/src/_cffi_src/openssl/dh.py -+++ b/src/_cffi_src/openssl/dh.py -@@ -18,7 +18,6 @@ DH *DH_new(void); - void DH_free(DH *); - int DH_size(const DH *); - int DH_generate_key(DH *); --int DH_compute_key(unsigned char *, const BIGNUM *, DH *); - DH *DHparams_dup(DH *); - - /* added in 1.1.0 when the DH struct was opaqued */ -diff --git a/src/cryptography/hazmat/backends/openssl/dh.py b/src/cryptography/hazmat/backends/openssl/dh.py -index 65ddaeec..b928f024 100644 ---- a/src/cryptography/hazmat/backends/openssl/dh.py -+++ b/src/cryptography/hazmat/backends/openssl/dh.py -@@ -127,35 +127,48 @@ class _DHPrivateKey(dh.DHPrivateKey): - ) - - def exchange(self, peer_public_key: dh.DHPublicKey) -> bytes: -- buf = self._backend._ffi.new("unsigned char[]", self._key_size_bytes) -- pub_key = self._backend._ffi.new("BIGNUM **") -- self._backend._lib.DH_get0_key( -- peer_public_key._dh_cdata, # type: ignore[attr-defined] -- pub_key, -- 
self._backend._ffi.NULL, -+ if not isinstance(peer_public_key, _DHPublicKey): -+ raise TypeError("peer_public_key must be a DHPublicKey") -+ -+ ctx = self._backend._lib.EVP_PKEY_CTX_new( -+ self._evp_pkey, self._backend._ffi.NULL - ) -- self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) -- res = self._backend._lib.DH_compute_key( -- buf, pub_key[0], self._dh_cdata -+ self._backend.openssl_assert(ctx != self._backend._ffi.NULL) -+ ctx = self._backend._ffi.gc(ctx, self._backend._lib.EVP_PKEY_CTX_free) -+ res = self._backend._lib.EVP_PKEY_derive_init(ctx) -+ self._backend.openssl_assert(res == 1) -+ res = self._backend._lib.EVP_PKEY_derive_set_peer( -+ ctx, peer_public_key._evp_pkey -+ ) -+ # Invalid kex errors here in OpenSSL 3.0 because checks were moved -+ # to EVP_PKEY_derive_set_peer -+ self._exchange_assert(res == 1) -+ keylen = self._backend._ffi.new("size_t *") -+ res = self._backend._lib.EVP_PKEY_derive( -+ ctx, self._backend._ffi.NULL, keylen - ) -+ # Invalid kex errors here in OpenSSL < 3 -+ self._exchange_assert(res == 1) -+ self._backend.openssl_assert(keylen[0] > 0) -+ buf = self._backend._ffi.new("unsigned char[]", keylen[0]) -+ res = self._backend._lib.EVP_PKEY_derive(ctx, buf, keylen) -+ self._backend.openssl_assert(res == 1) - -- if res == -1: -+ key = self._backend._ffi.buffer(buf, keylen[0])[:] -+ pad = self._key_size_bytes - len(key) -+ -+ if pad > 0: -+ key = (b"\x00" * pad) + key -+ -+ return key -+ -+ def _exchange_assert(self, ok): -+ if not ok: - errors_with_text = self._backend._consume_errors_with_text() - raise ValueError( -- "Error computing shared key. 
Public key is likely invalid " -- "for this exchange.", -+ "Error computing shared key.", - errors_with_text, - ) -- else: -- self._backend.openssl_assert(res >= 1) -- -- key = self._backend._ffi.buffer(buf)[:res] -- pad = self._key_size_bytes - len(key) -- -- if pad > 0: -- key = (b"\x00" * pad) + key -- -- return key - - def public_key(self) -> dh.DHPublicKey: - dh_cdata = _dh_params_dup(self._dh_cdata, self._backend) -diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py -index bb29919f..2914f7e7 100644 ---- a/tests/hazmat/primitives/test_dh.py -+++ b/tests/hazmat/primitives/test_dh.py -@@ -296,6 +296,12 @@ class TestDH(object): - assert isinstance(key.private_numbers(), dh.DHPrivateNumbers) - assert isinstance(key.parameters(), dh.DHParameters) - -+ def test_exchange_wrong_type(self, backend): -+ parameters = FFDH3072_P.parameters(backend) -+ key1 = parameters.generate_private_key() -+ with pytest.raises(TypeError): -+ key1.exchange(b"invalidtype") # type: ignore[arg-type] -+ - def test_exchange(self, backend): - parameters = FFDH3072_P.parameters(backend) - assert isinstance(parameters, dh.DHParameters) -@@ -386,16 +392,11 @@ class TestDH(object): - key2 = private2.private_key(backend) - pub_key2 = key2.public_key() - -- if pub_key2.public_numbers().y >= parameters1.p: -- with pytest.raises(ValueError): -- key1.exchange(pub_key2) -- else: -- symkey1 = key1.exchange(pub_key2) -- assert symkey1 -- -- symkey2 = key2.exchange(pub_key1) -+ with pytest.raises(ValueError): -+ key1.exchange(pub_key2) - -- assert symkey1 != symkey2 -+ with pytest.raises(ValueError): -+ key2.exchange(pub_key1) - - @pytest.mark.skip_fips(reason="key_size too small for FIPS") - @pytest.mark.supported( --- -2.31.1 - diff --git a/0004-Use-well-defined-enum-representation.patch b/0004-Use-well-defined-enum-representation.patch deleted file mode 100644 index c006543..0000000 --- a/0004-Use-well-defined-enum-representation.patch +++ /dev/null 
@@ -1,366 +0,0 @@ -From 0a164d2c985b4655929591b191824ed361890b8d Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 10 May 2021 13:27:54 +0200 -Subject: [PATCH 4/4] Use well-defined enum representation - -Python 3.10 changed enum's object and string representation. PyCA -cryptography now uses a custom subclass of enum.Enum() will well-defined -__repr__ and __str__ from Python 3.9. - -Related: https://bugs.python.org/issue40066 -Fixes: https://github.com/pyca/cryptography/issues/5995 -Signed-off-by: Christian Heimes ---- - .github/workflows/ci.yml | 13 +++++++------ - src/cryptography/exceptions.py | 4 ++-- - .../hazmat/primitives/_serialization.py | 11 ++++++----- - src/cryptography/hazmat/primitives/kdf/kbkdf.py | 5 ++--- - .../hazmat/primitives/serialization/pkcs7.py | 4 ++-- - src/cryptography/utils.py | 11 +++++++++++ - src/cryptography/x509/base.py | 4 ++-- - src/cryptography/x509/certificate_transparency.py | 7 ++++--- - src/cryptography/x509/extensions.py | 5 ++--- - src/cryptography/x509/name.py | 3 +-- - src/cryptography/x509/ocsp.py | 8 ++++---- - tests/test_cryptography_utils.py | 11 +++++++++++ - 12 files changed, 54 insertions(+), 32 deletions(-) - -diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml -index 747f84c1..ca298f96 100644 ---- a/.github/workflows/ci.yml -+++ b/.github/workflows/ci.yml -@@ -18,15 +18,16 @@ jobs: - - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"} - - {VERSION: "pypy3", TOXENV: "pypy3"} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} -- - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}} -+ - {VERSION: "3.9", TOXENV: 
"py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}} -+ - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha16"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.2.3"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.3.1"}} -+ - {VERSION: "3.10-dev", TOXENV: "py310"} - RUST: - - stable - name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}" -@@ -108,8 +109,8 @@ jobs: - - {IMAGE: "sid", TOXENV: "py39"} - - {IMAGE: "ubuntu-bionic", TOXENV: "py36"} - - {IMAGE: "ubuntu-focal", TOXENV: "py38"} -- - {IMAGE: "ubuntu-rolling", TOXENV: "py38"} -- - {IMAGE: "ubuntu-rolling", TOXENV: "py38-randomorder"} -+ - {IMAGE: "ubuntu-rolling", TOXENV: "py39"} -+ - {IMAGE: "ubuntu-rolling", TOXENV: "py39-randomorder"} - - {IMAGE: "fedora", TOXENV: "py39"} - - {IMAGE: "alpine", TOXENV: "py38"} - name: "${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}" -diff --git a/src/cryptography/exceptions.py b/src/cryptography/exceptions.py -index f5860590..3bd98d82 100644 ---- a/src/cryptography/exceptions.py -+++ b/src/cryptography/exceptions.py -@@ -3,10 +3,10 @@ - # for complete details. 
- - --from enum import Enum -+from cryptography import utils - - --class _Reasons(Enum): -+class _Reasons(utils.Enum): - BACKEND_MISSING_INTERFACE = 0 - UNSUPPORTED_HASH = 1 - UNSUPPORTED_CIPHER = 2 -diff --git a/src/cryptography/hazmat/primitives/_serialization.py b/src/cryptography/hazmat/primitives/_serialization.py -index 96a5ed9b..160a6b89 100644 ---- a/src/cryptography/hazmat/primitives/_serialization.py -+++ b/src/cryptography/hazmat/primitives/_serialization.py -@@ -3,13 +3,14 @@ - # for complete details. - - import abc --from enum import Enum -+ -+from cryptography import utils - - # This exists to break an import cycle. These classes are normally accessible - # from the serialization module. - - --class Encoding(Enum): -+class Encoding(utils.Enum): - PEM = "PEM" - DER = "DER" - OpenSSH = "OpenSSH" -@@ -18,14 +19,14 @@ class Encoding(Enum): - SMIME = "S/MIME" - - --class PrivateFormat(Enum): -+class PrivateFormat(utils.Enum): - PKCS8 = "PKCS8" - TraditionalOpenSSL = "TraditionalOpenSSL" - Raw = "Raw" - OpenSSH = "OpenSSH" - - --class PublicFormat(Enum): -+class PublicFormat(utils.Enum): - SubjectPublicKeyInfo = "X.509 subjectPublicKeyInfo with PKCS#1" - PKCS1 = "Raw PKCS#1" - OpenSSH = "OpenSSH" -@@ -34,7 +35,7 @@ class PublicFormat(Enum): - UncompressedPoint = "X9.62 Uncompressed Point" - - --class ParameterFormat(Enum): -+class ParameterFormat(utils.Enum): - PKCS3 = "PKCS3" - - -diff --git a/src/cryptography/hazmat/primitives/kdf/kbkdf.py b/src/cryptography/hazmat/primitives/kdf/kbkdf.py -index ac36474f..75fe7d51 100644 ---- a/src/cryptography/hazmat/primitives/kdf/kbkdf.py -+++ b/src/cryptography/hazmat/primitives/kdf/kbkdf.py -@@ -4,7 +4,6 @@ - - - import typing --from enum import Enum - - from cryptography import utils - from cryptography.exceptions import ( -@@ -19,11 +18,11 @@ from cryptography.hazmat.primitives import constant_time, hashes, hmac - from cryptography.hazmat.primitives.kdf import KeyDerivationFunction - - --class Mode(Enum): -+class 
Mode(utils.Enum): - CounterMode = "ctr" - - --class CounterLocation(Enum): -+class CounterLocation(utils.Enum): - BeforeFixed = "before_fixed" - AfterFixed = "after_fixed" - -diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py -index bcd9e330..57aac7e3 100644 ---- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py -+++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py -@@ -3,8 +3,8 @@ - # for complete details. - - import typing --from enum import Enum - -+from cryptography import utils - from cryptography import x509 - from cryptography.hazmat.backends import _get_backend - from cryptography.hazmat.primitives import hashes, serialization -@@ -35,7 +35,7 @@ _ALLOWED_PRIVATE_KEY_TYPES = typing.Union[ - ] - - --class PKCS7Options(Enum): -+class PKCS7Options(utils.Enum): - Text = "Add text/plain MIME type" - Binary = "Don't translate input data into canonical MIME format" - DetachedSignature = "Don't embed data in the PKCS7 structure" -diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py -index ef0fc443..9e571cfd 100644 ---- a/src/cryptography/utils.py -+++ b/src/cryptography/utils.py -@@ -4,6 +4,7 @@ - - - import abc -+import enum - import inspect - import sys - import typing -@@ -162,3 +163,13 @@ int_from_bytes = deprecated( - "int_from_bytes is deprecated, use int.from_bytes instead", - DeprecatedIn34, - ) -+ -+ -+# Python 3.10 changed representation of enums. We use well-defined object -+# representation and string representation from Python 3.9. 
-+class Enum(enum.Enum): -+ def __repr__(self): -+ return f"<{self.__class__.__name__}.{self._name_}: {self._value_!r}>" -+ -+ def __str__(self): -+ return f"{self.__class__.__name__}.{self._name_}" -diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py -index 5505fa3b..26ec43d5 100644 ---- a/src/cryptography/x509/base.py -+++ b/src/cryptography/x509/base.py -@@ -7,8 +7,8 @@ import abc - import datetime - import os - import typing --from enum import Enum - -+from cryptography import utils - from cryptography.hazmat._types import _PRIVATE_KEY_TYPES, _PUBLIC_KEY_TYPES - from cryptography.hazmat.backends import _get_backend - from cryptography.hazmat.primitives import hashes, serialization -@@ -66,7 +66,7 @@ def _convert_to_naive_utc_time(time: datetime.datetime) -> datetime.datetime: - return time - - --class Version(Enum): -+class Version(utils.Enum): - v1 = 0 - v3 = 2 - -diff --git a/src/cryptography/x509/certificate_transparency.py b/src/cryptography/x509/certificate_transparency.py -index d51bee92..d80f051a 100644 ---- a/src/cryptography/x509/certificate_transparency.py -+++ b/src/cryptography/x509/certificate_transparency.py -@@ -5,15 +5,16 @@ - - import abc - import datetime --from enum import Enum - -+from cryptography import utils - --class LogEntryType(Enum): -+ -+class LogEntryType(utils.Enum): - X509_CERTIFICATE = 0 - PRE_CERTIFICATE = 1 - - --class Version(Enum): -+class Version(utils.Enum): - v1 = 0 - - -diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py -index 6cae016a..742f1fa2 100644 ---- a/src/cryptography/x509/extensions.py -+++ b/src/cryptography/x509/extensions.py -@@ -8,7 +8,6 @@ import datetime - import hashlib - import ipaddress - import typing --from enum import Enum - - from cryptography import utils - from cryptography.hazmat._der import ( -@@ -634,7 +633,7 @@ class DistributionPoint(object): - crl_issuer = utils.read_only_property("_crl_issuer") - - --class ReasonFlags(Enum): -+class 
ReasonFlags(utils.Enum): - unspecified = "unspecified" - key_compromise = "keyCompromise" - ca_compromise = "cACompromise" -@@ -978,7 +977,7 @@ class TLSFeature(ExtensionType): - return hash(tuple(self._features)) - - --class TLSFeatureType(Enum): -+class TLSFeatureType(utils.Enum): - # status_request is defined in RFC 6066 and is used for what is commonly - # called OCSP Must-Staple when present in the TLS Feature extension in an - # X.509 certificate. -diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py -index a579aa21..9069a9f4 100644 ---- a/src/cryptography/x509/name.py -+++ b/src/cryptography/x509/name.py -@@ -3,14 +3,13 @@ - # for complete details. - - import typing --from enum import Enum - - from cryptography import utils - from cryptography.hazmat.backends import _get_backend - from cryptography.x509.oid import NameOID, ObjectIdentifier - - --class _ASN1Type(Enum): -+class _ASN1Type(utils.Enum): - UTF8String = 12 - NumericString = 18 - PrintableString = 19 -diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py -index 1c5de73e..bcf210c1 100644 ---- a/src/cryptography/x509/ocsp.py -+++ b/src/cryptography/x509/ocsp.py -@@ -6,8 +6,8 @@ - import abc - import datetime - import typing --from enum import Enum - -+from cryptography import utils - from cryptography import x509 - from cryptography.hazmat.primitives import hashes, serialization - from cryptography.x509.base import ( -@@ -27,12 +27,12 @@ _OIDS_TO_HASH = { - } - - --class OCSPResponderEncoding(Enum): -+class OCSPResponderEncoding(utils.Enum): - HASH = "By Hash" - NAME = "By Name" - - --class OCSPResponseStatus(Enum): -+class OCSPResponseStatus(utils.Enum): - SUCCESSFUL = 0 - MALFORMED_REQUEST = 1 - INTERNAL_ERROR = 2 -@@ -58,7 +58,7 @@ def _verify_algorithm(algorithm): - ) - - --class OCSPCertStatus(Enum): -+class OCSPCertStatus(utils.Enum): - GOOD = 0 - REVOKED = 1 - UNKNOWN = 2 -diff --git a/tests/test_cryptography_utils.py b/tests/test_cryptography_utils.py 
-index 6b795e0c..803997ac 100644 ---- a/tests/test_cryptography_utils.py -+++ b/tests/test_cryptography_utils.py -@@ -2,6 +2,7 @@ - # 2.0, and the BSD License. See the LICENSE file in the root of this repository - # for complete details. - -+import enum - import typing - - import pytest -@@ -51,3 +52,13 @@ class TestCachedProperty(object): - assert len(accesses) == 1 - assert t.t == 14 - assert len(accesses) == 1 -+ -+ -+def test_enum(): -+ class TestEnum(utils.Enum): -+ value = "something" -+ -+ assert issubclass(TestEnum, enum.Enum) -+ assert isinstance(TestEnum.value, enum.Enum) -+ assert repr(TestEnum.value) == "" -+ assert str(TestEnum.value) == "TestEnum.value" --- -2.31.1 - diff --git a/python-cryptography.spec b/python-cryptography.spec index e997636..41eef9c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,8 +6,8 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4.7 -Release: 6%{?dist} +Version: 35.0.0 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -16,10 +16,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam # created by ./vendor_rust.py helper script Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch0001: 0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch -Patch0002: 0002-WIP-3.0.0-support-5250.patch -Patch0003: 0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch -Patch0004: 0004-Use-well-defined-enum-representation.patch ExclusiveArch: %{rust_arches} @@ -119,6 +115,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Sep 30 2021 Christian Heimes - 35.0-1 +- Update to 35.0.0 (#2009117) + * Tue Sep 14 2021 Sahana Prasad - 3.4.7-6 - Rebuilt with OpenSSL 3.0.0 diff --git a/sources b/sources index 6d1fe84..e8c9874 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-3.4.7.tar.gz) = e76d0949fbaca06d2f72805bdce8ea85056ae45b978f51d70d1367bbfb1067e9db76a9f080f890e95ec52c788a3d2fd3ba0a286901f97ee2911ebd7a7a8f71a9 -SHA512 (cryptography-3.4.7-vendor.tar.bz2) = 67060536b5d48e0497290fb3307329d57e9ac56cb9ee13c2fb1b2f93d059872d411d9dbff3f00bece23a8593d667799de86630b3748337b204f8776ef3f0a387 +SHA512 (cryptography-35.0.0.tar.gz) = b52b71ced261263e5a9e5856e3fb76b284bba4924160f6e8ad585f6148f79846a3e15d05fc8585020ec00b1e35114fbb0129bdc3acdabf1c60bb4d935767eb30 +SHA512 (cryptography-35.0.0-vendor.tar.bz2) = 2ee028dd6227b83f799bb3f177aefe08c030161a6e50682812b9cc518cd8df1abb65ff87e6c8cc93ecf83313de22af73394a4d4a8941bf54029b002b607fb28f From 0d7db7d607e9d7ef038055d75b8d55f0f4fba625 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 30 Sep 2021 09:55:19 +0200 Subject: [PATCH 051/111] Require rust-asn1 >= 0.6.4 --- python-cryptography.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 41eef9c..811c380 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 35.0.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -33,6 +33,8 @@ BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 +# Cargo.toml requires asn1 0.6, but package FTBFS with 0.6.1 +BuildRequires: rust-asn1-devel >= 0.6.4 %if %{with tests} %if 0%{?fedora} @@ -115,6 +117,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Sep 30 2021 Christian Heimes - 35.0.0-2 +- Require rust-asn1 >= 0.6.4 + * Thu Sep 30 2021 Christian Heimes - 35.0-1 - Update to 35.0.0 (#2009117) 
From 726f08f3c20224edc2e9297a24e3d8312a474e38 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 22 Nov 2021 23:05:16 +0100 Subject: [PATCH 052/111] Update to 36.0.0, fixes RHBZ#2025347 --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index e2d569a..dfa9f3e 100644 --- a/.gitignore +++ b/.gitignore @@ -41,3 +41,5 @@ /cryptography-3.4.7-vendor.tar.bz2 /cryptography-35.0.0.tar.gz /cryptography-35.0.0-vendor.tar.bz2 +/cryptography-36.0.0.tar.gz +/cryptography-36.0.0-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 811c380..80e09b3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,8 +6,8 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 35.0.0 -Release: 2%{?dist} +Version: 36.0.0 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -117,6 +117,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Nov 22 2021 Christian Heimes - 36.0.0-1 +- Update to 36.0.0, fixes RHBZ#2025347 + * Thu Sep 30 2021 Christian Heimes - 35.0.0-2 - Require rust-asn1 >= 0.6.4 diff --git a/sources b/sources index e8c9874..c1a984e 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-35.0.0.tar.gz) = b52b71ced261263e5a9e5856e3fb76b284bba4924160f6e8ad585f6148f79846a3e15d05fc8585020ec00b1e35114fbb0129bdc3acdabf1c60bb4d935767eb30 -SHA512 (cryptography-35.0.0-vendor.tar.bz2) = 2ee028dd6227b83f799bb3f177aefe08c030161a6e50682812b9cc518cd8df1abb65ff87e6c8cc93ecf83313de22af73394a4d4a8941bf54029b002b607fb28f +SHA512 (cryptography-36.0.0.tar.gz) = ed000877a205312733d1a03de7fada0847fd66ec26dce8e7f1bdc51f96b90ddd423c630ff949120b3c775ad3445b41fb3b74e38b0f673b0484c3ea9e38423453 +SHA512 (cryptography-36.0.0-vendor.tar.bz2) = b381c850f6ab346cdf6c0764e88ee3fc3cae132f83742059993574de540e40322892f28ae3c813b34cb5648995e9f4fa0eeb7991aa84ced155fe3e1a1d236cd0 From 78e9ac8bb309016cfa7426d4d6b9a5f9d5133aba Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 21 Jan 2022 11:26:23 +0000 Subject: [PATCH 053/111] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 80e09b3..3419082 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 36.0.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -117,6 +117,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jan 21 2022 Fedora Release Engineering - 36.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Mon Nov 22 2021 Christian Heimes - 36.0.0-1 - Update to 36.0.0, fixes RHBZ#2025347 From f5e60ad52019bb1ffa29fae75add78d50b9399c7 Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Thu, 27 Jan 2022 14:43:41 +0100 Subject: [PATCH 054/111] Skip unstable memleak tests, resolves: RHBZ#2042413 --- python-cryptography.spec | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 3419082..07ac471 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 36.0.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -105,9 +105,11 @@ cat < %{SOURCE2} >> tests/conftest.py # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests +# see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes +# not much sense for downstream testing. PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{__python3} -m pytest \ - -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" + -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_openssl_memleak)" %endif %files -n python%{python3_pkgversion}-%{srcname} @@ -117,6 +119,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Jan 27 2022 Christian Heimes - 36.0.0-3 +- Skip unstable memleak tests, resolves: RHBZ#2042413 + * Fri Jan 21 2022 Fedora Release Engineering - 36.0.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From 58e882836491f7a0fed29484545b49960ef6671c Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 5 May 2022 08:15:05 +0200 Subject: [PATCH 055/111] Update to 37.0.2, resolves rhbz#2078968 --- .gitignore | 2 ++ python-cryptography.spec | 8 ++++++-- sources | 4 ++-- 3 files changed, 10 insertions(+), 4 deletions(-) 
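Review bot: The `-k` term `test_openssl_memleak` added in the %check hunk matches by keyword, so it deselects every test collected from the memleak module rather than a single flaky case. It also applies on every Python version, although the new comment only cites instability under Python 3.11. For a package wrapping OpenSSL, that leaves the downstream build with no leak check of the bindings, so the comment should record the scope, e.g. `# deselects all of tests/hazmat/backends/test_openssl_memleak.py on every Python version`. If the skip is meant to be temporary, state the condition for dropping it next to the rhbz reference. The %check section starts outside this hunk.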
diff --git a/.gitignore b/.gitignore index dfa9f3e..a426298 100644 --- a/.gitignore +++ b/.gitignore @@ -43,3 +43,5 @@ /cryptography-35.0.0-vendor.tar.bz2 /cryptography-36.0.0.tar.gz /cryptography-36.0.0-vendor.tar.bz2 +/cryptography-37.0.2.tar.gz +/cryptography-37.0.2-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 07ac471..5594ecc 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,8 +6,8 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 36.0.0 -Release: 3%{?dist} +Version: 37.0.2 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -44,6 +44,7 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 +BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 BuildRequires: python%{python3_pkgversion}-pytz %endif @@ -119,6 +120,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu May 05 2022 Christian Heimes - 37.0.2-1 +- Update to 37.0.2, resolves rhbz#2078968 + * Thu Jan 27 2022 Christian Heimes - 36.0.0-3 - Skip unstable memleak tests, resolves: RHBZ#2042413 diff --git a/sources b/sources index c1a984e..536e11b 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-36.0.0.tar.gz) = ed000877a205312733d1a03de7fada0847fd66ec26dce8e7f1bdc51f96b90ddd423c630ff949120b3c775ad3445b41fb3b74e38b0f673b0484c3ea9e38423453 -SHA512 (cryptography-36.0.0-vendor.tar.bz2) = b381c850f6ab346cdf6c0764e88ee3fc3cae132f83742059993574de540e40322892f28ae3c813b34cb5648995e9f4fa0eeb7991aa84ced155fe3e1a1d236cd0 +SHA512 (cryptography-37.0.2.tar.gz) = ca6b1e983e79a130b47b1f7cdabeb6041a6102f57483f0820f7bcc6a67e0112b7691f09caa7f391de5aed0a2fee26f394688823da2cd4c8beab553732ac6a305 +SHA512 (cryptography-37.0.2-vendor.tar.bz2) = d100fff9406063c7eb1d0caf7f389c15e49715928ae6c9ec7fd60e97f363ea3590d145e8e7f74958ce4857f60e9e4cd28ac69ef44f9e0dc0730e5d08b073bd9b From 697f9bc002963f9d7a6a83a1a5a9f9c385e37369 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 14 Jun 2022 08:41:16 +0200 Subject: [PATCH 056/111] Bootstrap for Python 3.11 --- python-cryptography.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 5594ecc..a844bfb 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -7,7 +8,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -120,6 +121,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Jun 14 2022 Python Maint - 37.0.2-2 +- Bootstrap for Python 3.11 + * Thu May 05 2022 Christian Heimes - 37.0.2-1 - Update to 37.0.2, resolves rhbz#2078968 From 62733ee588f5d42469d4220d2d79fe969a683d21 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 14 Jun 2022 12:08:28 +0200 Subject: [PATCH 057/111] Rebuilt for Python 3.11 --- python-cryptography.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/python-cryptography.spec b/python-cryptography.spec index a844bfb..eaecf52 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -8,7 +7,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -121,6 +120,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Jun 14 2022 Python Maint - 37.0.2-3 +- Rebuilt for Python 3.11 + * Tue Jun 14 2022 Python Maint - 37.0.2-2 - Bootstrap for Python 3.11 From f11c50a6f7123165639dbdd0259eac99c86c2891 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 22 Jul 2022 17:38:51 +0000 Subject: [PATCH 058/111] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index eaecf52..7faf137 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -120,6 +120,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Tue Jun 14 2022 Python Maint - 37.0.2-3 - Rebuilt for Python 3.11 From 29c1c4ffe0307c119ad59cd1eeea5b335ed3d7d8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 17 Aug 2022 12:04:42 +0200 Subject: [PATCH 059/111] Drop unused manual requirement on six, drop duplicated manual requirement on cffi The Python-related Requires already were: python(abi) = 3.11 python3-cffi >= 1.7 python3-six >= 1.4.1 python3.11dist(cffi) >= 1.12 Now they are: python(abi) = 3.11 python3.11dist(cffi) >= 1.12 --- python-cryptography.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 7faf137..8224d85 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -32,7 +32,6 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 -BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 # Cargo.toml requires asn1 0.6, but package FTBFS with 0.6.1 BuildRequires: rust-asn1-devel >= 0.6.4 @@ -58,8 +57,6 @@ Summary: PyCA's cryptography library %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} Requires: openssl-libs -Requires: python%{python3_pkgversion}-six >= 1.4.1 -Requires: python%{python3_pkgversion}-cffi >= 1.7 %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 # Can be safely removed in Fedora 37 Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7 @@ -120,6 +117,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 +- Drop unused requirement of python3-six + * Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild 
From 19e9b9733277e509e42c9ee0b9cad941077ff424 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 9 Dec 2022 12:09:43 +0100 Subject: [PATCH 060/111] Enable SHA1 signatures in test suite (ELN-only) --- python-cryptography.spec | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 8224d85..5288712 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 5%{?dist} +Release: 6%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -101,6 +101,12 @@ rm -rf tests/hypothesis cat < %{SOURCE2} >> tests/conftest.py %endif +%if 0%{?eln} +# enable SHA-1 signatures for RSA tests +# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343 +export OPENSSL_ENABLE_SHA1_SIGNATURES=yes +%endif + # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests # see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes @@ -117,6 +123,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Dec 09 2022 Christian Heimes - 37.0.2-6 +- Enable SHA1 signatures in test suite (ELN-only) + * Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 - Drop unused requirement of python3-six From ebf415a04ba645888dcb6351ab91aa0336e23044 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Tue, 13 Dec 2022 18:30:42 +0100 Subject: [PATCH 061/111] Convert the license tag to SPDX and add missing PSF license --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 5288712..e8e0731 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
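Review bot: The comment above `export OPENSSL_ENABLE_SHA1_SIGNATURES=yes` in the `%if 0%{?eln}` block of %check does not say that the override is confined to the build-time test run. Because the export sits in %check it should not reach the installed package, but a reader skimming the spec could take it for a change to the shipped crypto policy. I would extend the comment with `# test-only: relaxes the SHA-1 signature policy for this pytest run, not for the installed library`. The RSA tests then pass under a setting users do not get by default, so a short pointer to which tests need it (presumably the SHA-1 signing cases discussed in the linked PR) would help when the override is revisited.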
@@ -10,7 +10,10 @@ Version: 37.0.2 Release: 6%{?dist} Summary: PyCA's cryptography library -License: ASL 2.0 or BSD +# cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, +# as well as the Python Software Foundation license for the OS random +# engine derived by CPython. +License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz # created by ./vendor_rust.py helper script From 4c529569ef2c8a0fca3f52c4c0a831f037a62b18 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Tue, 13 Dec 2022 21:03:13 +0100 Subject: [PATCH 062/111] Remove no longer used macro --- python-cryptography.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index e8e0731..8c3583c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -3,7 +3,6 @@ %{!?python3_pkgversion:%global python3_pkgversion 3} %global srcname cryptography -%global pyo3_version 0.13.1 Name: python-%{srcname} Version: 37.0.2 From 25a80244fef287446e6096a67fd913f56cf9199c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 20 Jan 2023 12:25:02 +0000 Subject: [PATCH 063/111] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 8c3583c..a0c880e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 6%{?dist} +Release: 7%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, 
@@ -125,6 +125,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Fri Dec 09 2022 Christian Heimes - 37.0.2-6 - Enable SHA1 signatures in test suite (ELN-only) From 9e3c824a6b1f1acac3f7c97111e0705287d96133 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 22 Feb 2023 09:57:34 +0100 Subject: [PATCH 064/111] Fix CVE-2023-23931 and FTBFS Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 --- CVE-2023-23931.patch | 42 ++++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 12 ++++++++++-- 2 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 CVE-2023-23931.patch diff --git a/CVE-2023-23931.patch b/CVE-2023-23931.patch new file mode 100644 index 0000000..085947c --- /dev/null +++ b/CVE-2023-23931.patch 
@@ -0,0 +1,42 @@ +From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 31 Jan 2023 08:33:54 -0500 +Subject: [PATCH] Don't allow update_into to mutate immutable objects + +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 286583f9325..075d68fb905 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int: + data_processed = 0 + total_out = 0 + outlen = self._backend._ffi.new("int *") +- baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) + baseinbuf = self._backend._ffi.from_buffer(data) + + while data_processed != total_data_len: +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index 02127dd9cab..bf3b047dec2 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend): + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) + ++ def test_update_into_immutable(self, backend): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ buf = b"\x00" * 32 ++ with pytest.raises((TypeError, BufferError)): ++ encryptor.update_into(b"testing", buf) ++ + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) diff --git a/python-cryptography.spec b/python-cryptography.spec index a0c880e..76ea9b9 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 7%{?dist} +Release: 8%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,6 +19,9 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +# https://github.com/pyca/cryptography/pull/8230 +Patch1: CVE-2023-23931.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -113,9 +116,10 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES=yes # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests # see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes # not much sense for downstream testing. +# see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{__python3} -m pytest \ - -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_openssl_memleak)" + -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif %files -n python%{python3_pkgversion}-%{srcname} @@ -125,6 +129,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Feb 22 2023 Christian Heimes - 37.0.2-8 +- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 +- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 + * Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From cf6e4c6ecf1d73549a6568cef4b43f3dcca19786 Mon Sep 17 00:00:00 2001 
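Review bot: `test_decrypt_invalid_decrypt` is added to the `-k` deselection in the %check hunk, but the new comment line only documents `test_load_invalid_ec_key_from_pem`. Judging by its name, the dropped test covers the rejection path for invalid ciphertext, which is a negative test worth keeping in a crypto package, so its failure reason and a re-enable condition should be recorded next to the expression, e.g. `# see rhbz#2171661 for test_decrypt_invalid_decrypt: <failure message from the bug>`. The changelog entry ties both tests to rhbz#2171661, so the reference is known; only the failure text is missing from the spec comment.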
From: Fabio Valentini Date: Thu, 26 Jan 2023 21:53:08 +0100 Subject: [PATCH 065/111] ensure correct compiler flags are used for Rust code --- python-cryptography.spec | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 76ea9b9..c40d3a3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 8%{?dist} +Release: 9%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -37,8 +37,6 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 -# Cargo.toml requires asn1 0.6, but package FTBFS with 0.6.1 -BuildRequires: rust-asn1-devel >= 0.6.4 %if %{with tests} %if 0%{?fedora} @@ -73,22 +71,24 @@ recipes to Python developers. %prep %autosetup -p1 -n %{srcname}-%{version} - -%generate_buildrequires - %if 0%{?fedora} -# Fedora: use cargo macros to make use of RPMified crates %cargo_prep -cd src/rust -rm -f Cargo.lock -%cargo_generate_buildrequires -cd ../.. +rm src/rust/Cargo.lock %else # RHEL: use vendored Rust crates %cargo_prep -V 1 %endif +%if 0%{?fedora} +%generate_buildrequires +# Fedora: use RPMified crates +cd src/rust +%cargo_generate_buildrequires +cd ../.. +%endif + %build +export RUSTFLAGS="%build_rustflags" %py3_build %install 
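Review bot: `export RUSTFLAGS="%build_rustflags"` in %build is unconditional, while the rest of this hunk keeps separate Fedora and RHEL paths. RPM leaves an undefined macro unexpanded, so on any target whose macro set lacks `%build_rustflags` the literal string would be handed to rustc; if that can happen on a supported branch, guard the line with `%{?build_rustflags:export RUSTFLAGS="%build_rustflags"}`. Separately, `rm src/rust/Cargo.lock` discards upstream's pinned crate versions on Fedora, and a one-line comment such as `# drop upstream pins; versions come from the RPMified crates` would make that deliberate choice visible to the next maintainer.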
@@ -129,6 +129,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 +- Ensure correct compiler flags are used for Rust code. + * Wed Feb 22 2023 Christian Heimes - 37.0.2-8 - Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 - Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 From 5c59e50b4e4ab60ccbd34707441c304966aa5719 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 9 Mar 2023 08:19:18 +0100 Subject: [PATCH 066/111] Update to 39.0.2 Resolves: rhbz#2124729 --- .gitignore | 2 ++ CVE-2023-23931.patch | 42 ---------------------------------------- python-cryptography.spec | 16 +++++++-------- sources | 4 ++-- 4 files changed, 12 insertions(+), 52 deletions(-) delete mode 100644 CVE-2023-23931.patch diff --git a/.gitignore b/.gitignore index a426298..4a92541 100644 --- a/.gitignore +++ b/.gitignore @@ -45,3 +45,5 @@ /cryptography-36.0.0-vendor.tar.bz2 /cryptography-37.0.2.tar.gz /cryptography-37.0.2-vendor.tar.bz2 +/cryptography-39.0.2.tar.gz +/cryptography-39.0.2-vendor.tar.bz2 diff --git a/CVE-2023-23931.patch b/CVE-2023-23931.patch deleted file mode 100644 index 085947c..0000000 --- a/CVE-2023-23931.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 31 Jan 2023 08:33:54 -0500 -Subject: [PATCH] Don't allow update_into to mutate immutable objects - ---- - src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- - tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py -index 286583f9325..075d68fb905 100644 ---- a/src/cryptography/hazmat/backends/openssl/ciphers.py -+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py -@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int: - data_processed = 0 - total_out = 0 - outlen = self._backend._ffi.new("int *") -- baseoutbuf = self._backend._ffi.from_buffer(buf) -+ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) - baseinbuf = self._backend._ffi.from_buffer(data) - - while data_processed != total_data_len: -diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py -index 02127dd9cab..bf3b047dec2 100644 ---- a/tests/hazmat/primitives/test_ciphers.py -+++ b/tests/hazmat/primitives/test_ciphers.py -@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend): - with pytest.raises(ValueError): - encryptor.update_into(b"testing", buf) - -+ def test_update_into_immutable(self, backend): -+ key = b"\x00" * 16 -+ c = ciphers.Cipher(AES(key), modes.ECB(), backend) -+ encryptor = c.encryptor() -+ buf = b"\x00" * 32 -+ with pytest.raises((TypeError, BufferError)): -+ encryptor.update_into(b"testing", buf) -+ - @pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) diff --git a/python-cryptography.spec b/python-cryptography.spec index c40d3a3..40b2f7f 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 37.0.2 -Release: 9%{?dist} +Version: 39.0.2 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,9 +19,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -# https://github.com/pyca/cryptography/pull/8230 -Patch1: CVE-2023-23931.patch - ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -33,10 +30,10 @@ BuildRequires: rust-packaging BuildRequires: rust-toolset %endif -BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 +BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools -BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 +BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 %if %{with tests} %if 0%{?fedora} @@ -45,7 +42,7 @@ BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist %endif -BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 +BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 BuildRequires: python%{python3_pkgversion}-pytz @@ -129,6 +126,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Sat Mar 04 2023 Christian Heimes - 39.0.2-1 +- Update to 39.0.2, resolves rhbz#2124729 + * Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 - Ensure correct compiler flags are used for Rust code. diff --git a/sources b/sources index 536e11b..3ce6c7a 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-37.0.2.tar.gz) = ca6b1e983e79a130b47b1f7cdabeb6041a6102f57483f0820f7bcc6a67e0112b7691f09caa7f391de5aed0a2fee26f394688823da2cd4c8beab553732ac6a305 -SHA512 (cryptography-37.0.2-vendor.tar.bz2) = d100fff9406063c7eb1d0caf7f389c15e49715928ae6c9ec7fd60e97f363ea3590d145e8e7f74958ce4857f60e9e4cd28ac69ef44f9e0dc0730e5d08b073bd9b +SHA512 (cryptography-39.0.2.tar.gz) = 06ae3e2c0c2a5fa9e80dab7181a7c8b64aa9359bfd149837f179e65372a90acc905aae7476516ba8da4c4137bd25ba115d911728858551d2862280352b09b95e +SHA512 (cryptography-39.0.2-vendor.tar.bz2) = 4e92ec50e01f99e160ab6c5e12fbd7e1297aaa2dfb5f0f35019308a44661e938a082c9a4ce0d9b5fbe1ed94cde49ae6b193c3f3f7035e9f5f5a97f2108595667 From 231f32cf9664dc30d86af4aaa6a16626509e2231 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Thu, 9 Mar 2023 12:55:39 +0100 Subject: [PATCH 067/111] Don't run tests requiring pytz on RHEL pytz is unwanted on RHEL 10+. --- python-cryptography.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 40b2f7f..9877601 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 39.0.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -41,11 +41,11 @@ BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist +BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 -BuildRequires: python%{python3_pkgversion}-pytz %endif %description 
@@ -97,8 +97,8 @@ find . -name .keep -print -delete %check %if %{with tests} %if 0%{?rhel} -# skip hypothesis tests on RHEL -rm -rf tests/hypothesis +# skip hypothesis and pytz tests on RHEL +rm -rf tests/hypothesis tests/x509 # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif @@ -126,6 +126,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 +- Don't run tests requiring pytz on RHEL + * Sat Mar 04 2023 Christian Heimes - 39.0.2-1 - Update to 39.0.2, resolves rhbz#2124729 From 0dbc0e5e1df4aa27e22eb637ae15136b8397643d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Thu, 9 Mar 2023 13:28:58 +0100 Subject: [PATCH 068/111] Don't try to run tests of vendored dependencies in %check --- python-cryptography.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index 9877601..07d9285 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -116,6 +116,7 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES=yes # see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{__python3} -m pytest \ + --ignore vendor \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif @@ -128,6 +129,7 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %changelog * Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 - Don't run tests requiring pytz on RHEL +- Don't try to run tests of vendored dependencies in %%check * Sat Mar 04 2023 Christian Heimes - 39.0.2-1 - Update to 39.0.2, resolves rhbz#2124729 From 55eaa10d2d97f19c966ba4c3e039f420b4f779bc Mon Sep 17 00:00:00 2001 
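Review bot: `rm -rf tests/hypothesis tests/x509` removes the whole x509 test directory on RHEL to avoid the pytz import, which is much wider than the comment "skip hypothesis and pytz tests" suggests. Going by the directory name, that leaves RHEL builds without any run of the certificate-handling tests, which is a lot of coverage to give up for one test dependency. The spec already appends `%{SOURCE2}` to tests/conftest.py to skip the iso8601 and pretend tests; extending that skipper to the pytz-dependent tests, or ignoring only the modules that import pytz, would keep the rest of tests/x509 running. At minimum the comment should read `# skip hypothesis tests and all of tests/x509 (needs pytz) on RHEL`.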
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Mon, 13 Mar 2023 21:09:36 +0100 Subject: [PATCH 069/111] Remove an undesired %{?eln} conditional Fixes https://github.com/fedora-eln/eln/issues/120 --- python-cryptography.spec | 2 -- 1 file changed, 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 07d9285..38888b0 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -103,11 +103,9 @@ rm -rf tests/hypothesis tests/x509 cat < %{SOURCE2} >> tests/conftest.py %endif -%if 0%{?eln} # enable SHA-1 signatures for RSA tests # also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343 export OPENSSL_ENABLE_SHA1_SIGNATURES=yes -%endif # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests From 2894c08790a4b4a9e0bdc0ba6a03e513264f5dd6 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 28 Mar 2023 08:45:39 +0200 Subject: [PATCH 070/111] Update to 40.0.2 Resolves: rhbz#2181430 --- .gitignore | 8 ++++++++ python-cryptography.spec | 15 ++++++++++++--- sources | 4 ++-- 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 4a92541..77cad2f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ +/results_python-cryptography +/*.src.rpm /cryptography-1.3.1.tar.gz /cryptography-1.5.3.tar.gz /cryptography-1.7.1.tar.gz @@ -47,3 +49,9 @@ /cryptography-37.0.2-vendor.tar.bz2 /cryptography-39.0.2.tar.gz /cryptography-39.0.2-vendor.tar.bz2 +/cryptography-40.0.0.tar.gz +/cryptography-40.0.0-vendor.tar.bz2 +/cryptography-40.0.1.tar.gz +/cryptography-40.0.1-vendor.tar.bz2 +/cryptography-40.0.2.tar.gz +/cryptography-40.0.2-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 38888b0..6dc34f5 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 39.0.2 -Release: 2%{?dist} +Version: 40.0.2 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -34,6 +34,8 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 +# test_load_with_other_sections in 40.0 fails with pem 1.1.0 +BuildRequires: rust-pem-devel >= 1.1.1 %if %{with tests} %if 0%{?fedora} @@ -45,7 +47,7 @@ BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark -BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 +BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 %endif %description @@ -84,8 +86,12 @@ cd src/rust cd ../.. %endif +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml + %build export RUSTFLAGS="%build_rustflags" +export OPENSSL_NO_VENDOR=1 %py3_build %install @@ -125,6 +131,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Apr 18 2023 Christian Heimes - 40.0.2-1 +- Update to 40.0.2, resolves rhbz#2181430 + * Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 - Don't run tests requiring pytz on RHEL - Don't try to run tests of vendored dependencies in %%check diff --git a/sources b/sources index 3ce6c7a..3532c84 100644 --- a/sources +++ b/sources 
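Review bot: `export OPENSSL_NO_VENDOR=1` is added to %build without a comment, although as far as I can tell it is the line that stops the Rust OpenSSL bindings from building a bundled copy instead of linking the distribution's openssl-devel. I would add `# never build a bundled OpenSSL; link against the system library` above it, so the export is not removed as dead weight in a later cleanup. The `sed -i 's,--no-subtests-shortletter,,' pyproject.toml` line sits after the `%endif` that closes the Fedora-only %generate_buildrequires block introduced in PATCH 065, so it appears to run in that section on Fedora and in %prep on RHEL. Moving it up next to `%autosetup` would make it run in %prep on both.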
@@ -1,2 +1,2 @@ -SHA512 (cryptography-39.0.2.tar.gz) = 06ae3e2c0c2a5fa9e80dab7181a7c8b64aa9359bfd149837f179e65372a90acc905aae7476516ba8da4c4137bd25ba115d911728858551d2862280352b09b95e -SHA512 (cryptography-39.0.2-vendor.tar.bz2) = 4e92ec50e01f99e160ab6c5e12fbd7e1297aaa2dfb5f0f35019308a44661e938a082c9a4ce0d9b5fbe1ed94cde49ae6b193c3f3f7035e9f5f5a97f2108595667 +SHA512 (cryptography-40.0.2.tar.gz) = 4f49a71cc7348cf90ff4e67d73486a07e065efdc3e321c7f2a642dd459057a90b1c26055bdbed076ebe5b8ea4ec544aaa62b9811fd62f0d818af7e0687b4aa9e +SHA512 (cryptography-40.0.2-vendor.tar.bz2) = d45692545b50a1995837ec61b193f395bf4de021e3c4f059e3c3cc705b1b09628b1e8f00efd1d0f3f0936dc66e39cb2ac9defe484f952552e7b0e402e947fd6d From a64728bbef7bb73a1718152c04ff53aa3225b951 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Mon, 12 Jun 2023 22:50:52 -0400 Subject: [PATCH 071/111] Use vendored rust-pem in RHEL builds --- python-cryptography.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 6dc34f5..402389d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 40.0.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -26,6 +26,8 @@ BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging +# test_load_with_other_sections in 40.0 fails with pem 1.1.0 +BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -34,8 +36,6 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 -# test_load_with_other_sections in 40.0 fails with pem 1.1.0 -BuildRequires: rust-pem-devel >= 1.1.1 %if %{with tests} %if 0%{?fedora} 
@@ -131,6 +131,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 +- Use vendored rust-pem in RHEL builds + * Tue Apr 18 2023 Christian Heimes - 40.0.2-1 - Update to 40.0.2, resolves rhbz#2181430 From bd226dd0d02b7f96f2602496b1ee87b9e27bb582 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Wed, 14 Jun 2023 16:13:50 +0200 Subject: [PATCH 072/111] Bootstrap for Python 3.12 --- python-cryptography.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 402389d..336b8fc 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -6,7 +7,7 @@ Name: python-%{srcname} Version: 40.0.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -131,6 +132,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Jun 14 2023 Python Maint - 40.0.2-3 +- Bootstrap for Python 3.12 + * Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 - Use vendored rust-pem in RHEL builds From f32ed18be7458c0152a5b26a5fc4d72db38bdcb7 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Mon, 10 Jul 2023 14:05:42 +0200 Subject: [PATCH 073/111] Rebuilt for Python 3.12 --- python-cryptography.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 336b8fc..5c8b8a7 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} 
@@ -7,7 +6,7 @@ Name: python-%{srcname} Version: 40.0.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -132,6 +131,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Jul 10 2023 Python Maint - 40.0.2-4 +- Rebuilt for Python 3.12 + * Wed Jun 14 2023 Python Maint - 40.0.2-3 - Bootstrap for Python 3.12 From 9421b4a468a2e9b0f2719e09e426d94f912101a0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 21 Jul 2023 08:43:20 +0000 Subject: [PATCH 074/111] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 5c8b8a7..0323ca3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 40.0.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -131,6 +131,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Mon Jul 10 2023 Python Maint - 40.0.2-4 - Rebuilt for Python 3.12 From 7b18e1445dd861fc9515a51991ebd2eb12a5580f Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Wed, 9 Aug 2023 14:07:18 +0200 Subject: [PATCH 075/111] Update to 41.0.3 - Update to upstream version 41.0.3 - Use pyo3 0.19 Resolves: rhbz#2211237 --- .gitignore | 2 ++ pyo3-0.19.patch | 52 ++++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 14 ++++++++--- sources | 4 ++-- 4 files changed, 67 insertions(+), 5 deletions(-) create mode 100644 pyo3-0.19.patch diff --git a/.gitignore b/.gitignore index 77cad2f..e69e967 100644 --- a/.gitignore +++ b/.gitignore @@ -55,3 +55,5 @@ /cryptography-40.0.1-vendor.tar.bz2 /cryptography-40.0.2.tar.gz /cryptography-40.0.2-vendor.tar.bz2 +/cryptography-41.0.3.tar.gz +/cryptography-41.0.3-vendor.tar.bz2 diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch new file mode 100644 index 0000000..692232a --- /dev/null +++ b/pyo3-0.19.patch 
@@ -0,0 +1,52 @@
+diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
+index 01fba147e..9dd060f8b 100644
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -9,7 +9,7 @@ rust-version = "1.56.0"
+
+ [dependencies]
+ once_cell = "1"
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ asn1 = { version = "0.15.2", default-features = false }
+ cryptography-cffi = { path = "cryptography-cffi" }
+ cryptography-x509 = { path = "cryptography-x509" }
+diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
+index 65051c2a4..24e53991b 100644
+--- a/src/rust/cryptography-cffi/Cargo.toml
++++ b/src/rust/cryptography-cffi/Cargo.toml
+@@ -8,7 +8,7 @@ publish = false
+ rust-version = "1.56.0"
+
+ [dependencies]
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ openssl-sys = "0.9.88"
+
+ [build-dependencies]
+diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
+index 923015035..1380d6eb8 100644
+--- a/src/rust/src/x509/crl.rs
++++ b/src/rust/src/x509/crl.rs
+@@ -145,7 +145,7 @@ impl CertificateRevocationList {
+ revoked_certs
+ });
+
+- if idx.is_instance_of::()? {
++ if idx.is_instance_of::() {
+ let indices = idx
+ .downcast::()?
+ .indices(self.len().try_into().unwrap())?;
+diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
+index 98d1bd63b..dcf28833f 100644
+--- a/src/rust/src/x509/extensions.rs
++++ b/src/rust/src/x509/extensions.rs
+@@ -211,7 +211,7 @@ fn encode_certificate_policies(
+ let mut qualifiers = vec![];
+ for py_qualifier in py_policy_qualifiers.iter()? {
+ let py_qualifier = py_qualifier?;
+- let qualifier = if py_qualifier.is_instance_of::()? {
++ let qualifier = if py_qualifier.is_instance_of::() {
+ let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
+ Some(s) => s,
+ None => {
diff --git a/python-cryptography.spec b/python-cryptography.spec index 0323ca3..0365a9a 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 40.0.2 -Release: 5%{?dist} +Version: 41.0.3 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,6 +19,8 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +Patch1: pyo3-0.19.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -69,8 +71,10 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -n %{srcname}-%{version} +%autosetup -p1 -N -n %{srcname}-%{version} %if 0%{?fedora} +# patch pyo3 depedency +%autopatch -p1 1 %cargo_prep rm src/rust/Cargo.lock %else @@ -131,6 +135,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Aug 09 2023 Christian Heimes - 41.0.3-1 +- Update to 41.0.3, resolves rhbz#2211237 +- Use pyo3 0.19 + * Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild diff --git a/sources b/sources index 3532c84..f529925 100644 --- a/sources +++ b/sources 
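Review bot: `Patch1: pyo3-0.19.patch` is added without a comment on where the patch comes from, and the patch file itself starts directly at `diff --git` with no header. The patch edits Rust sources of a cryptographic library (`crl.rs`, `extensions.rs`), so a reader should be able to tell whether it mirrors an upstream change or is downstream-only. A comment above the tag would cover it, for example `# Port to pyo3 0.19 as packaged in Fedora; upstream status: <UPSTREAM-COMMIT-OR-PR>`, with the placeholder filled in by the author.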
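Review bot: `%autopatch -p1 1` sits inside `%if 0%{?fedora}`, so with `-N` now on `%autosetup` the `%else` branch builds unpatched sources, and the comment `# patch pyo3 depedency` neither says that nor spells "dependency" correctly. Presumably the vendor tarball in `Source1` still carries the pyo3 version the unpatched `Cargo.toml` asks for, but nothing in the hunk states it. I would write `# Fedora only: adapt to the pyo3 0.19 crate RPM; other builds use the vendored crates unpatched`. The same misspelling is repeated in the `# patch pyo3 and ouroboros depedency` comment of the next commit in this series.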
@@ -1,2 +1,2 @@ -SHA512 (cryptography-40.0.2.tar.gz) = 4f49a71cc7348cf90ff4e67d73486a07e065efdc3e321c7f2a642dd459057a90b1c26055bdbed076ebe5b8ea4ec544aaa62b9811fd62f0d818af7e0687b4aa9e -SHA512 (cryptography-40.0.2-vendor.tar.bz2) = d45692545b50a1995837ec61b193f395bf4de021e3c4f059e3c3cc705b1b09628b1e8f00efd1d0f3f0936dc66e39cb2ac9defe484f952552e7b0e402e947fd6d +SHA512 (cryptography-41.0.3.tar.gz) = a1b3c922dc1cc527af152e3d26d65754806c4eeef5e3bcb13e5d86e67c618a7a04de6ca182bc332ff36f3c670b9e5581e6f609f738e0236ada89aa65681fa0cd +SHA512 (cryptography-41.0.3-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 From c8cc5d4cdc2023b87412484beb7b46cb4d94322f Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 14 Aug 2023 07:24:10 +0200 Subject: [PATCH 076/111] Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 --- ouroboros-0.17.patch | 13 +++++++++++++ python-cryptography.spec | 9 +++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 ouroboros-0.17.patch diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch new file mode 100644 index 0000000..a41a2c3 --- /dev/null +++ b/ouroboros-0.17.patch @@ -0,0 +1,13 @@ +diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml +index 9dd060f8b..8004c7e76 100644 +--- a/src/rust/Cargo.toml ++++ b/src/rust/Cargo.toml +@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } + cryptography-x509 = { path = "cryptography-x509" } + cryptography-openssl = { path = "cryptography-openssl" } + pem = "1.1" +-ouroboros = "0.15" ++ouroboros = "0.17" + openssl = "0.10.54" + openssl-sys = "0.9.88" + foreign-types-shared = "0.1" diff --git a/python-cryptography.spec b/python-cryptography.spec index 0365a9a..567841d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -20,6 +20,7 @@ Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py Patch1: pyo3-0.19.patch +Patch2: ouroboros-0.17.patch ExclusiveArch: %{rust_arches} @@ -73,8 +74,9 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} %if 0%{?fedora} -# patch pyo3 depedency +# patch pyo3 and ouroboros depedency %autopatch -p1 1 +%autopatch -p1 2 %cargo_prep rm src/rust/Cargo.lock %else @@ -135,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Aug 14 2023 Christian Heimes - 41.0.3-2 +- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 + * Wed Aug 09 2023 Christian Heimes - 41.0.3-1 - Update to 41.0.3, resolves rhbz#2211237 - Use pyo3 0.19 From bee6bfddb5dfa6a012d396b73a9ca7b76c336ed4 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 26 Oct 2023 17:20:09 +0200 Subject: [PATCH 077/111] Update to 41.0.5, resolves RHBZ#2239707 --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index e69e967..51aeae3 100644 --- a/.gitignore +++ b/.gitignore @@ -57,3 +57,5 @@ /cryptography-40.0.2-vendor.tar.bz2 /cryptography-41.0.3.tar.gz /cryptography-41.0.3-vendor.tar.bz2 +/cryptography-41.0.5-vendor.tar.bz2 +/cryptography-41.0.5.tar.gz diff --git a/python-cryptography.spec b/python-cryptography.spec index 567841d..311aa65 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
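Review bot: The ouroboros bump for RUSTSEC-2023-0042 reaches only the `%if 0%{?fedora}` branch, because `%autopatch -p1 2` is added inside that conditional in the `%prep` hunk. The `%else` branch builds from the vendored crates in `Source1`, and this commit changes neither `sources` nor the vendor tarball (its diffstat lists only `ouroboros-0.17.patch` and the spec), so which ouroboros version those builds compile in cannot be told from the page. If the vendored copy is still an affected release, the advisory stays open on that path. The commit should either regenerate the vendor tarball alongside the patch or carry a comment such as `# RUSTSEC-2023-0042: Fedora path only; vendored builds need a refreshed Source1`.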
@@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.3 -Release: 2%{?dist} +Version: 41.0.5 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Oct 26 2023 Christian Heimes - 41.0.5-1 +- Update to 41.0.5, resolves RHBZ#2239707 + * Mon Aug 14 2023 Christian Heimes - 41.0.3-2 - Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 diff --git a/sources b/sources index f529925..7c4beae 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.3.tar.gz) = a1b3c922dc1cc527af152e3d26d65754806c4eeef5e3bcb13e5d86e67c618a7a04de6ca182bc332ff36f3c670b9e5581e6f609f738e0236ada89aa65681fa0cd -SHA512 (cryptography-41.0.3-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 +SHA512 (cryptography-41.0.5.tar.gz) = b647b4f5155437242d7a31d84bd1cdc83284d96d334a3d6169533d597540f525d3f1686bab3a5fe3cb64a4fa6ded5e5d19489dfff0e93d86c274f20e69ca07e9 +SHA512 (cryptography-41.0.5-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 From 3f8bd894bea444ebc52aeb2924024a0ac13afd30 Mon Sep 17 00:00:00 2001 From: Fabio Valentini Date: Fri, 1 Dec 2023 16:14:04 +0100 Subject: [PATCH 078/111] Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 311aa65..a1c787e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
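Review bot: The new `cryptography-41.0.5-vendor.tar.bz2` entry in `sources` has the same SHA512 (`67f0575a…edd381`) as the `cryptography-41.0.3-vendor.tar.bz2` entry it replaces, while the digest of the main source tarball does change. That indicates the vendored crate archive was carried over byte for byte under a new name rather than regenerated for 41.0.5. Builds that unpack `Source1` would then compile the crates selected for 41.0.3, which may not match what the 41.0.5 sources request and would not include crate fixes published in between. The tarball should be regenerated from the 41.0.5 sources and the digest updated, or the deliberate reuse stated in the changelog.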
@@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 +- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) + * Thu Oct 26 2023 Christian Heimes - 41.0.5-1 - Update to 41.0.5, resolves RHBZ#2239707 From 1c91adf0cdbc7fa52ae7c5e8d67160a91dce666c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Mon, 22 Jan 2024 00:29:41 +0000 Subject: [PATCH 079/111] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index a1c787e..3f3be64 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.5 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 - Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) From cee9a5770df87232d5d199a4e4a1966231745fdf Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 26 Jan 2024 02:54:42 +0000 Subject: [PATCH 080/111] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/python-cryptography.spec b/python-cryptography.spec index 3f3be64..5849991 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From fdff266e83b3bbee278465a3c0652d733283b682 Mon Sep 17 00:00:00 2001 From: "Benjamin A. Beasley" Date: Thu, 1 Feb 2024 10:48:14 -0500 Subject: [PATCH 081/111] Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 51aeae3..c4051ad 100644 --- a/.gitignore +++ b/.gitignore @@ -59,3 +59,5 @@ /cryptography-41.0.3-vendor.tar.bz2 /cryptography-41.0.5-vendor.tar.bz2 /cryptography-41.0.5.tar.gz +/cryptography-41.0.7.tar.gz +/cryptography-41.0.7-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 5849991..0f4f843 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.5 -Release: 4%{?dist} +Version: 41.0.7 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, 
@@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 +- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 + * Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild diff --git a/sources b/sources index 7c4beae..44bd6ba 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.5.tar.gz) = b647b4f5155437242d7a31d84bd1cdc83284d96d334a3d6169533d597540f525d3f1686bab3a5fe3cb64a4fa6ded5e5d19489dfff0e93d86c274f20e69ca07e9 -SHA512 (cryptography-41.0.5-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 +SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 +SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e From 2b20ce4281d9888f5ab5931b8a2d4ddaeb1b5977 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 23 Jan 2024 12:09:52 +0100 Subject: [PATCH 082/111] Update to 42.0.5, resolves RHBZ#2251816 --- .gitignore | 2 + ouroboros-0.17.patch | 13 ------ pyo3-0.19.patch | 52 ----------------------- python-cryptography.spec | 38 +++++++++-------- skip-overflow-tests-32bit.patch | 73 +++++++++++++++++++++++++++++++++ sources | 4 +- vendor_rust.py | 2 +- 7 files changed, 100 insertions(+), 84 deletions(-) delete mode 100644 ouroboros-0.17.patch delete mode 100644 pyo3-0.19.patch create mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index c4051ad..578df22 100644 --- a/.gitignore +++ b/.gitignore 
@@ -61,3 +61,5 @@ /cryptography-41.0.5.tar.gz /cryptography-41.0.7.tar.gz /cryptography-41.0.7-vendor.tar.bz2 +/cryptography-42.0.5.tar.gz +/cryptography-42.0.5-vendor.tar.bz2 diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch deleted file mode 100644 index a41a2c3..0000000 --- a/ouroboros-0.17.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml -index 9dd060f8b..8004c7e76 100644 ---- a/src/rust/Cargo.toml -+++ b/src/rust/Cargo.toml -@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } - cryptography-x509 = { path = "cryptography-x509" } - cryptography-openssl = { path = "cryptography-openssl" } - pem = "1.1" --ouroboros = "0.15" -+ouroboros = "0.17" - openssl = "0.10.54" - openssl-sys = "0.9.88" - foreign-types-shared = "0.1" diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch deleted file mode 100644 index 692232a..0000000 --- a/pyo3-0.19.patch +++ /dev/null 
@@ -1,52 +0,0 @@
-diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
-index 01fba147e..9dd060f8b 100644
---- a/src/rust/Cargo.toml
-+++ b/src/rust/Cargo.toml
-@@ -9,7 +9,7 @@ rust-version = "1.56.0"
-
- [dependencies]
- once_cell = "1"
--pyo3 = { version = "0.18", features = ["abi3-py37"] }
-+pyo3 = { version = "0.19", features = ["abi3-py37"] }
- asn1 = { version = "0.15.2", default-features = false }
- cryptography-cffi = { path = "cryptography-cffi" }
- cryptography-x509 = { path = "cryptography-x509" }
-diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
-index 65051c2a4..24e53991b 100644
---- a/src/rust/cryptography-cffi/Cargo.toml
-+++ b/src/rust/cryptography-cffi/Cargo.toml
-@@ -8,7 +8,7 @@ publish = false
- rust-version = "1.56.0"
-
- [dependencies]
--pyo3 = { version = "0.18", features = ["abi3-py37"] }
-+pyo3 = { version = "0.19", features = ["abi3-py37"] }
- openssl-sys = "0.9.88"
-
- [build-dependencies]
-diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
-index 923015035..1380d6eb8 100644
---- a/src/rust/src/x509/crl.rs
-+++ b/src/rust/src/x509/crl.rs
-@@ -145,7 +145,7 @@ impl CertificateRevocationList {
- revoked_certs
- });
-
-- if idx.is_instance_of::()? {
-+ if idx.is_instance_of::() {
- let indices = idx
- .downcast::()?
- .indices(self.len().try_into().unwrap())?;
-diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
-index 98d1bd63b..dcf28833f 100644
---- a/src/rust/src/x509/extensions.rs
-+++ b/src/rust/src/x509/extensions.rs
-@@ -211,7 +211,7 @@ fn encode_certificate_policies(
- let mut qualifiers = vec![];
- for py_qualifier in py_policy_qualifiers.iter()? {
- let py_qualifier = py_qualifier?;
-- let qualifier = if py_qualifier.is_instance_of::()? {
-+ let qualifier = if py_qualifier.is_instance_of::() {
- let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
- Some(s) => s,
- None => {
diff --git a/python-cryptography.spec b/python-cryptography.spec index 0f4f843..8a592eb 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.7 +Version: 42.0.5 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -19,8 +19,7 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: pyo3-0.19.patch -Patch2: ouroboros-0.17.patch +Patch1: skip-overflow-tests-32bit.patch ExclusiveArch: %{rust_arches} @@ -29,8 +28,6 @@ BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging -# test_load_with_other_sections in 40.0 fails with pem 1.1.0 -BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -48,6 +45,7 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif +BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 @@ -73,10 +71,8 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} -%if 0%{?fedora} -# patch pyo3 and ouroboros depedency %autopatch -p1 1 -%autopatch -p1 2 +%if 0%{?fedora} %cargo_prep rm src/rust/Cargo.lock %else 
@@ -84,27 +80,33 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -%if 0%{?fedora} +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml + + %generate_buildrequires +%pyproject_buildrequires -t +%if 0%{?fedora} # Fedora: use RPMified crates cd src/rust %cargo_generate_buildrequires cd ../.. %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -%py3_build +%pyproject_wheel + %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%py3_install +%pyproject_install +%pyproject_save_files %{srcname} + %check %if %{with tests} @@ -130,13 +132,17 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif -%files -n python%{python3_pkgversion}-%{srcname} + +%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD -%{python3_sitearch}/%{srcname} -%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info + %changelog +* Wed Mar 06 2024 Christian Heimes - 42.0.1-5 +- Update to 42.0.5, resolves RHBZ#2251816 +- Modernize spec file to use pyproject RPM macros + * Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch new file mode 100644 index 0000000..1dec3d9 --- /dev/null +++ b/skip-overflow-tests-32bit.patch 
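Review bot: The changelog entry added in the `%files`/`%changelog` hunk is stamped `42.0.1-5`, but this commit sets `Version: 42.0.5` and keeps `Release: 1%{?dist}`, so the entry does not match the package it describes. The version-release field of that line should read `42.0.5-1`. Anyone mapping the fix for RHBZ#2251816 to a build through the changelog would otherwise look for a build that does not exist.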
@@ -0,0 +1,73 @@ +From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 8 Feb 2024 09:11:21 -0600 +Subject: [PATCH] skip overflow aead tests on 32-bit systems + +--- + tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py +index a1f99ab815ed..2f0d52d82682 100644 +--- a/tests/hazmat/primitives/test_aead.py ++++ b/tests/hazmat/primitives/test_aead.py +@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): + ) + class TestChaCha20Poly1305: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = ChaCha20Poly1305.generate_key() +@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESCCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESCCM.generate_key(128) +@@ -378,7 +380,8 @@ def _load_gcm_vectors(): + + class TestAESGCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCM.generate_key(128) +@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): + ) + class TestAESOCB3: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key 
= AESOCB3.generate_key(128) +@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESSIV.generate_key(256) +@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESGCMSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index 44bd6ba..0e97b72 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 -SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e +SHA512 (cryptography-42.0.5.tar.gz) = 112a1f6395e0c9bf646118100c6285684eabf021d7c8912bbdbc165d5c27fbf9f9f2fffb144d63453b21f8461a172ab49d2b79ed2b80f409489a07d5ddc54bc9 +SHA512 (cryptography-42.0.5-vendor.tar.bz2) = 5c8da064f28183d759f0e39077f671297abedd43b40461a6e9fe2390e142945dc5ee54cdf4cfbbc33d9973a9bd95f33312dd5888e2422569f18b4a17ff75f6c4 diff --git a/vendor_rust.py b/vendor_rust.py index cd8355e..eb53abd 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -12,7 +12,7 @@ import sys VENDOR_DIR = "vendor" CARGO_TOML = "src/rust/Cargo.toml" -RE_VERSION = re.compile("Version:\s*(.*)") +RE_VERSION = re.compile(r"Version:\s*(.*)") parser = argparse.ArgumentParser(description="Vendor Rust packages") parser.add_argument( From 2220bc3f080af3e3a474ad8ffcd8ae79bf020ee6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Tue, 28 May 2024 13:29:39 +0200 Subject: [PATCH 083/111] Revert "Update to 42.0.5, resolves RHBZ#2251816" This reverts commit 2b20ce4281d9888f5ab5931b8a2d4ddaeb1b5977. --- .gitignore | 2 - ouroboros-0.17.patch | 13 ++++++ pyo3-0.19.patch | 52 +++++++++++++++++++++++ python-cryptography.spec | 38 ++++++++--------- skip-overflow-tests-32bit.patch | 73 --------------------------------- sources | 4 +- vendor_rust.py | 2 +- 7 files changed, 84 insertions(+), 100 deletions(-) create mode 100644 ouroboros-0.17.patch create mode 100644 pyo3-0.19.patch delete mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index 578df22..c4051ad 100644 --- a/.gitignore +++ b/.gitignore @@ -61,5 +61,3 @@ /cryptography-41.0.5.tar.gz /cryptography-41.0.7.tar.gz /cryptography-41.0.7-vendor.tar.bz2 -/cryptography-42.0.5.tar.gz -/cryptography-42.0.5-vendor.tar.bz2 diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch new file mode 100644 index 0000000..a41a2c3 --- /dev/null +++ b/ouroboros-0.17.patch @@ -0,0 +1,13 @@ +diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml +index 9dd060f8b..8004c7e76 100644 +--- a/src/rust/Cargo.toml ++++ b/src/rust/Cargo.toml +@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } + cryptography-x509 = { path = "cryptography-x509" } + cryptography-openssl = { path = "cryptography-openssl" } + pem = "1.1" +-ouroboros = "0.15" ++ouroboros = "0.17" + openssl = "0.10.54" + openssl-sys = "0.9.88" + foreign-types-shared = "0.1" diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch new file mode 100644 index 0000000..692232a --- /dev/null +++ b/pyo3-0.19.patch 
@@ -0,0 +1,52 @@
+diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
+index 01fba147e..9dd060f8b 100644
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -9,7 +9,7 @@ rust-version = "1.56.0"
+
+ [dependencies]
+ once_cell = "1"
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ asn1 = { version = "0.15.2", default-features = false }
+ cryptography-cffi = { path = "cryptography-cffi" }
+ cryptography-x509 = { path = "cryptography-x509" }
+diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
+index 65051c2a4..24e53991b 100644
+--- a/src/rust/cryptography-cffi/Cargo.toml
++++ b/src/rust/cryptography-cffi/Cargo.toml
+@@ -8,7 +8,7 @@ publish = false
+ rust-version = "1.56.0"
+
+ [dependencies]
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ openssl-sys = "0.9.88"
+
+ [build-dependencies]
+diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
+index 923015035..1380d6eb8 100644
+--- a/src/rust/src/x509/crl.rs
++++ b/src/rust/src/x509/crl.rs
+@@ -145,7 +145,7 @@ impl CertificateRevocationList {
+ revoked_certs
+ });
+
+- if idx.is_instance_of::()? {
++ if idx.is_instance_of::() {
+ let indices = idx
+ .downcast::()?
+ .indices(self.len().try_into().unwrap())?;
+diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
+index 98d1bd63b..dcf28833f 100644
+--- a/src/rust/src/x509/extensions.rs
++++ b/src/rust/src/x509/extensions.rs
+@@ -211,7 +211,7 @@ fn encode_certificate_policies(
+ let mut qualifiers = vec![];
+ for py_qualifier in py_policy_qualifiers.iter()? {
+ let py_qualifier = py_qualifier?;
+- let qualifier = if py_qualifier.is_instance_of::()? {
++ let qualifier = if py_qualifier.is_instance_of::() {
+ let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
+ Some(s) => s,
+ None => {
diff --git a/python-cryptography.spec b/python-cryptography.spec index 8a592eb..0f4f843 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 42.0.5 +Version: 41.0.7 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -19,7 +19,8 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: skip-overflow-tests-32bit.patch +Patch1: pyo3-0.19.patch +Patch2: ouroboros-0.17.patch ExclusiveArch: %{rust_arches} @@ -28,6 +29,8 @@ BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging +# test_load_with_other_sections in 40.0 fails with pem 1.1.0 +BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -45,7 +48,6 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif -BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 @@ -71,8 +73,10 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} -%autopatch -p1 1 %if 0%{?fedora} +# patch pyo3 and ouroboros depedency +%autopatch -p1 1 +%autopatch -p1 2 %cargo_prep rm src/rust/Cargo.lock %else 
@@ -80,33 +84,27 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml - - -%generate_buildrequires -%pyproject_buildrequires -t %if 0%{?fedora} +%generate_buildrequires # Fedora: use RPMified crates cd src/rust %cargo_generate_buildrequires cd ../.. %endif +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -%pyproject_wheel - +%py3_build %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%pyproject_install -%pyproject_save_files %{srcname} - +%py3_install %check %if %{with tests} @@ -132,17 +130,13 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif - -%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} +%files -n python%{python3_pkgversion}-%{srcname} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD - +%{python3_sitearch}/%{srcname} +%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog -* Wed Mar 06 2024 Christian Heimes - 42.0.1-5 -- Update to 42.0.5, resolves RHBZ#2251816 -- Modernize spec file to use pyproject RPM macros - * Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch deleted file mode 100644 index 1dec3d9..0000000 --- a/skip-overflow-tests-32bit.patch +++ /dev/null 
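Review bot: In the `@@ -80,33 +84,27 @@` hunk, the `sed -i 's,--no-subtests-shortletter,,' pyproject.toml` line now follows the `%endif` that closes the `%generate_buildrequires` block. On Fedora it therefore runs as part of `%generate_buildrequires`, and only on other builds as the tail of `%prep`. Source edits belong in `%prep` on every branch, so I would move the comment and the `sed` line above `%if 0%{?fedora}`, directly after the `%endif` that closes the `%cargo_prep` conditional. The `%prep` section starts outside this hunk.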
@@ -1,73 +0,0 @@ -From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Thu, 8 Feb 2024 09:11:21 -0600 -Subject: [PATCH] skip overflow aead tests on 32-bit systems - ---- - tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py -index a1f99ab815ed..2f0d52d82682 100644 ---- a/tests/hazmat/primitives/test_aead.py -+++ b/tests/hazmat/primitives/test_aead.py -@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): - ) - class TestChaCha20Poly1305: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = ChaCha20Poly1305.generate_key() -@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESCCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESCCM.generate_key(128) -@@ -378,7 +380,8 @@ def _load_gcm_vectors(): - - class TestAESGCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCM.generate_key(128) -@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): - ) - class TestAESOCB3: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key 
= AESOCB3.generate_key(128) -@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESSIV.generate_key(256) -@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESGCMSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index 0e97b72..44bd6ba 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-42.0.5.tar.gz) = 112a1f6395e0c9bf646118100c6285684eabf021d7c8912bbdbc165d5c27fbf9f9f2fffb144d63453b21f8461a172ab49d2b79ed2b80f409489a07d5ddc54bc9 -SHA512 (cryptography-42.0.5-vendor.tar.bz2) = 5c8da064f28183d759f0e39077f671297abedd43b40461a6e9fe2390e142945dc5ee54cdf4cfbbc33d9973a9bd95f33312dd5888e2422569f18b4a17ff75f6c4 +SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 +SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e diff --git a/vendor_rust.py b/vendor_rust.py index eb53abd..cd8355e 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -12,7 +12,7 @@ import sys VENDOR_DIR = "vendor" CARGO_TOML = "src/rust/Cargo.toml" -RE_VERSION = re.compile(r"Version:\s*(.*)") +RE_VERSION = re.compile("Version:\s*(.*)") parser = argparse.ArgumentParser(description="Vendor Rust packages") parser.add_argument( From 1eecfff494b2e21e4fd11706b1259a8fce0b762e Mon Sep 17 00:00:00 2001 
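Review bot: `RE_VERSION = re.compile("Version:\s*(.*)")` in `vendor_rust.py` drops the raw-string prefix, so `\s` becomes an invalid string escape that Python accepts only with a DeprecationWarning (a SyntaxWarning from 3.12) and that is slated to become an error. The pattern still matches the same text today, but the version revert has no need to touch this line. Keep `RE_VERSION = re.compile(r"Version:\s*(.*)")`.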
From: Python Maint Date: Fri, 7 Jun 2024 22:03:00 +0200 Subject: [PATCH 084/111] Bootstrap for Python 3.13 --- python-cryptography.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 0f4f843..6d4be22 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -6,7 +7,7 @@ Name: python-%{srcname} Version: 41.0.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +138,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jun 07 2024 Python Maint - 41.0.7-2 +- Bootstrap for Python 3.13 + * Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 From a7c29b32fa3b30a50a63ef143725235bcabc7930 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Sat, 8 Jun 2024 08:13:50 +0200 Subject: [PATCH 085/111] Rebuilt for Python 3.13 --- python-cryptography.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 6d4be22..52208e8 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -7,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, 
@@ -138,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Sat Jun 08 2024 Python Maint - 41.0.7-3 +- Rebuilt for Python 3.13 + * Fri Jun 07 2024 Python Maint - 41.0.7-2 - Bootstrap for Python 3.13 From cb16ef22f994a7232a1c9825f4cb99473cfae70d Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Tue, 2 Jul 2024 11:50:53 -0400 Subject: [PATCH 086/111] Update to 42.0.8, resolves RHBZ#2251816" This reverts commit 2220bc3f080af3e3a474ad8ffcd8ae79bf020ee6 and bumps the version up from 42.0.5 to 42.0.8. Additionally, a dependency on the openssl-devel-engine is necessary. Longer-term this should be dropped[0]. [0] https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine Co-authored-by: Christian Heimes --- .gitignore | 4 ++ ouroboros-0.17.patch | 13 ------ pyo3-0.19.patch | 52 ----------------------- python-cryptography.spec | 37 +++++++++-------- skip-overflow-tests-32bit.patch | 73 +++++++++++++++++++++++++++++++++ sources | 4 +- vendor_rust.py | 2 +- 7 files changed, 100 insertions(+), 85 deletions(-) delete mode 100644 ouroboros-0.17.patch delete mode 100644 pyo3-0.19.patch create mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index c4051ad..79738f6 100644 --- a/.gitignore +++ b/.gitignore @@ -61,3 +61,7 @@ /cryptography-41.0.5.tar.gz /cryptography-41.0.7.tar.gz /cryptography-41.0.7-vendor.tar.bz2 +/cryptography-42.0.5.tar.gz +/cryptography-42.0.5-vendor.tar.bz2 +/cryptography-42.0.8.tar.gz +/cryptography-42.0.8-vendor.tar.bz2 diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch deleted file mode 100644 index a41a2c3..0000000 --- a/ouroboros-0.17.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml -index 9dd060f8b..8004c7e76 100644 ---- a/src/rust/Cargo.toml -+++ b/src/rust/Cargo.toml -@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } - cryptography-x509 = { path = "cryptography-x509" } - cryptography-openssl = { path = "cryptography-openssl" } - pem = "1.1" --ouroboros = "0.15" -+ouroboros = "0.17" - openssl = "0.10.54" - openssl-sys = "0.9.88" - foreign-types-shared = "0.1" diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch deleted file mode 100644 index 692232a..0000000 --- a/pyo3-0.19.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml -index 01fba147e..9dd060f8b 100644 ---- a/src/rust/Cargo.toml -+++ b/src/rust/Cargo.toml -@@ -9,7 +9,7 @@ rust-version = "1.56.0" - - [dependencies] - once_cell = "1" --pyo3 = { version = "0.18", features = ["abi3-py37"] } -+pyo3 = { version = "0.19", features = ["abi3-py37"] } - asn1 = { version = "0.15.2", default-features = false } - cryptography-cffi = { path = "cryptography-cffi" } - cryptography-x509 = { path = "cryptography-x509" } -diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml -index 65051c2a4..24e53991b 100644 ---- a/src/rust/cryptography-cffi/Cargo.toml -+++ b/src/rust/cryptography-cffi/Cargo.toml -@@ -8,7 +8,7 @@ publish = false - rust-version = "1.56.0" - - [dependencies] --pyo3 = { version = "0.18", features = ["abi3-py37"] } -+pyo3 = { version = "0.19", features = ["abi3-py37"] } - openssl-sys = "0.9.88" - - [build-dependencies] -diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs -index 923015035..1380d6eb8 100644 ---- a/src/rust/src/x509/crl.rs -+++ b/src/rust/src/x509/crl.rs -@@ -145,7 +145,7 @@ impl CertificateRevocationList { - revoked_certs - }); - -- if idx.is_instance_of::()? { -+ if idx.is_instance_of::() { - let indices = idx - .downcast::()? - .indices(self.len().try_into().unwrap())?; -diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs -index 98d1bd63b..dcf28833f 100644 ---- a/src/rust/src/x509/extensions.rs -+++ b/src/rust/src/x509/extensions.rs -@@ -211,7 +211,7 @@ fn encode_certificate_policies( - let mut qualifiers = vec![]; - for py_qualifier in py_policy_qualifiers.iter()? { - let py_qualifier = py_qualifier?; -- let qualifier = if py_qualifier.is_instance_of::()? { -+ let qualifier = if py_qualifier.is_instance_of::() { - let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) { - Some(s) => s, - None => { 
diff --git a/python-cryptography.spec b/python-cryptography.spec index 52208e8..e0a00e6 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.7 -Release: 3%{?dist} +Version: 42.0.8 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,18 +19,16 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: pyo3-0.19.patch -Patch2: ouroboros-0.17.patch +Patch1: skip-overflow-tests-32bit.patch ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel +BuildRequires: openssl-devel-engine BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging -# test_load_with_other_sections in 40.0 fails with pem 1.1.0 -BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -48,6 +46,7 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif +BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 @@ -73,10 +72,8 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} -%if 0%{?fedora} -# patch pyo3 and ouroboros depedency %autopatch -p1 1 -%autopatch -p1 2 +%if 0%{?fedora} %cargo_prep rm src/rust/Cargo.lock %else 
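Review bot: `BuildRequires: openssl-devel-engine` in the `@@ -19,18 +19,16 @@` hunk is added without a comment, although the commit message says the dependency should be dropped longer-term. Someone reading only the spec cannot tell that it is temporary or what it is waiting on. I would carry the reference from the commit message into the spec, directly above the line: `# TODO: drop once the OpenSSL ENGINE headers are no longer needed, see https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine`.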
@@ -84,27 +81,33 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -%if 0%{?fedora} +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml + + %generate_buildrequires +%pyproject_buildrequires -t +%if 0%{?fedora} # Fedora: use RPMified crates cd src/rust %cargo_generate_buildrequires cd ../.. %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -%py3_build +%pyproject_wheel + %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%py3_install +%pyproject_install +%pyproject_save_files %{srcname} + %check %if %{with tests} @@ -130,11 +133,11 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif -%files -n python%{python3_pkgversion}-%{srcname} + +%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD -%{python3_sitearch}/%{srcname} -%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info + %changelog * Sat Jun 08 2024 Python Maint - 41.0.7-3 diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch new file mode 100644 index 0000000..1dec3d9 --- /dev/null +++ b/skip-overflow-tests-32bit.patch 
@@ -0,0 +1,73 @@ +From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 8 Feb 2024 09:11:21 -0600 +Subject: [PATCH] skip overflow aead tests on 32-bit systems + +--- + tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py +index a1f99ab815ed..2f0d52d82682 100644 +--- a/tests/hazmat/primitives/test_aead.py ++++ b/tests/hazmat/primitives/test_aead.py +@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): + ) + class TestChaCha20Poly1305: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = ChaCha20Poly1305.generate_key() +@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESCCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESCCM.generate_key(128) +@@ -378,7 +380,8 @@ def _load_gcm_vectors(): + + class TestAESGCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCM.generate_key(128) +@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): + ) + class TestAESOCB3: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key 
= AESOCB3.generate_key(128) +@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESSIV.generate_key(256) +@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESGCMSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index 44bd6ba..e9ffcca 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 -SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e +SHA512 (cryptography-42.0.8.tar.gz) = 969e76f9605795e9126a5b896d73e5a958654bf50dd99dbb5d08dac26abb0c45c1695cfb6a114ca22360986fe711bbf3b1ecb6c45955154c352ae3e6ece25568 +SHA512 (cryptography-42.0.8-vendor.tar.bz2) = 57e60a7ae729e2870f1ee07c9978a56a6095f33b0797efcae0846ed53772d24c02528a5906c32941ed58751bdff7a147d094c0deeda3b5593f9892b20725d48c diff --git a/vendor_rust.py b/vendor_rust.py index cd8355e..eb53abd 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -12,7 +12,7 @@ import sys VENDOR_DIR = "vendor" CARGO_TOML = "src/rust/Cargo.toml" -RE_VERSION = re.compile("Version:\s*(.*)") +RE_VERSION = re.compile(r"Version:\s*(.*)") parser = argparse.ArgumentParser(description="Vendor Rust packages") parser.add_argument( From 3d1bdaeb4555273c696fb56a33e19b5e0b28e927 Mon Sep 17 00:00:00 2001 
From: Jeremy Cline Date: Wed, 3 Jul 2024 10:26:37 -0400 Subject: [PATCH 087/111] Switch to autorelease and autochangelog macros I forgot to bump manually add a changelog entry for the 42.0.8 update. Let's make that impossible in the future. [skip changelog] --- changelog | 248 +++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 248 +-------------------------------------- 2 files changed, 250 insertions(+), 246 deletions(-) create mode 100644 changelog diff --git a/changelog b/changelog new file mode 100644 index 0000000..fa06f3e --- /dev/null +++ b/changelog 
@@ -0,0 +1,248 @@ +* Tue Jul 02 2024 Jeremy Cline - 42.0.8-1 +- Update to 42.0.8, fixes rhbz#2251816 + +* Sat Jun 08 2024 Python Maint - 41.0.7-3 +- Rebuilt for Python 3.13 + +* Fri Jun 07 2024 Python Maint - 41.0.7-2 +- Bootstrap for Python 3.13 + +* Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 +- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 + +* Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 +- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) + +* Thu Oct 26 2023 Christian Heimes - 41.0.5-1 +- Update to 41.0.5, resolves RHBZ#2239707 + +* Mon Aug 14 2023 Christian Heimes - 41.0.3-2 +- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 + +* Wed Aug 09 2023 Christian Heimes - 41.0.3-1 +- Update to 41.0.3, resolves rhbz#2211237 +- Use pyo3 0.19 + +* Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Mon Jul 10 2023 Python Maint - 40.0.2-4 +- Rebuilt for Python 3.12 + +* Wed Jun 14 2023 Python Maint - 40.0.2-3 +- Bootstrap for Python 3.12 + +* Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 +- Use vendored rust-pem in RHEL builds + +* Tue Apr 18 2023 Christian Heimes - 40.0.2-1 +- Update to 40.0.2, resolves rhbz#2181430 + +* Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 +- Don't run tests requiring pytz on RHEL +- Don't try to run tests of vendored dependencies in %%check + +* Sat Mar 04 2023 Christian Heimes - 39.0.2-1 +- Update to 39.0.2, resolves rhbz#2124729 + +* Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 +- Ensure correct compiler flags are used for Rust code. 
+ +* Wed Feb 22 2023 Christian Heimes - 37.0.2-8 +- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 +- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 + +* Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Dec 09 2022 Christian Heimes - 37.0.2-6 +- Enable SHA1 signatures in test suite (ELN-only) + +* Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 +- Drop unused requirement of python3-six + +* Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Tue Jun 14 2022 Python Maint - 37.0.2-3 +- Rebuilt for Python 3.11 + +* Tue Jun 14 2022 Python Maint - 37.0.2-2 +- Bootstrap for Python 3.11 + +* Thu May 05 2022 Christian Heimes - 37.0.2-1 +- Update to 37.0.2, resolves rhbz#2078968 + +* Thu Jan 27 2022 Christian Heimes - 36.0.0-3 +- Skip unstable memleak tests, resolves: RHBZ#2042413 + +* Fri Jan 21 2022 Fedora Release Engineering - 36.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Mon Nov 22 2021 Christian Heimes - 36.0.0-1 +- Update to 36.0.0, fixes RHBZ#2025347 + +* Thu Sep 30 2021 Christian Heimes - 35.0.0-2 +- Require rust-asn1 >= 0.6.4 + +* Thu Sep 30 2021 Christian Heimes - 35.0-1 +- Update to 35.0.0 (#2009117) + +* Tue Sep 14 2021 Sahana Prasad - 3.4.7-6 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Jul 23 2021 Fedora Release Engineering - 3.4.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Thu Jun 10 2021 Stephen Gallagher - 3.4.7-4 +- Don't conditionalize Source: directives + +* Wed Jun 02 2021 Python Maint - 3.4.7-3 +- Rebuilt for Python 3.10 + +* Tue May 11 2021 Christian Heimes - 3.4.7-2 +- Fix compatibility issue with Python 3.10. Enums now use same + representation as on Python 3.9. (#1952522) +- Backport OpenSSL 3.0.0 compatibility patches. 
+ +* Wed Apr 21 2021 Christian Heimes - 3.4.7-1 +- Update to 3.4.7 +- Remove dependency on python-cryptography-vectors package and use vectors + directly from Github source tar ball. (#1952024) + +* Wed Mar 03 2021 Christian Heimes - 3.4.6-1 +- Update to 3.4.6 (#1927044) + +* Mon Feb 15 2021 Christian Heimes - 3.4.5-1 +- Update to 3.4.5 (#1927044) + +* Fri Feb 12 2021 Christian Heimes - 3.4.4-3 +- Skip iso8601 and pretend tests on RHEL + +* Fri Feb 12 2021 Christian Heimes - 3.4.4-2 +- Provide RHEL build infrastructure + +* Wed Feb 10 2021 Christian Heimes - 3.4.4-1 +- Update to 3.4.4 (#1927044) + +* Mon Feb 08 2021 Christian Heimes - 3.4.2-1 +- Update to 3.4.2 (#1926339) +- Package no longer depends on Rust (#1926181) + +* Mon Feb 08 2021 Fabio Valentini - 3.4.1-2 +- Use dynamically generated BuildRequires for PyO3 Rust module. +- Drop unnecessary CARGO_NET_OFFLINE environment variable. + +* Sun Feb 07 2021 Christian Heimes - 3.4.1-1 +- Update to 3.4.1 (#1925953) + +* Sun Feb 07 2021 Christian Heimes - 3.4-2 +- Add missing abi3 and pytest dependencies + +* Sun Feb 07 2021 Christian Heimes - 3.4-1 +- Update to 3.4 (#1925953) +- Remove Python 2 support +- Remove unused python-idna dependency +- Add Rust support + +* Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Dec 10 2020 Christian Heimes - 3.3.1-1 +- Update to 3.3.1 (#1905756) + +* Wed Oct 28 2020 Christian Heimes - 3.2.1-1 +- Update to 3.2.1 (#1892153) + +* Mon Oct 26 2020 Christian Heimes - 3.2-1 +- Update to 3.2 (#1891378) + +* Mon Sep 07 2020 Christian Heimes - 3.1-1 +- Update to 3.1 (#1872978) + +* Wed Jul 29 2020 Fedora Release Engineering - 3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 21 2020 Christian Heimes - 3.0-1 +- Update to 3.0 (#185897) + +* Sat May 23 2020 Miro Hrončok - 2.9-3 +- Rebuilt for Python 3.9 + +* Tue May 12 2020 Felix Schwarz - 2.9-2 +- add source file 
verification + +* Fri Apr 03 2020 Christian Heimes - 2.9-1 +- Update to 2.9 (#1820348) + +* Thu Jan 30 2020 Fedora Release Engineering - 2.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Jan 13 2020 Christian Heimes - 2.8-2 +- cryptography 2.8+ no longer depends on python-asn1crypto + +* Thu Oct 17 2019 Christian Heimes - 2.8-1 +- Update to 2.8 +- Resolves: rhbz#1762779 + +* Sun Oct 13 2019 Christian Heimes - 2.7-3 +- Skip unit tests that fail with OpenSSL 1.1.1.d +- Resolves: rhbz#1761194 +- Fix and simplify Python 3 packaging + +* Sat Oct 12 2019 Christian Heimes - 2.7-2 +- Drop Python 2 package +- Resolves: rhbz#1761081 + +* Tue Sep 03 2019 Randy Barlow - 2.7-1 +- Update to 2.7 (#1715680). + +* Fri Aug 16 2019 Miro Hrončok - 2.6.1-3 +- Rebuilt for Python 3.8 + +* Fri Jul 26 2019 Fedora Release Engineering - 2.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Feb 28 2019 Christian Heimes - 2.6.1-1 +- New upstream release 2.6.1, resolves RHBZ#1683691 + +* Wed Feb 13 2019 Alfredo Moralejo - 2.5-1 +- Updated to 2.5. 
+ +* Sat Feb 02 2019 Fedora Release Engineering - 2.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Aug 13 2018 Christian Heimes - 2.3-2 +- Use TLSv1.2 in test as workaround for RHBZ#1615143 + +* Wed Jul 18 2018 Christian Heimes - 2.3-1 +- New upstream release 2.3 +- Fix AEAD tag truncation bug, RHBZ#1602752 + +* Fri Jul 13 2018 Fedora Release Engineering - 2.2.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 15 2018 Miro Hrončok - 2.2.1-2 +- Rebuilt for Python 3.7 + +* Wed Mar 21 2018 Christian Heimes - 2.2.1-1 +- New upstream release 2.2.1 + +* Sun Feb 18 2018 Christian Heimes - 2.1.4-1 +- New upstream release 2.1.4 + +* Sun Feb 18 2018 Christian Heimes - 2.1.3-4 +- Build requires gcc + +* Mon Feb 12 2018 Iryna Shcherbina - 2.1.3-3 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Fri Feb 09 2018 Fedora Release Engineering - 2.1.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/python-cryptography.spec b/python-cryptography.spec index e0a00e6..ba3d651 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 42.0.8 -Release: 1%{?dist} +Release: %autorelease Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, 
@@ -140,248 +140,4 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %changelog -* Sat Jun 08 2024 Python Maint - 41.0.7-3 -- Rebuilt for Python 3.13 - -* Fri Jun 07 2024 Python Maint - 41.0.7-2 -- Bootstrap for Python 3.13 - -* Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 -- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 - -* Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 -- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) - -* Thu Oct 26 2023 Christian Heimes - 41.0.5-1 -- Update to 41.0.5, resolves RHBZ#2239707 - -* Mon Aug 14 2023 Christian Heimes - 41.0.3-2 -- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 - -* Wed Aug 09 2023 Christian Heimes - 41.0.3-1 -- Update to 41.0.3, resolves rhbz#2211237 -- Use pyo3 0.19 - -* Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Mon Jul 10 2023 Python Maint - 40.0.2-4 -- Rebuilt for Python 3.12 - -* Wed Jun 14 2023 Python Maint - 40.0.2-3 -- Bootstrap for Python 3.12 - -* Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 -- Use vendored rust-pem in RHEL builds - -* Tue Apr 18 2023 Christian Heimes - 40.0.2-1 -- Update to 40.0.2, resolves rhbz#2181430 - -* Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 -- Don't run tests requiring pytz on RHEL -- Don't try to run tests of vendored dependencies in %%check - -* Sat Mar 04 2023 Christian Heimes - 39.0.2-1 -- Update to 39.0.2, resolves rhbz#2124729 - -* Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 -- Ensure correct compiler flags are used for Rust code. 
- -* Wed Feb 22 2023 Christian Heimes - 37.0.2-8 -- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 -- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 - -* Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Dec 09 2022 Christian Heimes - 37.0.2-6 -- Enable SHA1 signatures in test suite (ELN-only) - -* Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 -- Drop unused requirement of python3-six - -* Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Tue Jun 14 2022 Python Maint - 37.0.2-3 -- Rebuilt for Python 3.11 - -* Tue Jun 14 2022 Python Maint - 37.0.2-2 -- Bootstrap for Python 3.11 - -* Thu May 05 2022 Christian Heimes - 37.0.2-1 -- Update to 37.0.2, resolves rhbz#2078968 - -* Thu Jan 27 2022 Christian Heimes - 36.0.0-3 -- Skip unstable memleak tests, resolves: RHBZ#2042413 - -* Fri Jan 21 2022 Fedora Release Engineering - 36.0.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Mon Nov 22 2021 Christian Heimes - 36.0.0-1 -- Update to 36.0.0, fixes RHBZ#2025347 - -* Thu Sep 30 2021 Christian Heimes - 35.0.0-2 -- Require rust-asn1 >= 0.6.4 - -* Thu Sep 30 2021 Christian Heimes - 35.0-1 -- Update to 35.0.0 (#2009117) - -* Tue Sep 14 2021 Sahana Prasad - 3.4.7-6 -- Rebuilt with OpenSSL 3.0.0 - -* Fri Jul 23 2021 Fedora Release Engineering - 3.4.7-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Thu Jun 10 2021 Stephen Gallagher - 3.4.7-4 -- Don't conditionalize Source: directives - -* Wed Jun 02 2021 Python Maint - 3.4.7-3 -- Rebuilt for Python 3.10 - -* Tue May 11 2021 Christian Heimes - 3.4.7-2 -- Fix compatibility issue with Python 3.10. Enums now use same - representation as on Python 3.9. (#1952522) -- Backport OpenSSL 3.0.0 compatibility patches. 
- -* Wed Apr 21 2021 Christian Heimes - 3.4.7-1 -- Update to 3.4.7 -- Remove dependency on python-cryptography-vectors package and use vectors - directly from Github source tar ball. (#1952024) - -* Wed Mar 03 2021 Christian Heimes - 3.4.6-1 -- Update to 3.4.6 (#1927044) - -* Mon Feb 15 2021 Christian Heimes - 3.4.5-1 -- Update to 3.4.5 (#1927044) - -* Fri Feb 12 2021 Christian Heimes - 3.4.4-3 -- Skip iso8601 and pretend tests on RHEL - -* Fri Feb 12 2021 Christian Heimes - 3.4.4-2 -- Provide RHEL build infrastructure - -* Wed Feb 10 2021 Christian Heimes - 3.4.4-1 -- Update to 3.4.4 (#1927044) - -* Mon Feb 08 2021 Christian Heimes - 3.4.2-1 -- Update to 3.4.2 (#1926339) -- Package no longer depends on Rust (#1926181) - -* Mon Feb 08 2021 Fabio Valentini - 3.4.1-2 -- Use dynamically generated BuildRequires for PyO3 Rust module. -- Drop unnecessary CARGO_NET_OFFLINE environment variable. - -* Sun Feb 07 2021 Christian Heimes - 3.4.1-1 -- Update to 3.4.1 (#1925953) - -* Sun Feb 07 2021 Christian Heimes - 3.4-2 -- Add missing abi3 and pytest dependencies - -* Sun Feb 07 2021 Christian Heimes - 3.4-1 -- Update to 3.4 (#1925953) -- Remove Python 2 support -- Remove unused python-idna dependency -- Add Rust support - -* Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Thu Dec 10 2020 Christian Heimes - 3.3.1-1 -- Update to 3.3.1 (#1905756) - -* Wed Oct 28 2020 Christian Heimes - 3.2.1-1 -- Update to 3.2.1 (#1892153) - -* Mon Oct 26 2020 Christian Heimes - 3.2-1 -- Update to 3.2 (#1891378) - -* Mon Sep 07 2020 Christian Heimes - 3.1-1 -- Update to 3.1 (#1872978) - -* Wed Jul 29 2020 Fedora Release Engineering - 3.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jul 21 2020 Christian Heimes - 3.0-1 -- Update to 3.0 (#185897) - -* Sat May 23 2020 Miro Hrončok - 2.9-3 -- Rebuilt for Python 3.9 - -* Tue May 12 2020 Felix Schwarz - 2.9-2 -- add source file 
verification - -* Fri Apr 03 2020 Christian Heimes - 2.9-1 -- Update to 2.9 (#1820348) - -* Thu Jan 30 2020 Fedora Release Engineering - 2.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Mon Jan 13 2020 Christian Heimes - 2.8-2 -- cryptography 2.8+ no longer depends on python-asn1crypto - -* Thu Oct 17 2019 Christian Heimes - 2.8-1 -- Update to 2.8 -- Resolves: rhbz#1762779 - -* Sun Oct 13 2019 Christian Heimes - 2.7-3 -- Skip unit tests that fail with OpenSSL 1.1.1.d -- Resolves: rhbz#1761194 -- Fix and simplify Python 3 packaging - -* Sat Oct 12 2019 Christian Heimes - 2.7-2 -- Drop Python 2 package -- Resolves: rhbz#1761081 - -* Tue Sep 03 2019 Randy Barlow - 2.7-1 -- Update to 2.7 (#1715680). - -* Fri Aug 16 2019 Miro Hrončok - 2.6.1-3 -- Rebuilt for Python 3.8 - -* Fri Jul 26 2019 Fedora Release Engineering - 2.6.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Thu Feb 28 2019 Christian Heimes - 2.6.1-1 -- New upstream release 2.6.1, resolves RHBZ#1683691 - -* Wed Feb 13 2019 Alfredo Moralejo - 2.5-1 -- Updated to 2.5. 
- -* Sat Feb 02 2019 Fedora Release Engineering - 2.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Mon Aug 13 2018 Christian Heimes - 2.3-2 -- Use TLSv1.2 in test as workaround for RHBZ#1615143 - -* Wed Jul 18 2018 Christian Heimes - 2.3-1 -- New upstream release 2.3 -- Fix AEAD tag truncation bug, RHBZ#1602752 - -* Fri Jul 13 2018 Fedora Release Engineering - 2.2.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Fri Jun 15 2018 Miro Hrončok - 2.2.1-2 -- Rebuilt for Python 3.7 - -* Wed Mar 21 2018 Christian Heimes - 2.2.1-1 -- New upstream release 2.2.1 - -* Sun Feb 18 2018 Christian Heimes - 2.1.4-1 -- New upstream release 2.1.4 - -* Sun Feb 18 2018 Christian Heimes - 2.1.3-4 -- Build requires gcc - -* Mon Feb 12 2018 Iryna Shcherbina - 2.1.3-3 -- Update Python 2 dependency declarations to new packaging standards - (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) - -* Fri Feb 09 2018 Fedora Release Engineering - 2.1.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild +%autochangelog From 4dcec288f2a9f08c49015ea485357a3a636a337d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 3 Jul 2024 18:45:24 +0200 Subject: [PATCH 088/111] Drop unneeded dependency on tox There is no additional dependency generated by it, other than tox and tox-current-env. There is no tox configuration in the source tarball. If desired, there is a [test] extra, so we could use -x test instead, but that would break the %if 0%{?fedora} tests dependencies separation. --- python-cryptography.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index ba3d651..3670a2a 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -86,7 +86,7 @@ sed -i 's,--no-subtests-shortletter,,' pyproject.toml %generate_buildrequires -%pyproject_buildrequires -t +%pyproject_buildrequires %if 0%{?fedora} # Fedora: use RPMified crates cd src/rust From 143d2e3463f824c20b62b8c73688bdf950b2893d Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Wed, 3 Jul 2024 14:39:39 -0400 Subject: [PATCH 089/111] Fix the build for ELN PyO3 doesn't support Python 3.13 until 0.22, but cryptography 0.42 is using 0.20 at the moment. Use ABI3 forward compatibility for ELN builds until cryptography updates. The Rawhide build is using crates from the distro which must be setting this in some way, but I'm not familiar enough with PyO3 or Fedora's Rust packaging to find it quickly. Fixes rhbz#2295602 --- python-cryptography.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index 3670a2a..e6fe8cd 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -98,6 +98,11 @@ cd ../.. %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 +# Temporary work-around for using pyo3 0.20 with Python 3.13 on ELN; This can +# be dropped when a cryptography release bumps to pyo3 >= 0.22 +%if 0%{?rhel} +export PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1 +%endif %pyproject_wheel From 1483ac22f765c6e01502dfe2114d5d2c6e2a3aab Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Fri, 12 Jul 2024 10:47:14 -0400 Subject: [PATCH 090/111] Skip benchmark tests on RHEL This avoids dependencies on the otherwise unnecessary certifi and pytest-benchmark. --- python-cryptography.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index e6fe8cd..edb70ca 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -40,15 +40,15 @@ BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 %if %{with tests} %if 0%{?fedora} +BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend +BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif -BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 -BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 %endif @@ -83,6 +83,9 @@ rm src/rust/Cargo.lock # Remove cosmetical pytest-subtests 0.10.0 option sed -i 's,--no-subtests-shortletter,,' pyproject.toml +%if ! 0%{?fedora} +sed -i 's,--benchmark-disable,,' pyproject.toml +%endif %generate_buildrequires @@ -117,8 +120,8 @@ find . -name .keep -print -delete %check %if %{with tests} %if 0%{?rhel} -# skip hypothesis and pytz tests on RHEL -rm -rf tests/hypothesis tests/x509 +# skip benchmark, hypothesis, and pytz tests on RHEL +rm -rf tests/bench tests/hypothesis tests/x509 # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif From cf26149d18b4b220d2b2193340372799a1674a71 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Fri, 12 Jul 2024 10:51:44 -0400 Subject: [PATCH 091/111] Remove unused pytest-subtests dependency This dependency was switched out for a built-in miniature replacement as of version 41.0.0: https://github.com/pyca/cryptography/commit/22759dbab0bc85da995febcc3e82680fe6b2804a --- python-cryptography.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index edb70ca..722047a 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -49,7 +49,6 @@ BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 -BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 %endif %description @@ -81,8 +80,6 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml %if ! 0%{?fedora} sed -i 's,--benchmark-disable,,' pyproject.toml %endif From bc9adfb4dea6d5c3b23e79acd64686488d8a03d2 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jul 2024 10:44:42 +0000 Subject: [PATCH 092/111] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 4dc6d7b0babe0baa4d3a68a40ed31ff52057218a Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Wed, 24 Jul 2024 16:43:12 -0400 Subject: [PATCH 093/111] Automatically apply all patches during autosetup Commit 7b18e1445dd8 ("Update to 41.0.3") introduces a patch that was applied behind a conditional. This is no longer the case, so revert back to letting autosetup apply all patches. [skip changelog] --- python-cryptography.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 722047a..e376447 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -70,8 +70,7 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -N -n %{srcname}-%{version} -%autopatch -p1 1 +%autosetup -p1 -n %{srcname}-%{version} %if 0%{?fedora} %cargo_prep rm src/rust/Cargo.lock From 696a6afd84d72791fbf0c87e48802128e90db565 Mon Sep 17 00:00:00 2001 
From: Jeremy Cline Date: Wed, 24 Jul 2024 16:23:21 -0400 Subject: [PATCH 094/111] Update to v43.0.0 Additionally, this builds the package with OPENSSL_NO_ENGINE=1 This drops the skip-overflow-tests-32bit.patch as its included in v43.0.0. It picks up the patch in https://github.com/pyca/cryptography/pull/11328 to allow building with OPENSSL_NO_ENGINE=1. --- .gitignore | 2 + 11328.patch | 36 ++++++++++++++++ python-cryptography.spec | 11 ++--- skip-overflow-tests-32bit.patch | 73 --------------------------------- sources | 4 +- 5 files changed, 43 insertions(+), 83 deletions(-) create mode 100644 11328.patch delete mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index 79738f6..fca5c45 100644 --- a/.gitignore +++ b/.gitignore @@ -65,3 +65,5 @@ /cryptography-42.0.5-vendor.tar.bz2 /cryptography-42.0.8.tar.gz /cryptography-42.0.8-vendor.tar.bz2 +/cryptography-43.0.0.tar.gz +/cryptography-43.0.0-vendor.tar.bz2 diff --git a/11328.patch b/11328.patch new file mode 100644 index 0000000..3dd1aee --- /dev/null +++ b/11328.patch 
@@ -0,0 +1,36 @@ +From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Mon, 22 Jul 2024 09:09:05 +0200 +Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined + +Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE +support. Downstream has moved `openssl/engine.h` into a separate RPM +package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The +compiler flag disables PyCA cryptography's ENGINE support successfully. +We also like to build the downstream package without the `engine.h` +header file present. + +This commit makes the include conditional. The `ENGINE` type is +defined in `openssl/types.h`. + +See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide +See: https://issues.redhat.com/browse/RHEL-33747 +Signed-off-by: Christian Heimes +--- + src/_cffi_src/openssl/engine.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py +index 9629a2c8f929..f47e20327003 100644 +--- a/src/_cffi_src/openssl/engine.py ++++ b/src/_cffi_src/openssl/engine.py +@@ -5,7 +5,9 @@ + from __future__ import annotations + + INCLUDES = """ ++#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL + #include ++#endif + """ + + TYPES = """ diff --git a/python-cryptography.spec b/python-cryptography.spec index e376447..e7a1b1c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 42.0.8 +Version: 43.0.0 Release: %autorelease Summary: PyCA's cryptography library 
@@ -19,12 +19,11 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: skip-overflow-tests-32bit.patch +Patch: 11328.patch ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel -BuildRequires: openssl-devel-engine BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} @@ -97,11 +96,7 @@ cd ../.. %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -# Temporary work-around for using pyo3 0.20 with Python 3.13 on ELN; This can -# be dropped when a cryptography release bumps to pyo3 >= 0.22 -%if 0%{?rhel} -export PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1 -%endif +export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " %pyproject_wheel diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch deleted file mode 100644 index 1dec3d9..0000000 --- a/skip-overflow-tests-32bit.patch +++ /dev/null 
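Review bot: The added `export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 "` in the `%build` hunk and the new `Patch: 11328.patch` line in the header hunk carry no comment, so the spec does not say why ENGINE support is compiled out or when the patch can be dropped. I would put `# Build without OpenSSL ENGINE support, https://github.com/pyca/cryptography/pull/11328` above both lines. The `%build` hunk also deletes the PYO3_USE_ABI3_FORWARD_COMPATIBILITY work-around, whose own comment tied its removal to a pyo3 >= 0.22 bump. The commit message does not state that 43.0.0 meets that condition, so it is worth confirming for ELN builds.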
@@ -1,73 +0,0 @@ -From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Thu, 8 Feb 2024 09:11:21 -0600 -Subject: [PATCH] skip overflow aead tests on 32-bit systems - ---- - tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py -index a1f99ab815ed..2f0d52d82682 100644 ---- a/tests/hazmat/primitives/test_aead.py -+++ b/tests/hazmat/primitives/test_aead.py -@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): - ) - class TestChaCha20Poly1305: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = ChaCha20Poly1305.generate_key() -@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESCCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESCCM.generate_key(128) -@@ -378,7 +380,8 @@ def _load_gcm_vectors(): - - class TestAESGCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCM.generate_key(128) -@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): - ) - class TestAESOCB3: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key 
= AESOCB3.generate_key(128) -@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESSIV.generate_key(256) -@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESGCMSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index e9ffcca..fe39107 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-42.0.8.tar.gz) = 969e76f9605795e9126a5b896d73e5a958654bf50dd99dbb5d08dac26abb0c45c1695cfb6a114ca22360986fe711bbf3b1ecb6c45955154c352ae3e6ece25568 -SHA512 (cryptography-42.0.8-vendor.tar.bz2) = 57e60a7ae729e2870f1ee07c9978a56a6095f33b0797efcae0846ed53772d24c02528a5906c32941ed58751bdff7a147d094c0deeda3b5593f9892b20725d48c +SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7 +SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924 From fdf62093b4dec4102ef193c5fb08b8dd25e721a4 Mon Sep 17 00:00:00 2001 
From: Jeremy Cline Date: Tue, 30 Jul 2024 11:15:34 -0400 Subject: [PATCH 095/111] Flip off lock = true maturin config Upstream switched to maturin in v43[0]. Since we fiddle with the lockfile maturin wants to update it since upstream configures `lock = true`. Turn that off. This fixes the v43 build in rawhide. [0] https://github.com/pyca/cryptography/pull/8815 [skip changelog] --- python-cryptography.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index e7a1b1c..d83d2b1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -72,6 +72,7 @@ recipes to Python developers. %autosetup -p1 -n %{srcname}-%{version} %if 0%{?fedora} %cargo_prep +sed -i 's/locked = true//g' pyproject.toml rm src/rust/Cargo.lock %else # RHEL: use vendored Rust crates From ed6d65f51610e2b85a297376b32a0c032b3ea98f Mon Sep 17 00:00:00 2001 From: Francisco Trivino Date: Wed, 4 Sep 2024 11:41:44 +0200 Subject: [PATCH 096/111] allow sha1 in OAEP In FIPS mode, RSA OAEP padding is refused with an error message: "This combination of padding and hash algorithm is not supported by this backend." It picks up the patch in https://github.com/pyca/cryptography/pull/11536 to allow sha1 in OAEP. Fixes: https://github.com/pyca/cryptography/issues/11512 Related: https://issues.redhat.com/browse/RHEL-40210 Signed-off-by: Francisco Trivino --- 11536.patch | 26 ++++++++++++++++++++++++++ python-cryptography.spec | 1 + 2 files changed, 27 insertions(+) create mode 100644 11536.patch diff --git a/11536.patch b/11536.patch new file mode 100644 index 0000000..b18f149 --- /dev/null +++ b/11536.patch 
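Review bot: The added `sed -i 's/locked = true//g' pyproject.toml` exits successfully even when it matches nothing, so if upstream renames or reformats the setting the edit silently stops applying and the failure surfaces later in the build. A guard such as `grep -q 'locked = true' pyproject.toml` before the sed would make the `%prep` step fail at the point of the mismatch. The commit message names the setting as `lock = true` while the code edits `locked = true`. A one-line comment above the sed, for example `# maturin: do not require Cargo.lock to be up to date`, would settle which is meant.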
@@ -0,0 +1,26 @@ +From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 3 Sep 2024 20:19:02 -0400 +Subject: [PATCH] allow sha1 in OAEP (#11536) + +fixes #11512 +--- + src/rust/src/backend/rsa.rs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs +index 3c01e7421..066b1412a 100644 +--- a/src/rust/src/backend/rsa.rs ++++ b/src/rust/src/backend/rsa.rs +@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu + } + + fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { +- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1()) ++ md == &openssl::hash::MessageDigest::sha1() + || md == &openssl::hash::MessageDigest::sha224() + || md == &openssl::hash::MessageDigest::sha256() + || md == &openssl::hash::MessageDigest::sha384() +-- +2.46.0 + diff --git a/python-cryptography.spec b/python-cryptography.spec index d83d2b1..eff8c1c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -20,6 +20,7 @@ Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py Patch: 11328.patch +Patch: 11536.patch ExclusiveArch: %{rust_arches} From bc4d913fc3b2fb5b81083731af0a64abdb72509e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 18 Jan 2025 13:19:11 +0000 Subject: [PATCH 097/111] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 83987f70ef712cc0b5935dc5e8f2354f74476c30 Mon Sep 17 00:00:00 2001 
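Review bot: `Patch: 11536.patch` is added to the spec without a comment, although the patch changes security-relevant behaviour. `oaep_hash_supported` no longer consults `cryptography_openssl::fips::is_enabled()` for SHA-1, so in FIPS mode the accept/reject decision presumably falls to the OpenSSL provider alone. I would record that above the Patch line, for example `# Allow SHA-1 as OAEP hash in FIPS mode, https://github.com/pyca/cryptography/pull/11536`, so the patch can be dropped once the packaged version contains the change.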
From: Jeremy Cline Date: Tue, 21 Jan 2025 15:51:57 +0000 Subject: [PATCH 098/111] Update to v44.0.0 This release is largely adding new features. One behavioral which might cause issues is: - Enforce the RFC 5280 requirement that extended key usage extensions must not be empty. Complete changelog: https://github.com/pyca/cryptography/blob/44.0.0/CHANGELOG.rst --- .gitignore | 2 ++ python-cryptography.spec | 6 +----- sources | 4 ++-- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index fca5c45..ea7f662 100644 --- a/.gitignore +++ b/.gitignore @@ -67,3 +67,5 @@ /cryptography-42.0.8-vendor.tar.bz2 /cryptography-43.0.0.tar.gz /cryptography-43.0.0-vendor.tar.bz2 +/cryptography-44.0.0.tar.gz +/cryptography-44.0.0-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index eff8c1c..c4c0e69 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 43.0.0 +Version: 44.0.0 Release: %autorelease Summary: PyCA's cryptography library @@ -19,9 +19,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch: 11328.patch -Patch: 11536.patch - ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -74,7 +71,6 @@ recipes to Python developers. %if 0%{?fedora} %cargo_prep sed -i 's/locked = true//g' pyproject.toml -rm src/rust/Cargo.lock %else # RHEL: use vendored Rust crates %cargo_prep -V 1 diff --git a/sources b/sources index fe39107..d10f2cb 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7 -SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924 +SHA512 (cryptography-44.0.0.tar.gz) = 6a0320ef3ece42e5b501d5381f719e01cb20b2971f0334a8a37f7b9a941482399901500f59817bffb1da579673e7785741a3016f51ac3bbf9bec55ff5df611ad +SHA512 (cryptography-44.0.0-vendor.tar.bz2) = 53b52a5aac5de01ac878e5fb477e890b093e6886d8a0b210801402900000560d7a3b8a85414b81f0ff22aadf6f7bbd94ccace70666709197b97424207942af2b From 78a177912460d18470df2783ed7ef86bdbf84ab5 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Tue, 21 Jan 2025 18:39:23 +0000 Subject: [PATCH 099/111] Include fix to exclude Cargo.toml from wheels Merged upstream at https://github.com/pyca/cryptography/pull/12091 [skip changelog] --- 11328.patch | 36 ------------------------------------ 11536.patch | 26 -------------------------- 12091.patch | 34 ++++++++++++++++++++++++++++++++++ python-cryptography.spec | 5 +++++ 4 files changed, 39 insertions(+), 62 deletions(-) delete mode 100644 11328.patch delete mode 100644 11536.patch create mode 100644 12091.patch diff --git a/11328.patch b/11328.patch deleted file mode 100644 index 3dd1aee..0000000 --- a/11328.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 22 Jul 2024 09:09:05 +0200 -Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined - -Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE -support. Downstream has moved `openssl/engine.h` into a separate RPM -package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The -compiler flag disables PyCA cryptography's ENGINE support successfully. -We also like to build the downstream package without the `engine.h` -header file present. - -This commit makes the include conditional. The `ENGINE` type is -defined in `openssl/types.h`. - -See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide -See: https://issues.redhat.com/browse/RHEL-33747 -Signed-off-by: Christian Heimes ---- - src/_cffi_src/openssl/engine.py | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py -index 9629a2c8f929..f47e20327003 100644 ---- a/src/_cffi_src/openssl/engine.py -+++ b/src/_cffi_src/openssl/engine.py -@@ -5,7 +5,9 @@ - from __future__ import annotations - - INCLUDES = """ -+#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL - #include -+#endif - """ - - TYPES = """ diff --git a/11536.patch b/11536.patch deleted file mode 100644 index b18f149..0000000 --- a/11536.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 3 Sep 2024 20:19:02 -0400 -Subject: [PATCH] allow sha1 in OAEP (#11536) - -fixes #11512 ---- - src/rust/src/backend/rsa.rs | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs -index 3c01e7421..066b1412a 100644 ---- a/src/rust/src/backend/rsa.rs -+++ b/src/rust/src/backend/rsa.rs -@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu - } - - fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { -- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1()) -+ md == &openssl::hash::MessageDigest::sha1() - || md == &openssl::hash::MessageDigest::sha224() - || md == &openssl::hash::MessageDigest::sha256() - || md == &openssl::hash::MessageDigest::sha384() --- -2.46.0 - diff --git a/12091.patch b/12091.patch new file mode 100644 index 0000000..96ef95a --- /dev/null +++ b/12091.patch @@ -0,0 +1,34 @@ +From 68369a6dbae71a9314ac0ecc8b88c435600cb4e9 Mon Sep 17 00:00:00 2001 +From: Johan Andersson +Date: Tue, 3 Dec 2024 00:43:31 +0100 +Subject: [PATCH] build: remove cargo.toml files from wheels + +--- + pyproject.toml | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/pyproject.toml b/pyproject.toml +index 4266e3bd5ba4..0378e78815e3 100644 +--- a/pyproject.toml ++++ b/pyproject.toml +@@ -101,15 +101,17 @@ include = [ + "src/_cffi_src/**/*.c", + "src/_cffi_src/**/*.h", + +- "**/Cargo.toml", +- "**/Cargo.lock", ++ "Cargo.toml", ++ "Cargo.lock", ++ "src/rust/**/Cargo.toml", ++ "src/rust/**/Cargo.lock", + "src/rust/**/*.rs", + + "tests/**/*.py", + ] + exclude = [ + "vectors/**/*", +- "src/rust/target/**/*", ++ "target/**/*", + "docs/_build/**/*", + ".github/**/*", + ".readthedocs.yml", 
diff --git a/python-cryptography.spec b/python-cryptography.spec index c4c0e69..110249d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -19,6 +19,10 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +# Merged for 45.0.0+ +# https://github.com/pyca/cryptography/pull/12091 +Patch: 12091.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -102,6 +106,7 @@ export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete +find . -name Cargo.toml -print -delete %pyproject_install %pyproject_save_files %{srcname} From 606ff1ca7ed14791fb66c3029c65397436b2902f Mon Sep 17 00:00:00 2001 From: Fabio Valentini Date: Thu, 6 Feb 2025 13:47:30 +0100 Subject: [PATCH 100/111] Rebuild for openssl crate >= v0.10.70 (RUSTSEC-2025-0004) From 25b75b110cb4173e173476cd88ded741b37c3a98 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Mon, 3 Mar 2025 23:22:02 -0500 Subject: [PATCH 101/111] Do not delete tests/x509 on RHEL tests/x509 now provides imports used by tests in other directories, and no longer require pytz. --- python-cryptography.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 110249d..e10429e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -115,7 +115,7 @@ find . -name Cargo.toml -print -delete %if %{with tests} %if 0%{?rhel} # skip benchmark, hypothesis, and pytz tests on RHEL -rm -rf tests/bench tests/hypothesis tests/x509 +rm -rf tests/bench tests/hypothesis # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif From 683f73c2b86b3035a407c58d8da331232bc68cc1 Mon Sep 17 00:00:00 2001 
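Review bot: The added `find . -name Cargo.toml -print -delete` in `%install` walks the source tree, not `%{buildroot}`, and runs before `%pyproject_install`. The wheel was already produced by `%pyproject_wheel` in `%build`, so this deletion most likely has no effect on what gets installed, and 12091.patch is what actually keeps the files out of the wheel. If a safety net is wanted, it should run after `%pyproject_install` against the installed tree, e.g. `find %{buildroot}%{python3_sitearch} -name Cargo.toml -print -delete`. The `%install` section continues outside this hunk.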
From: Yaakov Selkowitz Date: Thu, 6 Mar 2025 11:43:48 -0500 Subject: [PATCH 102/111] Modernize Rust macro usage This adds automatically generated licensing data, and bundled provides for vendored dependencies in the RHEL builds. --- python-cryptography.spec | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index e10429e..91b85b9 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -12,7 +12,13 @@ Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, # as well as the Python Software Foundation license for the OS random # engine derived by CPython. -License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 +# Rust crate dependency licenses: +# Apache-2.0 +# Apache-2.0 OR MIT +# BSD-3-Clause +# MIT +# MIT OR Apache-2.0 +License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 AND Apache-2.0 AND BSD-3-Clause AND MIT AND (MIT OR Apache-2.0) URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz # created by ./vendor_rust.py helper script @@ -71,13 +77,13 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -n %{srcname}-%{version} +%autosetup -p1 %{!?fedora:-a1} -n %{srcname}-%{version} %if 0%{?fedora} %cargo_prep sed -i 's/locked = true//g' pyproject.toml %else # RHEL: use vendored Rust crates -%cargo_prep -V 1 +%cargo_prep -v vendor %endif %if ! 0%{?fedora} @@ -89,9 +95,7 @@ sed -i 's,--benchmark-disable,,' pyproject.toml %pyproject_buildrequires %if 0%{?fedora} # Fedora: use RPMified crates -cd src/rust %cargo_generate_buildrequires -cd ../.. %endif 
@@ -101,6 +105,12 @@ export OPENSSL_NO_VENDOR=1 export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " %pyproject_wheel +%cargo_license_summary +%{cargo_license} > LICENSE.dependencies +%if ! 0%{?fedora} +%cargo_vendor_manifest +%endif + %install # Actually other *.c and *.h are appropriate @@ -139,6 +149,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD +%license LICENSE.dependencies +%if ! 0%{?fedora} +%license cargo-vendor.txt +%endif %changelog From f06f4c280408a86ae39f4a942bc6b2d46038b84f Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 19 May 2025 10:49:48 -0400 Subject: [PATCH 103/111] Update to v45.0.2 This update includes two backwards-incompatible changes with v44: - Made SSH private key loading more consistent with other private key loading: :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key` now raises a TypeError if the key is unencrypted but a password is provided (previously no exception was raised), and raises a TypeError if the key is encrypted but no password is provided (previously a ValueError was raised). - The :meth:`VerifiedClient.subject ` property can now be None since a custom extension policy may allow certificates without a Subject Alternative Name extension. Full changelog: https://github.com/pyca/cryptography/blob/45.0.2/CHANGELOG.rst --- .gitignore | 2 ++ 12091.patch | 34 ---------------------------------- python-cryptography.spec | 6 +----- sources | 4 ++-- 4 files changed, 5 insertions(+), 41 deletions(-) delete mode 100644 12091.patch diff --git a/.gitignore b/.gitignore index ea7f662..6778d54 100644 --- a/.gitignore +++ b/.gitignore @@ -69,3 +69,5 @@ /cryptography-43.0.0-vendor.tar.bz2 /cryptography-44.0.0.tar.gz /cryptography-44.0.0-vendor.tar.bz2 +/cryptography-45.0.2.tar.gz +/cryptography-45.0.2-vendor.tar.bz2 
diff --git a/12091.patch b/12091.patch deleted file mode 100644 index 96ef95a..0000000 --- a/12091.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 68369a6dbae71a9314ac0ecc8b88c435600cb4e9 Mon Sep 17 00:00:00 2001 -From: Johan Andersson -Date: Tue, 3 Dec 2024 00:43:31 +0100 -Subject: [PATCH] build: remove cargo.toml files from wheels - ---- - pyproject.toml | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/pyproject.toml b/pyproject.toml -index 4266e3bd5ba4..0378e78815e3 100644 ---- a/pyproject.toml -+++ b/pyproject.toml -@@ -101,15 +101,17 @@ include = [ - "src/_cffi_src/**/*.c", - "src/_cffi_src/**/*.h", - -- "**/Cargo.toml", -- "**/Cargo.lock", -+ "Cargo.toml", -+ "Cargo.lock", -+ "src/rust/**/Cargo.toml", -+ "src/rust/**/Cargo.lock", - "src/rust/**/*.rs", - - "tests/**/*.py", - ] - exclude = [ - "vectors/**/*", -- "src/rust/target/**/*", -+ "target/**/*", - "docs/_build/**/*", - ".github/**/*", - ".readthedocs.yml", diff --git a/python-cryptography.spec b/python-cryptography.spec index 91b85b9..3907b6b 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 44.0.0 +Version: 45.0.2 Release: %autorelease Summary: PyCA's cryptography library @@ -25,10 +25,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -# Merged for 45.0.0+ -# https://github.com/pyca/cryptography/pull/12091 -Patch: 12091.patch - ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel diff --git a/sources b/sources index d10f2cb..c6a4acc 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-44.0.0.tar.gz) = 6a0320ef3ece42e5b501d5381f719e01cb20b2971f0334a8a37f7b9a941482399901500f59817bffb1da579673e7785741a3016f51ac3bbf9bec55ff5df611ad -SHA512 (cryptography-44.0.0-vendor.tar.bz2) = 53b52a5aac5de01ac878e5fb477e890b093e6886d8a0b210801402900000560d7a3b8a85414b81f0ff22aadf6f7bbd94ccace70666709197b97424207942af2b +SHA512 (cryptography-45.0.2.tar.gz) = c0393f7e75cf5bba3ae8b6deea00d2a27b097ab6c4a5b59727e76d0df537fbbb648bb1879cd85f26aff93e8f4bedfdf178090330dc42e7d1c939a4b4379443e0 +SHA512 (cryptography-45.0.2-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From adc63ac786ecfec84079d5ecb2ee7d8f6a41b5bd Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Sun, 25 May 2025 12:49:30 -0400 Subject: [PATCH 104/111] Update to v45.0.3 This fixes two issues from v45: - Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys encrypted by Bouncy Castle). - Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly insecure, this remains prevalent. --- .gitignore | 2 ++ python-cryptography.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 6778d54..4a18b60 100644 --- a/.gitignore +++ b/.gitignore @@ -71,3 +71,5 @@ /cryptography-44.0.0-vendor.tar.bz2 /cryptography-45.0.2.tar.gz /cryptography-45.0.2-vendor.tar.bz2 +/cryptography-45.0.3.tar.gz +/cryptography-45.0.3-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 3907b6b..31b41e2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 45.0.2 +Version: 45.0.3 Release: %autorelease Summary: PyCA's cryptography library diff --git a/sources b/sources index c6a4acc..9fb264e 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-45.0.2.tar.gz) = c0393f7e75cf5bba3ae8b6deea00d2a27b097ab6c4a5b59727e76d0df537fbbb648bb1879cd85f26aff93e8f4bedfdf178090330dc42e7d1c939a4b4379443e0 -SHA512 (cryptography-45.0.2-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 +SHA512 (cryptography-45.0.3.tar.gz) = 498facb35ad9db2de76c0d5120ae1322b730efeccf62ab324af1e88193e70d177ac92fbdac6b9dafc953c84c43dcc8c6bdabf3dbb3eb0c0854cb16ab0782ddb3 +SHA512 (cryptography-45.0.3-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From 2fadd7bb9ab0a159e6d5f845cd1d6b922c6d6dab Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 3 Jun 2025 13:37:55 +0200 Subject: [PATCH 105/111] Bootstrap for Python 3.14 --- python-cryptography.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index 31b41e2..27fad32 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} From 65da927d85a980fe32d693d7f3ae2a5c1703740c Mon Sep 17 00:00:00 2001 From: Python Maint Date: Wed, 4 Jun 2025 18:30:16 +0200 Subject: [PATCH 106/111] Rebuilt for Python 3.14 --- python-cryptography.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 27fad32..31b41e2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} From 8034f94f7793712d41c2a2b2b3c55ea6a1c85da1 Mon Sep 17 00:00:00 2001 
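Review bot: The new `cryptography-45.0.3-vendor.tar.bz2` entry carries exactly the same SHA512 (`5ff61641…a4da06`) as the 45.0.2 vendor tarball it replaces, while the source tarball hash changes. That is expected only if the vendored crate set and the archive bytes are identical between the two releases; it would also be the result of the old tarball being uploaded under the new name without re-vendoring. It is worth checking the upstream `Cargo.lock` at the new tag to confirm that no dependency changed, and recording that in the commit message. The 45.0.4 `sources` hunk later in the series repeats the same vendor hash and deserves the same check.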
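Review bot: The added `%global _without_tests 1` switches off the `tests` bcond declared on the next line, and nothing in the spec marks it as temporary. The build produced from this commit therefore presumably ships without the test suite having exercised the OpenSSL and Rust bindings. A comment such as `# bootstrap for Python 3.14: tests off until test dependencies are rebuilt, remove on the next rebuild` would state the intent and the removal condition; the reason given there is inferred from the commit subject. The following commit in the series does remove the line.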
From: Jeremy Cline Date: Wed, 11 Jun 2025 09:31:07 -0400 Subject: [PATCH 107/111] Update to v45.0.4 The upstream release fixes a single issue: - Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This is not considered secure, and is supported only for backwards compatibility.) Fixes rhbz #2371350 --- .gitignore | 2 ++ python-cryptography.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 4a18b60..4ad8197 100644 --- a/.gitignore +++ b/.gitignore @@ -73,3 +73,5 @@ /cryptography-45.0.2-vendor.tar.bz2 /cryptography-45.0.3.tar.gz /cryptography-45.0.3-vendor.tar.bz2 +/cryptography-45.0.4.tar.gz +/cryptography-45.0.4-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 31b41e2..ae9b0b1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 45.0.3 +Version: 45.0.4 Release: %autorelease Summary: PyCA's cryptography library diff --git a/sources b/sources index 9fb264e..e79ea50 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-45.0.3.tar.gz) = 498facb35ad9db2de76c0d5120ae1322b730efeccf62ab324af1e88193e70d177ac92fbdac6b9dafc953c84c43dcc8c6bdabf3dbb3eb0c0854cb16ab0782ddb3 -SHA512 (cryptography-45.0.3-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 +SHA512 (cryptography-45.0.4.tar.gz) = 08b35f414d81f83ee242f5d208f8aabc12dc53f1a0cbffc5be1ed7f9173e9c9863225a7eb5cff4e9f3dacf5e9fcb3e8701e33c441e1562ee13f9e3927fafb3df +SHA512 (cryptography-45.0.4-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From 22e34bf15083c5690415b1cf16fbbafae1ac0c1e Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Fri, 25 Jul 2025 07:25:06 +0000 Subject: [PATCH 108/111] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 5e511855936600aa1b4f9108e740cf9ec0265588 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 15 Aug 2025 13:32:38 +0200 Subject: [PATCH 109/111] Rebuilt for Python 3.14.0rc2 bytecode From 5e1fd8e20da2a7587e12bd6ef621c6ac6a6af07b Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 19 Sep 2025 13:05:04 +0200 Subject: [PATCH 110/111] Rebuilt for Python 3.14.0rc3 bytecode From 1a3a50b8d38e467b5a9b4422d073bf0b915ba94b Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Wed, 22 Oct 2025 13:03:41 +0100 Subject: [PATCH 111/111] Drop pytz test req, only needed for py < 3.9 The pytz requirement now is only used for CI for py < 3.9: pytz==2025.2 ; python_full_version < '3.9' Also drop no longer valid comment snippet --- python-cryptography.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index ae9b0b1..16b4d7e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -49,7 +49,6 @@ BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-xdist -BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 %endif @@ -120,7 +119,7 @@ find . -name Cargo.toml -print -delete %check %if %{with tests} %if 0%{?rhel} -# skip benchmark, hypothesis, and pytz tests on RHEL +# skip benchmark and hypothesis tests on RHEL rm -rf tests/bench tests/hypothesis # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py