From 1811890378778136f7d6624238110588a38f4963 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 7 Sep 2020 08:57:53 +0200
Subject: [PATCH 01/90] Update to 3.1 (#1872978)
---
 .gitignore | 2 ++
 python-cryptography.spec | 7 +++++--
 sources | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index b35eadf..31354d0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,5 @@
 /cryptography-2.9.tar.gz.asc
 /cryptography-3.0.tar.gz
 /cryptography-3.0.tar.gz.asc
+/cryptography-3.1.tar.gz
+/cryptography-3.1.tar.gz.asc
diff --git a/python-cryptography.spec b/python-cryptography.spec
index c81c700..820b880 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -19,8 +19,8 @@
 %global srcname cryptography
 Name: python-%{srcname}
-Version: 3.0
-Release: 2%{?dist}
+Version: 3.1
+Release: 1%{?dist}
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
@@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Mon Sep 07 2020 Christian Heimes - 3.1-1
+- Update to 3.1 (#1872978)
+
 * Wed Jul 29 2020 Fedora Release Engineering - 3.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
diff --git a/sources b/sources
index aa13c06..9db3a37 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.0.tar.gz) = 4fca5d0e59f02f23c7e2d5c80f86e4cf36eeeb9a128e7b3332a91aa0b9dcdd3282a882a88ea34ffba1e91687eb6d1fc1042774f1e30970e9bf56ee701c32ac15
-SHA512 (cryptography-3.0.tar.gz.asc) = fd8320837b5c1e00b84682621402d5f1de56ceb4691b677caa4a2340544531f2025e374aaa38459ce0387f3050176f4845e1070658d81094c4160f1dd8c3cad8
+SHA512 (cryptography-3.1.tar.gz) = c015df3a71e4c274b2fb8fd954d264c8b56443644048139113f548c69cf83798b73c9f0993609f338044df92b609723b0281ce61ed2751309a122de22060037e
+SHA512 (cryptography-3.1.tar.gz.asc) = ceb5ec3c13f85f76f7085a7c72a898097afd7cdef1386c99f8b5090949a4b0a380b5b91c66a8a77033e432619a8bfb5edc9bf3f50008e3cb4cb162a4ef4f3d1e
From 2abb980d58db7196a389c7bb2b7b3162681640fb Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 26 Oct 2020 09:13:36 +0100
Subject: [PATCH 02/90] Update to 3.2 (#1891378)
---
 .gitignore | 2 ++
 python-cryptography.spec | 5 ++++-
 sources | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 31354d0..cda710e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,5 @@
 /cryptography-3.0.tar.gz.asc
 /cryptography-3.1.tar.gz
 /cryptography-3.1.tar.gz.asc
+/cryptography-3.2.tar.gz
+/cryptography-3.2.tar.gz.asc
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 820b880..89ff850 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -19,7 +19,7 @@
 %global srcname cryptography
 Name: python-%{srcname}
-Version: 3.1
+Version: 3.2
 Release: 1%{?dist}
 Summary: PyCA's cryptography library
@@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Mon Oct 26 2020 Christian Heimes - 3.2-1
+- Update to 3.2 (#1891378)
+
 * Mon Sep 07 2020 Christian Heimes - 3.1-1
 - Update to 3.1 (#1872978)
diff --git a/sources b/sources
index 9db3a37..e6e0771 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.1.tar.gz) = c015df3a71e4c274b2fb8fd954d264c8b56443644048139113f548c69cf83798b73c9f0993609f338044df92b609723b0281ce61ed2751309a122de22060037e
-SHA512 (cryptography-3.1.tar.gz.asc) = ceb5ec3c13f85f76f7085a7c72a898097afd7cdef1386c99f8b5090949a4b0a380b5b91c66a8a77033e432619a8bfb5edc9bf3f50008e3cb4cb162a4ef4f3d1e
+SHA512 (cryptography-3.2.tar.gz) = 0096e6408b5868cc0b5e6f67945e4200bb943a00ac803546048fa4d332f81af4a224b2d67b911ee8da1ad086120935d7d557fc70a739ecffb22f408ee9b8d09e
+SHA512 (cryptography-3.2.tar.gz.asc) = 969e09e100bc76b08690e90cfa1551d64597ea65e5c13a65d4396ea7be5a19cd80438371a957bc4b2e362a1a01c30e29cc56bee44c586e5de83512f8af5d97e2
From 6417bbcc758cd6f07d051bcd5435061b8fc741ec Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Wed, 28 Oct 2020 07:28:58 +0100
Subject: [PATCH 03/90] Update to 3.2.1 (#1892153)
---
 .gitignore | 2 ++
 python-cryptography.spec | 5 ++++-
 sources | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index cda710e..607872b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,5 @@
 /cryptography-3.1.tar.gz.asc
 /cryptography-3.2.tar.gz
 /cryptography-3.2.tar.gz.asc
+/cryptography-3.2.1.tar.gz
+/cryptography-3.2.1.tar.gz.asc
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 89ff850..4d748d5 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -19,7 +19,7 @@
 %global srcname cryptography
 Name: python-%{srcname}
-Version: 3.2
+Version: 3.2.1
 Release: 1%{?dist}
 Summary: PyCA's cryptography library
@@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Wed Oct 28 2020 Christian Heimes - 3.2.1-1
+- Update to 3.2.1 (#1892153)
+
 * Mon Oct 26 2020 Christian Heimes - 3.2-1
 - Update to 3.2 (#1891378)
diff --git a/sources b/sources
index e6e0771..b2f4b8f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.2.tar.gz) = 0096e6408b5868cc0b5e6f67945e4200bb943a00ac803546048fa4d332f81af4a224b2d67b911ee8da1ad086120935d7d557fc70a739ecffb22f408ee9b8d09e
-SHA512 (cryptography-3.2.tar.gz.asc) = 969e09e100bc76b08690e90cfa1551d64597ea65e5c13a65d4396ea7be5a19cd80438371a957bc4b2e362a1a01c30e29cc56bee44c586e5de83512f8af5d97e2
+SHA512 (cryptography-3.2.1.tar.gz) = e3f1806693c24aadc3ef0df374ce1845760e87ad7c243226b75e80820b50bdc0760e4bb5f6ce26d62a6d23736b3109f72cd30b52ae2a36b26ec5656ec96c6175
+SHA512 (cryptography-3.2.1.tar.gz.asc) = f73d34e39d63fcc965d326a11a96d90fb7e704f29e9e4c6473e390c0b64628b89d26f56f227516f462804047a8c085973bf14689accc9b3dc21e8fdcde68719b
From 2d60d5642f5887f38105723882bef3e8ba9e6b8c Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Thu, 10 Dec 2020 09:51:20 +0100
Subject: [PATCH 04/90] Update to 3.3.1 (#1905756)
---
 .gitignore | 2 ++
 python-cryptography.spec | 5 ++++-
 sources | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 607872b..258afbe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,5 @@
 /cryptography-3.2.tar.gz.asc
 /cryptography-3.2.1.tar.gz
 /cryptography-3.2.1.tar.gz.asc
+/cryptography-3.3.1.tar.gz
+/cryptography-3.3.1.tar.gz.asc
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 4d748d5..6723f65 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -19,7 +19,7 @@
 %global srcname cryptography
 Name: python-%{srcname}
-Version: 3.2.1
+Version: 3.3.1
 Release: 1%{?dist}
 Summary: PyCA's cryptography library
@@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Thu Dec 10 2020 Christian Heimes - 3.3.1-1
+- Update to 3.3.1 (#1905756)
+
 * Wed Oct 28 2020 Christian Heimes - 3.2.1-1
 - Update to 3.2.1 (#1892153)
diff --git a/sources b/sources
index b2f4b8f..67acd25 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.2.1.tar.gz) = e3f1806693c24aadc3ef0df374ce1845760e87ad7c243226b75e80820b50bdc0760e4bb5f6ce26d62a6d23736b3109f72cd30b52ae2a36b26ec5656ec96c6175
-SHA512 (cryptography-3.2.1.tar.gz.asc) = f73d34e39d63fcc965d326a11a96d90fb7e704f29e9e4c6473e390c0b64628b89d26f56f227516f462804047a8c085973bf14689accc9b3dc21e8fdcde68719b
+SHA512 (cryptography-3.3.1.tar.gz) = 62192fe0fd3bb8844ccc0056ab72a42b038db2a4ecb0928543c520b85e1de93066dab0d604acf23d37395d68172b9618f81c6022a59ec49725bc1862096d15d1
+SHA512 (cryptography-3.3.1.tar.gz.asc) = 5ec77aa93142cafc7b8c4d2ba355da477ac403e73b30740bf4ef42ab8065efb7cc1efa6c007ae67a13b44cf43f715f1cc7fee005bfa89b5a490c0f968a7373ff
From 8c79979ad2765606d417e3157fae0dcff95cf64c Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 7 Sep 2020 08:57:53 +0200
Subject: [PATCH 05/90] Update to 3.1 (#1872978)
---
 .gitignore | 2 ++
 python-cryptography.spec | 7 +++++--
 sources | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index b35eadf..31354d0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,5 @@
 /cryptography-2.9.tar.gz.asc
 /cryptography-3.0.tar.gz
 /cryptography-3.0.tar.gz.asc
+/cryptography-3.1.tar.gz
+/cryptography-3.1.tar.gz.asc
diff --git a/python-cryptography.spec b/python-cryptography.spec
index c81c700..820b880 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -19,8 +19,8 @@
 %global srcname cryptography
 Name: python-%{srcname}
-Version: 3.0
-Release: 2%{?dist}
+Version: 3.1
+Release: 1%{?dist}
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
@@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Mon Sep 07 2020 Christian Heimes - 3.1-1
+- Update to 3.1 (#1872978)
+
 * Wed Jul 29 2020 Fedora Release Engineering - 3.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
diff --git a/sources b/sources
index aa13c06..9db3a37 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.0.tar.gz) = 4fca5d0e59f02f23c7e2d5c80f86e4cf36eeeb9a128e7b3332a91aa0b9dcdd3282a882a88ea34ffba1e91687eb6d1fc1042774f1e30970e9bf56ee701c32ac15
-SHA512 (cryptography-3.0.tar.gz.asc) = fd8320837b5c1e00b84682621402d5f1de56ceb4691b677caa4a2340544531f2025e374aaa38459ce0387f3050176f4845e1070658d81094c4160f1dd8c3cad8
+SHA512 (cryptography-3.1.tar.gz) = c015df3a71e4c274b2fb8fd954d264c8b56443644048139113f548c69cf83798b73c9f0993609f338044df92b609723b0281ce61ed2751309a122de22060037e
+SHA512 (cryptography-3.1.tar.gz.asc) = ceb5ec3c13f85f76f7085a7c72a898097afd7cdef1386c99f8b5090949a4b0a380b5b91c66a8a77033e432619a8bfb5edc9bf3f50008e3cb4cb162a4ef4f3d1e
From 9bd39f6d6a28bdec8d2f458084f3b351d7090f5a Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 26 Oct 2020 09:13:36 +0100
Subject: [PATCH 06/90] Update to 3.2 (#1891378)
---
 .gitignore | 2 ++
 python-cryptography.spec | 5 ++++-
 sources | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index 31354d0..cda710e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,5 @@
 /cryptography-3.0.tar.gz.asc
 /cryptography-3.1.tar.gz
 /cryptography-3.1.tar.gz.asc
+/cryptography-3.2.tar.gz
+/cryptography-3.2.tar.gz.asc
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 820b880..89ff850 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -19,7 +19,7 @@
 %global srcname cryptography
 Name: python-%{srcname}
-Version: 3.1
+Version: 3.2
 Release: 1%{?dist}
 Summary: PyCA's cryptography library
@@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Mon Oct 26 2020 Christian Heimes - 3.2-1
+- Update to 3.2 (#1891378)
+
 * Mon Sep 07 2020 Christian Heimes - 3.1-1
 - Update to 3.1 (#1872978)
diff --git a/sources b/sources
index 9db3a37..e6e0771 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.1.tar.gz) = c015df3a71e4c274b2fb8fd954d264c8b56443644048139113f548c69cf83798b73c9f0993609f338044df92b609723b0281ce61ed2751309a122de22060037e
-SHA512 (cryptography-3.1.tar.gz.asc) = ceb5ec3c13f85f76f7085a7c72a898097afd7cdef1386c99f8b5090949a4b0a380b5b91c66a8a77033e432619a8bfb5edc9bf3f50008e3cb4cb162a4ef4f3d1e
+SHA512 (cryptography-3.2.tar.gz) = 0096e6408b5868cc0b5e6f67945e4200bb943a00ac803546048fa4d332f81af4a224b2d67b911ee8da1ad086120935d7d557fc70a739ecffb22f408ee9b8d09e
+SHA512 (cryptography-3.2.tar.gz.asc) = 969e09e100bc76b08690e90cfa1551d64597ea65e5c13a65d4396ea7be5a19cd80438371a957bc4b2e362a1a01c30e29cc56bee44c586e5de83512f8af5d97e2
From 0839b656a67084efd5a0f040b77838d49e2a0d3e Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Wed, 28 Oct 2020 07:28:58 +0100
Subject: [PATCH 07/90] Update to 3.2.1 (#1892153)
---
 .gitignore | 2 ++
 python-cryptography.spec | 5 ++++-
 sources | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/.gitignore b/.gitignore
index cda710e..607872b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -21,3 +21,5 @@
 /cryptography-3.1.tar.gz.asc
 /cryptography-3.2.tar.gz
 /cryptography-3.2.tar.gz.asc
+/cryptography-3.2.1.tar.gz
+/cryptography-3.2.1.tar.gz.asc
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 89ff850..4d748d5 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -19,7 +19,7 @@
 %global srcname cryptography
 Name: python-%{srcname}
-Version: 3.2
+Version: 3.2.1
 Release: 1%{?dist}
 Summary: PyCA's cryptography library
@@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Wed Oct 28 2020 Christian Heimes - 3.2.1-1
+- Update to 3.2.1 (#1892153)
+
 * Mon Oct 26 2020 Christian Heimes - 3.2-1
 - Update to 3.2 (#1891378)
diff --git a/sources b/sources
index e6e0771..b2f4b8f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.2.tar.gz) = 0096e6408b5868cc0b5e6f67945e4200bb943a00ac803546048fa4d332f81af4a224b2d67b911ee8da1ad086120935d7d557fc70a739ecffb22f408ee9b8d09e
-SHA512 (cryptography-3.2.tar.gz.asc) = 969e09e100bc76b08690e90cfa1551d64597ea65e5c13a65d4396ea7be5a19cd80438371a957bc4b2e362a1a01c30e29cc56bee44c586e5de83512f8af5d97e2
+SHA512 (cryptography-3.2.1.tar.gz) = e3f1806693c24aadc3ef0df374ce1845760e87ad7c243226b75e80820b50bdc0760e4bb5f6ce26d62a6d23736b3109f72cd30b52ae2a36b26ec5656ec96c6175
+SHA512 (cryptography-3.2.1.tar.gz.asc) = f73d34e39d63fcc965d326a11a96d90fb7e704f29e9e4c6473e390c0b64628b89d26f56f227516f462804047a8c085973bf14689accc9b3dc21e8fdcde68719b
From 660907b847900513b8770540b8347b89aabc10b6 Mon Sep 17 00:00:00 2001
From: Fedora Release Engineering
Date: Wed, 27 Jan 2021 10:04:48 +0000
Subject: [PATCH 08/90] - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
Signed-off-by: Fedora Release Engineering
---
 python-cryptography.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 6723f65..dab9ad2 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -20,7 +20,7 @@
 Name: python-%{srcname}
 Version: 3.3.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
@@ -170,6 +170,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
 * Thu Dec 10 2020 Christian Heimes - 3.3.1-1
 - Update to 3.3.1 (#1905756)
From bf3babc383437e5411e1c6ce5a5c31b6163e4a1e Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Sun, 7 Feb 2021 20:36:07 +0100
Subject: [PATCH 09/90] Update to 3.4 (#1925953) Remove Python 2 support Remove unused python-idna dependency Add Rust support
---
 .gitignore | 2 +
 README.md | 98 +++++++++++++++++++++++++++++++++++
 python-cryptography.spec | 108 ++++++---------------------------------
 sources | 4 +-
 4 files changed, 118 insertions(+), 94 deletions(-)
 create mode 100644 README.md
diff --git a/.gitignore b/.gitignore
index 258afbe..f66525f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,5 @@
 /cryptography-3.2.1.tar.gz.asc
 /cryptography-3.3.1.tar.gz
 /cryptography-3.3.1.tar.gz.asc
+/cryptography-3.4.tar.gz
+/cryptography-3.4.tar.gz.asc
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c100762
--- /dev/null
+++ b/README.md
@@ -0,0 +1,98 @@
+# PyCA cryptography
+
+https://cryptography.io/en/latest/
+
+## Packaging python-cryptography
+
+The example assumes
+
+* Fedora Rawhide (f34)
+* PyCA cryptography release ``3.4``
+* Update Bugzilla issues are ``RHBZ#00000001`` and ``RHBZ#00000002``
+* Build side tag is ``f34-build-side-12345``
+
+### Request a side tag for building
+
+python-cryptography builds depend on python-cryptography-vectors
+package. Both packages must be build in a side tag.
+
+```shell
+fedpkg request-side-tag --base-tag f34-build
+```
+
+### Build new python-cryptography-vectors first
+
+```shell
+pushd ../python-cryptography-vectors
+```
+
+Switch and update branch
+
+```shell
+fedpkg switch-branch rawhide
+fedpkg pull
+```
+
+Bump version and get sources
+
+```shell
+rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography-vectors.spec
+spectool -gf python-cryptography-vectors.spec
+```
+
+Upload sources
+
+```shell
+fedpkg new-sources cryptography_vectors-3.4.tar.gz
+```
+
+Commit changes
+
+```shell
+git add sources .gitignore python-cryptography-vectors.spec
+fedpkg commit --clog
+fedpkg push
+```
+
+Build and wait for repo to regenerate
+
+```shell
+fedpkg build --target=f34-build-side-12345
+koji wait-repo --build python-cryptography-vectors-3.4-1 f34-build-side-12345
+```
+
+### Build new python-cryptography
+
+Switch and update branch
+
+```shell
+fedpkg switch-branch rawhide
+fedpkg pull
+```
+
+Bump version and get sources
+
+```shell
+rpmdev-bumpspec -c "Update to 3.4 (#00000002)" -n 3.4 python-cryptography.spec
+spectool -gf python-cryptography.spec
+```
+
+Upload new sources (**two files!**)
+
+```shell
+fedpkg new-sources cryptography-3.4.tar.gz cryptography-3.4.tar.gz.asc
+```
+
+Commit changes
+
+```shell
+git add sources .gitignore python-cryptography.spec
+fedpkg commit --clog
+fedpkg push
+```
+
+Build
+
+```shell
+fedpkg build --target=f34-build-side-12345
+```
diff --git a/python-cryptography.spec b/python-cryptography.spec
index dab9ad2..4ff1761 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -1,26 +1,13 @@
-%if 0%{?fedora} || 0%{?rhel} > 7
-# Enable python3 build by default
-%bcond_without python3
-%else
-%bcond_with python3
-%endif
-
-%if 0%{?fedora} > 31 || 0%{?rhel} > 7
-# Disable python2 build by default
-%bcond_with python2
-%else
-%bcond_without python2
-%endif
-
 %bcond_without tests
 %{!?python3_pkgversion:%global python3_pkgversion 3}
 %global srcname cryptography
+%global pyo3_version 0.13.1
 Name: python-%{srcname}
-Version: 3.3.1
-Release: 2%{?dist}
+Version: 3.4
+Release: 1%{?dist}
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
@@ -36,31 +23,14 @@ Source2: gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
 BuildRequires: openssl-devel
 BuildRequires: gcc
 BuildRequires: gnupg2
+BuildRequires: rust-packaging
+BuildRequires: rust-pyo3+default-devel >= %{pyo3_version}
+BuildRequires: rust-pyo3+extension-module-devel >= %{pyo3_version}
-%if 0%{?with_python2}
-BuildRequires: python2-cffi >= 1.7
-BuildRequires: python2-cryptography-vectors = %{version}
-BuildRequires: python2-devel
-BuildRequires: python2-enum34
-BuildRequires: python2-idna >= 2.1
-BuildRequires: python2-ipaddress
-BuildRequires: python2-setuptools
-BuildRequires: python2-six >= 1.4.1
-
-%if %{with tests}
-BuildRequires: python2-hypothesis >= 1.11.4
-BuildRequires: python2-iso8601
-BuildRequires: python2-pretend
-BuildRequires: python2-pytest >= 3.2.1
-BuildRequires: python2-pytz
-%endif
-%endif
-
-%if 0%{?with_python3}
 BuildRequires: python%{python3_pkgversion}-cffi >= 1.7
 BuildRequires: python%{python3_pkgversion}-devel
-BuildRequires: python%{python3_pkgversion}-idna >= 2.1
 BuildRequires: python%{python3_pkgversion}-setuptools
+BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3
 BuildRequires: python%{python3_pkgversion}-six >= 1.4.1
 %if %{with tests}
@@ -71,105 +41,59 @@ BuildRequires: python%{python3_pkgversion}-pretend
 BuildRequires: python%{python3_pkgversion}-pytest >= 3.2.1
 BuildRequires: python%{python3_pkgversion}-pytz
 %endif
-%endif
 %description
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
-%if 0%{?with_python2}
-%package -n python2-%{srcname}
-Summary: PyCA's cryptography library
-
-%if 0%{?with_python3}
-%{?python_provide:%python_provide python2-%{srcname}}
-%else
-Provides: python-%{srcname}
-%endif
-
-Requires: openssl-libs
-Requires: python2-idna >= 2.1
-Requires: python2-six >= 1.4.1
-Requires: python2-cffi >= 1.7
-Requires: python2-enum34
-Requires: python2-ipaddress
-
-%description -n python2-%{srcname}
-cryptography is a package designed to expose cryptographic primitives and
-recipes to Python developers.
-%endif
-
-%if 0%{?with_python3}
 %package -n python%{python3_pkgversion}-%{srcname}
 Summary: PyCA's cryptography library
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
 Requires: openssl-libs
-Requires: python%{python3_pkgversion}-idna >= 2.1
 Requires: python%{python3_pkgversion}-six >= 1.4.1
 Requires: python%{python3_pkgversion}-cffi >= 1.7
 %description -n python%{python3_pkgversion}-%{srcname}
 cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.
-%endif
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1 -n %{srcname}-%{version}
+%cargo_prep
+rm -f src/rust/Cargo.lock
 %build
-%if 0%{?with_python2}
-%py2_build
-%endif
-%if 0%{?with_python3}
+export CARGO_NET_OFFLINE=true
 %py3_build
-%endif
 %install
 # Actually other *.c and *.h are appropriate
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
-
-%if 0%{?with_python2}
-%py2_install
-%endif
-%if 0%{?with_python3}
 %py3_install
-%endif
 %check
 %if %{with tests}
-%if 0%{?with_python2}
 # see https://github.com/pyca/cryptography/issues/4885 and
 # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
-PYTHONPATH=%{buildroot}%{python2_sitearch} %{__python2} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
-%endif
-
-%if 0%{?with_python3}
 PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)"
 %endif
-%endif
-
-%if 0%{?with_python2}
-%files -n python2-%{srcname}
-%doc LICENSE LICENSE.APACHE LICENSE.BSD README.rst docs
-%{python2_sitearch}/%{srcname}
-%{python2_sitearch}/%{srcname}-%{version}-py*.egg-info
-%endif
-
-
-%if 0%{?with_python3}
 %files -n python%{python3_pkgversion}-%{srcname}
 %doc README.rst docs
 %license LICENSE LICENSE.APACHE LICENSE.BSD
 %{python3_sitearch}/%{srcname}
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
-%endif
-
 %changelog
+* Sun Feb 07 2021 Christian Heimes - 3.4-1
+- Update to 3.4 (#1925953)
+- Remove Python 2 support
+- Remove unused python-idna dependency
+- Add Rust support
+
 * Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
diff --git a/sources b/sources
index 67acd25..0b150c5 100644
--- a/sources
+++ b/sources
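Review bot: The `rm -f src/rust/Cargo.lock` added to %prep carries no comment, yet it is the line that decides which Rust crates get compiled into a cryptography library. Deleting the lockfile discards upstream's pinned crate versions and checksums, so resolution falls to whatever the buildroot provides (presumably the packaged `rust-pyo3` crates named in the new BuildRequires). I would put a comment above it, for example `# Drop upstream's lockfile: crates are resolved from the distribution's packaged registry, not upstream's pins`, so a later maintainer neither restores the file nor assumes upstream's tested versions are in use. The `export CARGO_NET_OFFLINE=true` added to %build deserves the same treatment, e.g. `# never let cargo fetch from the network during the build`.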
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.3.1.tar.gz) = 62192fe0fd3bb8844ccc0056ab72a42b038db2a4ecb0928543c520b85e1de93066dab0d604acf23d37395d68172b9618f81c6022a59ec49725bc1862096d15d1
-SHA512 (cryptography-3.3.1.tar.gz.asc) = 5ec77aa93142cafc7b8c4d2ba355da477ac403e73b30740bf4ef42ab8065efb7cc1efa6c007ae67a13b44cf43f715f1cc7fee005bfa89b5a490c0f968a7373ff
+SHA512 (cryptography-3.4.tar.gz) = 5d0d1b62d67e1722f19810738dcae7a9d9ca8b228c06b334486c37d836f20a37332aa59b975d0e4154e4ae91e18546280faf6e18bef8230da42948bc02920c9f
+SHA512 (cryptography-3.4.tar.gz.asc) = c26828fffa3db224d24dc1e4937bdd6061548e53d51a772743570e3896e9f1d0810fcafc8b6ad45c75ac8ebca6e97bf7a86c2de5133438856e6b8a3cafbc22e0
From 5a77f343f815d1fb25163e41087fffb6dd80de61 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Sun, 7 Feb 2021 20:48:39 +0100
Subject: [PATCH 10/90] Add missing abi3 and pytest dependencies
---
 python-cryptography.spec | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 4ff1761..ae1259d 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -7,7 +7,7 @@
 Name: python-%{srcname}
 Version: 3.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
@@ -26,6 +26,7 @@ BuildRequires: gnupg2
 BuildRequires: rust-packaging
 BuildRequires: rust-pyo3+default-devel >= %{pyo3_version}
 BuildRequires: rust-pyo3+extension-module-devel >= %{pyo3_version}
+BuildRequires: rust-pyo3+abi3-py36-devel >= %{pyo3_version}
 BuildRequires: python%{python3_pkgversion}-cffi >= 1.7
 BuildRequires: python%{python3_pkgversion}-devel
@@ -38,7 +39,9 @@ BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version}
 BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4
 BuildRequires: python%{python3_pkgversion}-iso8601
 BuildRequires: python%{python3_pkgversion}-pretend
-BuildRequires: python%{python3_pkgversion}-pytest >= 3.2.1
+BuildRequires: python%{python3_pkgversion}-pytest >= 6.0
+BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2
+BuildRequires: python%{python3_pkgversion}-pytest-xdist
 BuildRequires: python%{python3_pkgversion}-pytz
 %endif
@@ -88,6 +91,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 %changelog
+* Sun Feb 07 2021 Christian Heimes - 3.4-2
+- Add missing abi3 and pytest dependencies
+
 * Sun Feb 07 2021 Christian Heimes - 3.4-1
 - Update to 3.4 (#1925953)
 - Remove Python 2 support
From b5705ea4832990b4e551bb56d2662ad88a59e91a Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Sun, 7 Feb 2021 23:00:22 +0100
Subject: [PATCH 11/90] Update to 3.4.1 (#1925953)
---
 .gitignore | 2 ++
 python-cryptography.spec | 7 +++++--
 sources | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index f66525f..e6495aa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,5 @@
 /cryptography-3.3.1.tar.gz.asc
 /cryptography-3.4.tar.gz
 /cryptography-3.4.tar.gz.asc
+/cryptography-3.4.1.tar.gz
+/cryptography-3.4.1.tar.gz.asc
diff --git a/python-cryptography.spec b/python-cryptography.spec
index ae1259d..2014eb6 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -6,8 +6,8 @@
 %global pyo3_version 0.13.1
 Name: python-%{srcname}
-Version: 3.4
-Release: 2%{?dist}
+Version: 3.4.1
+Release: 1%{?dist}
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
@@ -91,6 +91,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 %changelog
+* Sun Feb 07 2021 Christian Heimes - 3.4.1-1
+- Update to 3.4.1 (#1925953)
+
 * Sun Feb 07 2021 Christian Heimes - 3.4-2
 - Add missing abi3 and pytest dependencies
diff --git a/sources b/sources
index 0b150c5..31d2ccd 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (cryptography-3.4.tar.gz) = 5d0d1b62d67e1722f19810738dcae7a9d9ca8b228c06b334486c37d836f20a37332aa59b975d0e4154e4ae91e18546280faf6e18bef8230da42948bc02920c9f
-SHA512 (cryptography-3.4.tar.gz.asc) = c26828fffa3db224d24dc1e4937bdd6061548e53d51a772743570e3896e9f1d0810fcafc8b6ad45c75ac8ebca6e97bf7a86c2de5133438856e6b8a3cafbc22e0
+SHA512 (cryptography-3.4.1.tar.gz) = 929cfceeb9ebfd4f14236678235f10c9de42b8c12750f03f8c52d6ff77d43784dd17acfa2145bce27fd59e346191b05840c7d4f68efcf8648d375c1e6b70ab48
+SHA512 (cryptography-3.4.1.tar.gz.asc) = 804603f18468ba21155974b43ac117bad9d33913b78336326387c29a4074a0e3dc848a4b2f9ebfe0c3ea561b806ee2172668076f60ef4a5d00ba9354c4c37139
From be860bdcae953dd9b03217cee1682c4a0c0767bf Mon Sep 17 00:00:00 2001
From: Fabio Valentini
Date: Mon, 8 Feb 2021 13:51:48 +0100
Subject: [PATCH 12/90] small improvements for building the PyO3 Rust module
Signed-off-by: Fabio Valentini
---
 python-cryptography.spec | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 2014eb6..affdc2d 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -7,7 +7,7 @@
 Name: python-%{srcname}
 Version: 3.4.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
@@ -24,9 +24,6 @@ BuildRequires: openssl-devel
 BuildRequires: gcc
 BuildRequires: gnupg2
 BuildRequires: rust-packaging
-BuildRequires: rust-pyo3+default-devel >= %{pyo3_version}
-BuildRequires: rust-pyo3+extension-module-devel >= %{pyo3_version}
-BuildRequires: rust-pyo3+abi3-py36-devel >= %{pyo3_version}
 BuildRequires: python%{python3_pkgversion}-cffi >= 1.7
 BuildRequires: python%{python3_pkgversion}-devel
@@ -67,8 +64,12 @@ recipes to Python developers.
 %cargo_prep
 rm -f src/rust/Cargo.lock
+%generate_buildrequires
+cd src/rust
+%cargo_generate_buildrequires
+cd ../..
+
 %build
-export CARGO_NET_OFFLINE=true
 %py3_build
 %install
@@ -91,6 +92,10 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 %changelog
+* Mon Feb 08 2021 Fabio Valentini - 3.4.1-2
+- Use dynamically generated BuildRequires for PyO3 Rust module.
+- Drop unnecessary CARGO_NET_OFFLINE environment variable.
+
 * Sun Feb 07 2021 Christian Heimes - 3.4.1-1
 - Update to 3.4.1 (#1925953)
From b0108c0719662886f013762492bed2e943a97d8e Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 8 Feb 2021 15:30:51 +0100
Subject: [PATCH 13/90] CVE-2020-36242 Fixed a bug where certain sequences of update() calls when symmetrically encrypting very large payloads (>2GB) could result in an integer overflow, leading to buffer overflows. Resolves: rhbz#1926227
---
 CVE-2020-36242.patch | 18 ++++++++++++++++++
 python-cryptography.spec | 10 +++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-36242.patch
diff --git a/CVE-2020-36242.patch b/CVE-2020-36242.patch
new file mode 100644
index 0000000..1f2f9c5
--- /dev/null
+++ b/CVE-2020-36242.patch
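Review bot: Removing `export CARGO_NET_OFFLINE=true` from %build takes away the only line in the spec that says cargo must not reach the network. The changelog calls the variable unnecessary, presumably because `%cargo_prep` already points cargo at the local crate registry, but nothing in the spec records that. I would add a comment above `%cargo_prep`, such as `# %cargo_prep restricts cargo to the local packaged registry; no network access is expected at build time`, so the offline guarantee stays visible to whoever edits this section next. As a smaller style point in the new `%generate_buildrequires` section, the `cd src/rust` … `cd ../..` pair depends on the directory depth staying the same; `pushd src/rust` / `popd` would not.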
@@ -0,0 +1,18 @@
+From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer
+Date: Sun, 7 Feb 2021 11:04:43 -0600
+Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 2b10681b31..0f96795fdc 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -16,7 +16,7 @@
+ class _CipherContext(object):
+ _ENCRYPT = 1
+ _DECRYPT = 0
+- _MAX_CHUNK_SIZE = 2 ** 31 - 1
++ _MAX_CHUNK_SIZE = 2 ** 30 - 1
+
+ def __init__(self, backend, cipher, mode, operation):
+ self._backend = backend
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 4d748d5..43775a4 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -20,7 +20,7 @@
 Name: python-%{srcname}
 Version: 3.2.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
@@ -33,6 +33,8 @@ Source1: %{pypi_source}.asc
 # gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
 Source2: gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg
+Patch0001: CVE-2020-36242.patch
+
 BuildRequires: openssl-devel
 BuildRequires: gcc
 BuildRequires: gnupg2
@@ -170,6 +172,12 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %changelog
+* Mon Feb 08 2021 Christian Heimes - 3.2.1-2
+- CVE-2020-36242: Fixed a bug where certain sequences of update() calls
+ when symmetrically encrypting very large payloads (>2GB) could result
+ in an integer overflow, leading to buffer overflows.
+- Resolves: rhbz#1926227
+
 * Wed Oct 28 2020 Christian Heimes - 3.2.1-1
 - Update to 3.2.1 (#1892153)
From 8fd31561e0c8e57fab71e32c7ec88e8f530c4274 Mon Sep 17 00:00:00 2001
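Review bot: The new `Patch0001: CVE-2020-36242.patch` line in the spec has no comment saying where the patch comes from or whether it is upstream, which is what an auditor checks first on a security backport. I would add a line above it, `# CVE-2020-36242 (rhbz#1926227): backport of upstream commit 962eac3925c7184fb5dc174357823223beba0d85`, using the hash already present in the patch header. The upstream subject reads "port changelog and fix", but the shipped file carries only the one-line `_MAX_CHUNK_SIZE` change in `ciphers.py` and no test, so %check as shown here does not appear to exercise the fixed path. A short note in the patch header that the backport is intentionally reduced to that hunk would prevent someone from treating it as a truncated file.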
From: Christian Heimes
Date: Mon, 8 Feb 2021 17:51:03 +0100
Subject: [PATCH 14/90] Update to 3.4.2 (#1926339) Package no longer depends on Rust (#1926181)
---
 .gitignore | 2 ++
 python-cryptography.spec | 8 ++++++--
 sources | 4 ++--
 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index e6495aa..5f81814 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,5 @@
 /cryptography-3.4.tar.gz.asc
 /cryptography-3.4.1.tar.gz
 /cryptography-3.4.1.tar.gz.asc
+/cryptography-3.4.2.tar.gz
+/cryptography-3.4.2.tar.gz.asc
diff --git a/python-cryptography.spec b/python-cryptography.spec
index affdc2d..51d1de8 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -6,8 +6,8 @@
 %global pyo3_version 0.13.1
 Name: python-%{srcname}
-Version: 3.4.1
-Release: 2%{?dist}
+Version: 3.4.2
+Release: 1%{?dist}
 Summary: PyCA's cryptography library
 License: ASL 2.0 or BSD
@@ -92,6 +92,10 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 %changelog
+* Mon Feb 08 2021 Christian Heimes - 3.4.2-1
+- Update to 3.4.2 (#1926339)
+- Package no longer depends on Rust (#1926181)
+
 * Mon Feb 08 2021 Fabio Valentini - 3.4.1-2
 - Use dynamically generated BuildRequires for PyO3 Rust module.
 - Drop unnecessary CARGO_NET_OFFLINE environment variable.
diff --git a/sources b/sources
index 31d2ccd..00d5b88 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@ -SHA512 (cryptography-3.4.1.tar.gz) = 929cfceeb9ebfd4f14236678235f10c9de42b8c12750f03f8c52d6ff77d43784dd17acfa2145bce27fd59e346191b05840c7d4f68efcf8648d375c1e6b70ab48 -SHA512 (cryptography-3.4.1.tar.gz.asc) = 804603f18468ba21155974b43ac117bad9d33913b78336326387c29a4074a0e3dc848a4b2f9ebfe0c3ea561b806ee2172668076f60ef4a5d00ba9354c4c37139 +SHA512 (cryptography-3.4.2.tar.gz) = 8fa9fad24d55d3ff129d4ebf0837cd267bbd180429cda09e60730e67fb18e6af7ff4630989b18ab31ffc85046259eba546ad63388fd6e252bfbc850e7cbc62fc +SHA512 (cryptography-3.4.2.tar.gz.asc) = ae8ef10065db06d58879a3eb553f0d0c430f28da9a48789f09410cee694409c715972a3506c5bd3c8519125df412805b547e1109d9d3867d79858578e3082098 From e3b20e8f2628b1bfea819f71e5ded8bd039711fc Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 10 Feb 2021 10:59:27 +0100 Subject: [PATCH 15/90] Update to 3.4.4 (#1927044) --- .gitignore | 2 ++ python-cryptography.spec | 5 ++++- sources | 4 ++-- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 5f81814..87f501d 100644 --- a/.gitignore +++ b/.gitignore @@ -31,3 +31,5 @@ /cryptography-3.4.1.tar.gz.asc /cryptography-3.4.2.tar.gz /cryptography-3.4.2.tar.gz.asc +/cryptography-3.4.4.tar.gz +/cryptography-3.4.4.tar.gz.asc diff --git a/python-cryptography.spec b/python-cryptography.spec index 51d1de8..5b080f1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4.2 +Version: 3.4.4 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -92,6 +92,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Feb 10 2021 Christian Heimes - 3.4.4-1 +- Update to 3.4.4 (#1927044) + * Mon Feb 08 2021 Christian Heimes - 3.4.2-1 - Update to 3.4.2 (#1926339) - Package no longer depends on Rust (#1926181) 
diff --git a/sources b/sources index 00d5b88..20b61a3 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.4.2.tar.gz) = 8fa9fad24d55d3ff129d4ebf0837cd267bbd180429cda09e60730e67fb18e6af7ff4630989b18ab31ffc85046259eba546ad63388fd6e252bfbc850e7cbc62fc -SHA512 (cryptography-3.4.2.tar.gz.asc) = ae8ef10065db06d58879a3eb553f0d0c430f28da9a48789f09410cee694409c715972a3506c5bd3c8519125df412805b547e1109d9d3867d79858578e3082098 +SHA512 (cryptography-3.4.4.tar.gz) = 3c94cb3eccc67cd1d7be9d16353f94a08019534517bbe9cd97ee75f05631418d1688fa7efc7284a62482d22b731de524f45268cf357d47a37a2fb033f1b9b3fc +SHA512 (cryptography-3.4.4.tar.gz.asc) = 395c8af891a2ae9c2a5954291e58d223fb5a9157794f22cf83bb798dd13534277d44846edca723b44dcbcb609e5db55e3fca7416fd452f23c5bb6e126c4c5284 From cb7384560068a5cf6866717cad6364b76cd0856f Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 12 Feb 2021 10:53:26 +0100 Subject: [PATCH 16/90] Provide RHEL build infrastructure --- python-cryptography.spec | 33 ++++++++++++++-- vendor_rust.py | 82 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 111 insertions(+), 4 deletions(-) create mode 100755 vendor_rust.py diff --git a/python-cryptography.spec b/python-cryptography.spec index 5b080f1..527d6ae 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.4 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD 
@@ -19,11 +19,19 @@ Source1: %{pypi_source}.asc # gpg2 --recv-keys "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" # gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg Source2: gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg +%if 0%{?rhel} + # created by ./vendor_rust.py helper script +Source3: cryptography-%{version}-vendor.tar.bz2 +%endif BuildRequires: openssl-devel BuildRequires: gcc BuildRequires: gnupg2 +%if 0%{?fedora} BuildRequires: rust-packaging +%else +BuildRequires: rust-toolset +%endif BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 BuildRequires: python%{python3_pkgversion}-devel @@ -33,12 +41,14 @@ BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 %if %{with tests} BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version} +%if 0%{?fedora} BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 +BuildRequires: python%{python3_pkgversion}-pytest-xdist +%endif BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 -BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif @@ -61,13 +71,20 @@ recipes to Python developers. %prep %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -n %{srcname}-%{version} -%cargo_prep -rm -f src/rust/Cargo.lock %generate_buildrequires + +%if 0%{?fedora} +# Fedora: use cargo macros to make use of RPMified crates +%cargo_prep cd src/rust +rm -f Cargo.lock %cargo_generate_buildrequires cd ../.. +%else +# RHEL: use vendored Rust crates +%cargo_prep -V 3 +%endif %build %py3_build 
@@ -80,6 +97,11 @@ find . -name .keep -print -delete %check %if %{with tests} +%if 0%{?rhel} +# skip hypothesis tests on RHEL +rm -rf tests/hypothesis +%endif + # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" @@ -92,6 +114,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Feb 12 2021 Christian Heimes - 3.4.4-2 +- Provide RHEL build infrastructure + * Wed Feb 10 2021 Christian Heimes - 3.4.4-1 - Update to 3.4.4 (#1927044) diff --git a/vendor_rust.py b/vendor_rust.py new file mode 100755 index 0000000..4e25214 --- /dev/null +++ b/vendor_rust.py 
@@ -0,0 +1,82 @@ +#!/usr/bin/python3 +"""Vendor PyCA cryptography's Rust crates +""" +import argparse +import glob +import os +import re +import tarfile +import tempfile +import shutil +import subprocess +import sys + +VENDOR_DIR = "vendor" +CARGO_TOML = "src/rust/Cargo.toml" +RE_VERSION = re.compile("Version:\s*(.*)") + +parser = argparse.ArgumentParser(description="Vendor Rust packages") +parser.add_argument( + "--spec", default="python-cryptography.spec", help="cryptography source tar bundle" +) + + +def cargo(cmd, manifest): + args = ["cargo", cmd, f"--manifest-path={manifest}"] + return subprocess.check_call( + args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={} + ) + + +def main(): + args = parser.parse_args() + spec = args.spec + + # change cwd to work in bundle directory + here = os.path.dirname(os.path.abspath(spec)) + os.chdir(here) + + # extract version number from bundle name + with open(spec) as f: + for line in f: + mo = RE_VERSION.search(line) + if mo is not None: + version = mo.group(1) + break + else: + raise ValueError(f"Cannot find version in {spec}") + + bundle_file = f"cryptography-{version}.tar.gz" + vendor_file = f"cryptography-{version}-vendor.tar.bz2" + + # remove existing vendor directory and file + if os.path.isdir(VENDOR_DIR): + shutil.rmtree(VENDOR_DIR) + try: + os.unlink(vendor_file) + except FileNotFoundError: + pass + + print(f"Getting crates for {bundle_file}", file=sys.stderr) + + # extract tar file in tempdir + # fetch and vendor Rust crates + with tempfile.TemporaryDirectory(dir=here) as tmp: + with tarfile.open(bundle_file) as tar: + tar.extractall(path=tmp) + manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML) + cargo("fetch", manifest) + cargo("vendor", manifest) + + print("\nCreating tar ball...", file=sys.stderr) + with tarfile.open(vendor_file, "x:bz2") as tar: + tar.add(VENDOR_DIR) + + # remove vendor dir + shutil.rmtree(VENDOR_DIR) + + parser.exit(0, f"Created {vendor_file}\n") + + +if __name__ == 
"__main__": + main() From cf06cdcb9415cffdbff0f698a15f71b3f6d077fe Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 12 Feb 2021 16:47:08 +0100 Subject: [PATCH 17/90] Skip iso8601 and pretend tests on RHEL --- conftest-skipper.py | 22 ++++++++++++++++++++++ python-cryptography.spec | 12 +++++++++--- 2 files changed, 31 insertions(+), 3 deletions(-) create mode 100644 conftest-skipper.py diff --git a/conftest-skipper.py b/conftest-skipper.py new file mode 100644 index 0000000..5a1de83 --- /dev/null +++ b/conftest-skipper.py @@ -0,0 +1,22 @@ + +class Skipper: + """Skip iso8601 and pretend tests + + RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip + all tests that use the excluded modules. + """ + + def parse_date(self, datestring): + pytest.skip(f"iso8601 module is not available.") + + def stub(self, **kwargs): + pytest.skip(f"pretend module is not available.") + + def raiser(self, exc): + pytest.skip(f"pretend module is not available.") + + +import sys + +sys.modules["iso8601"] = sys.modules["pretend"] = Skipper() + diff --git a/python-cryptography.spec b/python-cryptography.spec index 527d6ae..2c40030 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.4 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -22,6 +22,7 @@ Source2: gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg %if 0%{?rhel} # created by ./vendor_rust.py helper script Source3: cryptography-%{version}-vendor.tar.bz2 +Source4: conftest-skipper.py %endif BuildRequires: openssl-devel 
@@ -43,10 +44,10 @@ BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version} %if 0%{?fedora} BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 -BuildRequires: python%{python3_pkgversion}-pytest-xdist -%endif BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend +BuildRequires: python%{python3_pkgversion}-pytest-xdist +%endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 BuildRequires: python%{python3_pkgversion}-pytz @@ -100,6 +101,8 @@ find . -name .keep -print -delete %if 0%{?rhel} # skip hypothesis tests on RHEL rm -rf tests/hypothesis +# append skipper to skip iso8601 and pretend tests +cat < %{SOURCE4} >> tests/conftest.py %endif # see https://github.com/pyca/cryptography/issues/4885 and @@ -114,6 +117,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Feb 12 2021 Christian Heimes - 3.4.4-3 +- Skip iso8601 and pretend tests on RHEL + * Fri Feb 12 2021 Christian Heimes - 3.4.4-2 - Provide RHEL build infrastructure From f8b1daa766bc824103a28e784098e769d665c428 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 15 Feb 2021 08:22:18 +0100 Subject: [PATCH 18/90] Update to 3.4.5 (#1927044) --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 87f501d..6f739f1 100644 --- a/.gitignore +++ b/.gitignore @@ -33,3 +33,5 @@ /cryptography-3.4.2.tar.gz.asc /cryptography-3.4.4.tar.gz /cryptography-3.4.4.tar.gz.asc +/cryptography-3.4.5.tar.gz +/cryptography-3.4.5.tar.gz.asc diff --git a/python-cryptography.spec b/python-cryptography.spec index 2c40030..d4ca3f3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -6,8 +6,8 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4.4 -Release: 3%{?dist} +Version: 3.4.5 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -117,6 +117,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Feb 15 2021 Christian Heimes - 3.4.5-1 +- Update to 3.4.5 (#1927044) + * Fri Feb 12 2021 Christian Heimes - 3.4.4-3 - Skip iso8601 and pretend tests on RHEL diff --git a/sources b/sources index 20b61a3..3d2089b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.4.4.tar.gz) = 3c94cb3eccc67cd1d7be9d16353f94a08019534517bbe9cd97ee75f05631418d1688fa7efc7284a62482d22b731de524f45268cf357d47a37a2fb033f1b9b3fc -SHA512 (cryptography-3.4.4.tar.gz.asc) = 395c8af891a2ae9c2a5954291e58d223fb5a9157794f22cf83bb798dd13534277d44846edca723b44dcbcb609e5db55e3fca7416fd452f23c5bb6e126c4c5284 +SHA512 (cryptography-3.4.5.tar.gz) = a8cf49193cbc11eb36fbcdd6987e7333a29af849607f63ea2bb6faad9caf4b3d7d8f09b9c30bee0e5ccda115bb64b3665d5be3f143759c7d6e3772ebf652642c +SHA512 (cryptography-3.4.5.tar.gz.asc) = 38763a62ab15370819f9aaac7464f5ea2613ceff9caecdca5a7d073ae65f1ec3366f1f32e8b8922d7c6f397ff0c138b3a4ae460648daa93f8847a3f7b01f0e22 From fd227175fd8e3425efeede8063ae47861bccfcca Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 16 Feb 2021 14:33:41 +0100 Subject: [PATCH 19/90] Create reproducible tar file --- vendor_rust.py | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/vendor_rust.py b/vendor_rust.py index 4e25214..cd8355e 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -2,7 +2,6 @@ """Vendor PyCA cryptography's Rust crates """ import argparse -import glob import os import re import tarfile 
@@ -28,6 +27,37 @@ def cargo(cmd, manifest): ) +def tar_reset(tarinfo): + """Reset user, group, mtime, and mode to create reproducible tar""" + tarinfo.uid = 0 + tarinfo.gid = 0 + tarinfo.uname = "root" + tarinfo.gname = "root" + tarinfo.mtime = 0 + if tarinfo.type == tarfile.DIRTYPE: + tarinfo.mode = 0o755 + else: + tarinfo.mode = 0o644 + if tarinfo.pax_headers: + raise ValueError(tarinfo.name, tarinfo.pax_headers) + return tarinfo + + +def tar_reproducible(tar, basedir): + """Create reproducible tar file""" + + content = [basedir] + for root, dirs, files in os.walk(basedir): + for directory in dirs: + content.append(os.path.join(root, directory)) + for filename in files: + content.append(os.path.join(root, filename)) + content.sort() + + for fn in content: + tar.add(fn, filter=tar_reset, recursive=False, arcname=fn) + + def main(): args = parser.parse_args() spec = args.spec @@ -70,7 +100,7 @@ def main(): print("\nCreating tar ball...", file=sys.stderr) with tarfile.open(vendor_file, "x:bz2") as tar: - tar.add(VENDOR_DIR) + tar_reproducible(tar, VENDOR_DIR) # remove vendor dir shutil.rmtree(VENDOR_DIR) From 7898d952a8384ad1481b6d451d55a1ac4f8a6594 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 3 Mar 2021 13:20:21 +0100 Subject: [PATCH 20/90] Update to 3.4.6 (#1927044) --- .gitignore | 2 ++ README.md | 2 -- python-cryptography.spec | 5 ++++- sources | 4 ++-- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 6f739f1..bd7832a 100644 --- a/.gitignore +++ b/.gitignore @@ -35,3 +35,5 @@ /cryptography-3.4.4.tar.gz.asc /cryptography-3.4.5.tar.gz /cryptography-3.4.5.tar.gz.asc +/cryptography-3.4.6.tar.gz +/cryptography-3.4.6.tar.gz.asc diff --git a/README.md b/README.md index c100762..d673048 100644 --- a/README.md +++ b/README.md @@ -49,7 +49,6 @@ fedpkg new-sources cryptography_vectors-3.4.tar.gz Commit changes ```shell -git add sources .gitignore python-cryptography-vectors.spec fedpkg commit --clog fedpkg push ``` 
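Review bot: The archive written through `tar_reproducible()` still depends on the interpreter's default tar format, because the `tarfile.open(vendor_file, "x:bz2")` call in `main()` (context of the second hunk) does not set `format`; that default changed from GNU to pax in Python 3.8, so two packagers can get different bytes from the same crates. Pinning it, `with tarfile.open(vendor_file, "x:bz2", format=tarfile.PAX_FORMAT) as tar:`, removes that variable. In `tar_reset`, the `pax_headers` check looks like it cannot fire for entries created by `tar.add()`, since those headers appear to be generated only when the member is written; this is worth confirming, and a one-line comment on what the check is meant to catch would help. `tar_reset` also forces 0o644 on every non-directory entry, which is presumably intended for crate sources but deserves a mention in the docstring.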
@@ -86,7 +85,6 @@ fedpkg new-sources cryptography-3.4.tar.gz cryptography-3.4.tar.gz.asc Commit changes ```shell -git add sources .gitignore python-cryptography.spec fedpkg commit --clog fedpkg push ``` diff --git a/python-cryptography.spec b/python-cryptography.spec index d4ca3f3..e4f3235 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4.5 +Version: 3.4.6 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -117,6 +117,9 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Mar 03 2021 Christian Heimes - 3.4.6-1 +- Update to 3.4.6 (#1927044) + * Mon Feb 15 2021 Christian Heimes - 3.4.5-1 - Update to 3.4.5 (#1927044) diff --git a/sources b/sources index 3d2089b..da81927 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.4.5.tar.gz) = a8cf49193cbc11eb36fbcdd6987e7333a29af849607f63ea2bb6faad9caf4b3d7d8f09b9c30bee0e5ccda115bb64b3665d5be3f143759c7d6e3772ebf652642c -SHA512 (cryptography-3.4.5.tar.gz.asc) = 38763a62ab15370819f9aaac7464f5ea2613ceff9caecdca5a7d073ae65f1ec3366f1f32e8b8922d7c6f397ff0c138b3a4ae460648daa93f8847a3f7b01f0e22 +SHA512 (cryptography-3.4.6.tar.gz) = 30b712adc5cc114faeb7bfef0b9de88c6daefa5a8b99e53bd6d37b8ed560bd1d396cbb202902c307b90f40d695bde151164436bf233fb726dc836c8b70126653 +SHA512 (cryptography-3.4.6.tar.gz.asc) = 91e8c5f5e9e0d440d0882f0bf2f5f039b299c88f03f52d4060f0ee2a18d46ca6503d77444196db91b8d29c7b302b238461795d252777f9bc2953c52789df9fad From 7e4d2cc3e898c5e2eabb91dc75e23f62e0cd950c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 10 Mar 2021 13:18:44 +0100 Subject: [PATCH 21/90] This is now a Rust package, hence it only builds on %{rust_arches} No real difference for Fedora or modern RHEL, but the guidelines say so: https://docs.fedoraproject.org/en-US/packaging-guidelines/Rust/#_exclusivearch --- python-cryptography.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index e4f3235..f157ee4 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -25,6 +25,8 @@ Source3: cryptography-%{version}-vendor.tar.bz2 Source4: conftest-skipper.py %endif +ExclusiveArch: %{rust_arches} + BuildRequires: openssl-devel BuildRequires: gcc BuildRequires: gnupg2 From 19b6996e722be8ce4912a40e5c7b307d207ea965 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 13 Apr 2021 08:44:13 +0200 Subject: [PATCH 22/90] Mention vendoring for RHEL/CentOS packaging --- README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/README.md b/README.md index d673048..ee71b2b 100644 --- a/README.md +++ b/README.md @@ -94,3 +94,16 @@ Build ```shell fedpkg build --target=f34-build-side-12345 ``` + +## RHEL/CentOS builds + +RHEL and CentOS use a different approach for Rust crates packaging than +Fedora. On Fedora Rust dependencies are packaged as RPMs, e.g. +``rust-pyo3+default-devel`` RPM. These packages don't exist on RHEL and +CentOS. Instead python-cryptography uses a tar ball with vendored crates. +The tar ball is created by a script: + +```shell +./vendor_rust.py +rhpkg upload cryptography-3.4-vendor.tar.bz2 +``` From 5fdccbab1d77ad7362acbb66c4694e4d86e30f6c Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Wed, 21 Apr 2021 13:39:53 +0200 Subject: [PATCH 23/90] Update to 3.4.7, use vectors from sources (#1952024) python-cryptography now uses source bundle from Github, which contains sources of vectors, too. Tests are no longer depending on python3-cryptography-vectors. Instead tests are using the bundles vectors package. Resolves RHBZ#1952024 --- .gitignore | 1 + README.md | 60 ++---------------- ...CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg | Bin 1188 -> 0 bytes python-cryptography.spec | 33 +++++----- sources | 3 +- 5 files changed, 25 insertions(+), 72 deletions(-) delete mode 100644 gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg diff --git a/.gitignore b/.gitignore index bd7832a..cf9ac7e 100644 --- a/.gitignore +++ b/.gitignore @@ -37,3 +37,4 @@ /cryptography-3.4.5.tar.gz.asc /cryptography-3.4.6.tar.gz /cryptography-3.4.6.tar.gz.asc +/cryptography-3.4.7.tar.gz diff --git a/README.md b/README.md index ee71b2b..33554c0 100644 --- a/README.md +++ b/README.md 
@@ -8,57 +8,7 @@ The example assumes * Fedora Rawhide (f34) * PyCA cryptography release ``3.4`` -* Update Bugzilla issues are ``RHBZ#00000001`` and ``RHBZ#00000002`` -* Build side tag is ``f34-build-side-12345`` - -### Request a side tag for building - -python-cryptography builds depend on python-cryptography-vectors -package. Both packages must be build in a side tag. - -```shell -fedpkg request-side-tag --base-tag f34-build -``` - -### Build new python-cryptography-vectors first - -```shell -pushd ../python-cryptography-vectors -``` - -Switch and update branch - -```shell -fedpkg switch-branch rawhide -fedpkg pull -``` - -Bump version and get sources - -```shell -rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography-vectors.spec -spectool -gf python-cryptography-vectors.spec -``` - -Upload sources - -```shell -fedpkg new-sources cryptography_vectors-3.4.tar.gz -``` - -Commit changes - -```shell -fedpkg commit --clog -fedpkg push -``` - -Build and wait for repo to regenerate - -```shell -fedpkg build --target=f34-build-side-12345 -koji wait-repo --build python-cryptography-vectors-3.4-1 f34-build-side-12345 -``` +* Update Bugzilla issue is ``RHBZ#00000001`` ### Build new python-cryptography @@ -72,14 +22,14 @@ fedpkg pull Bump version and get sources ```shell -rpmdev-bumpspec -c "Update to 3.4 (#00000002)" -n 3.4 python-cryptography.spec +rpmdev-bumpspec -c "Update to 3.4 (#00000001)" -n 3.4 python-cryptography.spec spectool -gf python-cryptography.spec ``` -Upload new sources (**two files!**) +Upload new source ```shell -fedpkg new-sources cryptography-3.4.tar.gz cryptography-3.4.tar.gz.asc +fedpkg new-sources cryptography-3.4.tar.gz ``` Commit changes @@ -92,7 +42,7 @@ fedpkg push Build ```shell -fedpkg build --target=f34-build-side-12345 +fedpkg build ``` ## RHEL/CentOS builds 
diff --git a/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg b/gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg deleted file mode 100644 index dcae2d294ee960fa1eef388915659a59fa32b11d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1188 zcmV;V1Y7%=0SyFFBCR_C2mru&73El&3H2t5nI68Q9hzL>cT6mwg4zkC{+7HPTeg8I z5C7)pzdb1LWju5%BxHBsP5O}OCXjdQEW2i$Lc+)O4ZOLxR^_+WviC;x)2|n`7borH zlrmsn)=F-Ho)o7%uUf!Q>Yx>9Vp)dWmAs3e|O^!kSv_QwU>+~kgjV=sbx zG_MY5!uxRNARqsoa}NL!0RRECB~W2?Y#>WzXmVw8AUtqkb!;wdE^B3Ia%FNrXKi6= zY%XJOZ9a(sI0O>`0stZf0#YKaI|3U61`7!Y2Ll2I6$k?hwshfU)IXoeRR;O;Hl&0joy8{$+b?307y>Hw#e2 zJ#MXXZ+O6C6Q)@WYf}5PDzBN=KS&W0skd_(ad2fj5zp%~A!(0Y%SW02Q;Supcd40($4vJ{JY9kGNjS!)Rk#yu* z(&X#V9BFp}Bi`3arWBhy=N-TgidssU_h-GqkF788NsqUMSeT8tM<8SNRbflj3C@z46XJ_GltsY7hNpD#p3*0NR;IX(;tNxIUZAsp zvjrv5&pWLPa@OxSbk4_AoNwSVa%`p-QSMMy>LXK~o2aan76TNt+ zDck+9&Z^K!qC4oS0_0JBrP){@>SfU>%js_t{o{pPu7AV6cf~{?y9$Y|9Gf}%7gY>) zoy7Gp;9k9dgut!<8{2(s#E}#$7tV%J|8DBf(OWWwZ^Lk}7`vl1UWL{52xxj7!X z7ih~}%ROYB{F_#F;5kf8x~D$-2>AEWPu4N-OhF`_8Y#xZ9_QbJcFF|>A91rmEwi$; z*Hici!kJ_R)x!~a=Tr;EdY;ia^|!vO#PUj~E7UXPt!hCPJ@@WHq@+{FNG1$0Ubbi@ CEhzZ_ diff --git a/python-cryptography.spec b/python-cryptography.spec index f157ee4..f107e9b 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -6,23 +6,17 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4.6 +Version: 3.4.7 Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ -Source0: %{pypi_source} -Source1: %{pypi_source}.asc -# key ids of upstream authors are published in the AUTHORS file: -# https://github.com/pyca/cryptography/blob/master/AUTHORS.rst -# gpg2 --recv-keys "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" -# gpg2 --export --export-options export-minimal "05FD 9FA1 6CF7 5735 0D91 A560 235A E5F1 29F9 ED98" > gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg -Source2: gpgkey-05FD_9FA1_6CF7_5735_0D91_A560_235A_E5F1_29F9_ED98.gpg +Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz %if 0%{?rhel} # created by ./vendor_rust.py helper script -Source3: cryptography-%{version}-vendor.tar.bz2 -Source4: conftest-skipper.py +Source1: cryptography-%{version}-vendor.tar.bz2 +Source2: conftest-skipper.py %endif ExclusiveArch: %{rust_arches} @@ -43,7 +37,6 @@ BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 %if %{with tests} -BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version} %if 0%{?fedora} BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 BuildRequires: python%{python3_pkgversion}-iso8601 
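Review bot: With `Source0` moved to the GitHub archive URL, the detached signature (`Source1: %{pypi_source}.asc`), the keyring source and the comment on how the key was exported are removed, and the `%{gpgverify}` line is dropped from `%prep` in the hunk at `@@ -66,13 +59,16 @@`; after this change the SHA512 entry in `sources` is the only integrity check on the upstream tarball that the page shows. If that is a deliberate trade-off for taking the vectors from the same bundle, a comment above `Source0` should say so, for example `# GitHub archive is fetched without a detached signature; integrity relies on the SHA512 in sources`. The commit message explains the vectors change but does not mention the lost signature check.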
@@ -66,13 +59,16 @@ Summary: PyCA's cryptography library Requires: openssl-libs Requires: python%{python3_pkgversion}-six >= 1.4.1 Requires: python%{python3_pkgversion}-cffi >= 1.7 +%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 +# Can be safely removed in Fedora 37 +Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7 +%endif %description -n python%{python3_pkgversion}-%{srcname} cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %autosetup -p1 -n %{srcname}-%{version} %generate_buildrequires @@ -86,7 +82,7 @@ rm -f Cargo.lock cd ../.. %else # RHEL: use vendored Rust crates -%cargo_prep -V 3 +%cargo_prep -V 1 %endif %build @@ -104,12 +100,14 @@ find . -name .keep -print -delete # skip hypothesis tests on RHEL rm -rf tests/hypothesis # append skipper to skip iso8601 and pretend tests -cat < %{SOURCE4} >> tests/conftest.py +cat < %{SOURCE2} >> tests/conftest.py %endif # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests -PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" +PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ + %{__python3} -m pytest \ + -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" %endif %files -n python%{python3_pkgversion}-%{srcname} 
@@ -119,6 +117,11 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Apr 21 2021 Christian Heimes - 3.4.7-1 +- Update to 3.4.7 +- Remove dependency on python-cryptography-vectors package and use vectors + directly from Github source tar ball. (#1952024) + * Wed Mar 03 2021 Christian Heimes - 3.4.6-1 - Update to 3.4.6 (#1927044) diff --git a/sources b/sources index da81927..a6bf867 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -SHA512 (cryptography-3.4.6.tar.gz) = 30b712adc5cc114faeb7bfef0b9de88c6daefa5a8b99e53bd6d37b8ed560bd1d396cbb202902c307b90f40d695bde151164436bf233fb726dc836c8b70126653 -SHA512 (cryptography-3.4.6.tar.gz.asc) = 91e8c5f5e9e0d440d0882f0bf2f5f039b299c88f03f52d4060f0ee2a18d46ca6503d77444196db91b8d29c7b302b238461795d252777f9bc2953c52789df9fad +SHA512 (cryptography-3.4.7.tar.gz) = e76d0949fbaca06d2f72805bdce8ea85056ae45b978f51d70d1367bbfb1067e9db76a9f080f890e95ec52c788a3d2fd3ba0a286901f97ee2911ebd7a7a8f71a9 From b166e77e86d756b18cd79aeced13f5f3b6341a50 Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Tue, 11 May 2021 10:19:55 +0200 Subject: [PATCH 24/90] Python 3.10 and OpenSSL 3.0.0 fixes (#1952522) Fix compatibility issue with Python 3.10. Enums now use same representation as on Python 3.9. Backport OpenSSL 3.0.0 compatibility patches. Resolves: RHBZ#1952522 --- ...cs12-parse-ordering.-fixes-5872-5879.patch | 130 ++++++ 0002-WIP-3.0.0-support-5250.patch | 415 ++++++++++++++++++ ...EVP_PKEY_derive-instead-of-DH_comput.patch | 151 +++++++ ...Use-well-defined-enum-representation.patch | 366 +++++++++++++++ python-cryptography.spec | 11 +- 5 files changed, 1072 insertions(+), 1 deletion(-) create mode 100644 0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch create mode 100644 0002-WIP-3.0.0-support-5250.patch create mode 100644 0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch create mode 100644 0004-Use-well-defined-enum-representation.patch diff --git a/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch b/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch new file mode 100644 index 0000000..e73331a --- /dev/null +++ b/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch 
@@ -0,0 +1,130 @@ +From cb1908043d5daa7c5c38945c048c4a2477a46221 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Sun, 28 Feb 2021 16:06:11 -0600 +Subject: [PATCH 1/4] fix pkcs12 parse ordering. fixes #5872 (#5879) + +* fix pkcs12 parse ordering. fixes #5872 + +* remove an unneeded print + +* simplify the test a bit more + +* index + +* black + +* Update tests/hazmat/primitives/test_pkcs12.py + +Co-authored-by: Alex Gaynor + +Co-authored-by: Alex Gaynor +--- + .../hazmat/backends/openssl/backend.py | 5 +- + tests/hazmat/primitives/test_pkcs12.py | 58 ++++++++++++++++++- + 2 files changed, 59 insertions(+), 4 deletions(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index 271873d9..a96d08d8 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -6,6 +6,7 @@ + import collections + import contextlib + import itertools ++import typing + import warnings + from contextlib import contextmanager + +@@ -2562,9 +2563,7 @@ class Backend(object): + sk_x509 = self._lib.sk_X509_new_null() + sk_x509 = self._ffi.gc(sk_x509, self._lib.sk_X509_free) + +- # reverse the list when building the stack so that they're encoded +- # in the order they were originally provided. 
it is a mystery +- for ca in reversed(cas): ++ for ca in cas: + res = self._lib.sk_X509_push(sk_x509, ca._x509) + backend.openssl_assert(res >= 1) + +diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py +index b5de09f9..b1759a1b 100644 +--- a/tests/hazmat/primitives/test_pkcs12.py ++++ b/tests/hazmat/primitives/test_pkcs12.py +@@ -4,13 +4,15 @@ + + + import os ++from datetime import datetime + + import pytest + + from cryptography import x509 + from cryptography.hazmat.backends.interfaces import DERSerializationBackend + from cryptography.hazmat.backends.openssl.backend import _RC2 +-from cryptography.hazmat.primitives import serialization ++from cryptography.hazmat.primitives import hashes, serialization ++from cryptography.hazmat.primitives.asymmetric import ec + from cryptography.hazmat.primitives.serialization import load_pem_private_key + from cryptography.hazmat.primitives.serialization.pkcs12 import ( + load_key_and_certificates, +@@ -273,3 +275,57 @@ class TestPKCS12Creation(object): + DummyKeySerializationEncryption(), + ) + assert str(exc.value) == "Unsupported key encryption type" ++ ++ ++def test_pkcs12_ordering(): ++ """ ++ In OpenSSL < 3.0.0 PKCS12 parsing reverses the order. However, we ++ accidentally thought it was **encoding** that did it, leading to bug ++ https://github.com/pyca/cryptography/issues/5872 ++ This test ensures our ordering is correct going forward. ++ """ ++ ++ def make_cert(name): ++ key = ec.generate_private_key(ec.SECP256R1()) ++ subject = x509.Name( ++ [ ++ x509.NameAttribute(x509.NameOID.COMMON_NAME, name), ++ ] ++ ) ++ now = datetime.utcnow() ++ cert = ( ++ x509.CertificateBuilder() ++ .subject_name(subject) ++ .issuer_name(subject) ++ .public_key(key.public_key()) ++ .serial_number(x509.random_serial_number()) ++ .not_valid_before(now) ++ .not_valid_after(now) ++ .sign(key, hashes.SHA256()) ++ ) ++ return (key, cert) ++ ++ # Make some certificates with distinct names. 
++ a_name = "A" * 20 ++ b_name = "B" * 20 ++ c_name = "C" * 20 ++ a_key, a_cert = make_cert(a_name) ++ _, b_cert = make_cert(b_name) ++ _, c_cert = make_cert(c_name) ++ ++ # Bundle them in a PKCS#12 file in order A, B, C. ++ p12 = serialize_key_and_certificates( ++ b"p12", a_key, a_cert, [b_cert, c_cert], serialization.NoEncryption() ++ ) ++ ++ # Parse them out. The API should report them in the same order. ++ (key, cert, certs) = load_key_and_certificates(p12, None) ++ assert cert == a_cert ++ assert certs == [b_cert, c_cert] ++ ++ # The ordering in the PKCS#12 file itself should also match. ++ a_idx = p12.index(a_name.encode("utf-8")) ++ b_idx = p12.index(b_name.encode("utf-8")) ++ c_idx = p12.index(c_name.encode("utf-8")) ++ ++ assert a_idx < b_idx < c_idx +-- +2.31.1 + diff --git a/0002-WIP-3.0.0-support-5250.patch b/0002-WIP-3.0.0-support-5250.patch new file mode 100644 index 0000000..c99eea8 --- /dev/null +++ b/0002-WIP-3.0.0-support-5250.patch 
@@ -0,0 +1,415 @@ +From a0bece343e38d73d038d4f3a62c2a9638608ac9c Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 22 Apr 2021 19:16:38 -0500 +Subject: [PATCH 2/4] [WIP] 3.0.0 support (#5250) + +* 3.0.0 support + +* almost...there... + +* make mypy happy +--- + .github/workflows/ci.yml | 7 ++-- + src/_cffi_src/build_openssl.py | 1 + + src/_cffi_src/openssl/cryptography.py | 3 ++ + src/_cffi_src/openssl/err.py | 6 +++ + src/_cffi_src/openssl/fips.py | 2 +- + src/_cffi_src/openssl/provider.py | 40 ++++++++++++++++++ + .../hazmat/backends/openssl/backend.py | 42 ++++++++++++++++--- + .../hazmat/backends/openssl/ciphers.py | 15 ++++++- + .../hazmat/bindings/openssl/_conditional.py | 11 +++++ + .../hazmat/bindings/openssl/binding.py | 20 +++++++++ + tests/hazmat/backends/test_openssl_memleak.py | 6 ++- + tests/hazmat/bindings/test_openssl.py | 4 +- + tests/hazmat/primitives/test_dh.py | 24 ++++++++++- + 13 files changed, 167 insertions(+), 14 deletions(-) + create mode 100644 src/_cffi_src/openssl/provider.py + +diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml +index cd967a3a..747f84c1 100644 +--- a/.github/workflows/ci.yml ++++ b/.github/workflows/ci.yml +@@ -18,9 +18,10 @@ jobs: + - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"} + - {VERSION: "pypy3", TOXENV: "pypy3"} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} +- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}} +- - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}} +- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} ++ - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine 
no-rc2 no-srtp no-ct"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}} +diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py +index 08499d66..557296ed 100644 +--- a/src/_cffi_src/build_openssl.py ++++ b/src/_cffi_src/build_openssl.py +@@ -104,6 +104,7 @@ ffi = build_ffi_for_binding( + "osrandom_engine", + "pem", + "pkcs12", ++ "provider", + "rand", + "rsa", + "ssl", +diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py +index e2b5a132..06d1e778 100644 +--- a/src/_cffi_src/openssl/cryptography.py ++++ b/src/_cffi_src/openssl/cryptography.py +@@ -34,6 +34,8 @@ INCLUDES = """ + + #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ + (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) ++#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ ++ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) + + #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ + (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL) +@@ -53,6 +55,7 @@ INCLUDES = """ + + TYPES = """ + static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; ++static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; + + static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111; + static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B; +diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py +index 0634b656..8cfeaf5b 100644 +--- a/src/_cffi_src/openssl/err.py ++++ b/src/_cffi_src/openssl/err.py +@@ -18,6 +18,7 @@ static const int EVP_R_UNKNOWN_PBE_ALGORITHM; + + static const int ERR_LIB_EVP; + static const int ERR_LIB_PEM; ++static const int ERR_LIB_PROV; + static const int ERR_LIB_ASN1; + static const int ERR_LIB_PKCS12; + +@@ -45,4 
+46,9 @@ int ERR_GET_REASON(unsigned long); + """ + + CUSTOMIZATIONS = """ ++/* This define is tied to provider support and is conditionally ++ removed if Cryptography_HAS_PROVIDERS is false */ ++#ifndef ERR_LIB_PROV ++#define ERR_LIB_PROV 0 ++#endif + """ +diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py +index b9d0d64d..23c10af9 100644 +--- a/src/_cffi_src/openssl/fips.py ++++ b/src/_cffi_src/openssl/fips.py +@@ -17,7 +17,7 @@ int FIPS_mode(void); + """ + + CUSTOMIZATIONS = """ +-#if CRYPTOGRAPHY_IS_LIBRESSL ++#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + static const long Cryptography_HAS_FIPS = 0; + int (*FIPS_mode_set)(int) = NULL; + int (*FIPS_mode)(void) = NULL; +diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py +new file mode 100644 +index 00000000..d7d659ea +--- /dev/null ++++ b/src/_cffi_src/openssl/provider.py +@@ -0,0 +1,40 @@ ++# This file is dual licensed under the terms of the Apache License, Version ++# 2.0, and the BSD License. See the LICENSE file in the root of this repository ++# for complete details. ++ ++ ++INCLUDES = """ ++#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ++#include ++#include ++#endif ++""" ++ ++TYPES = """ ++static const long Cryptography_HAS_PROVIDERS; ++ ++typedef ... OSSL_PROVIDER; ++typedef ... 
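Review bot: Extending the `#if` in `CUSTOMIZATIONS` of `fips.py` to `CRYPTOGRAPHY_OPENSSL_300_OR_GREATER` sets `Cryptography_HAS_FIPS` to 0 and nulls `FIPS_mode` on OpenSSL 3.0, which leaves the binding with no way to report that the FIPS provider is in use. Any Python-side check built on this flag (not visible in this hunk) would presumably treat a FIPS-configured 3.0 host as non-FIPS and stop refusing non-approved algorithms. OpenSSL 3.0 reports the state through `EVP_default_properties_is_fips_enabled`; until that is bound, record the gap next to the condition, e.g. `/* OpenSSL 3.0 has no FIPS_mode(); FIPS state is not detected on 3.0 yet */`.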
OSSL_LIB_CTX; ++ ++static const long PROV_R_BAD_DECRYPT; ++static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH; ++""" ++ ++FUNCTIONS = """ ++OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *); ++int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); ++""" ++ ++CUSTOMIZATIONS = """ ++#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ++static const long Cryptography_HAS_PROVIDERS = 1; ++#else ++static const long Cryptography_HAS_PROVIDERS = 0; ++typedef void OSSL_PROVIDER; ++typedef void OSSL_LIB_CTX; ++static const long PROV_R_BAD_DECRYPT = 0; ++static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH = 0; ++OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; ++int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; ++#endif ++""" +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index a96d08d8..86e8f0a8 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -1281,6 +1281,11 @@ class Backend(object): + def _evp_pkey_from_der_traditional_key(self, bio_data, password): + key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL) + if key != self._ffi.NULL: ++ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will ++ # successfully load but errors are still put on the stack. Tracked ++ # as https://github.com/openssl/openssl/issues/14996 ++ self._consume_errors() ++ + key = self._ffi.gc(key, self._lib.EVP_PKEY_free) + if password is not None: + raise TypeError( +@@ -1448,6 +1453,11 @@ class Backend(object): + else: + self._handle_key_loading_error() + ++ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will ++ # successfully load but errors are still put on the stack. 
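Review bot: The added `self._consume_errors()` in `_evp_pkey_from_der_traditional_key` runs on every OpenSSL version, although its comment ties it to a 3.0.0-alpha15 bug, and it discards whatever is on the error queue without inspecting it. Gating it keeps older builds strict and makes the workaround easy to find and remove once the upstream issue is closed: `if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:` followed by `self._consume_errors()`. The same unconditional call is added in the `@@ -1448` hunk after `_handle_key_loading_error()`. Both enclosing methods continue outside their hunks.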
Tracked ++ # as https://github.com/openssl/openssl/issues/14996 ++ self._consume_errors() ++ + evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) + + if password is not None and userdata.called == 0: +@@ -1470,11 +1480,22 @@ class Backend(object): + "incorrect format or it may be encrypted with an unsupported " + "algorithm." + ) +- elif errors[0]._lib_reason_match( +- self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT +- ) or errors[0]._lib_reason_match( +- self._lib.ERR_LIB_PKCS12, +- self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, ++ ++ elif ( ++ errors[0]._lib_reason_match( ++ self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT ++ ) ++ or errors[0]._lib_reason_match( ++ self._lib.ERR_LIB_PKCS12, ++ self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, ++ ) ++ or ( ++ self._lib.Cryptography_HAS_PROVIDERS ++ and errors[0]._lib_reason_match( ++ self._lib.ERR_LIB_PROV, ++ self._lib.PROV_R_BAD_DECRYPT, ++ ) ++ ) + ): + raise ValueError("Bad decrypt. Incorrect password?") + +@@ -2520,7 +2541,16 @@ class Backend(object): + if sk_x509_ptr[0] != self._ffi.NULL: + sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free) + num = self._lib.sk_X509_num(sk_x509_ptr[0]) +- for i in range(num): ++ ++ # In OpenSSL < 3.0.0 PKCS12 parsing reverses the order of the ++ # certificates. 
++ indices: typing.Iterable[int] ++ if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: ++ indices = range(num) ++ else: ++ indices = reversed(range(num)) ++ ++ for i in indices: + x509 = self._lib.sk_X509_value(sk_x509, i) + self.openssl_assert(x509 != self._ffi.NULL) + x509 = self._ffi.gc(x509, self._lib.X509_free) +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 0f96795f..a2dd6894 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -145,7 +145,13 @@ class _CipherContext(object): + res = self._backend._lib.EVP_CipherUpdate( + self._ctx, outbuf, outlen, inbuf, inlen + ) +- self._backend.openssl_assert(res != 0) ++ if res == 0 and isinstance(self._mode, modes.XTS): ++ raise ValueError( ++ "In XTS mode you must supply at least a full block in the " ++ "first update call. For AES this is 16 bytes." ++ ) ++ else: ++ self._backend.openssl_assert(res != 0) + data_processed += inlen + total_out += outlen[0] + +@@ -174,6 +180,13 @@ class _CipherContext(object): + errors[0]._lib_reason_match( + self._backend._lib.ERR_LIB_EVP, + self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH, ++ ) ++ or ( ++ self._backend._lib.Cryptography_HAS_PROVIDERS ++ and errors[0]._lib_reason_match( ++ self._backend._lib.ERR_LIB_PROV, ++ self._backend._lib.PROV_R_WRONG_FINAL_BLOCK_LENGTH, ++ ) + ), + errors=errors, + ) +diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py +index 86548357..1f42c7be 100644 +--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py ++++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py +@@ -270,6 +270,16 @@ def cryptography_has_get_proto_version(): + ] + + ++def cryptography_has_providers(): ++ return [ ++ "OSSL_PROVIDER_load", ++ "OSSL_PROVIDER_unload", ++ "ERR_LIB_PROV", ++ "PROV_R_WRONG_FINAL_BLOCK_LENGTH", ++ 
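Review bot: The new XTS branch in `ciphers.py` raises `ValueError` when `EVP_CipherUpdate` returns 0 without draining the OpenSSL error queue, so whatever the failed call queued presumably stays there and can be reported against a later, unrelated operation. Call `self._backend._consume_errors()` on the line before the `raise ValueError(`. The branch also attributes every zero return in XTS mode to a short first block; if other failures can occur there the message will mislead, so checking `inlen` against the block size would be more precise. The enclosing method starts and ends outside the hunk.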
"PROV_R_BAD_DECRYPT", ++ ] ++ ++ + # This is a mapping of + # {condition: function-returning-names-dependent-on-that-condition} so we can + # loop over them and delete unsupported names at runtime. It will be removed +@@ -318,4 +328,5 @@ CONDITIONAL_NAMES = { + "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, + "Cryptography_HAS_SRTP": cryptography_has_srtp, + "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version, ++ "Cryptography_HAS_PROVIDERS": cryptography_has_providers, + } +diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py +index a2bc36a8..6dcec26a 100644 +--- a/src/cryptography/hazmat/bindings/openssl/binding.py ++++ b/src/cryptography/hazmat/bindings/openssl/binding.py +@@ -113,6 +113,8 @@ class Binding(object): + ffi = ffi + _lib_loaded = False + _init_lock = threading.Lock() ++ _legacy_provider: typing.Any = None ++ _default_provider: typing.Any = None + + def __init__(self): + self._ensure_ffi_initialized() +@@ -140,6 +142,24 @@ class Binding(object): + # adds all ciphers/digests for EVP + cls.lib.OpenSSL_add_all_algorithms() + cls._register_osrandom_engine() ++ # As of OpenSSL 3.0.0 we must register a legacy cipher provider ++ # to get RC2 (needed for junk asymmetric private key ++ # serialization), RC4, Blowfish, IDEA, SEED, etc. These things ++ # are ugly legacy, but we aren't going to get rid of them ++ # any time soon. 
++ if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: ++ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load( ++ cls.ffi.NULL, b"legacy" ++ ) ++ _openssl_assert( ++ cls.lib, cls._legacy_provider != cls.ffi.NULL ++ ) ++ cls._default_provider = cls.lib.OSSL_PROVIDER_load( ++ cls.ffi.NULL, b"default" ++ ) ++ _openssl_assert( ++ cls.lib, cls._default_provider != cls.ffi.NULL ++ ) + + @classmethod + def init_static_locks(cls): +diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py +index 0c96516f..0316b5d9 100644 +--- a/tests/hazmat/backends/test_openssl_memleak.py ++++ b/tests/hazmat/backends/test_openssl_memleak.py +@@ -82,7 +82,7 @@ def main(argv): + assert result == 1 + + # Trigger a bunch of initialization stuff. +- import cryptography.hazmat.backends.openssl ++ from cryptography.hazmat.backends.openssl.backend import backend + + start_heap = set(heap) + +@@ -91,6 +91,10 @@ def main(argv): + gc.collect() + gc.collect() + ++ if lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: ++ lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider) ++ lib.OSSL_PROVIDER_unload(backend._binding._default_provider) ++ + if lib.Cryptography_HAS_OPENSSL_CLEANUP: + lib.OPENSSL_cleanup() + +diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py +index fb9a1e36..4d1e3b55 100644 +--- a/tests/hazmat/bindings/test_openssl.py ++++ b/tests/hazmat/bindings/test_openssl.py +@@ -91,7 +91,9 @@ class TestOpenSSL(object): + _openssl_assert(b.lib, False) + + error = exc_info.value.err_code[0] +- assert error.code == 101183626 ++ # As of 3.0.0 OpenSSL sets func codes to 0, so the combined ++ # code is a different value ++ assert error.code in (101183626, 50331786) + assert error.lib == b.lib.ERR_LIB_EVP + assert error.func == b.lib.EVP_F_EVP_ENCRYPTFINAL_EX + assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH +diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py +index 
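Review bot: Loading the `legacy` provider into the default library context (`cls.ffi.NULL`) is unconditional and followed by `_openssl_assert`, so on OpenSSL 3.0 every process that initialises the binding gets RC2, RC4, Blowfish, IDEA and SEED enabled, and initialisation fails outright on a host where the legacy module is not installed or is disabled by policy. Making the load best-effort or opt-out would avoid both problems: when `OSSL_PROVIDER_load` returns `cls.ffi.NULL` for `b"legacy"`, leave `cls._legacy_provider` as `None` and continue with the default provider only. The comment should also say that the default context is process-wide, e.g. `# NOTE: loaded into the default library context, which other OpenSSL users in this process may share`. The enclosing classmethod starts outside the hunk.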
131807fc..bb29919f 100644 +--- a/tests/hazmat/primitives/test_dh.py ++++ b/tests/hazmat/primitives/test_dh.py +@@ -180,7 +180,23 @@ class TestDH(object): + params = dh.DHParameterNumbers(p, int(vector["g"])) + param = params.parameters(backend) + key = param.generate_private_key() +- assert key.private_numbers().public_numbers.parameter_numbers == params ++ # In OpenSSL 3.0.0 OpenSSL maps to known groups. This results in ++ # a scenario where loading a known group with p and g returns a ++ # re-serialized form that has q as well (the Sophie Germain prime of ++ # that group). This makes a naive comparison of the parameter numbers ++ # objects fail, so we have to be a bit smarter ++ serialized_params = ( ++ key.private_numbers().public_numbers.parameter_numbers ++ ) ++ if serialized_params.q is None: ++ # This is the path OpenSSL < 3.0 takes ++ assert serialized_params == params ++ else: ++ assert serialized_params.p == params.p ++ assert serialized_params.g == params.g ++ # p = 2q + 1 since it is a Sophie Germain prime, so we can compute ++ # what we expect OpenSSL to have done here. ++ assert serialized_params.q == (params.p - 1) // 2 + + @pytest.mark.skip_fips(reason="non-FIPS parameters") + @pytest.mark.parametrize( +@@ -382,6 +398,12 @@ class TestDH(object): + assert symkey1 != symkey2 + + @pytest.mark.skip_fips(reason="key_size too small for FIPS") ++ @pytest.mark.supported( ++ only_if=lambda backend: ( ++ not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ++ ), ++ skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+", ++ ) + def test_load_256bit_key_from_pkcs8(self, backend): + data = load_vectors_from_file( + os.path.join("asymmetric", "DH", "dh_key_256.pem"), +-- +2.31.1 + diff --git a/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch b/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch new file mode 100644 index 0000000..078950e --- /dev/null +++ b/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch 
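Review bot: The comment `p = 2q + 1 since it is a Sophie Germain prime` in the first `test_dh.py` hunk names the wrong number: q is the Sophie Germain prime and p is the corresponding safe prime. Suggested wording: `# p is a safe prime (p = 2q + 1, q the Sophie Germain prime), so we can compute the q we expect OpenSSL to have filled in.` The `else` branch also assumes that every vector returned with a q belongs to a safe-prime group; the comment above states that OpenSSL fills q for known groups only, but the test does not check it. The enclosing test method starts outside the hunk.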
@@ -0,0 +1,151 @@ +From 29cf9b8d63ef3437ba11aa29502af8773faa17a7 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Wed, 14 Apr 2021 13:15:57 -0500 +Subject: [PATCH 3/4] switch to using EVP_PKEY_derive instead of DH_compute_key + in DH (#5972) + +* switch to using EVP_PKEY_derive instead of DH_compute_key in DH + +Where checks are occurring is changing in OpenSSL 3.0 and this makes it +easier to be consistent (and is the API we should be using anyway). The +tests change because EVP_PKEY_derive now verifies that we have shared +parameters, which the test previously only verified by asserting that +the derived keys didn't match + +* review feedback + +* type ignores required for typeerror tests. some day i will remember this +--- + src/_cffi_src/openssl/dh.py | 1 - + .../hazmat/backends/openssl/dh.py | 57 ++++++++++++------- + tests/hazmat/primitives/test_dh.py | 19 ++++--- + 3 files changed, 45 insertions(+), 32 deletions(-) + +diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py +index 979dafa9..50989e45 100644 +--- a/src/_cffi_src/openssl/dh.py ++++ b/src/_cffi_src/openssl/dh.py +@@ -18,7 +18,6 @@ DH *DH_new(void); + void DH_free(DH *); + int DH_size(const DH *); + int DH_generate_key(DH *); +-int DH_compute_key(unsigned char *, const BIGNUM *, DH *); + DH *DHparams_dup(DH *); + + /* added in 1.1.0 when the DH struct was opaqued */ +diff --git a/src/cryptography/hazmat/backends/openssl/dh.py b/src/cryptography/hazmat/backends/openssl/dh.py +index 65ddaeec..b928f024 100644 +--- a/src/cryptography/hazmat/backends/openssl/dh.py ++++ b/src/cryptography/hazmat/backends/openssl/dh.py +@@ -127,35 +127,48 @@ class _DHPrivateKey(dh.DHPrivateKey): + ) + + def exchange(self, peer_public_key: dh.DHPublicKey) -> bytes: +- buf = self._backend._ffi.new("unsigned char[]", self._key_size_bytes) +- pub_key = self._backend._ffi.new("BIGNUM **") +- self._backend._lib.DH_get0_key( +- peer_public_key._dh_cdata, # type: ignore[attr-defined] +- pub_key, +- 
self._backend._ffi.NULL, ++ if not isinstance(peer_public_key, _DHPublicKey): ++ raise TypeError("peer_public_key must be a DHPublicKey") ++ ++ ctx = self._backend._lib.EVP_PKEY_CTX_new( ++ self._evp_pkey, self._backend._ffi.NULL + ) +- self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) +- res = self._backend._lib.DH_compute_key( +- buf, pub_key[0], self._dh_cdata ++ self._backend.openssl_assert(ctx != self._backend._ffi.NULL) ++ ctx = self._backend._ffi.gc(ctx, self._backend._lib.EVP_PKEY_CTX_free) ++ res = self._backend._lib.EVP_PKEY_derive_init(ctx) ++ self._backend.openssl_assert(res == 1) ++ res = self._backend._lib.EVP_PKEY_derive_set_peer( ++ ctx, peer_public_key._evp_pkey ++ ) ++ # Invalid kex errors here in OpenSSL 3.0 because checks were moved ++ # to EVP_PKEY_derive_set_peer ++ self._exchange_assert(res == 1) ++ keylen = self._backend._ffi.new("size_t *") ++ res = self._backend._lib.EVP_PKEY_derive( ++ ctx, self._backend._ffi.NULL, keylen + ) ++ # Invalid kex errors here in OpenSSL < 3 ++ self._exchange_assert(res == 1) ++ self._backend.openssl_assert(keylen[0] > 0) ++ buf = self._backend._ffi.new("unsigned char[]", keylen[0]) ++ res = self._backend._lib.EVP_PKEY_derive(ctx, buf, keylen) ++ self._backend.openssl_assert(res == 1) + +- if res == -1: ++ key = self._backend._ffi.buffer(buf, keylen[0])[:] ++ pad = self._key_size_bytes - len(key) ++ ++ if pad > 0: ++ key = (b"\x00" * pad) + key ++ ++ return key ++ ++ def _exchange_assert(self, ok): ++ if not ok: + errors_with_text = self._backend._consume_errors_with_text() + raise ValueError( +- "Error computing shared key. 
Public key is likely invalid " +- "for this exchange.", ++ "Error computing shared key.", + errors_with_text, + ) +- else: +- self._backend.openssl_assert(res >= 1) +- +- key = self._backend._ffi.buffer(buf)[:res] +- pad = self._key_size_bytes - len(key) +- +- if pad > 0: +- key = (b"\x00" * pad) + key +- +- return key + + def public_key(self) -> dh.DHPublicKey: + dh_cdata = _dh_params_dup(self._dh_cdata, self._backend) +diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py +index bb29919f..2914f7e7 100644 +--- a/tests/hazmat/primitives/test_dh.py ++++ b/tests/hazmat/primitives/test_dh.py +@@ -296,6 +296,12 @@ class TestDH(object): + assert isinstance(key.private_numbers(), dh.DHPrivateNumbers) + assert isinstance(key.parameters(), dh.DHParameters) + ++ def test_exchange_wrong_type(self, backend): ++ parameters = FFDH3072_P.parameters(backend) ++ key1 = parameters.generate_private_key() ++ with pytest.raises(TypeError): ++ key1.exchange(b"invalidtype") # type: ignore[arg-type] ++ + def test_exchange(self, backend): + parameters = FFDH3072_P.parameters(backend) + assert isinstance(parameters, dh.DHParameters) +@@ -386,16 +392,11 @@ class TestDH(object): + key2 = private2.private_key(backend) + pub_key2 = key2.public_key() + +- if pub_key2.public_numbers().y >= parameters1.p: +- with pytest.raises(ValueError): +- key1.exchange(pub_key2) +- else: +- symkey1 = key1.exchange(pub_key2) +- assert symkey1 +- +- symkey2 = key2.exchange(pub_key1) ++ with pytest.raises(ValueError): ++ key1.exchange(pub_key2) + +- assert symkey1 != symkey2 ++ with pytest.raises(ValueError): ++ key2.exchange(pub_key1) + + @pytest.mark.skip_fips(reason="key_size too small for FIPS") + @pytest.mark.supported( +-- +2.31.1 + diff --git a/0004-Use-well-defined-enum-representation.patch b/0004-Use-well-defined-enum-representation.patch new file mode 100644 index 0000000..c006543 --- /dev/null +++ b/0004-Use-well-defined-enum-representation.patch 
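Review bot: `exchange` calls `EVP_PKEY_derive` without requesting a padded result, so as far as I can tell leading zero bytes of the shared secret are stripped by the library and restored by the `if pad > 0:` branch, which leaves the length of `key` and that branch dependent on the secret value. If the binding exposes it, `EVP_PKEY_CTX_set_dh_pad(ctx, 1)` after `EVP_PKEY_derive_init` returns a fixed-length secret and turns the Python re-padding into a no-op. Separately, `_exchange_assert` drops the old hint that the peer key is likely invalid; a short docstring on `exchange` stating that `ValueError` covers both mismatched parameters and an invalid peer key would keep that information for callers.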
@@ -0,0 +1,366 @@ +From 0a164d2c985b4655929591b191824ed361890b8d Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Mon, 10 May 2021 13:27:54 +0200 +Subject: [PATCH 4/4] Use well-defined enum representation + +Python 3.10 changed enum's object and string representation. PyCA +cryptography now uses a custom subclass of enum.Enum() will well-defined +__repr__ and __str__ from Python 3.9. + +Related: https://bugs.python.org/issue40066 +Fixes: https://github.com/pyca/cryptography/issues/5995 +Signed-off-by: Christian Heimes +--- + .github/workflows/ci.yml | 13 +++++++------ + src/cryptography/exceptions.py | 4 ++-- + .../hazmat/primitives/_serialization.py | 11 ++++++----- + src/cryptography/hazmat/primitives/kdf/kbkdf.py | 5 ++--- + .../hazmat/primitives/serialization/pkcs7.py | 4 ++-- + src/cryptography/utils.py | 11 +++++++++++ + src/cryptography/x509/base.py | 4 ++-- + src/cryptography/x509/certificate_transparency.py | 7 ++++--- + src/cryptography/x509/extensions.py | 5 ++--- + src/cryptography/x509/name.py | 3 +-- + src/cryptography/x509/ocsp.py | 8 ++++---- + tests/test_cryptography_utils.py | 11 +++++++++++ + 12 files changed, 54 insertions(+), 32 deletions(-) + +diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml +index 747f84c1..ca298f96 100644 +--- a/.github/workflows/ci.yml ++++ b/.github/workflows/ci.yml +@@ -18,15 +18,16 @@ jobs: + - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"} + - {VERSION: "pypy3", TOXENV: "pypy3"} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} +- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} +- - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} +- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} +- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}} ++ - {VERSION: "3.9", TOXENV: 
"py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}} ++ - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha16"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.2.3"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.3.1"}} ++ - {VERSION: "3.10-dev", TOXENV: "py310"} + RUST: + - stable + name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}" +@@ -108,8 +109,8 @@ jobs: + - {IMAGE: "sid", TOXENV: "py39"} + - {IMAGE: "ubuntu-bionic", TOXENV: "py36"} + - {IMAGE: "ubuntu-focal", TOXENV: "py38"} +- - {IMAGE: "ubuntu-rolling", TOXENV: "py38"} +- - {IMAGE: "ubuntu-rolling", TOXENV: "py38-randomorder"} ++ - {IMAGE: "ubuntu-rolling", TOXENV: "py39"} ++ - {IMAGE: "ubuntu-rolling", TOXENV: "py39-randomorder"} + - {IMAGE: "fedora", TOXENV: "py39"} + - {IMAGE: "alpine", TOXENV: "py38"} + name: "${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}" +diff --git a/src/cryptography/exceptions.py b/src/cryptography/exceptions.py +index f5860590..3bd98d82 100644 +--- a/src/cryptography/exceptions.py ++++ b/src/cryptography/exceptions.py +@@ -3,10 +3,10 @@ + # for complete details. 
+ + +-from enum import Enum ++from cryptography import utils + + +-class _Reasons(Enum): ++class _Reasons(utils.Enum): + BACKEND_MISSING_INTERFACE = 0 + UNSUPPORTED_HASH = 1 + UNSUPPORTED_CIPHER = 2 +diff --git a/src/cryptography/hazmat/primitives/_serialization.py b/src/cryptography/hazmat/primitives/_serialization.py +index 96a5ed9b..160a6b89 100644 +--- a/src/cryptography/hazmat/primitives/_serialization.py ++++ b/src/cryptography/hazmat/primitives/_serialization.py +@@ -3,13 +3,14 @@ + # for complete details. + + import abc +-from enum import Enum ++ ++from cryptography import utils + + # This exists to break an import cycle. These classes are normally accessible + # from the serialization module. + + +-class Encoding(Enum): ++class Encoding(utils.Enum): + PEM = "PEM" + DER = "DER" + OpenSSH = "OpenSSH" +@@ -18,14 +19,14 @@ class Encoding(Enum): + SMIME = "S/MIME" + + +-class PrivateFormat(Enum): ++class PrivateFormat(utils.Enum): + PKCS8 = "PKCS8" + TraditionalOpenSSL = "TraditionalOpenSSL" + Raw = "Raw" + OpenSSH = "OpenSSH" + + +-class PublicFormat(Enum): ++class PublicFormat(utils.Enum): + SubjectPublicKeyInfo = "X.509 subjectPublicKeyInfo with PKCS#1" + PKCS1 = "Raw PKCS#1" + OpenSSH = "OpenSSH" +@@ -34,7 +35,7 @@ class PublicFormat(Enum): + UncompressedPoint = "X9.62 Uncompressed Point" + + +-class ParameterFormat(Enum): ++class ParameterFormat(utils.Enum): + PKCS3 = "PKCS3" + + +diff --git a/src/cryptography/hazmat/primitives/kdf/kbkdf.py b/src/cryptography/hazmat/primitives/kdf/kbkdf.py +index ac36474f..75fe7d51 100644 +--- a/src/cryptography/hazmat/primitives/kdf/kbkdf.py ++++ b/src/cryptography/hazmat/primitives/kdf/kbkdf.py +@@ -4,7 +4,6 @@ + + + import typing +-from enum import Enum + + from cryptography import utils + from cryptography.exceptions import ( +@@ -19,11 +18,11 @@ from cryptography.hazmat.primitives import constant_time, hashes, hmac + from cryptography.hazmat.primitives.kdf import KeyDerivationFunction + + +-class Mode(Enum): ++class 
Mode(utils.Enum): + CounterMode = "ctr" + + +-class CounterLocation(Enum): ++class CounterLocation(utils.Enum): + BeforeFixed = "before_fixed" + AfterFixed = "after_fixed" + +diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py +index bcd9e330..57aac7e3 100644 +--- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py ++++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py +@@ -3,8 +3,8 @@ + # for complete details. + + import typing +-from enum import Enum + ++from cryptography import utils + from cryptography import x509 + from cryptography.hazmat.backends import _get_backend + from cryptography.hazmat.primitives import hashes, serialization +@@ -35,7 +35,7 @@ _ALLOWED_PRIVATE_KEY_TYPES = typing.Union[ + ] + + +-class PKCS7Options(Enum): ++class PKCS7Options(utils.Enum): + Text = "Add text/plain MIME type" + Binary = "Don't translate input data into canonical MIME format" + DetachedSignature = "Don't embed data in the PKCS7 structure" +diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py +index ef0fc443..9e571cfd 100644 +--- a/src/cryptography/utils.py ++++ b/src/cryptography/utils.py +@@ -4,6 +4,7 @@ + + + import abc ++import enum + import inspect + import sys + import typing +@@ -162,3 +163,13 @@ int_from_bytes = deprecated( + "int_from_bytes is deprecated, use int.from_bytes instead", + DeprecatedIn34, + ) ++ ++ ++# Python 3.10 changed representation of enums. We use well-defined object ++# representation and string representation from Python 3.9. 
++class Enum(enum.Enum): ++ def __repr__(self): ++ return f"<{self.__class__.__name__}.{self._name_}: {self._value_!r}>" ++ ++ def __str__(self): ++ return f"{self.__class__.__name__}.{self._name_}" +diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py +index 5505fa3b..26ec43d5 100644 +--- a/src/cryptography/x509/base.py ++++ b/src/cryptography/x509/base.py +@@ -7,8 +7,8 @@ import abc + import datetime + import os + import typing +-from enum import Enum + ++from cryptography import utils + from cryptography.hazmat._types import _PRIVATE_KEY_TYPES, _PUBLIC_KEY_TYPES + from cryptography.hazmat.backends import _get_backend + from cryptography.hazmat.primitives import hashes, serialization +@@ -66,7 +66,7 @@ def _convert_to_naive_utc_time(time: datetime.datetime) -> datetime.datetime: + return time + + +-class Version(Enum): ++class Version(utils.Enum): + v1 = 0 + v3 = 2 + +diff --git a/src/cryptography/x509/certificate_transparency.py b/src/cryptography/x509/certificate_transparency.py +index d51bee92..d80f051a 100644 +--- a/src/cryptography/x509/certificate_transparency.py ++++ b/src/cryptography/x509/certificate_transparency.py +@@ -5,15 +5,16 @@ + + import abc + import datetime +-from enum import Enum + ++from cryptography import utils + +-class LogEntryType(Enum): ++ ++class LogEntryType(utils.Enum): + X509_CERTIFICATE = 0 + PRE_CERTIFICATE = 1 + + +-class Version(Enum): ++class Version(utils.Enum): + v1 = 0 + + +diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py +index 6cae016a..742f1fa2 100644 +--- a/src/cryptography/x509/extensions.py ++++ b/src/cryptography/x509/extensions.py +@@ -8,7 +8,6 @@ import datetime + import hashlib + import ipaddress + import typing +-from enum import Enum + + from cryptography import utils + from cryptography.hazmat._der import ( +@@ -634,7 +633,7 @@ class DistributionPoint(object): + crl_issuer = utils.read_only_property("_crl_issuer") + + +-class ReasonFlags(Enum): ++class 
ReasonFlags(utils.Enum): + unspecified = "unspecified" + key_compromise = "keyCompromise" + ca_compromise = "cACompromise" +@@ -978,7 +977,7 @@ class TLSFeature(ExtensionType): + return hash(tuple(self._features)) + + +-class TLSFeatureType(Enum): ++class TLSFeatureType(utils.Enum): + # status_request is defined in RFC 6066 and is used for what is commonly + # called OCSP Must-Staple when present in the TLS Feature extension in an + # X.509 certificate. +diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py +index a579aa21..9069a9f4 100644 +--- a/src/cryptography/x509/name.py ++++ b/src/cryptography/x509/name.py +@@ -3,14 +3,13 @@ + # for complete details. + + import typing +-from enum import Enum + + from cryptography import utils + from cryptography.hazmat.backends import _get_backend + from cryptography.x509.oid import NameOID, ObjectIdentifier + + +-class _ASN1Type(Enum): ++class _ASN1Type(utils.Enum): + UTF8String = 12 + NumericString = 18 + PrintableString = 19 +diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py +index 1c5de73e..bcf210c1 100644 +--- a/src/cryptography/x509/ocsp.py ++++ b/src/cryptography/x509/ocsp.py +@@ -6,8 +6,8 @@ + import abc + import datetime + import typing +-from enum import Enum + ++from cryptography import utils + from cryptography import x509 + from cryptography.hazmat.primitives import hashes, serialization + from cryptography.x509.base import ( +@@ -27,12 +27,12 @@ _OIDS_TO_HASH = { + } + + +-class OCSPResponderEncoding(Enum): ++class OCSPResponderEncoding(utils.Enum): + HASH = "By Hash" + NAME = "By Name" + + +-class OCSPResponseStatus(Enum): ++class OCSPResponseStatus(utils.Enum): + SUCCESSFUL = 0 + MALFORMED_REQUEST = 1 + INTERNAL_ERROR = 2 +@@ -58,7 +58,7 @@ def _verify_algorithm(algorithm): + ) + + +-class OCSPCertStatus(Enum): ++class OCSPCertStatus(utils.Enum): + GOOD = 0 + REVOKED = 1 + UNKNOWN = 2 +diff --git a/tests/test_cryptography_utils.py b/tests/test_cryptography_utils.py 
+index 6b795e0c..803997ac 100644 +--- a/tests/test_cryptography_utils.py ++++ b/tests/test_cryptography_utils.py +@@ -2,6 +2,7 @@ + # 2.0, and the BSD License. See the LICENSE file in the root of this repository + # for complete details. + ++import enum + import typing + + import pytest +@@ -51,3 +52,13 @@ class TestCachedProperty(object): + assert len(accesses) == 1 + assert t.t == 14 + assert len(accesses) == 1 ++ ++ ++def test_enum(): ++ class TestEnum(utils.Enum): ++ value = "something" ++ ++ assert issubclass(TestEnum, enum.Enum) ++ assert isinstance(TestEnum.value, enum.Enum) ++ assert repr(TestEnum.value) == "" ++ assert str(TestEnum.value) == "TestEnum.value" +-- +2.31.1 + diff --git a/python-cryptography.spec b/python-cryptography.spec index f107e9b..8799805 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -18,6 +18,10 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py %endif +Patch0001: 0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch +Patch0002: 0002-WIP-3.0.0-support-5250.patch +Patch0003: 0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch +Patch0004: 0004-Use-well-defined-enum-representation.patch ExclusiveArch: %{rust_arches} @@ -117,6 +121,11 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue May 11 2021 Christian Heimes - 3.4.7-2 +- Fix compatibility issue with Python 3.10. Enums now use same + representation as on Python 3.9. (#1952522) +- Backport OpenSSL 3.0.0 compatibility patches. + * Wed Apr 21 2021 Christian Heimes - 3.4.7-1 - Update to 3.4.7 - Remove dependency on python-cryptography-vectors package and use vectors 
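Review bot: The four `Patch0001:`–`Patch0004:` lines added after `%endif` in python-cryptography.spec carry no comment saying which upstream change each backport comes from or when it can be dropped. That matters for a crypto library: `0002-WIP-3.0.0-support-5250.patch` is still titled WIP, and the copy of it visible further down this page refers to OpenSSL 3.0.0-alpha15 behaviour, so it probably needs re-checking once the package is built against a final 3.0.0. I would add one line above the block, for example `# Backports from upstream (#5879, #5250, #5972, fix for #5995); drop on the next rebase`. How the patches are applied is outside this hunk, so confirm that `%prep` really applies all four.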
From bcc2ec8af9fee01035ca14968029d5c23fa1713d Mon Sep 17 00:00:00 2001 From: Python Maint Date: Thu, 3 Jun 2021 01:05:02 +0200 Subject: [PATCH 25/90] Rebuilt for Python 3.10 --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 8799805..23fe6d7 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -121,6 +121,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Jun 02 2021 Python Maint - 3.4.7-3 +- Rebuilt for Python 3.10 + * Tue May 11 2021 Christian Heimes - 3.4.7-2 - Fix compatibility issue with Python 3.10. Enums now use same representation as on Python 3.9. (#1952522) From fe349e0ac6bfbc6e3104f3eab38b037e360c20ac Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 10 Jun 2021 14:27:29 -0400 Subject: [PATCH 26/90] Don't conditionalize Source: directives This makes the specfile compatible with Fedora ELN, RHEL and similar Fedora derivatives. Signed-off-by: Stephen Gallagher --- .gitignore | 1 + python-cryptography.spec | 7 ++++--- sources | 1 + 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index cf9ac7e..cfa6910 100644 --- a/.gitignore +++ b/.gitignore @@ -38,3 +38,4 @@ /cryptography-3.4.6.tar.gz /cryptography-3.4.6.tar.gz.asc /cryptography-3.4.7.tar.gz +/cryptography-3.4.7-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 23fe6d7..1239266 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -7,17 +7,15 @@ Name: python-%{srcname} Version: 3.4.7 -Release: 3%{?dist} +Release: 4%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz -%if 0%{?rhel} # created by ./vendor_rust.py helper script Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -%endif Patch0001: 0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch Patch0002: 0002-WIP-3.0.0-support-5250.patch Patch0003: 0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch @@ -121,6 +119,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Jun 10 2021 Stephen Gallagher - 3.4.7-4 +- Don't conditionalize Source: directives + * Wed Jun 02 2021 Python Maint - 3.4.7-3 - Rebuilt for Python 3.10 diff --git a/sources b/sources index a6bf867..6d1fe84 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ SHA512 (cryptography-3.4.7.tar.gz) = e76d0949fbaca06d2f72805bdce8ea85056ae45b978f51d70d1367bbfb1067e9db76a9f080f890e95ec52c788a3d2fd3ba0a286901f97ee2911ebd7a7a8f71a9 +SHA512 (cryptography-3.4.7-vendor.tar.bz2) = 67060536b5d48e0497290fb3307329d57e9ac56cb9ee13c2fb1b2f93d059872d411d9dbff3f00bece23a8593d667799de86630b3748337b204f8776ef3f0a387 From ade913d1ad7fdd4da2f361d8e4ca5bf185200530 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 23 Jul 2021 05:54:42 +0000 Subject: [PATCH 27/90] - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 1239266..ee239ed 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
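Review bot: With the `%if 0%{?rhel}` guard removed, `Source1: cryptography-%{version}-vendor.tar.bz2` is now part of every source package, yet its only provenance is the comment `# created by ./vendor_rust.py helper script` and the SHA512 this commit adds to `sources`. Unlike `Source0` it has no URL, so the checksum pins whatever one packager's run of the script produced rather than something a second person can fetch and compare. I would expand the comment to say what the tarball holds and how to regenerate it, for example `# Vendored Rust crates (no upstream URL); regenerate with ./vendor_rust.py and record the result in sources`. Whether `%prep` still limits use of the vendored crates to RHEL-like targets is not visible in this hunk, so that is worth stating in the comment as well.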
@@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.7 -Release: 4%{?dist} +Release: 5%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -119,6 +119,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jul 23 2021 Fedora Release Engineering - 3.4.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + * Thu Jun 10 2021 Stephen Gallagher - 3.4.7-4 - Don't conditionalize Source: directives From 33bbaec862f1ffa590848308ad5f1da097559732 Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Tue, 14 Sep 2021 19:12:30 +0200 Subject: [PATCH 28/90] Rebuilt with OpenSSL 3.0.0 --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index ee239ed..e997636 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 3.4.7 -Release: 5%{?dist} +Release: 6%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -119,6 +119,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Sep 14 2021 Sahana Prasad - 3.4.7-6 +- Rebuilt with OpenSSL 3.0.0 + * Fri Jul 23 2021 Fedora Release Engineering - 3.4.7-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild From 6fb44d50f24f58653774e41fa2c0561782d27060 Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Thu, 30 Sep 2021 08:19:15 +0200 Subject: [PATCH 29/90] Update to 35.0.0 (#2009117) --- .gitignore | 2 + ...cs12-parse-ordering.-fixes-5872-5879.patch | 130 ------ 0002-WIP-3.0.0-support-5250.patch | 415 ------------------ ...EVP_PKEY_derive-instead-of-DH_comput.patch | 151 ------- ...Use-well-defined-enum-representation.patch | 366 --------------- python-cryptography.spec | 11 +- sources | 4 +- 7 files changed, 9 insertions(+), 1070 deletions(-) delete mode 100644 0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch delete mode 100644 0002-WIP-3.0.0-support-5250.patch delete mode 100644 0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch delete mode 100644 0004-Use-well-defined-enum-representation.patch diff --git a/.gitignore b/.gitignore index cfa6910..e2d569a 100644 --- a/.gitignore +++ b/.gitignore @@ -39,3 +39,5 @@ /cryptography-3.4.6.tar.gz.asc /cryptography-3.4.7.tar.gz /cryptography-3.4.7-vendor.tar.bz2 +/cryptography-35.0.0.tar.gz +/cryptography-35.0.0-vendor.tar.bz2 diff --git a/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch b/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch deleted file mode 100644 index e73331a..0000000 --- a/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch +++ /dev/null 
@@ -1,130 +0,0 @@ -From cb1908043d5daa7c5c38945c048c4a2477a46221 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Sun, 28 Feb 2021 16:06:11 -0600 -Subject: [PATCH 1/4] fix pkcs12 parse ordering. fixes #5872 (#5879) - -* fix pkcs12 parse ordering. fixes #5872 - -* remove an unneeded print - -* simplify the test a bit more - -* index - -* black - -* Update tests/hazmat/primitives/test_pkcs12.py - -Co-authored-by: Alex Gaynor - -Co-authored-by: Alex Gaynor ---- - .../hazmat/backends/openssl/backend.py | 5 +- - tests/hazmat/primitives/test_pkcs12.py | 58 ++++++++++++++++++- - 2 files changed, 59 insertions(+), 4 deletions(-) - -diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py -index 271873d9..a96d08d8 100644 ---- a/src/cryptography/hazmat/backends/openssl/backend.py -+++ b/src/cryptography/hazmat/backends/openssl/backend.py -@@ -6,6 +6,7 @@ - import collections - import contextlib - import itertools -+import typing - import warnings - from contextlib import contextmanager - -@@ -2562,9 +2563,7 @@ class Backend(object): - sk_x509 = self._lib.sk_X509_new_null() - sk_x509 = self._ffi.gc(sk_x509, self._lib.sk_X509_free) - -- # reverse the list when building the stack so that they're encoded -- # in the order they were originally provided. 
it is a mystery -- for ca in reversed(cas): -+ for ca in cas: - res = self._lib.sk_X509_push(sk_x509, ca._x509) - backend.openssl_assert(res >= 1) - -diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py -index b5de09f9..b1759a1b 100644 ---- a/tests/hazmat/primitives/test_pkcs12.py -+++ b/tests/hazmat/primitives/test_pkcs12.py -@@ -4,13 +4,15 @@ - - - import os -+from datetime import datetime - - import pytest - - from cryptography import x509 - from cryptography.hazmat.backends.interfaces import DERSerializationBackend - from cryptography.hazmat.backends.openssl.backend import _RC2 --from cryptography.hazmat.primitives import serialization -+from cryptography.hazmat.primitives import hashes, serialization -+from cryptography.hazmat.primitives.asymmetric import ec - from cryptography.hazmat.primitives.serialization import load_pem_private_key - from cryptography.hazmat.primitives.serialization.pkcs12 import ( - load_key_and_certificates, -@@ -273,3 +275,57 @@ class TestPKCS12Creation(object): - DummyKeySerializationEncryption(), - ) - assert str(exc.value) == "Unsupported key encryption type" -+ -+ -+def test_pkcs12_ordering(): -+ """ -+ In OpenSSL < 3.0.0 PKCS12 parsing reverses the order. However, we -+ accidentally thought it was **encoding** that did it, leading to bug -+ https://github.com/pyca/cryptography/issues/5872 -+ This test ensures our ordering is correct going forward. -+ """ -+ -+ def make_cert(name): -+ key = ec.generate_private_key(ec.SECP256R1()) -+ subject = x509.Name( -+ [ -+ x509.NameAttribute(x509.NameOID.COMMON_NAME, name), -+ ] -+ ) -+ now = datetime.utcnow() -+ cert = ( -+ x509.CertificateBuilder() -+ .subject_name(subject) -+ .issuer_name(subject) -+ .public_key(key.public_key()) -+ .serial_number(x509.random_serial_number()) -+ .not_valid_before(now) -+ .not_valid_after(now) -+ .sign(key, hashes.SHA256()) -+ ) -+ return (key, cert) -+ -+ # Make some certificates with distinct names. 
-+ a_name = "A" * 20 -+ b_name = "B" * 20 -+ c_name = "C" * 20 -+ a_key, a_cert = make_cert(a_name) -+ _, b_cert = make_cert(b_name) -+ _, c_cert = make_cert(c_name) -+ -+ # Bundle them in a PKCS#12 file in order A, B, C. -+ p12 = serialize_key_and_certificates( -+ b"p12", a_key, a_cert, [b_cert, c_cert], serialization.NoEncryption() -+ ) -+ -+ # Parse them out. The API should report them in the same order. -+ (key, cert, certs) = load_key_and_certificates(p12, None) -+ assert cert == a_cert -+ assert certs == [b_cert, c_cert] -+ -+ # The ordering in the PKCS#12 file itself should also match. -+ a_idx = p12.index(a_name.encode("utf-8")) -+ b_idx = p12.index(b_name.encode("utf-8")) -+ c_idx = p12.index(c_name.encode("utf-8")) -+ -+ assert a_idx < b_idx < c_idx --- -2.31.1 - diff --git a/0002-WIP-3.0.0-support-5250.patch b/0002-WIP-3.0.0-support-5250.patch deleted file mode 100644 index c99eea8..0000000 --- a/0002-WIP-3.0.0-support-5250.patch +++ /dev/null 
@@ -1,415 +0,0 @@ -From a0bece343e38d73d038d4f3a62c2a9638608ac9c Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Thu, 22 Apr 2021 19:16:38 -0500 -Subject: [PATCH 2/4] [WIP] 3.0.0 support (#5250) - -* 3.0.0 support - -* almost...there... - -* make mypy happy ---- - .github/workflows/ci.yml | 7 ++-- - src/_cffi_src/build_openssl.py | 1 + - src/_cffi_src/openssl/cryptography.py | 3 ++ - src/_cffi_src/openssl/err.py | 6 +++ - src/_cffi_src/openssl/fips.py | 2 +- - src/_cffi_src/openssl/provider.py | 40 ++++++++++++++++++ - .../hazmat/backends/openssl/backend.py | 42 ++++++++++++++++--- - .../hazmat/backends/openssl/ciphers.py | 15 ++++++- - .../hazmat/bindings/openssl/_conditional.py | 11 +++++ - .../hazmat/bindings/openssl/binding.py | 20 +++++++++ - tests/hazmat/backends/test_openssl_memleak.py | 6 ++- - tests/hazmat/bindings/test_openssl.py | 4 +- - tests/hazmat/primitives/test_dh.py | 24 ++++++++++- - 13 files changed, 167 insertions(+), 14 deletions(-) - create mode 100644 src/_cffi_src/openssl/provider.py - -diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml -index cd967a3a..747f84c1 100644 ---- a/.github/workflows/ci.yml -+++ b/.github/workflows/ci.yml -@@ -18,9 +18,10 @@ jobs: - - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"} - - {VERSION: "pypy3", TOXENV: "pypy3"} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}} -- - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} -+ - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine 
no-rc2 no-srtp no-ct"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}} -diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py -index 08499d66..557296ed 100644 ---- a/src/_cffi_src/build_openssl.py -+++ b/src/_cffi_src/build_openssl.py -@@ -104,6 +104,7 @@ ffi = build_ffi_for_binding( - "osrandom_engine", - "pem", - "pkcs12", -+ "provider", - "rand", - "rsa", - "ssl", -diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py -index e2b5a132..06d1e778 100644 ---- a/src/_cffi_src/openssl/cryptography.py -+++ b/src/_cffi_src/openssl/cryptography.py -@@ -34,6 +34,8 @@ INCLUDES = """ - - #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) -+#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ -+ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) - - #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ - (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL) -@@ -53,6 +55,7 @@ INCLUDES = """ - - TYPES = """ - static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; -+static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; - - static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111; - static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B; -diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py -index 0634b656..8cfeaf5b 100644 ---- a/src/_cffi_src/openssl/err.py -+++ b/src/_cffi_src/openssl/err.py -@@ -18,6 +18,7 @@ static const int EVP_R_UNKNOWN_PBE_ALGORITHM; - - static const int ERR_LIB_EVP; - static const int ERR_LIB_PEM; -+static const int ERR_LIB_PROV; - static const int ERR_LIB_ASN1; - static const int ERR_LIB_PKCS12; - -@@ -45,4 
+46,9 @@ int ERR_GET_REASON(unsigned long); - """ - - CUSTOMIZATIONS = """ -+/* This define is tied to provider support and is conditionally -+ removed if Cryptography_HAS_PROVIDERS is false */ -+#ifndef ERR_LIB_PROV -+#define ERR_LIB_PROV 0 -+#endif - """ -diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py -index b9d0d64d..23c10af9 100644 ---- a/src/_cffi_src/openssl/fips.py -+++ b/src/_cffi_src/openssl/fips.py -@@ -17,7 +17,7 @@ int FIPS_mode(void); - """ - - CUSTOMIZATIONS = """ --#if CRYPTOGRAPHY_IS_LIBRESSL -+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - static const long Cryptography_HAS_FIPS = 0; - int (*FIPS_mode_set)(int) = NULL; - int (*FIPS_mode)(void) = NULL; -diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py -new file mode 100644 -index 00000000..d7d659ea ---- /dev/null -+++ b/src/_cffi_src/openssl/provider.py -@@ -0,0 +1,40 @@ -+# This file is dual licensed under the terms of the Apache License, Version -+# 2.0, and the BSD License. See the LICENSE file in the root of this repository -+# for complete details. -+ -+ -+INCLUDES = """ -+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -+#include -+#include -+#endif -+""" -+ -+TYPES = """ -+static const long Cryptography_HAS_PROVIDERS; -+ -+typedef ... OSSL_PROVIDER; -+typedef ... 
OSSL_LIB_CTX; -+ -+static const long PROV_R_BAD_DECRYPT; -+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH; -+""" -+ -+FUNCTIONS = """ -+OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *); -+int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); -+""" -+ -+CUSTOMIZATIONS = """ -+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -+static const long Cryptography_HAS_PROVIDERS = 1; -+#else -+static const long Cryptography_HAS_PROVIDERS = 0; -+typedef void OSSL_PROVIDER; -+typedef void OSSL_LIB_CTX; -+static const long PROV_R_BAD_DECRYPT = 0; -+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH = 0; -+OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; -+int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; -+#endif -+""" -diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py -index a96d08d8..86e8f0a8 100644 ---- a/src/cryptography/hazmat/backends/openssl/backend.py -+++ b/src/cryptography/hazmat/backends/openssl/backend.py -@@ -1281,6 +1281,11 @@ class Backend(object): - def _evp_pkey_from_der_traditional_key(self, bio_data, password): - key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL) - if key != self._ffi.NULL: -+ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will -+ # successfully load but errors are still put on the stack. Tracked -+ # as https://github.com/openssl/openssl/issues/14996 -+ self._consume_errors() -+ - key = self._ffi.gc(key, self._lib.EVP_PKEY_free) - if password is not None: - raise TypeError( -@@ -1448,6 +1453,11 @@ class Backend(object): - else: - self._handle_key_loading_error() - -+ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will -+ # successfully load but errors are still put on the stack. 
Tracked -+ # as https://github.com/openssl/openssl/issues/14996 -+ self._consume_errors() -+ - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - - if password is not None and userdata.called == 0: -@@ -1470,11 +1480,22 @@ class Backend(object): - "incorrect format or it may be encrypted with an unsupported " - "algorithm." - ) -- elif errors[0]._lib_reason_match( -- self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT -- ) or errors[0]._lib_reason_match( -- self._lib.ERR_LIB_PKCS12, -- self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, -+ -+ elif ( -+ errors[0]._lib_reason_match( -+ self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT -+ ) -+ or errors[0]._lib_reason_match( -+ self._lib.ERR_LIB_PKCS12, -+ self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, -+ ) -+ or ( -+ self._lib.Cryptography_HAS_PROVIDERS -+ and errors[0]._lib_reason_match( -+ self._lib.ERR_LIB_PROV, -+ self._lib.PROV_R_BAD_DECRYPT, -+ ) -+ ) - ): - raise ValueError("Bad decrypt. Incorrect password?") - -@@ -2520,7 +2541,16 @@ class Backend(object): - if sk_x509_ptr[0] != self._ffi.NULL: - sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free) - num = self._lib.sk_X509_num(sk_x509_ptr[0]) -- for i in range(num): -+ -+ # In OpenSSL < 3.0.0 PKCS12 parsing reverses the order of the -+ # certificates. 
-+ indices: typing.Iterable[int] -+ if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: -+ indices = range(num) -+ else: -+ indices = reversed(range(num)) -+ -+ for i in indices: - x509 = self._lib.sk_X509_value(sk_x509, i) - self.openssl_assert(x509 != self._ffi.NULL) - x509 = self._ffi.gc(x509, self._lib.X509_free) -diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py -index 0f96795f..a2dd6894 100644 ---- a/src/cryptography/hazmat/backends/openssl/ciphers.py -+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py -@@ -145,7 +145,13 @@ class _CipherContext(object): - res = self._backend._lib.EVP_CipherUpdate( - self._ctx, outbuf, outlen, inbuf, inlen - ) -- self._backend.openssl_assert(res != 0) -+ if res == 0 and isinstance(self._mode, modes.XTS): -+ raise ValueError( -+ "In XTS mode you must supply at least a full block in the " -+ "first update call. For AES this is 16 bytes." -+ ) -+ else: -+ self._backend.openssl_assert(res != 0) - data_processed += inlen - total_out += outlen[0] - -@@ -174,6 +180,13 @@ class _CipherContext(object): - errors[0]._lib_reason_match( - self._backend._lib.ERR_LIB_EVP, - self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH, -+ ) -+ or ( -+ self._backend._lib.Cryptography_HAS_PROVIDERS -+ and errors[0]._lib_reason_match( -+ self._backend._lib.ERR_LIB_PROV, -+ self._backend._lib.PROV_R_WRONG_FINAL_BLOCK_LENGTH, -+ ) - ), - errors=errors, - ) -diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py -index 86548357..1f42c7be 100644 ---- a/src/cryptography/hazmat/bindings/openssl/_conditional.py -+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py -@@ -270,6 +270,16 @@ def cryptography_has_get_proto_version(): - ] - - -+def cryptography_has_providers(): -+ return [ -+ "OSSL_PROVIDER_load", -+ "OSSL_PROVIDER_unload", -+ "ERR_LIB_PROV", -+ "PROV_R_WRONG_FINAL_BLOCK_LENGTH", -+ 
"PROV_R_BAD_DECRYPT", -+ ] -+ -+ - # This is a mapping of - # {condition: function-returning-names-dependent-on-that-condition} so we can - # loop over them and delete unsupported names at runtime. It will be removed -@@ -318,4 +328,5 @@ CONDITIONAL_NAMES = { - "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, - "Cryptography_HAS_SRTP": cryptography_has_srtp, - "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version, -+ "Cryptography_HAS_PROVIDERS": cryptography_has_providers, - } -diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py -index a2bc36a8..6dcec26a 100644 ---- a/src/cryptography/hazmat/bindings/openssl/binding.py -+++ b/src/cryptography/hazmat/bindings/openssl/binding.py -@@ -113,6 +113,8 @@ class Binding(object): - ffi = ffi - _lib_loaded = False - _init_lock = threading.Lock() -+ _legacy_provider: typing.Any = None -+ _default_provider: typing.Any = None - - def __init__(self): - self._ensure_ffi_initialized() -@@ -140,6 +142,24 @@ class Binding(object): - # adds all ciphers/digests for EVP - cls.lib.OpenSSL_add_all_algorithms() - cls._register_osrandom_engine() -+ # As of OpenSSL 3.0.0 we must register a legacy cipher provider -+ # to get RC2 (needed for junk asymmetric private key -+ # serialization), RC4, Blowfish, IDEA, SEED, etc. These things -+ # are ugly legacy, but we aren't going to get rid of them -+ # any time soon. 
-+ if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: -+ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load( -+ cls.ffi.NULL, b"legacy" -+ ) -+ _openssl_assert( -+ cls.lib, cls._legacy_provider != cls.ffi.NULL -+ ) -+ cls._default_provider = cls.lib.OSSL_PROVIDER_load( -+ cls.ffi.NULL, b"default" -+ ) -+ _openssl_assert( -+ cls.lib, cls._default_provider != cls.ffi.NULL -+ ) - - @classmethod - def init_static_locks(cls): -diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py -index 0c96516f..0316b5d9 100644 ---- a/tests/hazmat/backends/test_openssl_memleak.py -+++ b/tests/hazmat/backends/test_openssl_memleak.py -@@ -82,7 +82,7 @@ def main(argv): - assert result == 1 - - # Trigger a bunch of initialization stuff. -- import cryptography.hazmat.backends.openssl -+ from cryptography.hazmat.backends.openssl.backend import backend - - start_heap = set(heap) - -@@ -91,6 +91,10 @@ def main(argv): - gc.collect() - gc.collect() - -+ if lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: -+ lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider) -+ lib.OSSL_PROVIDER_unload(backend._binding._default_provider) -+ - if lib.Cryptography_HAS_OPENSSL_CLEANUP: - lib.OPENSSL_cleanup() - -diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py -index fb9a1e36..4d1e3b55 100644 ---- a/tests/hazmat/bindings/test_openssl.py -+++ b/tests/hazmat/bindings/test_openssl.py -@@ -91,7 +91,9 @@ class TestOpenSSL(object): - _openssl_assert(b.lib, False) - - error = exc_info.value.err_code[0] -- assert error.code == 101183626 -+ # As of 3.0.0 OpenSSL sets func codes to 0, so the combined -+ # code is a different value -+ assert error.code in (101183626, 50331786) - assert error.lib == b.lib.ERR_LIB_EVP - assert error.func == b.lib.EVP_F_EVP_ENCRYPTFINAL_EX - assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH -diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py -index 
131807fc..bb29919f 100644 ---- a/tests/hazmat/primitives/test_dh.py -+++ b/tests/hazmat/primitives/test_dh.py -@@ -180,7 +180,23 @@ class TestDH(object): - params = dh.DHParameterNumbers(p, int(vector["g"])) - param = params.parameters(backend) - key = param.generate_private_key() -- assert key.private_numbers().public_numbers.parameter_numbers == params -+ # In OpenSSL 3.0.0 OpenSSL maps to known groups. This results in -+ # a scenario where loading a known group with p and g returns a -+ # re-serialized form that has q as well (the Sophie Germain prime of -+ # that group). This makes a naive comparison of the parameter numbers -+ # objects fail, so we have to be a bit smarter -+ serialized_params = ( -+ key.private_numbers().public_numbers.parameter_numbers -+ ) -+ if serialized_params.q is None: -+ # This is the path OpenSSL < 3.0 takes -+ assert serialized_params == params -+ else: -+ assert serialized_params.p == params.p -+ assert serialized_params.g == params.g -+ # p = 2q + 1 since it is a Sophie Germain prime, so we can compute -+ # what we expect OpenSSL to have done here. -+ assert serialized_params.q == (params.p - 1) // 2 - - @pytest.mark.skip_fips(reason="non-FIPS parameters") - @pytest.mark.parametrize( -@@ -382,6 +398,12 @@ class TestDH(object): - assert symkey1 != symkey2 - - @pytest.mark.skip_fips(reason="key_size too small for FIPS") -+ @pytest.mark.supported( -+ only_if=lambda backend: ( -+ not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -+ ), -+ skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+", -+ ) - def test_load_256bit_key_from_pkcs8(self, backend): - data = load_vectors_from_file( - os.path.join("asymmetric", "DH", "dh_key_256.pem"), --- -2.31.1 - diff --git a/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch b/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch deleted file mode 100644 index 078950e..0000000 --- a/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -From 29cf9b8d63ef3437ba11aa29502af8773faa17a7 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Wed, 14 Apr 2021 13:15:57 -0500 -Subject: [PATCH 3/4] switch to using EVP_PKEY_derive instead of DH_compute_key - in DH (#5972) - -* switch to using EVP_PKEY_derive instead of DH_compute_key in DH - -Where checks are occurring is changing in OpenSSL 3.0 and this makes it -easier to be consistent (and is the API we should be using anyway). The -tests change because EVP_PKEY_derive now verifies that we have shared -parameters, which the test previously only verified by asserting that -the derived keys didn't match - -* review feedback - -* type ignores required for typeerror tests. some day i will remember this ---- - src/_cffi_src/openssl/dh.py | 1 - - .../hazmat/backends/openssl/dh.py | 57 ++++++++++++------- - tests/hazmat/primitives/test_dh.py | 19 ++++--- - 3 files changed, 45 insertions(+), 32 deletions(-) - -diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py -index 979dafa9..50989e45 100644 ---- a/src/_cffi_src/openssl/dh.py -+++ b/src/_cffi_src/openssl/dh.py -@@ -18,7 +18,6 @@ DH *DH_new(void); - void DH_free(DH *); - int DH_size(const DH *); - int DH_generate_key(DH *); --int DH_compute_key(unsigned char *, const BIGNUM *, DH *); - DH *DHparams_dup(DH *); - - /* added in 1.1.0 when the DH struct was opaqued */ -diff --git a/src/cryptography/hazmat/backends/openssl/dh.py b/src/cryptography/hazmat/backends/openssl/dh.py -index 65ddaeec..b928f024 100644 ---- a/src/cryptography/hazmat/backends/openssl/dh.py -+++ b/src/cryptography/hazmat/backends/openssl/dh.py -@@ -127,35 +127,48 @@ class _DHPrivateKey(dh.DHPrivateKey): - ) - - def exchange(self, peer_public_key: dh.DHPublicKey) -> bytes: -- buf = self._backend._ffi.new("unsigned char[]", self._key_size_bytes) -- pub_key = self._backend._ffi.new("BIGNUM **") -- self._backend._lib.DH_get0_key( -- peer_public_key._dh_cdata, # type: ignore[attr-defined] -- pub_key, -- 
self._backend._ffi.NULL, -+ if not isinstance(peer_public_key, _DHPublicKey): -+ raise TypeError("peer_public_key must be a DHPublicKey") -+ -+ ctx = self._backend._lib.EVP_PKEY_CTX_new( -+ self._evp_pkey, self._backend._ffi.NULL - ) -- self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) -- res = self._backend._lib.DH_compute_key( -- buf, pub_key[0], self._dh_cdata -+ self._backend.openssl_assert(ctx != self._backend._ffi.NULL) -+ ctx = self._backend._ffi.gc(ctx, self._backend._lib.EVP_PKEY_CTX_free) -+ res = self._backend._lib.EVP_PKEY_derive_init(ctx) -+ self._backend.openssl_assert(res == 1) -+ res = self._backend._lib.EVP_PKEY_derive_set_peer( -+ ctx, peer_public_key._evp_pkey -+ ) -+ # Invalid kex errors here in OpenSSL 3.0 because checks were moved -+ # to EVP_PKEY_derive_set_peer -+ self._exchange_assert(res == 1) -+ keylen = self._backend._ffi.new("size_t *") -+ res = self._backend._lib.EVP_PKEY_derive( -+ ctx, self._backend._ffi.NULL, keylen - ) -+ # Invalid kex errors here in OpenSSL < 3 -+ self._exchange_assert(res == 1) -+ self._backend.openssl_assert(keylen[0] > 0) -+ buf = self._backend._ffi.new("unsigned char[]", keylen[0]) -+ res = self._backend._lib.EVP_PKEY_derive(ctx, buf, keylen) -+ self._backend.openssl_assert(res == 1) - -- if res == -1: -+ key = self._backend._ffi.buffer(buf, keylen[0])[:] -+ pad = self._key_size_bytes - len(key) -+ -+ if pad > 0: -+ key = (b"\x00" * pad) + key -+ -+ return key -+ -+ def _exchange_assert(self, ok): -+ if not ok: - errors_with_text = self._backend._consume_errors_with_text() - raise ValueError( -- "Error computing shared key. 
Public key is likely invalid " -- "for this exchange.", -+ "Error computing shared key.", - errors_with_text, - ) -- else: -- self._backend.openssl_assert(res >= 1) -- -- key = self._backend._ffi.buffer(buf)[:res] -- pad = self._key_size_bytes - len(key) -- -- if pad > 0: -- key = (b"\x00" * pad) + key -- -- return key - - def public_key(self) -> dh.DHPublicKey: - dh_cdata = _dh_params_dup(self._dh_cdata, self._backend) -diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py -index bb29919f..2914f7e7 100644 ---- a/tests/hazmat/primitives/test_dh.py -+++ b/tests/hazmat/primitives/test_dh.py -@@ -296,6 +296,12 @@ class TestDH(object): - assert isinstance(key.private_numbers(), dh.DHPrivateNumbers) - assert isinstance(key.parameters(), dh.DHParameters) - -+ def test_exchange_wrong_type(self, backend): -+ parameters = FFDH3072_P.parameters(backend) -+ key1 = parameters.generate_private_key() -+ with pytest.raises(TypeError): -+ key1.exchange(b"invalidtype") # type: ignore[arg-type] -+ - def test_exchange(self, backend): - parameters = FFDH3072_P.parameters(backend) - assert isinstance(parameters, dh.DHParameters) -@@ -386,16 +392,11 @@ class TestDH(object): - key2 = private2.private_key(backend) - pub_key2 = key2.public_key() - -- if pub_key2.public_numbers().y >= parameters1.p: -- with pytest.raises(ValueError): -- key1.exchange(pub_key2) -- else: -- symkey1 = key1.exchange(pub_key2) -- assert symkey1 -- -- symkey2 = key2.exchange(pub_key1) -+ with pytest.raises(ValueError): -+ key1.exchange(pub_key2) - -- assert symkey1 != symkey2 -+ with pytest.raises(ValueError): -+ key2.exchange(pub_key1) - - @pytest.mark.skip_fips(reason="key_size too small for FIPS") - @pytest.mark.supported( --- -2.31.1 - diff --git a/0004-Use-well-defined-enum-representation.patch b/0004-Use-well-defined-enum-representation.patch deleted file mode 100644 index c006543..0000000 --- a/0004-Use-well-defined-enum-representation.patch +++ /dev/null 
@@ -1,366 +0,0 @@ -From 0a164d2c985b4655929591b191824ed361890b8d Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 10 May 2021 13:27:54 +0200 -Subject: [PATCH 4/4] Use well-defined enum representation - -Python 3.10 changed enum's object and string representation. PyCA -cryptography now uses a custom subclass of enum.Enum() will well-defined -__repr__ and __str__ from Python 3.9. - -Related: https://bugs.python.org/issue40066 -Fixes: https://github.com/pyca/cryptography/issues/5995 -Signed-off-by: Christian Heimes ---- - .github/workflows/ci.yml | 13 +++++++------ - src/cryptography/exceptions.py | 4 ++-- - .../hazmat/primitives/_serialization.py | 11 ++++++----- - src/cryptography/hazmat/primitives/kdf/kbkdf.py | 5 ++--- - .../hazmat/primitives/serialization/pkcs7.py | 4 ++-- - src/cryptography/utils.py | 11 +++++++++++ - src/cryptography/x509/base.py | 4 ++-- - src/cryptography/x509/certificate_transparency.py | 7 ++++--- - src/cryptography/x509/extensions.py | 5 ++--- - src/cryptography/x509/name.py | 3 +-- - src/cryptography/x509/ocsp.py | 8 ++++---- - tests/test_cryptography_utils.py | 11 +++++++++++ - 12 files changed, 54 insertions(+), 32 deletions(-) - -diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml -index 747f84c1..ca298f96 100644 ---- a/.github/workflows/ci.yml -+++ b/.github/workflows/ci.yml -@@ -18,15 +18,16 @@ jobs: - - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"} - - {VERSION: "pypy3", TOXENV: "pypy3"} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} -- - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}} -+ - {VERSION: "3.9", TOXENV: 
"py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}} -+ - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha16"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.2.3"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.3.1"}} -+ - {VERSION: "3.10-dev", TOXENV: "py310"} - RUST: - - stable - name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}" -@@ -108,8 +109,8 @@ jobs: - - {IMAGE: "sid", TOXENV: "py39"} - - {IMAGE: "ubuntu-bionic", TOXENV: "py36"} - - {IMAGE: "ubuntu-focal", TOXENV: "py38"} -- - {IMAGE: "ubuntu-rolling", TOXENV: "py38"} -- - {IMAGE: "ubuntu-rolling", TOXENV: "py38-randomorder"} -+ - {IMAGE: "ubuntu-rolling", TOXENV: "py39"} -+ - {IMAGE: "ubuntu-rolling", TOXENV: "py39-randomorder"} - - {IMAGE: "fedora", TOXENV: "py39"} - - {IMAGE: "alpine", TOXENV: "py38"} - name: "${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}" -diff --git a/src/cryptography/exceptions.py b/src/cryptography/exceptions.py -index f5860590..3bd98d82 100644 ---- a/src/cryptography/exceptions.py -+++ b/src/cryptography/exceptions.py -@@ -3,10 +3,10 @@ - # for complete details. 
- - --from enum import Enum -+from cryptography import utils - - --class _Reasons(Enum): -+class _Reasons(utils.Enum): - BACKEND_MISSING_INTERFACE = 0 - UNSUPPORTED_HASH = 1 - UNSUPPORTED_CIPHER = 2 -diff --git a/src/cryptography/hazmat/primitives/_serialization.py b/src/cryptography/hazmat/primitives/_serialization.py -index 96a5ed9b..160a6b89 100644 ---- a/src/cryptography/hazmat/primitives/_serialization.py -+++ b/src/cryptography/hazmat/primitives/_serialization.py -@@ -3,13 +3,14 @@ - # for complete details. - - import abc --from enum import Enum -+ -+from cryptography import utils - - # This exists to break an import cycle. These classes are normally accessible - # from the serialization module. - - --class Encoding(Enum): -+class Encoding(utils.Enum): - PEM = "PEM" - DER = "DER" - OpenSSH = "OpenSSH" -@@ -18,14 +19,14 @@ class Encoding(Enum): - SMIME = "S/MIME" - - --class PrivateFormat(Enum): -+class PrivateFormat(utils.Enum): - PKCS8 = "PKCS8" - TraditionalOpenSSL = "TraditionalOpenSSL" - Raw = "Raw" - OpenSSH = "OpenSSH" - - --class PublicFormat(Enum): -+class PublicFormat(utils.Enum): - SubjectPublicKeyInfo = "X.509 subjectPublicKeyInfo with PKCS#1" - PKCS1 = "Raw PKCS#1" - OpenSSH = "OpenSSH" -@@ -34,7 +35,7 @@ class PublicFormat(Enum): - UncompressedPoint = "X9.62 Uncompressed Point" - - --class ParameterFormat(Enum): -+class ParameterFormat(utils.Enum): - PKCS3 = "PKCS3" - - -diff --git a/src/cryptography/hazmat/primitives/kdf/kbkdf.py b/src/cryptography/hazmat/primitives/kdf/kbkdf.py -index ac36474f..75fe7d51 100644 ---- a/src/cryptography/hazmat/primitives/kdf/kbkdf.py -+++ b/src/cryptography/hazmat/primitives/kdf/kbkdf.py -@@ -4,7 +4,6 @@ - - - import typing --from enum import Enum - - from cryptography import utils - from cryptography.exceptions import ( -@@ -19,11 +18,11 @@ from cryptography.hazmat.primitives import constant_time, hashes, hmac - from cryptography.hazmat.primitives.kdf import KeyDerivationFunction - - --class Mode(Enum): -+class 
Mode(utils.Enum): - CounterMode = "ctr" - - --class CounterLocation(Enum): -+class CounterLocation(utils.Enum): - BeforeFixed = "before_fixed" - AfterFixed = "after_fixed" - -diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py -index bcd9e330..57aac7e3 100644 ---- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py -+++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py -@@ -3,8 +3,8 @@ - # for complete details. - - import typing --from enum import Enum - -+from cryptography import utils - from cryptography import x509 - from cryptography.hazmat.backends import _get_backend - from cryptography.hazmat.primitives import hashes, serialization -@@ -35,7 +35,7 @@ _ALLOWED_PRIVATE_KEY_TYPES = typing.Union[ - ] - - --class PKCS7Options(Enum): -+class PKCS7Options(utils.Enum): - Text = "Add text/plain MIME type" - Binary = "Don't translate input data into canonical MIME format" - DetachedSignature = "Don't embed data in the PKCS7 structure" -diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py -index ef0fc443..9e571cfd 100644 ---- a/src/cryptography/utils.py -+++ b/src/cryptography/utils.py -@@ -4,6 +4,7 @@ - - - import abc -+import enum - import inspect - import sys - import typing -@@ -162,3 +163,13 @@ int_from_bytes = deprecated( - "int_from_bytes is deprecated, use int.from_bytes instead", - DeprecatedIn34, - ) -+ -+ -+# Python 3.10 changed representation of enums. We use well-defined object -+# representation and string representation from Python 3.9. 
-+class Enum(enum.Enum): -+ def __repr__(self): -+ return f"<{self.__class__.__name__}.{self._name_}: {self._value_!r}>" -+ -+ def __str__(self): -+ return f"{self.__class__.__name__}.{self._name_}" -diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py -index 5505fa3b..26ec43d5 100644 ---- a/src/cryptography/x509/base.py -+++ b/src/cryptography/x509/base.py -@@ -7,8 +7,8 @@ import abc - import datetime - import os - import typing --from enum import Enum - -+from cryptography import utils - from cryptography.hazmat._types import _PRIVATE_KEY_TYPES, _PUBLIC_KEY_TYPES - from cryptography.hazmat.backends import _get_backend - from cryptography.hazmat.primitives import hashes, serialization -@@ -66,7 +66,7 @@ def _convert_to_naive_utc_time(time: datetime.datetime) -> datetime.datetime: - return time - - --class Version(Enum): -+class Version(utils.Enum): - v1 = 0 - v3 = 2 - -diff --git a/src/cryptography/x509/certificate_transparency.py b/src/cryptography/x509/certificate_transparency.py -index d51bee92..d80f051a 100644 ---- a/src/cryptography/x509/certificate_transparency.py -+++ b/src/cryptography/x509/certificate_transparency.py -@@ -5,15 +5,16 @@ - - import abc - import datetime --from enum import Enum - -+from cryptography import utils - --class LogEntryType(Enum): -+ -+class LogEntryType(utils.Enum): - X509_CERTIFICATE = 0 - PRE_CERTIFICATE = 1 - - --class Version(Enum): -+class Version(utils.Enum): - v1 = 0 - - -diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py -index 6cae016a..742f1fa2 100644 ---- a/src/cryptography/x509/extensions.py -+++ b/src/cryptography/x509/extensions.py -@@ -8,7 +8,6 @@ import datetime - import hashlib - import ipaddress - import typing --from enum import Enum - - from cryptography import utils - from cryptography.hazmat._der import ( -@@ -634,7 +633,7 @@ class DistributionPoint(object): - crl_issuer = utils.read_only_property("_crl_issuer") - - --class ReasonFlags(Enum): -+class 
ReasonFlags(utils.Enum): - unspecified = "unspecified" - key_compromise = "keyCompromise" - ca_compromise = "cACompromise" -@@ -978,7 +977,7 @@ class TLSFeature(ExtensionType): - return hash(tuple(self._features)) - - --class TLSFeatureType(Enum): -+class TLSFeatureType(utils.Enum): - # status_request is defined in RFC 6066 and is used for what is commonly - # called OCSP Must-Staple when present in the TLS Feature extension in an - # X.509 certificate. -diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py -index a579aa21..9069a9f4 100644 ---- a/src/cryptography/x509/name.py -+++ b/src/cryptography/x509/name.py -@@ -3,14 +3,13 @@ - # for complete details. - - import typing --from enum import Enum - - from cryptography import utils - from cryptography.hazmat.backends import _get_backend - from cryptography.x509.oid import NameOID, ObjectIdentifier - - --class _ASN1Type(Enum): -+class _ASN1Type(utils.Enum): - UTF8String = 12 - NumericString = 18 - PrintableString = 19 -diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py -index 1c5de73e..bcf210c1 100644 ---- a/src/cryptography/x509/ocsp.py -+++ b/src/cryptography/x509/ocsp.py -@@ -6,8 +6,8 @@ - import abc - import datetime - import typing --from enum import Enum - -+from cryptography import utils - from cryptography import x509 - from cryptography.hazmat.primitives import hashes, serialization - from cryptography.x509.base import ( -@@ -27,12 +27,12 @@ _OIDS_TO_HASH = { - } - - --class OCSPResponderEncoding(Enum): -+class OCSPResponderEncoding(utils.Enum): - HASH = "By Hash" - NAME = "By Name" - - --class OCSPResponseStatus(Enum): -+class OCSPResponseStatus(utils.Enum): - SUCCESSFUL = 0 - MALFORMED_REQUEST = 1 - INTERNAL_ERROR = 2 -@@ -58,7 +58,7 @@ def _verify_algorithm(algorithm): - ) - - --class OCSPCertStatus(Enum): -+class OCSPCertStatus(utils.Enum): - GOOD = 0 - REVOKED = 1 - UNKNOWN = 2 -diff --git a/tests/test_cryptography_utils.py b/tests/test_cryptography_utils.py 
-index 6b795e0c..803997ac 100644 ---- a/tests/test_cryptography_utils.py -+++ b/tests/test_cryptography_utils.py -@@ -2,6 +2,7 @@ - # 2.0, and the BSD License. See the LICENSE file in the root of this repository - # for complete details. - -+import enum - import typing - - import pytest -@@ -51,3 +52,13 @@ class TestCachedProperty(object): - assert len(accesses) == 1 - assert t.t == 14 - assert len(accesses) == 1 -+ -+ -+def test_enum(): -+ class TestEnum(utils.Enum): -+ value = "something" -+ -+ assert issubclass(TestEnum, enum.Enum) -+ assert isinstance(TestEnum.value, enum.Enum) -+ assert repr(TestEnum.value) == "" -+ assert str(TestEnum.value) == "TestEnum.value" --- -2.31.1 - diff --git a/python-cryptography.spec b/python-cryptography.spec index e997636..41eef9c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,8 +6,8 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4.7 -Release: 6%{?dist} +Version: 35.0.0 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -16,10 +16,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam # created by ./vendor_rust.py helper script Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch0001: 0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch -Patch0002: 0002-WIP-3.0.0-support-5250.patch -Patch0003: 0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch -Patch0004: 0004-Use-well-defined-enum-representation.patch ExclusiveArch: %{rust_arches} @@ -119,6 +115,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Sep 30 2021 Christian Heimes - 35.0-1 +- Update to 35.0.0 (#2009117) + * Tue Sep 14 2021 Sahana Prasad - 3.4.7-6 - Rebuilt with OpenSSL 3.0.0 diff --git a/sources b/sources index 6d1fe84..e8c9874 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-3.4.7.tar.gz) = e76d0949fbaca06d2f72805bdce8ea85056ae45b978f51d70d1367bbfb1067e9db76a9f080f890e95ec52c788a3d2fd3ba0a286901f97ee2911ebd7a7a8f71a9 -SHA512 (cryptography-3.4.7-vendor.tar.bz2) = 67060536b5d48e0497290fb3307329d57e9ac56cb9ee13c2fb1b2f93d059872d411d9dbff3f00bece23a8593d667799de86630b3748337b204f8776ef3f0a387 +SHA512 (cryptography-35.0.0.tar.gz) = b52b71ced261263e5a9e5856e3fb76b284bba4924160f6e8ad585f6148f79846a3e15d05fc8585020ec00b1e35114fbb0129bdc3acdabf1c60bb4d935767eb30 +SHA512 (cryptography-35.0.0-vendor.tar.bz2) = 2ee028dd6227b83f799bb3f177aefe08c030161a6e50682812b9cc518cd8df1abb65ff87e6c8cc93ecf83313de22af73394a4d4a8941bf54029b002b607fb28f From 0d7db7d607e9d7ef038055d75b8d55f0f4fba625 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 30 Sep 2021 09:55:19 +0200 Subject: [PATCH 30/90] Require rust-asn1 >= 0.6.4 --- python-cryptography.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 41eef9c..811c380 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 35.0.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -33,6 +33,8 @@ BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 +# Cargo.toml requires asn1 0.6, but package FTBFS with 0.6.1 +BuildRequires: rust-asn1-devel >= 0.6.4 %if %{with tests} %if 0%{?fedora} @@ -115,6 +117,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Sep 30 2021 Christian Heimes - 35.0.0-2 +- Require rust-asn1 >= 0.6.4 + * Thu Sep 30 2021 Christian Heimes - 35.0-1 - Update to 35.0.0 (#2009117) 
From 726f08f3c20224edc2e9297a24e3d8312a474e38 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 22 Nov 2021 23:05:16 +0100 Subject: [PATCH 31/90] Update to 36.0.0, fixes RHBZ#2025347 --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index e2d569a..dfa9f3e 100644 --- a/.gitignore +++ b/.gitignore @@ -41,3 +41,5 @@ /cryptography-3.4.7-vendor.tar.bz2 /cryptography-35.0.0.tar.gz /cryptography-35.0.0-vendor.tar.bz2 +/cryptography-36.0.0.tar.gz +/cryptography-36.0.0-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 811c380..80e09b3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,8 +6,8 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 35.0.0 -Release: 2%{?dist} +Version: 36.0.0 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -117,6 +117,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Nov 22 2021 Christian Heimes - 36.0.0-1 +- Update to 36.0.0, fixes RHBZ#2025347 + * Thu Sep 30 2021 Christian Heimes - 35.0.0-2 - Require rust-asn1 >= 0.6.4 diff --git a/sources b/sources index e8c9874..c1a984e 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-35.0.0.tar.gz) = b52b71ced261263e5a9e5856e3fb76b284bba4924160f6e8ad585f6148f79846a3e15d05fc8585020ec00b1e35114fbb0129bdc3acdabf1c60bb4d935767eb30 -SHA512 (cryptography-35.0.0-vendor.tar.bz2) = 2ee028dd6227b83f799bb3f177aefe08c030161a6e50682812b9cc518cd8df1abb65ff87e6c8cc93ecf83313de22af73394a4d4a8941bf54029b002b607fb28f +SHA512 (cryptography-36.0.0.tar.gz) = ed000877a205312733d1a03de7fada0847fd66ec26dce8e7f1bdc51f96b90ddd423c630ff949120b3c775ad3445b41fb3b74e38b0f673b0484c3ea9e38423453 +SHA512 (cryptography-36.0.0-vendor.tar.bz2) = b381c850f6ab346cdf6c0764e88ee3fc3cae132f83742059993574de540e40322892f28ae3c813b34cb5648995e9f4fa0eeb7991aa84ced155fe3e1a1d236cd0 From 78e9ac8bb309016cfa7426d4d6b9a5f9d5133aba Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 21 Jan 2022 11:26:23 +0000 Subject: [PATCH 32/90] - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 80e09b3..3419082 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 36.0.0 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -117,6 +117,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jan 21 2022 Fedora Release Engineering - 36.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + * Mon Nov 22 2021 Christian Heimes - 36.0.0-1 - Update to 36.0.0, fixes RHBZ#2025347 From f5e60ad52019bb1ffa29fae75add78d50b9399c7 Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Thu, 27 Jan 2022 14:43:41 +0100 Subject: [PATCH 33/90] Skip unstable memleak tests, resolves: RHBZ#2042413 --- python-cryptography.spec | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 3419082..07ac471 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 36.0.0 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -105,9 +105,11 @@ cat < %{SOURCE2} >> tests/conftest.py # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests +# see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes +# not much sense for downstream testing. PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{__python3} -m pytest \ - -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" + -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_openssl_memleak)" %endif %files -n python%{python3_pkgversion}-%{srcname} @@ -117,6 +119,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Jan 27 2022 Christian Heimes - 36.0.0-3 +- Skip unstable memleak tests, resolves: RHBZ#2042413 + * Fri Jan 21 2022 Fedora Release Engineering - 36.0.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From 58e882836491f7a0fed29484545b49960ef6671c Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 5 May 2022 08:15:05 +0200 Subject: [PATCH 34/90] Update to 37.0.2, resolves rhbz#2078968 --- .gitignore | 2 ++ python-cryptography.spec | 8 ++++++-- sources | 4 ++-- 3 files changed, 10 insertions(+), 4 deletions(-) 
diff --git a/.gitignore b/.gitignore index dfa9f3e..a426298 100644 --- a/.gitignore +++ b/.gitignore @@ -43,3 +43,5 @@ /cryptography-35.0.0-vendor.tar.bz2 /cryptography-36.0.0.tar.gz /cryptography-36.0.0-vendor.tar.bz2 +/cryptography-37.0.2.tar.gz +/cryptography-37.0.2-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 07ac471..5594ecc 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,8 +6,8 @@ %global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 36.0.0 -Release: 3%{?dist} +Version: 37.0.2 +Release: 1%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -44,6 +44,7 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 +BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 BuildRequires: python%{python3_pkgversion}-pytz %endif @@ -119,6 +120,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu May 05 2022 Christian Heimes - 37.0.2-1 +- Update to 37.0.2, resolves rhbz#2078968 + * Thu Jan 27 2022 Christian Heimes - 36.0.0-3 - Skip unstable memleak tests, resolves: RHBZ#2042413 diff --git a/sources b/sources index c1a984e..536e11b 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-36.0.0.tar.gz) = ed000877a205312733d1a03de7fada0847fd66ec26dce8e7f1bdc51f96b90ddd423c630ff949120b3c775ad3445b41fb3b74e38b0f673b0484c3ea9e38423453 -SHA512 (cryptography-36.0.0-vendor.tar.bz2) = b381c850f6ab346cdf6c0764e88ee3fc3cae132f83742059993574de540e40322892f28ae3c813b34cb5648995e9f4fa0eeb7991aa84ced155fe3e1a1d236cd0 +SHA512 (cryptography-37.0.2.tar.gz) = ca6b1e983e79a130b47b1f7cdabeb6041a6102f57483f0820f7bcc6a67e0112b7691f09caa7f391de5aed0a2fee26f394688823da2cd4c8beab553732ac6a305 +SHA512 (cryptography-37.0.2-vendor.tar.bz2) = d100fff9406063c7eb1d0caf7f389c15e49715928ae6c9ec7fd60e97f363ea3590d145e8e7f74958ce4857f60e9e4cd28ac69ef44f9e0dc0730e5d08b073bd9b From 697f9bc002963f9d7a6a83a1a5a9f9c385e37369 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 14 Jun 2022 08:41:16 +0200 Subject: [PATCH 35/90] Bootstrap for Python 3.11 --- python-cryptography.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 5594ecc..a844bfb 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -7,7 +8,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -120,6 +121,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Jun 14 2022 Python Maint - 37.0.2-2 +- Bootstrap for Python 3.11 + * Thu May 05 2022 Christian Heimes - 37.0.2-1 - Update to 37.0.2, resolves rhbz#2078968 From 62733ee588f5d42469d4220d2d79fe969a683d21 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 14 Jun 2022 12:08:28 +0200 Subject: [PATCH 36/90] Rebuilt for Python 3.11 --- python-cryptography.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/python-cryptography.spec b/python-cryptography.spec index a844bfb..eaecf52 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -8,7 +7,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -121,6 +120,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Jun 14 2022 Python Maint - 37.0.2-3 +- Rebuilt for Python 3.11 + * Tue Jun 14 2022 Python Maint - 37.0.2-2 - Bootstrap for Python 3.11 From f11c50a6f7123165639dbdd0259eac99c86c2891 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 22 Jul 2022 17:38:51 +0000 Subject: [PATCH 37/90] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index eaecf52..7faf137 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -120,6 +120,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Tue Jun 14 2022 Python Maint - 37.0.2-3 - Rebuilt for Python 3.11 From 29c1c4ffe0307c119ad59cd1eeea5b335ed3d7d8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 17 Aug 2022 12:04:42 +0200 Subject: [PATCH 38/90] Drop unused manual requirement on six, drop duplicated manual requirement on cffi The Python-related Requires already were: python(abi) = 3.11 python3-cffi >= 1.7 python3-six >= 1.4.1 python3.11dist(cffi) >= 1.12 Now they are: python(abi) = 3.11 python3.11dist(cffi) >= 1.12 --- python-cryptography.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 7faf137..8224d85 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -32,7 +32,6 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 -BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 # Cargo.toml requires asn1 0.6, but package FTBFS with 0.6.1 BuildRequires: rust-asn1-devel >= 0.6.4 @@ -58,8 +57,6 @@ Summary: PyCA's cryptography library %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} Requires: openssl-libs -Requires: python%{python3_pkgversion}-six >= 1.4.1 -Requires: python%{python3_pkgversion}-cffi >= 1.7 %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 # Can be safely removed in Fedora 37 Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7 @@ -120,6 +117,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 +- Drop unused requirement of python3-six + * Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild 
From 19e9b9733277e509e42c9ee0b9cad941077ff424 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 9 Dec 2022 12:09:43 +0100 Subject: [PATCH 39/90] Enable SHA1 signatures in test suite (ELN-only) --- python-cryptography.spec | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 8224d85..5288712 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 5%{?dist} +Release: 6%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -101,6 +101,12 @@ rm -rf tests/hypothesis cat < %{SOURCE2} >> tests/conftest.py %endif +%if 0%{?eln} +# enable SHA-1 signatures for RSA tests +# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343 +export OPENSSL_ENABLE_SHA1_SIGNATURES=yes +%endif + # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests # see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes @@ -117,6 +123,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Dec 09 2022 Christian Heimes - 37.0.2-6 +- Enable SHA1 signatures in test suite (ELN-only) + * Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 - Drop unused requirement of python3-six From ebf415a04ba645888dcb6351ab91aa0336e23044 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Tue, 13 Dec 2022 18:30:42 +0100 Subject: [PATCH 40/90] Convert the license tag to SPDX and add missing PSF license --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 5288712..e8e0731 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
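Review bot: The `%if 0%{?eln}` block added in the `@@ -101,6 +101,12 @@` hunk exports `OPENSSL_ENABLE_SHA1_SIGNATURES=yes` for the test run. On ELN the suite therefore passes under a signature policy that, judging by the commit title and the referenced rhbz#2060343, is not the one the installed package runs under. The comment should say that the override is build-time only and what it leaves unverified, for example `# test-only: re-enables SHA-1 signatures for the build-time test run; the installed package still follows the system crypto policy`. Skipping the SHA-1-dependent tests on ELN instead would keep the test environment aligned with the shipped configuration. The surrounding test section starts and ends outside this hunk.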
@@ -10,7 +10,10 @@ Version: 37.0.2 Release: 6%{?dist} Summary: PyCA's cryptography library -License: ASL 2.0 or BSD +# cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, +# as well as the Python Software Foundation license for the OS random +# engine derived by CPython. +License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz # created by ./vendor_rust.py helper script From 4c529569ef2c8a0fca3f52c4c0a831f037a62b18 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Tue, 13 Dec 2022 21:03:13 +0100 Subject: [PATCH 41/90] Remove no longer used macro --- python-cryptography.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index e8e0731..8c3583c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -3,7 +3,6 @@ %{!?python3_pkgversion:%global python3_pkgversion 3} %global srcname cryptography -%global pyo3_version 0.13.1 Name: python-%{srcname} Version: 37.0.2 From 25a80244fef287446e6096a67fd913f56cf9199c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 20 Jan 2023 12:25:02 +0000 Subject: [PATCH 42/90] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 8c3583c..a0c880e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 6%{?dist} +Release: 7%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, 
@@ -125,6 +125,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Fri Dec 09 2022 Christian Heimes - 37.0.2-6 - Enable SHA1 signatures in test suite (ELN-only) From 9e3c824a6b1f1acac3f7c97111e0705287d96133 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 22 Feb 2023 09:57:34 +0100 Subject: [PATCH 43/90] Fix CVE-2023-23931 and FTBFS Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 --- CVE-2023-23931.patch | 42 ++++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 12 ++++++++++-- 2 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 CVE-2023-23931.patch diff --git a/CVE-2023-23931.patch b/CVE-2023-23931.patch new file mode 100644 index 0000000..085947c --- /dev/null +++ b/CVE-2023-23931.patch 
@@ -0,0 +1,42 @@
+From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor
+Date: Tue, 31 Jan 2023 08:33:54 -0500
+Subject: [PATCH] Don't allow update_into to mutate immutable objects
+
+---
+ src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
+ tests/hazmat/primitives/test_ciphers.py | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 286583f9325..075d68fb905 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int:
+ data_processed = 0
+ total_out = 0
+ outlen = self._backend._ffi.new("int *")
+- baseoutbuf = self._backend._ffi.from_buffer(buf)
++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
+ baseinbuf = self._backend._ffi.from_buffer(data)
+
+ while data_processed != total_data_len:
+diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
+index 02127dd9cab..bf3b047dec2 100644
+--- a/tests/hazmat/primitives/test_ciphers.py
++++ b/tests/hazmat/primitives/test_ciphers.py
+@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend):
+ with pytest.raises(ValueError):
+ encryptor.update_into(b"testing", buf)
+
++ def test_update_into_immutable(self, backend):
++ key = b"\x00" * 16
++ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
++ encryptor = c.encryptor()
++ buf = b"\x00" * 32
++ with pytest.raises((TypeError, BufferError)):
++ encryptor.update_into(b"testing", buf)
++
+ @pytest.mark.supported(
+ only_if=lambda backend: backend.cipher_supported(
+ AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
diff --git a/python-cryptography.spec b/python-cryptography.spec
index a0c880e..76ea9b9 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 7%{?dist} +Release: 8%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,6 +19,9 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +# https://github.com/pyca/cryptography/pull/8230 +Patch1: CVE-2023-23931.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -113,9 +116,10 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES=yes # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests # see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes # not much sense for downstream testing. +# see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{__python3} -m pytest \ - -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_openssl_memleak)" + -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif %files -n python%{python3_pkgversion}-%{srcname} @@ -125,6 +129,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Feb 22 2023 Christian Heimes - 37.0.2-8 +- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 +- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 + * Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From cf6e4c6ecf1d73549a6568cef4b43f3dcca19786 Mon Sep 17 00:00:00 2001 
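Review bot: The `-k` expression in the `%check` hunk now also deselects `test_decrypt_invalid_decrypt`, but the comment added above it documents only `test_load_invalid_ec_key_from_pem`. Going by their names, both are negative tests for malformed input, so an undocumented permanent skip quietly removes error-path coverage in the same release that ships a CVE fix. I would record the second test as well, for example `# see rhbz#2171661 for test_decrypt_invalid_decrypt too; drop both deselections once the underlying failure is resolved`. The `%check` section starts and ends outside the hunk.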
From: Fabio Valentini Date: Thu, 26 Jan 2023 21:53:08 +0100 Subject: [PATCH 44/90] ensure correct compiler flags are used for Rust code --- python-cryptography.spec | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 76ea9b9..c40d3a3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 8%{?dist} +Release: 9%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -37,8 +37,6 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 -# Cargo.toml requires asn1 0.6, but package FTBFS with 0.6.1 -BuildRequires: rust-asn1-devel >= 0.6.4 %if %{with tests} %if 0%{?fedora} @@ -73,22 +71,24 @@ recipes to Python developers. %prep %autosetup -p1 -n %{srcname}-%{version} - -%generate_buildrequires - %if 0%{?fedora} -# Fedora: use cargo macros to make use of RPMified crates %cargo_prep -cd src/rust -rm -f Cargo.lock -%cargo_generate_buildrequires -cd ../.. +rm src/rust/Cargo.lock %else # RHEL: use vendored Rust crates %cargo_prep -V 1 %endif +%if 0%{?fedora} +%generate_buildrequires +# Fedora: use RPMified crates +cd src/rust +%cargo_generate_buildrequires +cd ../.. +%endif + %build +export RUSTFLAGS="%build_rustflags" %py3_build %install 
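Review bot: `export RUSTFLAGS="%build_rustflags"` in `%build` is outside any `%if 0%{?fedora}` guard, while the other Rust macros in this hunk are split between the Fedora and the RHEL branch. RPM leaves an undefined macro as literal text, so if the macro set pulled in by `rust-toolset` on the `%else` path does not define `%build_rustflags`, the compiler would receive the literal string instead of the distribution hardening flags. That is worth confirming on a RHEL-style build; a defensive form is `%{?build_rustflags:export RUSTFLAGS="%build_rustflags"}`. A one-line comment saying that the export exists so the Rust extension is compiled with the distribution's flags would also help the next reader.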
@@ -129,6 +129,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 +- Ensure correct compiler flags are used for Rust code. + * Wed Feb 22 2023 Christian Heimes - 37.0.2-8 - Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 - Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 From 5c59e50b4e4ab60ccbd34707441c304966aa5719 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 9 Mar 2023 08:19:18 +0100 Subject: [PATCH 45/90] Update to 39.0.2 Resolves: rhbz#2124729 --- .gitignore | 2 ++ CVE-2023-23931.patch | 42 ---------------------------------------- python-cryptography.spec | 16 +++++++-------- sources | 4 ++-- 4 files changed, 12 insertions(+), 52 deletions(-) delete mode 100644 CVE-2023-23931.patch diff --git a/.gitignore b/.gitignore index a426298..4a92541 100644 --- a/.gitignore +++ b/.gitignore @@ -45,3 +45,5 @@ /cryptography-36.0.0-vendor.tar.bz2 /cryptography-37.0.2.tar.gz /cryptography-37.0.2-vendor.tar.bz2 +/cryptography-39.0.2.tar.gz +/cryptography-39.0.2-vendor.tar.bz2 diff --git a/CVE-2023-23931.patch b/CVE-2023-23931.patch deleted file mode 100644 index 085947c..0000000 --- a/CVE-2023-23931.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Tue, 31 Jan 2023 08:33:54 -0500
-Subject: [PATCH] Don't allow update_into to mutate immutable objects
-
----
- src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
- tests/hazmat/primitives/test_ciphers.py | 8 ++++++++
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
-index 286583f9325..075d68fb905 100644
---- a/src/cryptography/hazmat/backends/openssl/ciphers.py
-+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
-@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int:
- data_processed = 0
- total_out = 0
- outlen = self._backend._ffi.new("int *")
-- baseoutbuf = self._backend._ffi.from_buffer(buf)
-+ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
- baseinbuf = self._backend._ffi.from_buffer(data)
-
- while data_processed != total_data_len:
-diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
-index 02127dd9cab..bf3b047dec2 100644
---- a/tests/hazmat/primitives/test_ciphers.py
-+++ b/tests/hazmat/primitives/test_ciphers.py
-@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend):
- with pytest.raises(ValueError):
- encryptor.update_into(b"testing", buf)
-
-+ def test_update_into_immutable(self, backend):
-+ key = b"\x00" * 16
-+ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
-+ encryptor = c.encryptor()
-+ buf = b"\x00" * 32
-+ with pytest.raises((TypeError, BufferError)):
-+ encryptor.update_into(b"testing", buf)
-+
- @pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
diff --git a/python-cryptography.spec b/python-cryptography.spec
index c40d3a3..40b2f7f 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 37.0.2 -Release: 9%{?dist} +Version: 39.0.2 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,9 +19,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -# https://github.com/pyca/cryptography/pull/8230 -Patch1: CVE-2023-23931.patch - ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -33,10 +30,10 @@ BuildRequires: rust-packaging BuildRequires: rust-toolset %endif -BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 +BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools -BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 +BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 %if %{with tests} %if 0%{?fedora} @@ -45,7 +42,7 @@ BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist %endif -BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 +BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 BuildRequires: python%{python3_pkgversion}-pytz @@ -129,6 +126,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Sat Mar 04 2023 Christian Heimes - 39.0.2-1 +- Update to 39.0.2, resolves rhbz#2124729 + * Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 - Ensure correct compiler flags are used for Rust code. diff --git a/sources b/sources index 536e11b..3ce6c7a 100644 --- a/sources +++ b/sources 
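Review bot: The removal of `Patch1: CVE-2023-23931.patch` in the second spec hunk is not mentioned in the commit message or in the new changelog entry, which says only `Update to 39.0.2`. Dropping a security patch during a rebase is correct when the new tarball already contains the change from the referenced upstream pull request 8230, but that should be written down so a later auditor does not have to re-derive it. I would add a changelog line such as `- Drop CVE-2023-23931.patch, fix is part of the new upstream release` after confirming the `require_writable=True` change is present in the 39.0.2 source.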
@@ -1,2 +1,2 @@ -SHA512 (cryptography-37.0.2.tar.gz) = ca6b1e983e79a130b47b1f7cdabeb6041a6102f57483f0820f7bcc6a67e0112b7691f09caa7f391de5aed0a2fee26f394688823da2cd4c8beab553732ac6a305 -SHA512 (cryptography-37.0.2-vendor.tar.bz2) = d100fff9406063c7eb1d0caf7f389c15e49715928ae6c9ec7fd60e97f363ea3590d145e8e7f74958ce4857f60e9e4cd28ac69ef44f9e0dc0730e5d08b073bd9b +SHA512 (cryptography-39.0.2.tar.gz) = 06ae3e2c0c2a5fa9e80dab7181a7c8b64aa9359bfd149837f179e65372a90acc905aae7476516ba8da4c4137bd25ba115d911728858551d2862280352b09b95e +SHA512 (cryptography-39.0.2-vendor.tar.bz2) = 4e92ec50e01f99e160ab6c5e12fbd7e1297aaa2dfb5f0f35019308a44661e938a082c9a4ce0d9b5fbe1ed94cde49ae6b193c3f3f7035e9f5f5a97f2108595667 From 231f32cf9664dc30d86af4aaa6a16626509e2231 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Thu, 9 Mar 2023 12:55:39 +0100 Subject: [PATCH 46/90] Don't run tests requiring pytz on RHEL pytz is unwanted on RHEL 10+. --- python-cryptography.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 40b2f7f..9877601 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 39.0.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -41,11 +41,11 @@ BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist +BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 -BuildRequires: python%{python3_pkgversion}-pytz %endif %description 
@@ -97,8 +97,8 @@ find . -name .keep -print -delete %check %if %{with tests} %if 0%{?rhel} -# skip hypothesis tests on RHEL -rm -rf tests/hypothesis +# skip hypothesis and pytz tests on RHEL +rm -rf tests/hypothesis tests/x509 # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif @@ -126,6 +126,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 +- Don't run tests requiring pytz on RHEL + * Sat Mar 04 2023 Christian Heimes - 39.0.2-1 - Update to 39.0.2, resolves rhbz#2124729 From 0dbc0e5e1df4aa27e22eb637ae15136b8397643d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Thu, 9 Mar 2023 13:28:58 +0100 Subject: [PATCH 47/90] Don't try to run tests of vendored dependencies in %check --- python-cryptography.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index 9877601..07d9285 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -116,6 +116,7 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES=yes # see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{__python3} -m pytest \ + --ignore vendor \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif @@ -128,6 +129,7 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %changelog * Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 - Don't run tests requiring pytz on RHEL +- Don't try to run tests of vendored dependencies in %%check * Sat Mar 04 2023 Christian Heimes - 39.0.2-1 - Update to 39.0.2, resolves rhbz#2124729 From 55eaa10d2d97f19c966ba4c3e039f420b4f779bc Mon Sep 17 00:00:00 2001 
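Review bot: `rm -rf tests/hypothesis tests/x509` in the RHEL branch of `%check` deletes the whole X.509 test directory in order to avoid the pytz dependency. That presumably removes certificate, CRL and extension parsing tests from every RHEL build, which is the code most exposed to untrusted input. The spec already appends `%{SOURCE2}` (conftest-skipper.py) to skip the iso8601 and pretend tests; extending that skipper to pytz, or deselecting only the modules that import it, would keep the rest of `tests/x509` running. At minimum the comment should say the full directory is dropped, e.g. `# pytz is unavailable on RHEL: this removes ALL x509 tests, not only the pytz ones`.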
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Mon, 13 Mar 2023 21:09:36 +0100 Subject: [PATCH 48/90] Remove an undesired %{?eln} conditional Fixes https://github.com/fedora-eln/eln/issues/120 --- python-cryptography.spec | 2 -- 1 file changed, 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 07d9285..38888b0 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -103,11 +103,9 @@ rm -rf tests/hypothesis tests/x509 cat < %{SOURCE2} >> tests/conftest.py %endif -%if 0%{?eln} # enable SHA-1 signatures for RSA tests # also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343 export OPENSSL_ENABLE_SHA1_SIGNATURES=yes -%endif # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests From 2894c08790a4b4a9e0bdc0ba6a03e513264f5dd6 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 28 Mar 2023 08:45:39 +0200 Subject: [PATCH 49/90] Update to 40.0.2 Resolves: rhbz#2181430 --- .gitignore | 8 ++++++++ python-cryptography.spec | 15 ++++++++++++--- sources | 4 ++-- 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 4a92541..77cad2f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ +/results_python-cryptography +/*.src.rpm /cryptography-1.3.1.tar.gz /cryptography-1.5.3.tar.gz /cryptography-1.7.1.tar.gz @@ -47,3 +49,9 @@ /cryptography-37.0.2-vendor.tar.bz2 /cryptography-39.0.2.tar.gz /cryptography-39.0.2-vendor.tar.bz2 +/cryptography-40.0.0.tar.gz +/cryptography-40.0.0-vendor.tar.bz2 +/cryptography-40.0.1.tar.gz +/cryptography-40.0.1-vendor.tar.bz2 +/cryptography-40.0.2.tar.gz +/cryptography-40.0.2-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 38888b0..6dc34f5 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
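Review bot: With the `%if 0%{?eln}` guard removed, `export OPENSSL_ENABLE_SHA1_SIGNATURES=yes` now runs for every distribution, but the comment above it still reads as a generic instruction. The export sits in `%check`, so it affects only the test run and not the built package; the comment should say so, so that nobody copies it into `%build` or into a runtime environment. Suggested wording: `# test suite only: allow SHA-1 signatures so the RSA tests pass; must never be set for %build or at runtime`.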
@@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 39.0.2 -Release: 2%{?dist} +Version: 40.0.2 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -34,6 +34,8 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 +# test_load_with_other_sections in 40.0 fails with pem 1.1.0 +BuildRequires: rust-pem-devel >= 1.1.1 %if %{with tests} %if 0%{?fedora} @@ -45,7 +47,7 @@ BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark -BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 +BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 %endif %description @@ -84,8 +86,12 @@ cd src/rust cd ../.. %endif +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml + %build export RUSTFLAGS="%build_rustflags" +export OPENSSL_NO_VENDOR=1 %py3_build %install @@ -125,6 +131,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Apr 18 2023 Christian Heimes - 40.0.2-1 +- Update to 40.0.2, resolves rhbz#2181430 + * Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 - Don't run tests requiring pytz on RHEL - Don't try to run tests of vendored dependencies in %%check diff --git a/sources b/sources index 3ce6c7a..3532c84 100644 --- a/sources +++ b/sources 
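Review bot: `export OPENSSL_NO_VENDOR=1` in `%build` is added without a comment, unlike the `sed` line introduced just above it. The variable is what keeps the openssl-sys crate from compiling a bundled OpenSSL and makes the extension link the system library, which is the property that lets distribution OpenSSL security updates reach this package. Because an accidental removal would not fail the build, I would document it: `# openssl-sys: never build a bundled OpenSSL, always link the system library`.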
@@ -1,2 +1,2 @@ -SHA512 (cryptography-39.0.2.tar.gz) = 06ae3e2c0c2a5fa9e80dab7181a7c8b64aa9359bfd149837f179e65372a90acc905aae7476516ba8da4c4137bd25ba115d911728858551d2862280352b09b95e -SHA512 (cryptography-39.0.2-vendor.tar.bz2) = 4e92ec50e01f99e160ab6c5e12fbd7e1297aaa2dfb5f0f35019308a44661e938a082c9a4ce0d9b5fbe1ed94cde49ae6b193c3f3f7035e9f5f5a97f2108595667 +SHA512 (cryptography-40.0.2.tar.gz) = 4f49a71cc7348cf90ff4e67d73486a07e065efdc3e321c7f2a642dd459057a90b1c26055bdbed076ebe5b8ea4ec544aaa62b9811fd62f0d818af7e0687b4aa9e +SHA512 (cryptography-40.0.2-vendor.tar.bz2) = d45692545b50a1995837ec61b193f395bf4de021e3c4f059e3c3cc705b1b09628b1e8f00efd1d0f3f0936dc66e39cb2ac9defe484f952552e7b0e402e947fd6d From a64728bbef7bb73a1718152c04ff53aa3225b951 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Mon, 12 Jun 2023 22:50:52 -0400 Subject: [PATCH 50/90] Use vendored rust-pem in RHEL builds --- python-cryptography.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 6dc34f5..402389d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 40.0.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -26,6 +26,8 @@ BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging +# test_load_with_other_sections in 40.0 fails with pem 1.1.0 +BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -34,8 +36,6 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 -# test_load_with_other_sections in 40.0 fails with pem 1.1.0 -BuildRequires: rust-pem-devel >= 1.1.1 %if %{with tests} %if 0%{?fedora} 
@@ -131,6 +131,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 +- Use vendored rust-pem in RHEL builds + * Tue Apr 18 2023 Christian Heimes - 40.0.2-1 - Update to 40.0.2, resolves rhbz#2181430 From bd226dd0d02b7f96f2602496b1ee87b9e27bb582 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Wed, 14 Jun 2023 16:13:50 +0200 Subject: [PATCH 51/90] Bootstrap for Python 3.12 --- python-cryptography.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 402389d..336b8fc 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -6,7 +7,7 @@ Name: python-%{srcname} Version: 40.0.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -131,6 +132,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Jun 14 2023 Python Maint - 40.0.2-3 +- Bootstrap for Python 3.12 + * Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 - Use vendored rust-pem in RHEL builds From f32ed18be7458c0152a5b26a5fc4d72db38bdcb7 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Mon, 10 Jul 2023 14:05:42 +0200 Subject: [PATCH 52/90] Rebuilt for Python 3.12 --- python-cryptography.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 336b8fc..5c8b8a7 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} 
@@ -7,7 +6,7 @@ Name: python-%{srcname} Version: 40.0.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -132,6 +131,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Jul 10 2023 Python Maint - 40.0.2-4 +- Rebuilt for Python 3.12 + * Wed Jun 14 2023 Python Maint - 40.0.2-3 - Bootstrap for Python 3.12 From 9421b4a468a2e9b0f2719e09e426d94f912101a0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 21 Jul 2023 08:43:20 +0000 Subject: [PATCH 53/90] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 5c8b8a7..0323ca3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 40.0.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -131,6 +131,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Mon Jul 10 2023 Python Maint - 40.0.2-4 - Rebuilt for Python 3.12 From 7b18e1445dd861fc9515a51991ebd2eb12a5580f Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Wed, 9 Aug 2023 14:07:18 +0200 Subject: [PATCH 54/90] Update to 41.0.3 - Update to upstream version 41.0.3 - Use pyo3 0.19 Resolves: rhbz#2211237 --- .gitignore | 2 ++ pyo3-0.19.patch | 52 ++++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 14 ++++++++--- sources | 4 ++-- 4 files changed, 67 insertions(+), 5 deletions(-) create mode 100644 pyo3-0.19.patch diff --git a/.gitignore b/.gitignore index 77cad2f..e69e967 100644 --- a/.gitignore +++ b/.gitignore @@ -55,3 +55,5 @@ /cryptography-40.0.1-vendor.tar.bz2 /cryptography-40.0.2.tar.gz /cryptography-40.0.2-vendor.tar.bz2 +/cryptography-41.0.3.tar.gz +/cryptography-41.0.3-vendor.tar.bz2 diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch new file mode 100644 index 0000000..692232a --- /dev/null +++ b/pyo3-0.19.patch 
@@ -0,0 +1,52 @@
+diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
+index 01fba147e..9dd060f8b 100644
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -9,7 +9,7 @@ rust-version = "1.56.0"
+
+ [dependencies]
+ once_cell = "1"
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ asn1 = { version = "0.15.2", default-features = false }
+ cryptography-cffi = { path = "cryptography-cffi" }
+ cryptography-x509 = { path = "cryptography-x509" }
+diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
+index 65051c2a4..24e53991b 100644
+--- a/src/rust/cryptography-cffi/Cargo.toml
++++ b/src/rust/cryptography-cffi/Cargo.toml
+@@ -8,7 +8,7 @@ publish = false
+ rust-version = "1.56.0"
+
+ [dependencies]
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ openssl-sys = "0.9.88"
+
+ [build-dependencies]
+diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
+index 923015035..1380d6eb8 100644
+--- a/src/rust/src/x509/crl.rs
++++ b/src/rust/src/x509/crl.rs
+@@ -145,7 +145,7 @@ impl CertificateRevocationList {
+ revoked_certs
+ });
+
+- if idx.is_instance_of::()? {
++ if idx.is_instance_of::() {
+ let indices = idx
+ .downcast::()?
+ .indices(self.len().try_into().unwrap())?;
+diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
+index 98d1bd63b..dcf28833f 100644
+--- a/src/rust/src/x509/extensions.rs
++++ b/src/rust/src/x509/extensions.rs
+@@ -211,7 +211,7 @@ fn encode_certificate_policies(
+ let mut qualifiers = vec![];
+ for py_qualifier in py_policy_qualifiers.iter()? {
+ let py_qualifier = py_qualifier?;
+- let qualifier = if py_qualifier.is_instance_of::()? {
++ let qualifier = if py_qualifier.is_instance_of::() {
+ let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
+ Some(s) => s,
+ None => {
diff --git a/python-cryptography.spec b/python-cryptography.spec index 0323ca3..0365a9a 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 40.0.2 -Release: 5%{?dist} +Version: 41.0.3 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,6 +19,8 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +Patch1: pyo3-0.19.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -69,8 +71,10 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -n %{srcname}-%{version} +%autosetup -p1 -N -n %{srcname}-%{version} %if 0%{?fedora} +# patch pyo3 depedency +%autopatch -p1 1 %cargo_prep rm src/rust/Cargo.lock %else @@ -131,6 +135,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Aug 09 2023 Christian Heimes - 41.0.3-1 +- Update to 41.0.3, resolves rhbz#2211237 +- Use pyo3 0.19 + * Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild diff --git a/sources b/sources index 3532c84..f529925 100644 --- a/sources +++ b/sources 
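Review bot: `Patch1: pyo3-0.19.patch` is added with no provenance comment, whereas the CVE patch that previously occupied `Patch1` carried its upstream pull-request URL. This patch changes dependency versions in two `Cargo.toml` files and edits `crl.rs` and `extensions.rs`, so a reviewer needs to know whether it is a backport or a downstream-only change. I would add a line such as `# downstream only: build against the pyo3 0.19 packaged in Fedora (upstream reference: <UPSTREAM-COMMIT-OR-PR>)` above it. The `%prep` comment added in the third hunk also has a typo, `depedency`.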
@@ -1,2 +1,2 @@ -SHA512 (cryptography-40.0.2.tar.gz) = 4f49a71cc7348cf90ff4e67d73486a07e065efdc3e321c7f2a642dd459057a90b1c26055bdbed076ebe5b8ea4ec544aaa62b9811fd62f0d818af7e0687b4aa9e -SHA512 (cryptography-40.0.2-vendor.tar.bz2) = d45692545b50a1995837ec61b193f395bf4de021e3c4f059e3c3cc705b1b09628b1e8f00efd1d0f3f0936dc66e39cb2ac9defe484f952552e7b0e402e947fd6d +SHA512 (cryptography-41.0.3.tar.gz) = a1b3c922dc1cc527af152e3d26d65754806c4eeef5e3bcb13e5d86e67c618a7a04de6ca182bc332ff36f3c670b9e5581e6f609f738e0236ada89aa65681fa0cd +SHA512 (cryptography-41.0.3-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 From c8cc5d4cdc2023b87412484beb7b46cb4d94322f Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Mon, 14 Aug 2023 07:24:10 +0200 Subject: [PATCH 55/90] Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 --- ouroboros-0.17.patch | 13 +++++++++++++ python-cryptography.spec | 9 +++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 ouroboros-0.17.patch diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch new file mode 100644 index 0000000..a41a2c3 --- /dev/null +++ b/ouroboros-0.17.patch @@ -0,0 +1,13 @@ +diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml +index 9dd060f8b..8004c7e76 100644 +--- a/src/rust/Cargo.toml ++++ b/src/rust/Cargo.toml +@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } + cryptography-x509 = { path = "cryptography-x509" } + cryptography-openssl = { path = "cryptography-openssl" } + pem = "1.1" +-ouroboros = "0.15" ++ouroboros = "0.17" + openssl = "0.10.54" + openssl-sys = "0.9.88" + foreign-types-shared = "0.1" diff --git a/python-cryptography.spec b/python-cryptography.spec index 0365a9a..567841d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -20,6 +20,7 @@ Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py Patch1: pyo3-0.19.patch +Patch2: ouroboros-0.17.patch ExclusiveArch: %{rust_arches} @@ -73,8 +74,9 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} %if 0%{?fedora} -# patch pyo3 depedency +# patch pyo3 and ouroboros depedency %autopatch -p1 1 +%autopatch -p1 2 %cargo_prep rm src/rust/Cargo.lock %else @@ -135,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Aug 14 2023 Christian Heimes - 41.0.3-2 +- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 + * Wed Aug 09 2023 Christian Heimes - 41.0.3-1 - Update to 41.0.3, resolves rhbz#2211237 - Use pyo3 0.19 From bee6bfddb5dfa6a012d396b73a9ca7b76c336ed4 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 26 Oct 2023 17:20:09 +0200 Subject: [PATCH 56/90] Update to 41.0.5, resolves RHBZ#2239707 --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index e69e967..51aeae3 100644 --- a/.gitignore +++ b/.gitignore @@ -57,3 +57,5 @@ /cryptography-40.0.2-vendor.tar.bz2 /cryptography-41.0.3.tar.gz /cryptography-41.0.3-vendor.tar.bz2 +/cryptography-41.0.5-vendor.tar.bz2 +/cryptography-41.0.5.tar.gz diff --git a/python-cryptography.spec b/python-cryptography.spec index 567841d..311aa65 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
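Review bot: `%autopatch -p1 2` is placed inside `%if 0%{?fedora}`, so the ouroboros 0.17 bump that this commit credits with fixing RUSTSEC-2023-0042 is applied only when building against RPM-packaged crates. The `%else` branch builds from `cryptography-%{version}-vendor.tar.bz2`, and the diffstat shows the commit touches only `ouroboros-0.17.patch` and the spec, not `sources`, so a RHEL-style build presumably still compiles whatever ouroboros version was vendored earlier. Either regenerate the vendor tarball from the patched `Cargo.toml` in the same commit, or state in the changelog entry that the advisory is addressed for Fedora builds only.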
@@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.3 -Release: 2%{?dist} +Version: 41.0.5 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Oct 26 2023 Christian Heimes - 41.0.5-1 +- Update to 41.0.5, resolves RHBZ#2239707 + * Mon Aug 14 2023 Christian Heimes - 41.0.3-2 - Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 diff --git a/sources b/sources index f529925..7c4beae 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.3.tar.gz) = a1b3c922dc1cc527af152e3d26d65754806c4eeef5e3bcb13e5d86e67c618a7a04de6ca182bc332ff36f3c670b9e5581e6f609f738e0236ada89aa65681fa0cd -SHA512 (cryptography-41.0.3-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 +SHA512 (cryptography-41.0.5.tar.gz) = b647b4f5155437242d7a31d84bd1cdc83284d96d334a3d6169533d597540f525d3f1686bab3a5fe3cb64a4fa6ded5e5d19489dfff0e93d86c274f20e69ca07e9 +SHA512 (cryptography-41.0.5-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 From 3f8bd894bea444ebc52aeb2924024a0ac13afd30 Mon Sep 17 00:00:00 2001 From: Fabio Valentini Date: Fri, 1 Dec 2023 16:14:04 +0100 Subject: [PATCH 57/90] Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 311aa65..a1c787e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
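Review bot: In the `sources` hunk the new `SHA512 (cryptography-41.0.5-vendor.tar.bz2)` value is identical to the digest being removed for `cryptography-41.0.3-vendor.tar.bz2` (both start `67f0575a1ff5`), so the vendored crate archive was carried over under a new name rather than regenerated. Builds that use the vendored crates would then compile the 41.0.3 dependency set against 41.0.5 sources, without any crate updates the new release expects and without the ouroboros change from the previous commit. I would rerun the `./vendor_rust.py` helper mentioned in the spec for 41.0.5 and commit the resulting digest, or note explicitly why reuse is intended.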
@@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 +- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) + * Thu Oct 26 2023 Christian Heimes - 41.0.5-1 - Update to 41.0.5, resolves RHBZ#2239707 From 1c91adf0cdbc7fa52ae7c5e8d67160a91dce666c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Mon, 22 Jan 2024 00:29:41 +0000 Subject: [PATCH 58/90] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index a1c787e..3f3be64 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.5 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 - Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) From cee9a5770df87232d5d199a4e4a1966231745fdf Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 26 Jan 2024 02:54:42 +0000 Subject: [PATCH 59/90] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/python-cryptography.spec b/python-cryptography.spec index 3f3be64..5849991 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From fdff266e83b3bbee278465a3c0652d733283b682 Mon Sep 17 00:00:00 2001 From: "Benjamin A. Beasley" Date: Thu, 1 Feb 2024 10:48:14 -0500 Subject: [PATCH 60/90] Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 51aeae3..c4051ad 100644 --- a/.gitignore +++ b/.gitignore @@ -59,3 +59,5 @@ /cryptography-41.0.3-vendor.tar.bz2 /cryptography-41.0.5-vendor.tar.bz2 /cryptography-41.0.5.tar.gz +/cryptography-41.0.7.tar.gz +/cryptography-41.0.7-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 5849991..0f4f843 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.5 -Release: 4%{?dist} +Version: 41.0.7 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, 
@@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 +- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 + * Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild diff --git a/sources b/sources index 7c4beae..44bd6ba 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.5.tar.gz) = b647b4f5155437242d7a31d84bd1cdc83284d96d334a3d6169533d597540f525d3f1686bab3a5fe3cb64a4fa6ded5e5d19489dfff0e93d86c274f20e69ca07e9 -SHA512 (cryptography-41.0.5-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 +SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 +SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e From 2b20ce4281d9888f5ab5931b8a2d4ddaeb1b5977 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 23 Jan 2024 12:09:52 +0100 Subject: [PATCH 61/90] Update to 42.0.5, resolves RHBZ#2251816 --- .gitignore | 2 + ouroboros-0.17.patch | 13 ------ pyo3-0.19.patch | 52 ----------------------- python-cryptography.spec | 38 +++++++++-------- skip-overflow-tests-32bit.patch | 73 +++++++++++++++++++++++++++++++++ sources | 4 +- vendor_rust.py | 2 +- 7 files changed, 100 insertions(+), 84 deletions(-) delete mode 100644 ouroboros-0.17.patch delete mode 100644 pyo3-0.19.patch create mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index c4051ad..578df22 100644 --- a/.gitignore +++ b/.gitignore 
@@ -61,3 +61,5 @@ /cryptography-41.0.5.tar.gz /cryptography-41.0.7.tar.gz /cryptography-41.0.7-vendor.tar.bz2 +/cryptography-42.0.5.tar.gz +/cryptography-42.0.5-vendor.tar.bz2 diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch deleted file mode 100644 index a41a2c3..0000000 --- a/ouroboros-0.17.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml -index 9dd060f8b..8004c7e76 100644 ---- a/src/rust/Cargo.toml -+++ b/src/rust/Cargo.toml -@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } - cryptography-x509 = { path = "cryptography-x509" } - cryptography-openssl = { path = "cryptography-openssl" } - pem = "1.1" --ouroboros = "0.15" -+ouroboros = "0.17" - openssl = "0.10.54" - openssl-sys = "0.9.88" - foreign-types-shared = "0.1" diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch deleted file mode 100644 index 692232a..0000000 --- a/pyo3-0.19.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml -index 01fba147e..9dd060f8b 100644 ---- a/src/rust/Cargo.toml -+++ b/src/rust/Cargo.toml -@@ -9,7 +9,7 @@ rust-version = "1.56.0" - - [dependencies] - once_cell = "1" --pyo3 = { version = "0.18", features = ["abi3-py37"] } -+pyo3 = { version = "0.19", features = ["abi3-py37"] } - asn1 = { version = "0.15.2", default-features = false } - cryptography-cffi = { path = "cryptography-cffi" } - cryptography-x509 = { path = "cryptography-x509" } -diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml -index 65051c2a4..24e53991b 100644 ---- a/src/rust/cryptography-cffi/Cargo.toml -+++ b/src/rust/cryptography-cffi/Cargo.toml -@@ -8,7 +8,7 @@ publish = false - rust-version = "1.56.0" - - [dependencies] --pyo3 = { version = "0.18", features = ["abi3-py37"] } -+pyo3 = { version = "0.19", features = ["abi3-py37"] } - openssl-sys = "0.9.88" - - [build-dependencies] -diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs -index 923015035..1380d6eb8 100644 ---- a/src/rust/src/x509/crl.rs -+++ b/src/rust/src/x509/crl.rs -@@ -145,7 +145,7 @@ impl CertificateRevocationList { - revoked_certs - }); - -- if idx.is_instance_of::()? { -+ if idx.is_instance_of::() { - let indices = idx - .downcast::()? - .indices(self.len().try_into().unwrap())?; -diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs -index 98d1bd63b..dcf28833f 100644 ---- a/src/rust/src/x509/extensions.rs -+++ b/src/rust/src/x509/extensions.rs -@@ -211,7 +211,7 @@ fn encode_certificate_policies( - let mut qualifiers = vec![]; - for py_qualifier in py_policy_qualifiers.iter()? { - let py_qualifier = py_qualifier?; -- let qualifier = if py_qualifier.is_instance_of::()? { -+ let qualifier = if py_qualifier.is_instance_of::() { - let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) { - Some(s) => s, - None => { 
diff --git a/python-cryptography.spec b/python-cryptography.spec index 0f4f843..8a592eb 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.7 +Version: 42.0.5 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -19,8 +19,7 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: pyo3-0.19.patch -Patch2: ouroboros-0.17.patch +Patch1: skip-overflow-tests-32bit.patch ExclusiveArch: %{rust_arches} @@ -29,8 +28,6 @@ BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging -# test_load_with_other_sections in 40.0 fails with pem 1.1.0 -BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -48,6 +45,7 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif +BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 @@ -73,10 +71,8 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} -%if 0%{?fedora} -# patch pyo3 and ouroboros depedency %autopatch -p1 1 -%autopatch -p1 2 +%if 0%{?fedora} %cargo_prep rm src/rust/Cargo.lock %else 
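Review bot: `Patch1: skip-overflow-tests-32bit.patch` is added in the `@@ -19,8 +19,7 @@` hunk with no comment saying where it comes from or when it can be dropped. The patch file added later in this commit carries a `From d741901dddd7…` header and only changes `tests/hazmat/primitives/test_aead.py`, so it looks like an upstream backport that affects tests alone. A line such as `# Upstream d741901dddd7: skip overflow AEAD tests on 32-bit; drop once part of a release` above it would let the next rebase remove it safely. The same uncommented `Patch1` line returns in PATCH 65/90.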
@@ -84,27 +80,33 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -%if 0%{?fedora} +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml + + %generate_buildrequires +%pyproject_buildrequires -t +%if 0%{?fedora} # Fedora: use RPMified crates cd src/rust %cargo_generate_buildrequires cd ../.. %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -%py3_build +%pyproject_wheel + %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%py3_install +%pyproject_install +%pyproject_save_files %{srcname} + %check %if %{with tests} @@ -130,13 +132,17 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif -%files -n python%{python3_pkgversion}-%{srcname} + +%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD -%{python3_sitearch}/%{srcname} -%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info + %changelog +* Wed Mar 06 2024 Christian Heimes - 42.0.1-5 +- Update to 42.0.5, resolves RHBZ#2251816 +- Modernize spec file to use pyproject RPM macros + * Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch new file mode 100644 index 0000000..1dec3d9 --- /dev/null +++ b/skip-overflow-tests-32bit.patch 
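Review bot: The added `%changelog` header ends in `42.0.1-5`, which does not match the `Version: 42.0.5` and `Release: 1%{?dist}` that this commit sets; it should end in `42.0.5-1`. The changelog is what people and tooling read to tell which build carries a given fix, so a wrong version-release there misleads anyone checking whether RHBZ#2251816 is resolved in an installed package. rpmlint reports this mismatch as `incoherent-version-in-changelog`.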
@@ -0,0 +1,73 @@ +From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 8 Feb 2024 09:11:21 -0600 +Subject: [PATCH] skip overflow aead tests on 32-bit systems + +--- + tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py +index a1f99ab815ed..2f0d52d82682 100644 +--- a/tests/hazmat/primitives/test_aead.py ++++ b/tests/hazmat/primitives/test_aead.py +@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): + ) + class TestChaCha20Poly1305: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = ChaCha20Poly1305.generate_key() +@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESCCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESCCM.generate_key(128) +@@ -378,7 +380,8 @@ def _load_gcm_vectors(): + + class TestAESGCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCM.generate_key(128) +@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): + ) + class TestAESOCB3: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key 
= AESOCB3.generate_key(128) +@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESSIV.generate_key(256) +@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESGCMSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index 44bd6ba..0e97b72 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 -SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e +SHA512 (cryptography-42.0.5.tar.gz) = 112a1f6395e0c9bf646118100c6285684eabf021d7c8912bbdbc165d5c27fbf9f9f2fffb144d63453b21f8461a172ab49d2b79ed2b80f409489a07d5ddc54bc9 +SHA512 (cryptography-42.0.5-vendor.tar.bz2) = 5c8da064f28183d759f0e39077f671297abedd43b40461a6e9fe2390e142945dc5ee54cdf4cfbbc33d9973a9bd95f33312dd5888e2422569f18b4a17ff75f6c4 diff --git a/vendor_rust.py b/vendor_rust.py index cd8355e..eb53abd 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -12,7 +12,7 @@ import sys VENDOR_DIR = "vendor" CARGO_TOML = "src/rust/Cargo.toml" -RE_VERSION = re.compile("Version:\s*(.*)") +RE_VERSION = re.compile(r"Version:\s*(.*)") parser = argparse.ArgumentParser(description="Vendor Rust packages") parser.add_argument( From 2220bc3f080af3e3a474ad8ffcd8ae79bf020ee6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Tue, 28 May 2024 13:29:39 +0200 Subject: [PATCH 62/90] Revert "Update to 42.0.5, resolves RHBZ#2251816" This reverts commit 2b20ce4281d9888f5ab5931b8a2d4ddaeb1b5977. --- .gitignore | 2 - ouroboros-0.17.patch | 13 ++++++ pyo3-0.19.patch | 52 +++++++++++++++++++++++ python-cryptography.spec | 38 ++++++++--------- skip-overflow-tests-32bit.patch | 73 --------------------------------- sources | 4 +- vendor_rust.py | 2 +- 7 files changed, 84 insertions(+), 100 deletions(-) create mode 100644 ouroboros-0.17.patch create mode 100644 pyo3-0.19.patch delete mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index 578df22..c4051ad 100644 --- a/.gitignore +++ b/.gitignore @@ -61,5 +61,3 @@ /cryptography-41.0.5.tar.gz /cryptography-41.0.7.tar.gz /cryptography-41.0.7-vendor.tar.bz2 -/cryptography-42.0.5.tar.gz -/cryptography-42.0.5-vendor.tar.bz2 diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch new file mode 100644 index 0000000..a41a2c3 --- /dev/null +++ b/ouroboros-0.17.patch @@ -0,0 +1,13 @@ +diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml +index 9dd060f8b..8004c7e76 100644 +--- a/src/rust/Cargo.toml ++++ b/src/rust/Cargo.toml +@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } + cryptography-x509 = { path = "cryptography-x509" } + cryptography-openssl = { path = "cryptography-openssl" } + pem = "1.1" +-ouroboros = "0.15" ++ouroboros = "0.17" + openssl = "0.10.54" + openssl-sys = "0.9.88" + foreign-types-shared = "0.1" diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch new file mode 100644 index 0000000..692232a --- /dev/null +++ b/pyo3-0.19.patch 
@@ -0,0 +1,52 @@ +diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml +index 01fba147e..9dd060f8b 100644 +--- a/src/rust/Cargo.toml ++++ b/src/rust/Cargo.toml +@@ -9,7 +9,7 @@ rust-version = "1.56.0" + + [dependencies] + once_cell = "1" +-pyo3 = { version = "0.18", features = ["abi3-py37"] } ++pyo3 = { version = "0.19", features = ["abi3-py37"] } + asn1 = { version = "0.15.2", default-features = false } + cryptography-cffi = { path = "cryptography-cffi" } + cryptography-x509 = { path = "cryptography-x509" } +diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml +index 65051c2a4..24e53991b 100644 +--- a/src/rust/cryptography-cffi/Cargo.toml ++++ b/src/rust/cryptography-cffi/Cargo.toml +@@ -8,7 +8,7 @@ publish = false + rust-version = "1.56.0" + + [dependencies] +-pyo3 = { version = "0.18", features = ["abi3-py37"] } ++pyo3 = { version = "0.19", features = ["abi3-py37"] } + openssl-sys = "0.9.88" + + [build-dependencies] +diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs +index 923015035..1380d6eb8 100644 +--- a/src/rust/src/x509/crl.rs ++++ b/src/rust/src/x509/crl.rs +@@ -145,7 +145,7 @@ impl CertificateRevocationList { + revoked_certs + }); + +- if idx.is_instance_of::()? { ++ if idx.is_instance_of::() { + let indices = idx + .downcast::()? + .indices(self.len().try_into().unwrap())?; +diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs +index 98d1bd63b..dcf28833f 100644 +--- a/src/rust/src/x509/extensions.rs ++++ b/src/rust/src/x509/extensions.rs +@@ -211,7 +211,7 @@ fn encode_certificate_policies( + let mut qualifiers = vec![]; + for py_qualifier in py_policy_qualifiers.iter()? { + let py_qualifier = py_qualifier?; +- let qualifier = if py_qualifier.is_instance_of::()? { ++ let qualifier = if py_qualifier.is_instance_of::() { + let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) { + Some(s) => s, + None => { 
diff --git a/python-cryptography.spec b/python-cryptography.spec index 8a592eb..0f4f843 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 42.0.5 +Version: 41.0.7 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -19,7 +19,8 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: skip-overflow-tests-32bit.patch +Patch1: pyo3-0.19.patch +Patch2: ouroboros-0.17.patch ExclusiveArch: %{rust_arches} @@ -28,6 +29,8 @@ BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging +# test_load_with_other_sections in 40.0 fails with pem 1.1.0 +BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -45,7 +48,6 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif -BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 @@ -71,8 +73,10 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} -%autopatch -p1 1 %if 0%{?fedora} +# patch pyo3 and ouroboros depedency +%autopatch -p1 1 +%autopatch -p1 2 %cargo_prep rm src/rust/Cargo.lock %else 
@@ -80,33 +84,27 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml - - -%generate_buildrequires -%pyproject_buildrequires -t %if 0%{?fedora} +%generate_buildrequires # Fedora: use RPMified crates cd src/rust %cargo_generate_buildrequires cd ../.. %endif +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -%pyproject_wheel - +%py3_build %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%pyproject_install -%pyproject_save_files %{srcname} - +%py3_install %check %if %{with tests} @@ -132,17 +130,13 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif - -%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} +%files -n python%{python3_pkgversion}-%{srcname} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD - +%{python3_sitearch}/%{srcname} +%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog -* Wed Mar 06 2024 Christian Heimes - 42.0.1-5 -- Update to 42.0.5, resolves RHBZ#2251816 -- Modernize spec file to use pyproject RPM macros - * Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch deleted file mode 100644 index 1dec3d9..0000000 --- a/skip-overflow-tests-32bit.patch +++ /dev/null 
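Review bot: `Version` goes back from 42.0.5 to 41.0.7 while `Release: 1%{?dist}` stays unchanged and the `%changelog` hunk only deletes the 42.0.5 entry, so the revert produces the same version-release as the earlier 41.0.7-1 build and leaves no record of the downgrade. If a 42.0.5-1 build was ever published (not visible here), installed systems will not move back to 41.0.7 without an `Epoch:` bump and would stay on a build the maintainers withdrew. I would bump `Release` in the revert itself and add an entry such as `- Revert to 41.0.7 (reverts the 42.0.5 update)`; whether `Epoch:` is needed depends on the build history.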
@@ -1,73 +0,0 @@ -From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Thu, 8 Feb 2024 09:11:21 -0600 -Subject: [PATCH] skip overflow aead tests on 32-bit systems - ---- - tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py -index a1f99ab815ed..2f0d52d82682 100644 ---- a/tests/hazmat/primitives/test_aead.py -+++ b/tests/hazmat/primitives/test_aead.py -@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): - ) - class TestChaCha20Poly1305: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = ChaCha20Poly1305.generate_key() -@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESCCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESCCM.generate_key(128) -@@ -378,7 +380,8 @@ def _load_gcm_vectors(): - - class TestAESGCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCM.generate_key(128) -@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): - ) - class TestAESOCB3: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key 
= AESOCB3.generate_key(128) -@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESSIV.generate_key(256) -@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESGCMSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index 0e97b72..44bd6ba 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-42.0.5.tar.gz) = 112a1f6395e0c9bf646118100c6285684eabf021d7c8912bbdbc165d5c27fbf9f9f2fffb144d63453b21f8461a172ab49d2b79ed2b80f409489a07d5ddc54bc9 -SHA512 (cryptography-42.0.5-vendor.tar.bz2) = 5c8da064f28183d759f0e39077f671297abedd43b40461a6e9fe2390e142945dc5ee54cdf4cfbbc33d9973a9bd95f33312dd5888e2422569f18b4a17ff75f6c4 +SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 +SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e diff --git a/vendor_rust.py b/vendor_rust.py index eb53abd..cd8355e 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -12,7 +12,7 @@ import sys VENDOR_DIR = "vendor" CARGO_TOML = "src/rust/Cargo.toml" -RE_VERSION = re.compile(r"Version:\s*(.*)") +RE_VERSION = re.compile("Version:\s*(.*)") parser = argparse.ArgumentParser(description="Vendor Rust packages") parser.add_argument( From 1eecfff494b2e21e4fd11706b1259a8fce0b762e Mon Sep 17 00:00:00 2001 
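Review bot: The revert also undoes an unrelated fix in `vendor_rust.py`: `re.compile("Version:\s*(.*)")` puts `\s` in a normal string literal, which is an invalid escape sequence and raises a `SyntaxWarning` on Python 3.12 and later. The pattern still matches today, but the raw-string form is the correct one and should be kept through the revert: `RE_VERSION = re.compile(r"Version:\s*(.*)")`. The rest of the script lies outside this hunk.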
From: Python Maint Date: Fri, 7 Jun 2024 22:03:00 +0200 Subject: [PATCH 63/90] Bootstrap for Python 3.13 --- python-cryptography.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 0f4f843..6d4be22 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -6,7 +7,7 @@ Name: python-%{srcname} Version: 41.0.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +138,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jun 07 2024 Python Maint - 41.0.7-2 +- Bootstrap for Python 3.13 + * Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 From a7c29b32fa3b30a50a63ef143725235bcabc7930 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Sat, 8 Jun 2024 08:13:50 +0200 Subject: [PATCH 64/90] Rebuilt for Python 3.13 --- python-cryptography.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 6d4be22..52208e8 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -7,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, 
@@ -138,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Sat Jun 08 2024 Python Maint - 41.0.7-3 +- Rebuilt for Python 3.13 + * Fri Jun 07 2024 Python Maint - 41.0.7-2 - Bootstrap for Python 3.13 From cb16ef22f994a7232a1c9825f4cb99473cfae70d Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Tue, 2 Jul 2024 11:50:53 -0400 Subject: [PATCH 65/90] Update to 42.0.8, resolves RHBZ#2251816" This reverts commit 2220bc3f080af3e3a474ad8ffcd8ae79bf020ee6 and bumps the version up from 42.0.5 to 42.0.8. Additionally, a dependency on the openssl-devel-engine is necessary. Longer-term this should be dropped[0]. [0] https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine Co-authored-by: Christian Heimes --- .gitignore | 4 ++ ouroboros-0.17.patch | 13 ------ pyo3-0.19.patch | 52 ----------------------- python-cryptography.spec | 37 +++++++++-------- skip-overflow-tests-32bit.patch | 73 +++++++++++++++++++++++++++++++++ sources | 4 +- vendor_rust.py | 2 +- 7 files changed, 100 insertions(+), 85 deletions(-) delete mode 100644 ouroboros-0.17.patch delete mode 100644 pyo3-0.19.patch create mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index c4051ad..79738f6 100644 --- a/.gitignore +++ b/.gitignore @@ -61,3 +61,7 @@ /cryptography-41.0.5.tar.gz /cryptography-41.0.7.tar.gz /cryptography-41.0.7-vendor.tar.bz2 +/cryptography-42.0.5.tar.gz +/cryptography-42.0.5-vendor.tar.bz2 +/cryptography-42.0.8.tar.gz +/cryptography-42.0.8-vendor.tar.bz2 diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch deleted file mode 100644 index a41a2c3..0000000 --- a/ouroboros-0.17.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml -index 9dd060f8b..8004c7e76 100644 ---- a/src/rust/Cargo.toml -+++ b/src/rust/Cargo.toml -@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } - cryptography-x509 = { path = "cryptography-x509" } - cryptography-openssl = { path = "cryptography-openssl" } - pem = "1.1" --ouroboros = "0.15" -+ouroboros = "0.17" - openssl = "0.10.54" - openssl-sys = "0.9.88" - foreign-types-shared = "0.1" diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch deleted file mode 100644 index 692232a..0000000 --- a/pyo3-0.19.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml -index 01fba147e..9dd060f8b 100644 ---- a/src/rust/Cargo.toml -+++ b/src/rust/Cargo.toml -@@ -9,7 +9,7 @@ rust-version = "1.56.0" - - [dependencies] - once_cell = "1" --pyo3 = { version = "0.18", features = ["abi3-py37"] } -+pyo3 = { version = "0.19", features = ["abi3-py37"] } - asn1 = { version = "0.15.2", default-features = false } - cryptography-cffi = { path = "cryptography-cffi" } - cryptography-x509 = { path = "cryptography-x509" } -diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml -index 65051c2a4..24e53991b 100644 ---- a/src/rust/cryptography-cffi/Cargo.toml -+++ b/src/rust/cryptography-cffi/Cargo.toml -@@ -8,7 +8,7 @@ publish = false - rust-version = "1.56.0" - - [dependencies] --pyo3 = { version = "0.18", features = ["abi3-py37"] } -+pyo3 = { version = "0.19", features = ["abi3-py37"] } - openssl-sys = "0.9.88" - - [build-dependencies] -diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs -index 923015035..1380d6eb8 100644 ---- a/src/rust/src/x509/crl.rs -+++ b/src/rust/src/x509/crl.rs -@@ -145,7 +145,7 @@ impl CertificateRevocationList { - revoked_certs - }); - -- if idx.is_instance_of::()? { -+ if idx.is_instance_of::() { - let indices = idx - .downcast::()? - .indices(self.len().try_into().unwrap())?; -diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs -index 98d1bd63b..dcf28833f 100644 ---- a/src/rust/src/x509/extensions.rs -+++ b/src/rust/src/x509/extensions.rs -@@ -211,7 +211,7 @@ fn encode_certificate_policies( - let mut qualifiers = vec![]; - for py_qualifier in py_policy_qualifiers.iter()? { - let py_qualifier = py_qualifier?; -- let qualifier = if py_qualifier.is_instance_of::()? { -+ let qualifier = if py_qualifier.is_instance_of::() { - let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) { - Some(s) => s, - None => { 
diff --git a/python-cryptography.spec b/python-cryptography.spec index 52208e8..e0a00e6 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.7 -Release: 3%{?dist} +Version: 42.0.8 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,18 +19,16 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: pyo3-0.19.patch -Patch2: ouroboros-0.17.patch +Patch1: skip-overflow-tests-32bit.patch ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel +BuildRequires: openssl-devel-engine BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging -# test_load_with_other_sections in 40.0 fails with pem 1.1.0 -BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -48,6 +46,7 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif +BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 @@ -73,10 +72,8 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} -%if 0%{?fedora} -# patch pyo3 and ouroboros depedency %autopatch -p1 1 -%autopatch -p1 2 +%if 0%{?fedora} %cargo_prep rm src/rust/Cargo.lock %else 
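Review bot: The added `BuildRequires: openssl-devel-engine` in the `@@ -19,18 +19,16 @@` hunk has no comment, although the commit message calls it a dependency that should be dropped longer-term. I would record that next to the line, e.g. `# ENGINE headers needed to build 42.0.8; drop per https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine`, so the deprecated API is not carried in the build longer than necessary. The same hunk adds `Patch1: skip-overflow-tests-32bit.patch` without an upstream-status comment. The patch header names upstream commit d741901dddd731895346636c0d3556c6fa51fbe6, which is worth citing above the `Patch1:` line.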
@@ -84,27 +81,33 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -%if 0%{?fedora} +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml + + %generate_buildrequires +%pyproject_buildrequires -t +%if 0%{?fedora} # Fedora: use RPMified crates cd src/rust %cargo_generate_buildrequires cd ../.. %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -%py3_build +%pyproject_wheel + %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%py3_install +%pyproject_install +%pyproject_save_files %{srcname} + %check %if %{with tests} @@ -130,11 +133,11 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif -%files -n python%{python3_pkgversion}-%{srcname} + +%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD -%{python3_sitearch}/%{srcname} -%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info + %changelog * Sat Jun 08 2024 Python Maint - 41.0.7-3 diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch new file mode 100644 index 0000000..1dec3d9 --- /dev/null +++ b/skip-overflow-tests-32bit.patch 
@@ -0,0 +1,73 @@ +From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 8 Feb 2024 09:11:21 -0600 +Subject: [PATCH] skip overflow aead tests on 32-bit systems + +--- + tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py +index a1f99ab815ed..2f0d52d82682 100644 +--- a/tests/hazmat/primitives/test_aead.py ++++ b/tests/hazmat/primitives/test_aead.py +@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): + ) + class TestChaCha20Poly1305: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = ChaCha20Poly1305.generate_key() +@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESCCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESCCM.generate_key(128) +@@ -378,7 +380,8 @@ def _load_gcm_vectors(): + + class TestAESGCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCM.generate_key(128) +@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): + ) + class TestAESOCB3: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key 
= AESOCB3.generate_key(128) +@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESSIV.generate_key(256) +@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESGCMSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index 44bd6ba..e9ffcca 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 -SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e +SHA512 (cryptography-42.0.8.tar.gz) = 969e76f9605795e9126a5b896d73e5a958654bf50dd99dbb5d08dac26abb0c45c1695cfb6a114ca22360986fe711bbf3b1ecb6c45955154c352ae3e6ece25568 +SHA512 (cryptography-42.0.8-vendor.tar.bz2) = 57e60a7ae729e2870f1ee07c9978a56a6095f33b0797efcae0846ed53772d24c02528a5906c32941ed58751bdff7a147d094c0deeda3b5593f9892b20725d48c diff --git a/vendor_rust.py b/vendor_rust.py index cd8355e..eb53abd 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -12,7 +12,7 @@ import sys VENDOR_DIR = "vendor" CARGO_TOML = "src/rust/Cargo.toml" -RE_VERSION = re.compile("Version:\s*(.*)") +RE_VERSION = re.compile(r"Version:\s*(.*)") parser = argparse.ArgumentParser(description="Vendor Rust packages") parser.add_argument( From 3d1bdaeb4555273c696fb56a33e19b5e0b28e927 Mon Sep 17 00:00:00 2001 
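Review bot: `RE_VERSION` in vendor_rust.py is still unanchored after the raw-string fix, so depending on how it is applied (the call site is outside this hunk) it can match a `Version:` inside a comment or another tag. The `(.*)` group also captures any trailing whitespace. The captured value presumably ends up in the vendor tarball name, so a stricter pattern would be safer: `RE_VERSION = re.compile(r"^Version:\s*(\S+)", re.MULTILINE)`.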
From: Jeremy Cline Date: Wed, 3 Jul 2024 10:26:37 -0400 Subject: [PATCH 66/90] Switch to autorelease and autochangelog macros I forgot to bump manually add a changelog entry for the 42.0.8 update. Let's make that impossible in the future. [skip changelog] --- changelog | 248 +++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 248 +-------------------------------------- 2 files changed, 250 insertions(+), 246 deletions(-) create mode 100644 changelog diff --git a/changelog b/changelog new file mode 100644 index 0000000..fa06f3e --- /dev/null +++ b/changelog 
@@ -0,0 +1,248 @@ +* Tue Jul 02 2024 Jeremy Cline - 42.0.8-1 +- Update to 42.0.8, fixes rhbz#2251816 + +* Sat Jun 08 2024 Python Maint - 41.0.7-3 +- Rebuilt for Python 3.13 + +* Fri Jun 07 2024 Python Maint - 41.0.7-2 +- Bootstrap for Python 3.13 + +* Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 +- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 + +* Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 +- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) + +* Thu Oct 26 2023 Christian Heimes - 41.0.5-1 +- Update to 41.0.5, resolves RHBZ#2239707 + +* Mon Aug 14 2023 Christian Heimes - 41.0.3-2 +- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 + +* Wed Aug 09 2023 Christian Heimes - 41.0.3-1 +- Update to 41.0.3, resolves rhbz#2211237 +- Use pyo3 0.19 + +* Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Mon Jul 10 2023 Python Maint - 40.0.2-4 +- Rebuilt for Python 3.12 + +* Wed Jun 14 2023 Python Maint - 40.0.2-3 +- Bootstrap for Python 3.12 + +* Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 +- Use vendored rust-pem in RHEL builds + +* Tue Apr 18 2023 Christian Heimes - 40.0.2-1 +- Update to 40.0.2, resolves rhbz#2181430 + +* Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 +- Don't run tests requiring pytz on RHEL +- Don't try to run tests of vendored dependencies in %%check + +* Sat Mar 04 2023 Christian Heimes - 39.0.2-1 +- Update to 39.0.2, resolves rhbz#2124729 + +* Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 +- Ensure correct compiler flags are used for Rust code. 
+ +* Wed Feb 22 2023 Christian Heimes - 37.0.2-8 +- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 +- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 + +* Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Dec 09 2022 Christian Heimes - 37.0.2-6 +- Enable SHA1 signatures in test suite (ELN-only) + +* Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 +- Drop unused requirement of python3-six + +* Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Tue Jun 14 2022 Python Maint - 37.0.2-3 +- Rebuilt for Python 3.11 + +* Tue Jun 14 2022 Python Maint - 37.0.2-2 +- Bootstrap for Python 3.11 + +* Thu May 05 2022 Christian Heimes - 37.0.2-1 +- Update to 37.0.2, resolves rhbz#2078968 + +* Thu Jan 27 2022 Christian Heimes - 36.0.0-3 +- Skip unstable memleak tests, resolves: RHBZ#2042413 + +* Fri Jan 21 2022 Fedora Release Engineering - 36.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Mon Nov 22 2021 Christian Heimes - 36.0.0-1 +- Update to 36.0.0, fixes RHBZ#2025347 + +* Thu Sep 30 2021 Christian Heimes - 35.0.0-2 +- Require rust-asn1 >= 0.6.4 + +* Thu Sep 30 2021 Christian Heimes - 35.0-1 +- Update to 35.0.0 (#2009117) + +* Tue Sep 14 2021 Sahana Prasad - 3.4.7-6 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Jul 23 2021 Fedora Release Engineering - 3.4.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Thu Jun 10 2021 Stephen Gallagher - 3.4.7-4 +- Don't conditionalize Source: directives + +* Wed Jun 02 2021 Python Maint - 3.4.7-3 +- Rebuilt for Python 3.10 + +* Tue May 11 2021 Christian Heimes - 3.4.7-2 +- Fix compatibility issue with Python 3.10. Enums now use same + representation as on Python 3.9. (#1952522) +- Backport OpenSSL 3.0.0 compatibility patches. 
+ +* Wed Apr 21 2021 Christian Heimes - 3.4.7-1 +- Update to 3.4.7 +- Remove dependency on python-cryptography-vectors package and use vectors + directly from Github source tar ball. (#1952024) + +* Wed Mar 03 2021 Christian Heimes - 3.4.6-1 +- Update to 3.4.6 (#1927044) + +* Mon Feb 15 2021 Christian Heimes - 3.4.5-1 +- Update to 3.4.5 (#1927044) + +* Fri Feb 12 2021 Christian Heimes - 3.4.4-3 +- Skip iso8601 and pretend tests on RHEL + +* Fri Feb 12 2021 Christian Heimes - 3.4.4-2 +- Provide RHEL build infrastructure + +* Wed Feb 10 2021 Christian Heimes - 3.4.4-1 +- Update to 3.4.4 (#1927044) + +* Mon Feb 08 2021 Christian Heimes - 3.4.2-1 +- Update to 3.4.2 (#1926339) +- Package no longer depends on Rust (#1926181) + +* Mon Feb 08 2021 Fabio Valentini - 3.4.1-2 +- Use dynamically generated BuildRequires for PyO3 Rust module. +- Drop unnecessary CARGO_NET_OFFLINE environment variable. + +* Sun Feb 07 2021 Christian Heimes - 3.4.1-1 +- Update to 3.4.1 (#1925953) + +* Sun Feb 07 2021 Christian Heimes - 3.4-2 +- Add missing abi3 and pytest dependencies + +* Sun Feb 07 2021 Christian Heimes - 3.4-1 +- Update to 3.4 (#1925953) +- Remove Python 2 support +- Remove unused python-idna dependency +- Add Rust support + +* Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Dec 10 2020 Christian Heimes - 3.3.1-1 +- Update to 3.3.1 (#1905756) + +* Wed Oct 28 2020 Christian Heimes - 3.2.1-1 +- Update to 3.2.1 (#1892153) + +* Mon Oct 26 2020 Christian Heimes - 3.2-1 +- Update to 3.2 (#1891378) + +* Mon Sep 07 2020 Christian Heimes - 3.1-1 +- Update to 3.1 (#1872978) + +* Wed Jul 29 2020 Fedora Release Engineering - 3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 21 2020 Christian Heimes - 3.0-1 +- Update to 3.0 (#185897) + +* Sat May 23 2020 Miro Hrončok - 2.9-3 +- Rebuilt for Python 3.9 + +* Tue May 12 2020 Felix Schwarz - 2.9-2 +- add source file 
verification + +* Fri Apr 03 2020 Christian Heimes - 2.9-1 +- Update to 2.9 (#1820348) + +* Thu Jan 30 2020 Fedora Release Engineering - 2.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Jan 13 2020 Christian Heimes - 2.8-2 +- cryptography 2.8+ no longer depends on python-asn1crypto + +* Thu Oct 17 2019 Christian Heimes - 2.8-1 +- Update to 2.8 +- Resolves: rhbz#1762779 + +* Sun Oct 13 2019 Christian Heimes - 2.7-3 +- Skip unit tests that fail with OpenSSL 1.1.1.d +- Resolves: rhbz#1761194 +- Fix and simplify Python 3 packaging + +* Sat Oct 12 2019 Christian Heimes - 2.7-2 +- Drop Python 2 package +- Resolves: rhbz#1761081 + +* Tue Sep 03 2019 Randy Barlow - 2.7-1 +- Update to 2.7 (#1715680). + +* Fri Aug 16 2019 Miro Hrončok - 2.6.1-3 +- Rebuilt for Python 3.8 + +* Fri Jul 26 2019 Fedora Release Engineering - 2.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Feb 28 2019 Christian Heimes - 2.6.1-1 +- New upstream release 2.6.1, resolves RHBZ#1683691 + +* Wed Feb 13 2019 Alfredo Moralejo - 2.5-1 +- Updated to 2.5. 
+ +* Sat Feb 02 2019 Fedora Release Engineering - 2.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Aug 13 2018 Christian Heimes - 2.3-2 +- Use TLSv1.2 in test as workaround for RHBZ#1615143 + +* Wed Jul 18 2018 Christian Heimes - 2.3-1 +- New upstream release 2.3 +- Fix AEAD tag truncation bug, RHBZ#1602752 + +* Fri Jul 13 2018 Fedora Release Engineering - 2.2.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 15 2018 Miro Hrončok - 2.2.1-2 +- Rebuilt for Python 3.7 + +* Wed Mar 21 2018 Christian Heimes - 2.2.1-1 +- New upstream release 2.2.1 + +* Sun Feb 18 2018 Christian Heimes - 2.1.4-1 +- New upstream release 2.1.4 + +* Sun Feb 18 2018 Christian Heimes - 2.1.3-4 +- Build requires gcc + +* Mon Feb 12 2018 Iryna Shcherbina - 2.1.3-3 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Fri Feb 09 2018 Fedora Release Engineering - 2.1.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/python-cryptography.spec b/python-cryptography.spec index e0a00e6..ba3d651 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 42.0.8 -Release: 1%{?dist} +Release: %autorelease Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, 
@@ -140,248 +140,4 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %changelog -* Sat Jun 08 2024 Python Maint - 41.0.7-3 -- Rebuilt for Python 3.13 - -* Fri Jun 07 2024 Python Maint - 41.0.7-2 -- Bootstrap for Python 3.13 - -* Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 -- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 - -* Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 -- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) - -* Thu Oct 26 2023 Christian Heimes - 41.0.5-1 -- Update to 41.0.5, resolves RHBZ#2239707 - -* Mon Aug 14 2023 Christian Heimes - 41.0.3-2 -- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 - -* Wed Aug 09 2023 Christian Heimes - 41.0.3-1 -- Update to 41.0.3, resolves rhbz#2211237 -- Use pyo3 0.19 - -* Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Mon Jul 10 2023 Python Maint - 40.0.2-4 -- Rebuilt for Python 3.12 - -* Wed Jun 14 2023 Python Maint - 40.0.2-3 -- Bootstrap for Python 3.12 - -* Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 -- Use vendored rust-pem in RHEL builds - -* Tue Apr 18 2023 Christian Heimes - 40.0.2-1 -- Update to 40.0.2, resolves rhbz#2181430 - -* Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 -- Don't run tests requiring pytz on RHEL -- Don't try to run tests of vendored dependencies in %%check - -* Sat Mar 04 2023 Christian Heimes - 39.0.2-1 -- Update to 39.0.2, resolves rhbz#2124729 - -* Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 -- Ensure correct compiler flags are used for Rust code. 
- -* Wed Feb 22 2023 Christian Heimes - 37.0.2-8 -- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 -- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 - -* Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Dec 09 2022 Christian Heimes - 37.0.2-6 -- Enable SHA1 signatures in test suite (ELN-only) - -* Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 -- Drop unused requirement of python3-six - -* Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Tue Jun 14 2022 Python Maint - 37.0.2-3 -- Rebuilt for Python 3.11 - -* Tue Jun 14 2022 Python Maint - 37.0.2-2 -- Bootstrap for Python 3.11 - -* Thu May 05 2022 Christian Heimes - 37.0.2-1 -- Update to 37.0.2, resolves rhbz#2078968 - -* Thu Jan 27 2022 Christian Heimes - 36.0.0-3 -- Skip unstable memleak tests, resolves: RHBZ#2042413 - -* Fri Jan 21 2022 Fedora Release Engineering - 36.0.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Mon Nov 22 2021 Christian Heimes - 36.0.0-1 -- Update to 36.0.0, fixes RHBZ#2025347 - -* Thu Sep 30 2021 Christian Heimes - 35.0.0-2 -- Require rust-asn1 >= 0.6.4 - -* Thu Sep 30 2021 Christian Heimes - 35.0-1 -- Update to 35.0.0 (#2009117) - -* Tue Sep 14 2021 Sahana Prasad - 3.4.7-6 -- Rebuilt with OpenSSL 3.0.0 - -* Fri Jul 23 2021 Fedora Release Engineering - 3.4.7-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Thu Jun 10 2021 Stephen Gallagher - 3.4.7-4 -- Don't conditionalize Source: directives - -* Wed Jun 02 2021 Python Maint - 3.4.7-3 -- Rebuilt for Python 3.10 - -* Tue May 11 2021 Christian Heimes - 3.4.7-2 -- Fix compatibility issue with Python 3.10. Enums now use same - representation as on Python 3.9. (#1952522) -- Backport OpenSSL 3.0.0 compatibility patches. 
- -* Wed Apr 21 2021 Christian Heimes - 3.4.7-1 -- Update to 3.4.7 -- Remove dependency on python-cryptography-vectors package and use vectors - directly from Github source tar ball. (#1952024) - -* Wed Mar 03 2021 Christian Heimes - 3.4.6-1 -- Update to 3.4.6 (#1927044) - -* Mon Feb 15 2021 Christian Heimes - 3.4.5-1 -- Update to 3.4.5 (#1927044) - -* Fri Feb 12 2021 Christian Heimes - 3.4.4-3 -- Skip iso8601 and pretend tests on RHEL - -* Fri Feb 12 2021 Christian Heimes - 3.4.4-2 -- Provide RHEL build infrastructure - -* Wed Feb 10 2021 Christian Heimes - 3.4.4-1 -- Update to 3.4.4 (#1927044) - -* Mon Feb 08 2021 Christian Heimes - 3.4.2-1 -- Update to 3.4.2 (#1926339) -- Package no longer depends on Rust (#1926181) - -* Mon Feb 08 2021 Fabio Valentini - 3.4.1-2 -- Use dynamically generated BuildRequires for PyO3 Rust module. -- Drop unnecessary CARGO_NET_OFFLINE environment variable. - -* Sun Feb 07 2021 Christian Heimes - 3.4.1-1 -- Update to 3.4.1 (#1925953) - -* Sun Feb 07 2021 Christian Heimes - 3.4-2 -- Add missing abi3 and pytest dependencies - -* Sun Feb 07 2021 Christian Heimes - 3.4-1 -- Update to 3.4 (#1925953) -- Remove Python 2 support -- Remove unused python-idna dependency -- Add Rust support - -* Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Thu Dec 10 2020 Christian Heimes - 3.3.1-1 -- Update to 3.3.1 (#1905756) - -* Wed Oct 28 2020 Christian Heimes - 3.2.1-1 -- Update to 3.2.1 (#1892153) - -* Mon Oct 26 2020 Christian Heimes - 3.2-1 -- Update to 3.2 (#1891378) - -* Mon Sep 07 2020 Christian Heimes - 3.1-1 -- Update to 3.1 (#1872978) - -* Wed Jul 29 2020 Fedora Release Engineering - 3.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jul 21 2020 Christian Heimes - 3.0-1 -- Update to 3.0 (#185897) - -* Sat May 23 2020 Miro Hrončok - 2.9-3 -- Rebuilt for Python 3.9 - -* Tue May 12 2020 Felix Schwarz - 2.9-2 -- add source file 
verification - -* Fri Apr 03 2020 Christian Heimes - 2.9-1 -- Update to 2.9 (#1820348) - -* Thu Jan 30 2020 Fedora Release Engineering - 2.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Mon Jan 13 2020 Christian Heimes - 2.8-2 -- cryptography 2.8+ no longer depends on python-asn1crypto - -* Thu Oct 17 2019 Christian Heimes - 2.8-1 -- Update to 2.8 -- Resolves: rhbz#1762779 - -* Sun Oct 13 2019 Christian Heimes - 2.7-3 -- Skip unit tests that fail with OpenSSL 1.1.1.d -- Resolves: rhbz#1761194 -- Fix and simplify Python 3 packaging - -* Sat Oct 12 2019 Christian Heimes - 2.7-2 -- Drop Python 2 package -- Resolves: rhbz#1761081 - -* Tue Sep 03 2019 Randy Barlow - 2.7-1 -- Update to 2.7 (#1715680). - -* Fri Aug 16 2019 Miro Hrončok - 2.6.1-3 -- Rebuilt for Python 3.8 - -* Fri Jul 26 2019 Fedora Release Engineering - 2.6.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Thu Feb 28 2019 Christian Heimes - 2.6.1-1 -- New upstream release 2.6.1, resolves RHBZ#1683691 - -* Wed Feb 13 2019 Alfredo Moralejo - 2.5-1 -- Updated to 2.5. 
- -* Sat Feb 02 2019 Fedora Release Engineering - 2.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Mon Aug 13 2018 Christian Heimes - 2.3-2 -- Use TLSv1.2 in test as workaround for RHBZ#1615143 - -* Wed Jul 18 2018 Christian Heimes - 2.3-1 -- New upstream release 2.3 -- Fix AEAD tag truncation bug, RHBZ#1602752 - -* Fri Jul 13 2018 Fedora Release Engineering - 2.2.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Fri Jun 15 2018 Miro Hrončok - 2.2.1-2 -- Rebuilt for Python 3.7 - -* Wed Mar 21 2018 Christian Heimes - 2.2.1-1 -- New upstream release 2.2.1 - -* Sun Feb 18 2018 Christian Heimes - 2.1.4-1 -- New upstream release 2.1.4 - -* Sun Feb 18 2018 Christian Heimes - 2.1.3-4 -- Build requires gcc - -* Mon Feb 12 2018 Iryna Shcherbina - 2.1.3-3 -- Update Python 2 dependency declarations to new packaging standards - (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) - -* Fri Feb 09 2018 Fedora Release Engineering - 2.1.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild +%autochangelog From 4dcec288f2a9f08c49015ea485357a3a636a337d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 3 Jul 2024 18:45:24 +0200 Subject: [PATCH 67/90] Drop unneeded dependency on tox There is no additional dependency generated by it, other than tox and tox-current-env. There is no tox configuration in the source tarball. If desired, there is a [test] extra, so we could use -x test instead, but that would break the %if 0%{?fedora} tests dependencies separation. --- python-cryptography.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index ba3d651..3670a2a 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -86,7 +86,7 @@ sed -i 's,--no-subtests-shortletter,,' pyproject.toml %generate_buildrequires -%pyproject_buildrequires -t +%pyproject_buildrequires %if 0%{?fedora} # Fedora: use RPMified crates cd src/rust From 143d2e3463f824c20b62b8c73688bdf950b2893d Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Wed, 3 Jul 2024 14:39:39 -0400 Subject: [PATCH 68/90] Fix the build for ELN PyO3 doesn't support Python 3.13 until 0.22, but cryptography 0.42 is using 0.20 at the moment. Use ABI3 forward compatibility for ELN builds until cryptography updates. The Rawhide build is using crates from the distro which must be setting this in some way, but I'm not familiar enough with PyO3 or Fedora's Rust packaging to find it quickly. Fixes rhbz#2295602 --- python-cryptography.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index 3670a2a..e6fe8cd 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -98,6 +98,11 @@ cd ../.. %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 +# Temporary work-around for using pyo3 0.20 with Python 3.13 on ELN; This can +# be dropped when a cryptography release bumps to pyo3 >= 0.22 +%if 0%{?rhel} +export PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1 +%endif %pyproject_wheel From 1483ac22f765c6e01502dfe2114d5d2c6e2a3aab Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Fri, 12 Jul 2024 10:47:14 -0400 Subject: [PATCH 69/90] Skip benchmark tests on RHEL This avoids dependencies on the otherwise unnecessary certifi and pytest-benchmark. --- python-cryptography.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index e6fe8cd..edb70ca 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
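Review bot: The work-around comment added in the `@@ -98,6 +98,11 @@` hunk does not name the bug it was introduced for. `PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1` suppresses PyO3's check that the interpreter is a version it supports, so the setting should be easy to trace and remove. I would add the reference from the commit message, e.g. `# rhbz#2295602: remove once cryptography requires pyo3 >= 0.22`. The flag applies to every `%{?rhel}` build rather than only to Python 3.13, so the `%check` run is what confirms the extension works on the target interpreter. The `%build` section continues outside the hunk.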
@@ -40,15 +40,15 @@ BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 %if %{with tests} %if 0%{?fedora} +BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend +BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif -BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 -BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 %endif @@ -83,6 +83,9 @@ rm src/rust/Cargo.lock # Remove cosmetical pytest-subtests 0.10.0 option sed -i 's,--no-subtests-shortletter,,' pyproject.toml +%if ! 0%{?fedora} +sed -i 's,--benchmark-disable,,' pyproject.toml +%endif %generate_buildrequires @@ -117,8 +120,8 @@ find . -name .keep -print -delete %check %if %{with tests} %if 0%{?rhel} -# skip hypothesis and pytz tests on RHEL -rm -rf tests/hypothesis tests/x509 +# skip benchmark, hypothesis, and pytz tests on RHEL +rm -rf tests/bench tests/hypothesis tests/x509 # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif From cf26149d18b4b220d2b2193340372799a1674a71 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Fri, 12 Jul 2024 10:51:44 -0400 Subject: [PATCH 70/90] Remove unused pytest-subtests dependency This dependency was switched out for a built-in miniature replacement as of version 41.0.0: https://github.com/pyca/cryptography/commit/22759dbab0bc85da995febcc3e82680fe6b2804a --- python-cryptography.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index edb70ca..722047a 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
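Review bot: The three places that switch benchmarks off use different guards. The `BuildRequires` for pytest-benchmark sits under `%if 0%{?fedora}` and the new `sed` in the `@@ -83,6 +83,9 @@` hunk under `%if ! 0%{?fedora}`, but `tests/bench` is only removed under `%if 0%{?rhel}` in the `@@ -117,8 +120,8 @@` hunk. On a target that is neither Fedora nor RHEL, the plugin is absent and its option is stripped while the benchmark tests are still collected. Using one condition in all three places would keep them in step. The `%check` block continues outside the hunk, so its `%if` may guard more than is visible here.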
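Review bot: The rewritten comment `# skip benchmark, hypothesis, and pytz tests on RHEL` in the `@@ -117,8 +120,8 @@` hunk understates what `rm -rf tests/bench tests/hypothesis tests/x509` removes. Judging by the path, `tests/x509` is the whole X.509 test directory rather than only the cases that need pytz. That presumably leaves certificate handling untested on RHEL builds of a cryptography package. The comment should say so, e.g. `# RHEL: no pytest-benchmark, hypothesis or pytz; this drops all of tests/x509`, or the deletion should be narrowed to the pytz-dependent files if that is feasible.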
@@ -49,7 +49,6 @@ BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 -BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 %endif %description @@ -81,8 +80,6 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml %if ! 0%{?fedora} sed -i 's,--benchmark-disable,,' pyproject.toml %endif From bc9adfb4dea6d5c3b23e79acd64686488d8a03d2 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jul 2024 10:44:42 +0000 Subject: [PATCH 71/90] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 4dc6d7b0babe0baa4d3a68a40ed31ff52057218a Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Wed, 24 Jul 2024 16:43:12 -0400 Subject: [PATCH 72/90] Automatically apply all patches during autosetup Commit 7b18e1445dd8 ("Update to 41.0.3") introduces a patch that was applied behind a conditional. This is no longer the case, so revert back to letting autosetup apply all patches. [skip changelog] --- python-cryptography.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 722047a..e376447 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -70,8 +70,7 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -N -n %{srcname}-%{version} -%autopatch -p1 1 +%autosetup -p1 -n %{srcname}-%{version} %if 0%{?fedora} %cargo_prep rm src/rust/Cargo.lock From 696a6afd84d72791fbf0c87e48802128e90db565 Mon Sep 17 00:00:00 2001 
From: Jeremy Cline Date: Wed, 24 Jul 2024 16:23:21 -0400 Subject: [PATCH 73/90] Update to v43.0.0 Additionally, this builds the package with OPENSSL_NO_ENGINE=1 This drops the skip-overflow-tests-32bit.patch as its included in v43.0.0. It picks up the patch in https://github.com/pyca/cryptography/pull/11328 to allow building with OPENSSL_NO_ENGINE=1. --- .gitignore | 2 + 11328.patch | 36 ++++++++++++++++ python-cryptography.spec | 11 ++--- skip-overflow-tests-32bit.patch | 73 --------------------------------- sources | 4 +- 5 files changed, 43 insertions(+), 83 deletions(-) create mode 100644 11328.patch delete mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index 79738f6..fca5c45 100644 --- a/.gitignore +++ b/.gitignore @@ -65,3 +65,5 @@ /cryptography-42.0.5-vendor.tar.bz2 /cryptography-42.0.8.tar.gz /cryptography-42.0.8-vendor.tar.bz2 +/cryptography-43.0.0.tar.gz +/cryptography-43.0.0-vendor.tar.bz2 diff --git a/11328.patch b/11328.patch new file mode 100644 index 0000000..3dd1aee --- /dev/null +++ b/11328.patch 
@@ -0,0 +1,36 @@ +From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Mon, 22 Jul 2024 09:09:05 +0200 +Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined + +Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE +support. Downstream has moved `openssl/engine.h` into a separate RPM +package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The +compiler flag disables PyCA cryptography's ENGINE support successfully. +We also like to build the downstream package without the `engine.h` +header file present. + +This commit makes the include conditional. The `ENGINE` type is +defined in `openssl/types.h`. + +See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide +See: https://issues.redhat.com/browse/RHEL-33747 +Signed-off-by: Christian Heimes +--- + src/_cffi_src/openssl/engine.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py +index 9629a2c8f929..f47e20327003 100644 +--- a/src/_cffi_src/openssl/engine.py ++++ b/src/_cffi_src/openssl/engine.py +@@ -5,7 +5,9 @@ + from __future__ import annotations + + INCLUDES = """ ++#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL + #include ++#endif + """ + + TYPES = """ diff --git a/python-cryptography.spec b/python-cryptography.spec index e376447..e7a1b1c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 42.0.8 +Version: 43.0.0 Release: %autorelease Summary: PyCA's cryptography library 
@@ -19,12 +19,11 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: skip-overflow-tests-32bit.patch +Patch: 11328.patch ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel -BuildRequires: openssl-devel-engine BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} @@ -97,11 +96,7 @@ cd ../.. %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -# Temporary work-around for using pyo3 0.20 with Python 3.13 on ELN; This can -# be dropped when a cryptography release bumps to pyo3 >= 0.22 -%if 0%{?rhel} -export PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1 -%endif +export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " %pyproject_wheel diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch deleted file mode 100644 index 1dec3d9..0000000 --- a/skip-overflow-tests-32bit.patch +++ /dev/null 
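Review bot: The `%build` hunk deletes the `PYO3_USE_ABI3_FORWARD_COMPATIBILITY` work-around for `%if 0%{?rhel}` builds, but the commit message only covers the version bump, `OPENSSL_NO_ENGINE` and the two patches. The removed comment tied the work-around to pyo3 >= 0.22, so the message should say that 43.0.0 meets that condition (presumably it does; it is not visible here). In the first hunk, `Patch: 11328.patch` has no comment; `# https://github.com/pyca/cryptography/pull/11328 - drop once part of a release` above it would tell the next maintainer when it can go. The later "allow sha1 in OAEP" commit adds `Patch: 11536.patch` the same way. The new `export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 "` also has a stray space before the closing quote.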
@@ -1,73 +0,0 @@ -From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Thu, 8 Feb 2024 09:11:21 -0600 -Subject: [PATCH] skip overflow aead tests on 32-bit systems - ---- - tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py -index a1f99ab815ed..2f0d52d82682 100644 ---- a/tests/hazmat/primitives/test_aead.py -+++ b/tests/hazmat/primitives/test_aead.py -@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): - ) - class TestChaCha20Poly1305: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = ChaCha20Poly1305.generate_key() -@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESCCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESCCM.generate_key(128) -@@ -378,7 +380,8 @@ def _load_gcm_vectors(): - - class TestAESGCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCM.generate_key(128) -@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): - ) - class TestAESOCB3: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key 
= AESOCB3.generate_key(128) -@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESSIV.generate_key(256) -@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESGCMSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index e9ffcca..fe39107 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-42.0.8.tar.gz) = 969e76f9605795e9126a5b896d73e5a958654bf50dd99dbb5d08dac26abb0c45c1695cfb6a114ca22360986fe711bbf3b1ecb6c45955154c352ae3e6ece25568 -SHA512 (cryptography-42.0.8-vendor.tar.bz2) = 57e60a7ae729e2870f1ee07c9978a56a6095f33b0797efcae0846ed53772d24c02528a5906c32941ed58751bdff7a147d094c0deeda3b5593f9892b20725d48c +SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7 +SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924 From fdf62093b4dec4102ef193c5fb08b8dd25e721a4 Mon Sep 17 00:00:00 2001 
From: Jeremy Cline Date: Tue, 30 Jul 2024 11:15:34 -0400 Subject: [PATCH 74/90] Flip off lock = true maturin config Upstream switched to maturin in v43[0]. Since we fiddle with the lockfile maturin wants to update it since upstream configures `lock = true`. Turn that off. This fixes the v43 build in rawhide. [0] https://github.com/pyca/cryptography/pull/8815 [skip changelog] --- python-cryptography.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index e7a1b1c..d83d2b1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -72,6 +72,7 @@ recipes to Python developers. %autosetup -p1 -n %{srcname}-%{version} %if 0%{?fedora} %cargo_prep +sed -i 's/locked = true//g' pyproject.toml rm src/rust/Cargo.lock %else # RHEL: use vendored Rust crates From ed6d65f51610e2b85a297376b32a0c032b3ea98f Mon Sep 17 00:00:00 2001 From: Francisco Trivino Date: Wed, 4 Sep 2024 11:41:44 +0200 Subject: [PATCH 75/90] allow sha1 in OAEP In FIPS mode, RSA OAEP padding is refused with an error message: "This combination of padding and hash algorithm is not supported by this backend." It picks up the patch in https://github.com/pyca/cryptography/pull/11536 to allow sha1 in OAEP. Fixes: https://github.com/pyca/cryptography/issues/11512 Related: https://issues.redhat.com/browse/RHEL-40210 Signed-off-by: Francisco Trivino --- 11536.patch | 26 ++++++++++++++++++++++++++ python-cryptography.spec | 1 + 2 files changed, 27 insertions(+) create mode 100644 11536.patch diff --git a/11536.patch b/11536.patch new file mode 100644 index 0000000..b18f149 --- /dev/null +++ b/11536.patch 
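Review bot: The added `sed -i 's/locked = true//g' pyproject.toml` has no comment, and the commit message names the setting `lock = true` while the expression matches `locked = true`. One of the two is a typo, and if it is the sed, the substitution silently does nothing. A comment above the line would record the intent: `# maturin: upstream sets locked = true; Cargo.lock is removed below so distro crates are used`. Running `grep -q 'locked = true' pyproject.toml` before the sed would make the build fail visibly once upstream renames or drops the key.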
@@ -0,0 +1,26 @@ +From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 3 Sep 2024 20:19:02 -0400 +Subject: [PATCH] allow sha1 in OAEP (#11536) + +fixes #11512 +--- + src/rust/src/backend/rsa.rs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs +index 3c01e7421..066b1412a 100644 +--- a/src/rust/src/backend/rsa.rs ++++ b/src/rust/src/backend/rsa.rs +@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu + } + + fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { +- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1()) ++ md == &openssl::hash::MessageDigest::sha1() + || md == &openssl::hash::MessageDigest::sha224() + || md == &openssl::hash::MessageDigest::sha256() + || md == &openssl::hash::MessageDigest::sha384() +-- +2.46.0 + diff --git a/python-cryptography.spec b/python-cryptography.spec index d83d2b1..eff8c1c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -20,6 +20,7 @@ Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py Patch: 11328.patch +Patch: 11536.patch ExclusiveArch: %{rust_arches} From bc4d913fc3b2fb5b81083731af0a64abdb72509e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 18 Jan 2025 13:19:11 +0000 Subject: [PATCH 76/90] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 83987f70ef712cc0b5935dc5e8f2354f74476c30 Mon Sep 17 00:00:00 2001 
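Review bot: With the `!cryptography_openssl::fips::is_enabled()` condition removed, `oaep_hash_supported` accepts SHA-1 whether or not FIPS mode is on, and the reason is recorded only in the patch subject. Whether SHA-1 OAEP then actually works in FIPS mode is decided by the OpenSSL provider at operation time, which the downstream `%check` should exercise on a FIPS-enabled host if one is available. A comment on the first arm would keep the decision visible: `// SHA-1 stays allowed for OAEP in FIPS mode too, see issue #11512`. The function body continues past the hunk, and it cannot be seen from here whether the same predicate also gates the MGF1 hash; that is worth confirming.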
From: Jeremy Cline Date: Tue, 21 Jan 2025 15:51:57 +0000 Subject: [PATCH 77/90] Update to v44.0.0 This release is largely adding new features. One behavioral which might cause issues is: - Enforce the RFC 5280 requirement that extended key usage extensions must not be empty. Complete changelog: https://github.com/pyca/cryptography/blob/44.0.0/CHANGELOG.rst --- .gitignore | 2 ++ python-cryptography.spec | 6 +----- sources | 4 ++-- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index fca5c45..ea7f662 100644 --- a/.gitignore +++ b/.gitignore @@ -67,3 +67,5 @@ /cryptography-42.0.8-vendor.tar.bz2 /cryptography-43.0.0.tar.gz /cryptography-43.0.0-vendor.tar.bz2 +/cryptography-44.0.0.tar.gz +/cryptography-44.0.0-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index eff8c1c..c4c0e69 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 43.0.0 +Version: 44.0.0 Release: %autorelease Summary: PyCA's cryptography library @@ -19,9 +19,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch: 11328.patch -Patch: 11536.patch - ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -74,7 +71,6 @@ recipes to Python developers. %if 0%{?fedora} %cargo_prep sed -i 's/locked = true//g' pyproject.toml -rm src/rust/Cargo.lock %else # RHEL: use vendored Rust crates %cargo_prep -V 1 diff --git a/sources b/sources index fe39107..d10f2cb 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7 -SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924 +SHA512 (cryptography-44.0.0.tar.gz) = 6a0320ef3ece42e5b501d5381f719e01cb20b2971f0334a8a37f7b9a941482399901500f59817bffb1da579673e7785741a3016f51ac3bbf9bec55ff5df611ad +SHA512 (cryptography-44.0.0-vendor.tar.bz2) = 53b52a5aac5de01ac878e5fb477e890b093e6886d8a0b210801402900000560d7a3b8a85414b81f0ff22aadf6f7bbd94ccace70666709197b97424207942af2b From 78a177912460d18470df2783ed7ef86bdbf84ab5 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Tue, 21 Jan 2025 18:39:23 +0000 Subject: [PATCH 78/90] Include fix to exclude Cargo.toml from wheels Merged upstream at https://github.com/pyca/cryptography/pull/12091 [skip changelog] --- 11328.patch | 36 ------------------------------------ 11536.patch | 26 -------------------------- 12091.patch | 34 ++++++++++++++++++++++++++++++++++ python-cryptography.spec | 5 +++++ 4 files changed, 39 insertions(+), 62 deletions(-) delete mode 100644 11328.patch delete mode 100644 11536.patch create mode 100644 12091.patch diff --git a/11328.patch b/11328.patch deleted file mode 100644 index 3dd1aee..0000000 --- a/11328.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 22 Jul 2024 09:09:05 +0200 -Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined - -Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE -support. Downstream has moved `openssl/engine.h` into a separate RPM -package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The -compiler flag disables PyCA cryptography's ENGINE support successfully. -We also like to build the downstream package without the `engine.h` -header file present. - -This commit makes the include conditional. The `ENGINE` type is -defined in `openssl/types.h`. - -See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide -See: https://issues.redhat.com/browse/RHEL-33747 -Signed-off-by: Christian Heimes ---- - src/_cffi_src/openssl/engine.py | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py -index 9629a2c8f929..f47e20327003 100644 ---- a/src/_cffi_src/openssl/engine.py -+++ b/src/_cffi_src/openssl/engine.py -@@ -5,7 +5,9 @@ - from __future__ import annotations - - INCLUDES = """ -+#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL - #include -+#endif - """ - - TYPES = """ diff --git a/11536.patch b/11536.patch deleted file mode 100644 index b18f149..0000000 --- a/11536.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 3 Sep 2024 20:19:02 -0400 -Subject: [PATCH] allow sha1 in OAEP (#11536) - -fixes #11512 ---- - src/rust/src/backend/rsa.rs | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs -index 3c01e7421..066b1412a 100644 ---- a/src/rust/src/backend/rsa.rs -+++ b/src/rust/src/backend/rsa.rs -@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu - } - - fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { -- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1()) -+ md == &openssl::hash::MessageDigest::sha1() - || md == &openssl::hash::MessageDigest::sha224() - || md == &openssl::hash::MessageDigest::sha256() - || md == &openssl::hash::MessageDigest::sha384() --- -2.46.0 - diff --git a/12091.patch b/12091.patch new file mode 100644 index 0000000..96ef95a --- /dev/null +++ b/12091.patch @@ -0,0 +1,34 @@ +From 68369a6dbae71a9314ac0ecc8b88c435600cb4e9 Mon Sep 17 00:00:00 2001 +From: Johan Andersson +Date: Tue, 3 Dec 2024 00:43:31 +0100 +Subject: [PATCH] build: remove cargo.toml files from wheels + +--- + pyproject.toml | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/pyproject.toml b/pyproject.toml +index 4266e3bd5ba4..0378e78815e3 100644 +--- a/pyproject.toml ++++ b/pyproject.toml +@@ -101,15 +101,17 @@ include = [ + "src/_cffi_src/**/*.c", + "src/_cffi_src/**/*.h", + +- "**/Cargo.toml", +- "**/Cargo.lock", ++ "Cargo.toml", ++ "Cargo.lock", ++ "src/rust/**/Cargo.toml", ++ "src/rust/**/Cargo.lock", + "src/rust/**/*.rs", + + "tests/**/*.py", + ] + exclude = [ + "vectors/**/*", +- "src/rust/target/**/*", ++ "target/**/*", + "docs/_build/**/*", + ".github/**/*", + ".readthedocs.yml", 
diff --git a/python-cryptography.spec b/python-cryptography.spec index c4c0e69..110249d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -19,6 +19,10 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +# Merged for 45.0.0+ +# https://github.com/pyca/cryptography/pull/12091 +Patch: 12091.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -102,6 +106,7 @@ export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete +find . -name Cargo.toml -print -delete %pyproject_install %pyproject_save_files %{srcname} From 606ff1ca7ed14791fb66c3029c65397436b2902f Mon Sep 17 00:00:00 2001 From: Fabio Valentini Date: Thu, 6 Feb 2025 13:47:30 +0100 Subject: [PATCH 79/90] Rebuild for openssl crate >= v0.10.70 (RUSTSEC-2025-0004) From 25b75b110cb4173e173476cd88ded741b37c3a98 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Mon, 3 Mar 2025 23:22:02 -0500 Subject: [PATCH 80/90] Do not delete tests/x509 on RHEL tests/x509 now provides imports used by tests in other directories, and no longer require pytz. --- python-cryptography.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 110249d..e10429e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -115,7 +115,7 @@ find . -name Cargo.toml -print -delete %if %{with tests} %if 0%{?rhel} # skip benchmark, hypothesis, and pytz tests on RHEL -rm -rf tests/bench tests/hypothesis tests/x509 +rm -rf tests/bench tests/hypothesis # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif From 683f73c2b86b3035a407c58d8da331232bc68cc1 Mon Sep 17 00:00:00 2001 
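Review bot: The added `find . -name Cargo.toml -print -delete` in `%install` probably does not change what is packaged. It runs in the source tree before `%pyproject_install`, which, as far as these hunks show, installs the wheel already built by `%pyproject_wheel` in `%build`. If it is meant as a safety net alongside 12091.patch, it has to act on the buildroot after installation, e.g. `find %{buildroot}%{python3_sitearch} -name Cargo.toml -print -delete`. Either way it needs its own comment stating why it is there and that it goes away with the patch, because the comment above it is about `.keep` files.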
From: Yaakov Selkowitz Date: Thu, 6 Mar 2025 11:43:48 -0500 Subject: [PATCH 81/90] Modernize Rust macro usage This adds automatically generated licensing data, and bundled provides for vendored dependencies in the RHEL builds. --- python-cryptography.spec | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index e10429e..91b85b9 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -12,7 +12,13 @@ Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, # as well as the Python Software Foundation license for the OS random # engine derived by CPython. -License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 +# Rust crate dependency licenses: +# Apache-2.0 +# Apache-2.0 OR MIT +# BSD-3-Clause +# MIT +# MIT OR Apache-2.0 +License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 AND Apache-2.0 AND BSD-3-Clause AND MIT AND (MIT OR Apache-2.0) URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz # created by ./vendor_rust.py helper script @@ -71,13 +77,13 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -n %{srcname}-%{version} +%autosetup -p1 %{!?fedora:-a1} -n %{srcname}-%{version} %if 0%{?fedora} %cargo_prep sed -i 's/locked = true//g' pyproject.toml %else # RHEL: use vendored Rust crates -%cargo_prep -V 1 +%cargo_prep -v vendor %endif %if ! 0%{?fedora} @@ -89,9 +95,7 @@ sed -i 's,--benchmark-disable,,' pyproject.toml %pyproject_buildrequires %if 0%{?fedora} # Fedora: use RPMified crates -cd src/rust %cargo_generate_buildrequires -cd ../.. %endif 
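Review bot: The `License:` tag now lists the crate licenses by hand, and nothing ties that list to the generated data, so it can go stale on the next crate update. The same commit adds `%cargo_license_summary` and `%{cargo_license} > LICENSE.dependencies` further down, which produce that data at build time. The comment block above the tag should say where the list comes from and when to refresh it, for example `# Rust crate dependency licenses (copy from the %%cargo_license_summary output on every update):`. The `%%` matters because rpm expands macros inside comments. On the RHEL path the vendored set and the RPMified set may differ, so the list is presumably the union of both; stating that in the comment would help.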
@@ -101,6 +105,12 @@ export OPENSSL_NO_VENDOR=1 export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " %pyproject_wheel +%cargo_license_summary +%{cargo_license} > LICENSE.dependencies +%if ! 0%{?fedora} +%cargo_vendor_manifest +%endif + %install # Actually other *.c and *.h are appropriate @@ -139,6 +149,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD +%license LICENSE.dependencies +%if ! 0%{?fedora} +%license cargo-vendor.txt +%endif %changelog From f06f4c280408a86ae39f4a942bc6b2d46038b84f Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 19 May 2025 10:49:48 -0400 Subject: [PATCH 82/90] Update to v45.0.2 This update includes two backwards-incompatible changes with v44: - Made SSH private key loading more consistent with other private key loading: :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key` now raises a TypeError if the key is unencrypted but a password is provided (previously no exception was raised), and raises a TypeError if the key is encrypted but no password is provided (previously a ValueError was raised). - The :meth:`VerifiedClient.subject ` property can now be None since a custom extension policy may allow certificates without a Subject Alternative Name extension. Full changelog: https://github.com/pyca/cryptography/blob/45.0.2/CHANGELOG.rst --- .gitignore | 2 ++ 12091.patch | 34 ---------------------------------- python-cryptography.spec | 6 +----- sources | 4 ++-- 4 files changed, 5 insertions(+), 41 deletions(-) delete mode 100644 12091.patch diff --git a/.gitignore b/.gitignore index ea7f662..6778d54 100644 --- a/.gitignore +++ b/.gitignore @@ -69,3 +69,5 @@ /cryptography-43.0.0-vendor.tar.bz2 /cryptography-44.0.0.tar.gz /cryptography-44.0.0-vendor.tar.bz2 +/cryptography-45.0.2.tar.gz +/cryptography-45.0.2-vendor.tar.bz2 
diff --git a/12091.patch b/12091.patch deleted file mode 100644 index 96ef95a..0000000 --- a/12091.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 68369a6dbae71a9314ac0ecc8b88c435600cb4e9 Mon Sep 17 00:00:00 2001 -From: Johan Andersson -Date: Tue, 3 Dec 2024 00:43:31 +0100 -Subject: [PATCH] build: remove cargo.toml files from wheels - ---- - pyproject.toml | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/pyproject.toml b/pyproject.toml -index 4266e3bd5ba4..0378e78815e3 100644 ---- a/pyproject.toml -+++ b/pyproject.toml -@@ -101,15 +101,17 @@ include = [ - "src/_cffi_src/**/*.c", - "src/_cffi_src/**/*.h", - -- "**/Cargo.toml", -- "**/Cargo.lock", -+ "Cargo.toml", -+ "Cargo.lock", -+ "src/rust/**/Cargo.toml", -+ "src/rust/**/Cargo.lock", - "src/rust/**/*.rs", - - "tests/**/*.py", - ] - exclude = [ - "vectors/**/*", -- "src/rust/target/**/*", -+ "target/**/*", - "docs/_build/**/*", - ".github/**/*", - ".readthedocs.yml", diff --git a/python-cryptography.spec b/python-cryptography.spec index 91b85b9..3907b6b 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 44.0.0 +Version: 45.0.2 Release: %autorelease Summary: PyCA's cryptography library @@ -25,10 +25,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -# Merged for 45.0.0+ -# https://github.com/pyca/cryptography/pull/12091 -Patch: 12091.patch - ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel diff --git a/sources b/sources index d10f2cb..c6a4acc 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-44.0.0.tar.gz) = 6a0320ef3ece42e5b501d5381f719e01cb20b2971f0334a8a37f7b9a941482399901500f59817bffb1da579673e7785741a3016f51ac3bbf9bec55ff5df611ad -SHA512 (cryptography-44.0.0-vendor.tar.bz2) = 53b52a5aac5de01ac878e5fb477e890b093e6886d8a0b210801402900000560d7a3b8a85414b81f0ff22aadf6f7bbd94ccace70666709197b97424207942af2b +SHA512 (cryptography-45.0.2.tar.gz) = c0393f7e75cf5bba3ae8b6deea00d2a27b097ab6c4a5b59727e76d0df537fbbb648bb1879cd85f26aff93e8f4bedfdf178090330dc42e7d1c939a4b4379443e0 +SHA512 (cryptography-45.0.2-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From adc63ac786ecfec84079d5ecb2ee7d8f6a41b5bd Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Sun, 25 May 2025 12:49:30 -0400 Subject: [PATCH 83/90] Update to v45.0.3 This fixes two issues from v45: - Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys encrypted by Bouncy Castle). - Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly insecure, this remains prevalent. --- .gitignore | 2 ++ python-cryptography.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 6778d54..4a18b60 100644 --- a/.gitignore +++ b/.gitignore @@ -71,3 +71,5 @@ /cryptography-44.0.0-vendor.tar.bz2 /cryptography-45.0.2.tar.gz /cryptography-45.0.2-vendor.tar.bz2 +/cryptography-45.0.3.tar.gz +/cryptography-45.0.3-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 3907b6b..31b41e2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 45.0.2 +Version: 45.0.3 Release: %autorelease Summary: PyCA's cryptography library diff --git a/sources b/sources index c6a4acc..9fb264e 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-45.0.2.tar.gz) = c0393f7e75cf5bba3ae8b6deea00d2a27b097ab6c4a5b59727e76d0df537fbbb648bb1879cd85f26aff93e8f4bedfdf178090330dc42e7d1c939a4b4379443e0 -SHA512 (cryptography-45.0.2-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 +SHA512 (cryptography-45.0.3.tar.gz) = 498facb35ad9db2de76c0d5120ae1322b730efeccf62ab324af1e88193e70d177ac92fbdac6b9dafc953c84c43dcc8c6bdabf3dbb3eb0c0854cb16ab0782ddb3 +SHA512 (cryptography-45.0.3-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From 2fadd7bb9ab0a159e6d5f845cd1d6b922c6d6dab Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 3 Jun 2025 13:37:55 +0200 Subject: [PATCH 84/90] Bootstrap for Python 3.14 --- python-cryptography.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index 31b41e2..27fad32 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} From 65da927d85a980fe32d693d7f3ae2a5c1703740c Mon Sep 17 00:00:00 2001 From: Python Maint Date: Wed, 4 Jun 2025 18:30:16 +0200 Subject: [PATCH 85/90] Rebuilt for Python 3.14 --- python-cryptography.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 27fad32..31b41e2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} From 8034f94f7793712d41c2a2b2b3c55ea6a1c85da1 Mon Sep 17 00:00:00 2001 
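Review bot: The digest added for cryptography-45.0.3-vendor.tar.bz2 is identical to the removed one for cryptography-45.0.2-vendor.tar.bz2 (both begin `5ff616412e65`), and the later "Update to v45.0.4" hunk carries the same value a third time. That fits an unchanged Cargo.lock across the three releases, but a freshly created archive would normally differ at least in timestamps, so it looks more like the previous tarball uploaded under a new name. The commit message should say which it is and confirm that the crate set was compared against the new release's Cargo.lock. Otherwise the RHEL build could ship vendored crates that do not match the source it claims to bundle.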
From: Jeremy Cline Date: Wed, 11 Jun 2025 09:31:07 -0400 Subject: [PATCH 86/90] Update to v45.0.4 The upstream release fixes a single issue: - Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This is not considered secure, and is supported only for backwards compatibility.) Fixes rhbz #2371350 --- .gitignore | 2 ++ python-cryptography.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 4a18b60..4ad8197 100644 --- a/.gitignore +++ b/.gitignore @@ -73,3 +73,5 @@ /cryptography-45.0.2-vendor.tar.bz2 /cryptography-45.0.3.tar.gz /cryptography-45.0.3-vendor.tar.bz2 +/cryptography-45.0.4.tar.gz +/cryptography-45.0.4-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 31b41e2..ae9b0b1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 45.0.3 +Version: 45.0.4 Release: %autorelease Summary: PyCA's cryptography library diff --git a/sources b/sources index 9fb264e..e79ea50 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-45.0.3.tar.gz) = 498facb35ad9db2de76c0d5120ae1322b730efeccf62ab324af1e88193e70d177ac92fbdac6b9dafc953c84c43dcc8c6bdabf3dbb3eb0c0854cb16ab0782ddb3 -SHA512 (cryptography-45.0.3-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 +SHA512 (cryptography-45.0.4.tar.gz) = 08b35f414d81f83ee242f5d208f8aabc12dc53f1a0cbffc5be1ed7f9173e9c9863225a7eb5cff4e9f3dacf5e9fcb3e8701e33c441e1562ee13f9e3927fafb3df +SHA512 (cryptography-45.0.4-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From 22e34bf15083c5690415b1cf16fbbafae1ac0c1e Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Fri, 25 Jul 2025 07:25:06 +0000 Subject: [PATCH 87/90] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 5e511855936600aa1b4f9108e740cf9ec0265588 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 15 Aug 2025 13:32:38 +0200 Subject: [PATCH 88/90] Rebuilt for Python 3.14.0rc2 bytecode From 5e1fd8e20da2a7587e12bd6ef621c6ac6a6af07b Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 19 Sep 2025 13:05:04 +0200 Subject: [PATCH 89/90] Rebuilt for Python 3.14.0rc3 bytecode From 1a3a50b8d38e467b5a9b4422d073bf0b915ba94b Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Wed, 22 Oct 2025 13:03:41 +0100 Subject: [PATCH 90/90] Drop pytz test req, only needed for py < 3.9 The pytz requirement now is only used for CI for py < 3.9: pytz==2025.2 ; python_full_version < '3.9' Also drop no longer valid comment snippet --- python-cryptography.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index ae9b0b1..16b4d7e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -49,7 +49,6 @@ BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-xdist -BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 %endif @@ -120,7 +119,7 @@ find . -name Cargo.toml -print -delete %check %if %{with tests} %if 0%{?rhel} -# skip benchmark, hypothesis, and pytz tests on RHEL +# skip benchmark and hypothesis tests on RHEL rm -rf tests/bench tests/hypothesis # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py