From 29c1c4ffe0307c119ad59cd1eeea5b335ed3d7d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 17 Aug 2022 12:04:42 +0200 Subject: [PATCH 01/54] Drop unused manual requirement on six, drop duplicated manual requirement on cffi The Python-related Requires already were: python(abi) = 3.11 python3-cffi >= 1.7 python3-six >= 1.4.1 python3.11dist(cffi) >= 1.12 Now they are: python(abi) = 3.11 python3.11dist(cffi) >= 1.12 --- python-cryptography.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 7faf137..8224d85 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -32,7 +32,6 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 -BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 # Cargo.toml requires asn1 0.6, but package FTBFS with 0.6.1 BuildRequires: rust-asn1-devel >= 0.6.4 @@ -58,8 +57,6 @@ Summary: PyCA's cryptography library %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} Requires: openssl-libs -Requires: python%{python3_pkgversion}-six >= 1.4.1 -Requires: python%{python3_pkgversion}-cffi >= 1.7 %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 # Can be safely removed in Fedora 37 Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7 
@@ -120,6 +117,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 +- Drop unused requirement of python3-six + * Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From 19e9b9733277e509e42c9ee0b9cad941077ff424 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Fri, 9 Dec 2022 12:09:43 +0100 Subject: [PATCH 02/54] Enable SHA1 signatures in test suite (ELN-only) --- python-cryptography.spec | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 8224d85..5288712 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 5%{?dist} +Release: 6%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -101,6 +101,12 @@ rm -rf tests/hypothesis cat < %{SOURCE2} >> tests/conftest.py %endif +%if 0%{?eln} +# enable SHA-1 signatures for RSA tests +# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343 +export OPENSSL_ENABLE_SHA1_SIGNATURES=yes +%endif + # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests # see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes @@ -117,6 +123,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Dec 09 2022 Christian Heimes - 37.0.2-6 +- Enable SHA1 signatures in test suite (ELN-only) + * Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 - Drop unused requirement of python3-six From ebf415a04ba645888dcb6351ab91aa0336e23044 Mon Sep 17 00:00:00 2001 
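Review bot: In the %check hunk of PATCH 02/54, `export OPENSSL_ENABLE_SHA1_SIGNATURES=yes` stays set for every command that follows in the scriptlet, and the comment does not say that this is a test-only relaxation. The whole suite therefore runs under a different signature policy than the installed library sees by default, so a policy-related regression could go unnoticed. I would spell that out above the export, e.g. `# test-only: relaxes the OpenSSL SHA-1 policy for %check, the built package is unaffected`, and ideally set the variable only on the pytest command line next to `PYTHONPATH=`. PATCH 12/54 later removes the `%if 0%{?eln}` guard, which makes this apply to every build, so the same comment is needed there.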
From: Charalampos Stratakis Date: Tue, 13 Dec 2022 18:30:42 +0100 Subject: [PATCH 03/54] Convert the license tag to SPDX and add missing PSF license --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 5288712..e8e0731 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -10,7 +10,10 @@ Version: 37.0.2 Release: 6%{?dist} Summary: PyCA's cryptography library -License: ASL 2.0 or BSD +# cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, +# as well as the Python Software Foundation license for the OS random +# engine derived by CPython. +License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz # created by ./vendor_rust.py helper script From 4c529569ef2c8a0fca3f52c4c0a831f037a62b18 Mon Sep 17 00:00:00 2001 From: Charalampos Stratakis Date: Tue, 13 Dec 2022 21:03:13 +0100 Subject: [PATCH 04/54] Remove no longer used macro --- python-cryptography.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index e8e0731..8c3583c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -3,7 +3,6 @@ %{!?python3_pkgversion:%global python3_pkgversion 3} %global srcname cryptography -%global pyo3_version 0.13.1 Name: python-%{srcname} Version: 37.0.2 From 25a80244fef287446e6096a67fd913f56cf9199c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 20 Jan 2023 12:25:02 +0000 Subject: [PATCH 05/54] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 8c3583c..a0c880e 100644 --- a/python-cryptography.spec 
+++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 6%{?dist} +Release: 7%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -125,6 +125,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Fri Dec 09 2022 Christian Heimes - 37.0.2-6 - Enable SHA1 signatures in test suite (ELN-only) From 9e3c824a6b1f1acac3f7c97111e0705287d96133 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 22 Feb 2023 09:57:34 +0100 Subject: [PATCH 06/54] Fix CVE-2023-23931 and FTBFS Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 --- CVE-2023-23931.patch | 42 ++++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 12 ++++++++++-- 2 files changed, 52 insertions(+), 2 deletions(-) create mode 100644 CVE-2023-23931.patch diff --git a/CVE-2023-23931.patch b/CVE-2023-23931.patch new file mode 100644 index 0000000..085947c --- /dev/null +++ b/CVE-2023-23931.patch 
@@ -0,0 +1,42 @@ +From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 31 Jan 2023 08:33:54 -0500 +Subject: [PATCH] Don't allow update_into to mutate immutable objects + +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 286583f9325..075d68fb905 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int: + data_processed = 0 + total_out = 0 + outlen = self._backend._ffi.new("int *") +- baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) + baseinbuf = self._backend._ffi.from_buffer(data) + + while data_processed != total_data_len: +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index 02127dd9cab..bf3b047dec2 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend): + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) + ++ def test_update_into_immutable(self, backend): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ buf = b"\x00" * 32 ++ with pytest.raises((TypeError, BufferError)): ++ encryptor.update_into(b"testing", buf) ++ + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) diff --git a/python-cryptography.spec b/python-cryptography.spec index a0c880e..76ea9b9 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 7%{?dist} +Release: 8%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,6 +19,9 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +# https://github.com/pyca/cryptography/pull/8230 +Patch1: CVE-2023-23931.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -113,9 +116,10 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES=yes # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests # see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes # not much sense for downstream testing. +# see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{__python3} -m pytest \ - -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_openssl_memleak)" + -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif %files -n python%{python3_pkgversion}-%{srcname} @@ -125,6 +129,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Feb 22 2023 Christian Heimes - 37.0.2-8 +- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 +- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 + * Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From f611a9dbb66ea6ac574889cf9797cd0ed346ad03 Mon Sep 17 00:00:00 2001 
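Review bot: The `Patch1: CVE-2023-23931.patch` hunk pulls in a fix that calls `from_buffer(buf, require_writable=True)`, a keyword cffi only accepts from 1.12 on, while the spec still declares `BuildRequires: python%{python3_pkgversion}-cffi >= 1.7` (visible as a context line in PATCH 01/54 and PATCH 08/54). With an older cffi the call would presumably raise TypeError for any buffer, and the backported `test_update_into_immutable` would still pass because it accepts `(TypeError, BufferError)`. Raising the floor in the same commit, `BuildRequires: python%{python3_pkgversion}-cffi >= 1.12`, keeps the %check run meaningful for the security fix. PATCH 07/54 carries the identical change and needs the same adjustment.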
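Review bot: The comment added in the %check hunk explains only `test_load_invalid_ec_key_from_pem`, but the new `-k` expression also deselects `test_decrypt_invalid_decrypt` without recording a reason in the spec. Both are negative-path tests (they check that invalid input is rejected), so whoever later decides whether they can be re-enabled needs to know why each was switched off. One more comment line would do, e.g. `# see rhbz#2171661 for test_decrypt_invalid_decrypt as well`. The same hunk appears in PATCH 07/54.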
From: Christian Heimes Date: Wed, 22 Feb 2023 09:57:34 +0100 Subject: [PATCH 07/54] Fix CVE-2023-23931 and FTBFS Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 --- CVE-2023-23931.patch | 42 ++++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 15 ++++++++++++-- 2 files changed, 55 insertions(+), 2 deletions(-) create mode 100644 CVE-2023-23931.patch diff --git a/CVE-2023-23931.patch b/CVE-2023-23931.patch new file mode 100644 index 0000000..085947c --- /dev/null +++ b/CVE-2023-23931.patch 
@@ -0,0 +1,42 @@ +From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 31 Jan 2023 08:33:54 -0500 +Subject: [PATCH] Don't allow update_into to mutate immutable objects + +--- + src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- + tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ + 2 files changed, 9 insertions(+), 1 deletion(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 286583f9325..075d68fb905 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int: + data_processed = 0 + total_out = 0 + outlen = self._backend._ffi.new("int *") +- baseoutbuf = self._backend._ffi.from_buffer(buf) ++ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) + baseinbuf = self._backend._ffi.from_buffer(data) + + while data_processed != total_data_len: +diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py +index 02127dd9cab..bf3b047dec2 100644 +--- a/tests/hazmat/primitives/test_ciphers.py ++++ b/tests/hazmat/primitives/test_ciphers.py +@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend): + with pytest.raises(ValueError): + encryptor.update_into(b"testing", buf) + ++ def test_update_into_immutable(self, backend): ++ key = b"\x00" * 16 ++ c = ciphers.Cipher(AES(key), modes.ECB(), backend) ++ encryptor = c.encryptor() ++ buf = b"\x00" * 32 ++ with pytest.raises((TypeError, BufferError)): ++ encryptor.update_into(b"testing", buf) ++ + @pytest.mark.supported( + only_if=lambda backend: backend.cipher_supported( + AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) diff --git a/python-cryptography.spec b/python-cryptography.spec index 7faf137..b2184b2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -7,7 +7,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: PyCA's cryptography library License: ASL 2.0 or BSD @@ -17,6 +17,9 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +# https://github.com/pyca/cryptography/pull/8230 +Patch1: CVE-2023-23931.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -108,9 +111,10 @@ cat < %{SOURCE2} >> tests/conftest.py # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests # see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes # not much sense for downstream testing. +# see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{__python3} -m pytest \ - -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_openssl_memleak)" + -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif %files -n python%{python3_pkgversion}-%{srcname} @@ -120,6 +124,13 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Feb 22 2023 Christian Heimes - 37.0.2-5 +- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 +- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 + +* Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 +- Drop unused requirement of python3-six + * Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild 
From cf6e4c6ecf1d73549a6568cef4b43f3dcca19786 Mon Sep 17 00:00:00 2001 From: Fabio Valentini Date: Thu, 26 Jan 2023 21:53:08 +0100 Subject: [PATCH 08/54] ensure correct compiler flags are used for Rust code --- python-cryptography.spec | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 76ea9b9..c40d3a3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 37.0.2 -Release: 8%{?dist} +Release: 9%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -37,8 +37,6 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 -# Cargo.toml requires asn1 0.6, but package FTBFS with 0.6.1 -BuildRequires: rust-asn1-devel >= 0.6.4 %if %{with tests} %if 0%{?fedora} @@ -73,22 +71,24 @@ recipes to Python developers. %prep %autosetup -p1 -n %{srcname}-%{version} - -%generate_buildrequires - %if 0%{?fedora} -# Fedora: use cargo macros to make use of RPMified crates %cargo_prep -cd src/rust -rm -f Cargo.lock -%cargo_generate_buildrequires -cd ../.. +rm src/rust/Cargo.lock %else # RHEL: use vendored Rust crates %cargo_prep -V 1 %endif +%if 0%{?fedora} +%generate_buildrequires +# Fedora: use RPMified crates +cd src/rust +%cargo_generate_buildrequires +cd ../.. +%endif + %build +export RUSTFLAGS="%build_rustflags" %py3_build %install 
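Review bot: After the %prep/%generate_buildrequires hunk of PATCH 08/54, the only crate version constraints on Fedora come from `%cargo_generate_buildrequires`, because `rm src/rust/Cargo.lock` drops the lock file and the preceding hunk removes `BuildRequires: rust-asn1-devel >= 0.6.4`. The removed comment said Cargo.toml asks only for asn1 0.6 and that the package fails to build with 0.6.1, so nothing in the spec now excludes that version. If a pre-0.6.4 asn1 can still be resolved in any target buildroot, keep the explicit floor inside the `%if 0%{?fedora}` BuildRequires block. Otherwise the commit message should state that the floor is obsolete.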
@@ -129,6 +129,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 +- Ensure correct compiler flags are used for Rust code. + * Wed Feb 22 2023 Christian Heimes - 37.0.2-8 - Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 - Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 From 5c59e50b4e4ab60ccbd34707441c304966aa5719 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 9 Mar 2023 08:19:18 +0100 Subject: [PATCH 09/54] Update to 39.0.2 Resolves: rhbz#2124729 --- .gitignore | 2 ++ CVE-2023-23931.patch | 42 ---------------------------------------- python-cryptography.spec | 16 +++++++-------- sources | 4 ++-- 4 files changed, 12 insertions(+), 52 deletions(-) delete mode 100644 CVE-2023-23931.patch diff --git a/.gitignore b/.gitignore index a426298..4a92541 100644 --- a/.gitignore +++ b/.gitignore @@ -45,3 +45,5 @@ /cryptography-36.0.0-vendor.tar.bz2 /cryptography-37.0.2.tar.gz /cryptography-37.0.2-vendor.tar.bz2 +/cryptography-39.0.2.tar.gz +/cryptography-39.0.2-vendor.tar.bz2 diff --git a/CVE-2023-23931.patch b/CVE-2023-23931.patch deleted file mode 100644 index 085947c..0000000 --- a/CVE-2023-23931.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 31 Jan 2023 08:33:54 -0500 -Subject: [PATCH] Don't allow update_into to mutate immutable objects - ---- - src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- - tests/hazmat/primitives/test_ciphers.py | 8 ++++++++ - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py -index 286583f9325..075d68fb905 100644 ---- a/src/cryptography/hazmat/backends/openssl/ciphers.py -+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py -@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int: - data_processed = 0 - total_out = 0 - outlen = self._backend._ffi.new("int *") -- baseoutbuf = self._backend._ffi.from_buffer(buf) -+ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True) - baseinbuf = self._backend._ffi.from_buffer(data) - - while data_processed != total_data_len: -diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py -index 02127dd9cab..bf3b047dec2 100644 ---- a/tests/hazmat/primitives/test_ciphers.py -+++ b/tests/hazmat/primitives/test_ciphers.py -@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend): - with pytest.raises(ValueError): - encryptor.update_into(b"testing", buf) - -+ def test_update_into_immutable(self, backend): -+ key = b"\x00" * 16 -+ c = ciphers.Cipher(AES(key), modes.ECB(), backend) -+ encryptor = c.encryptor() -+ buf = b"\x00" * 32 -+ with pytest.raises((TypeError, BufferError)): -+ encryptor.update_into(b"testing", buf) -+ - @pytest.mark.supported( - only_if=lambda backend: backend.cipher_supported( - AES(b"\x00" * 16), modes.GCM(b"\x00" * 12) diff --git a/python-cryptography.spec b/python-cryptography.spec index c40d3a3..40b2f7f 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 37.0.2 -Release: 9%{?dist} +Version: 39.0.2 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,9 +19,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -# https://github.com/pyca/cryptography/pull/8230 -Patch1: CVE-2023-23931.patch - ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -33,10 +30,10 @@ BuildRequires: rust-packaging BuildRequires: rust-toolset %endif -BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 +BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools -BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 +BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 %if %{with tests} %if 0%{?fedora} @@ -45,7 +42,7 @@ BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist %endif -BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 +BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 BuildRequires: python%{python3_pkgversion}-pytz @@ -129,6 +126,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Sat Mar 04 2023 Christian Heimes - 39.0.2-1 +- Update to 39.0.2, resolves rhbz#2124729 + * Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 - Ensure correct compiler flags are used for Rust code. diff --git a/sources b/sources index 536e11b..3ce6c7a 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-37.0.2.tar.gz) = ca6b1e983e79a130b47b1f7cdabeb6041a6102f57483f0820f7bcc6a67e0112b7691f09caa7f391de5aed0a2fee26f394688823da2cd4c8beab553732ac6a305 -SHA512 (cryptography-37.0.2-vendor.tar.bz2) = d100fff9406063c7eb1d0caf7f389c15e49715928ae6c9ec7fd60e97f363ea3590d145e8e7f74958ce4857f60e9e4cd28ac69ef44f9e0dc0730e5d08b073bd9b +SHA512 (cryptography-39.0.2.tar.gz) = 06ae3e2c0c2a5fa9e80dab7181a7c8b64aa9359bfd149837f179e65372a90acc905aae7476516ba8da4c4137bd25ba115d911728858551d2862280352b09b95e +SHA512 (cryptography-39.0.2-vendor.tar.bz2) = 4e92ec50e01f99e160ab6c5e12fbd7e1297aaa2dfb5f0f35019308a44661e938a082c9a4ce0d9b5fbe1ed94cde49ae6b193c3f3f7035e9f5f5a97f2108595667 From 231f32cf9664dc30d86af4aaa6a16626509e2231 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Thu, 9 Mar 2023 12:55:39 +0100 Subject: [PATCH 10/54] Don't run tests requiring pytz on RHEL pytz is unwanted on RHEL 10+. --- python-cryptography.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 40b2f7f..9877601 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 39.0.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -41,11 +41,11 @@ BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist +BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 -BuildRequires: python%{python3_pkgversion}-pytz %endif %description 
@@ -97,8 +97,8 @@ find . -name .keep -print -delete %check %if %{with tests} %if 0%{?rhel} -# skip hypothesis tests on RHEL -rm -rf tests/hypothesis +# skip hypothesis and pytz tests on RHEL +rm -rf tests/hypothesis tests/x509 # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif @@ -126,6 +126,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 +- Don't run tests requiring pytz on RHEL + * Sat Mar 04 2023 Christian Heimes - 39.0.2-1 - Update to 39.0.2, resolves rhbz#2124729 From 0dbc0e5e1df4aa27e22eb637ae15136b8397643d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Thu, 9 Mar 2023 13:28:58 +0100 Subject: [PATCH 11/54] Don't try to run tests of vendored dependencies in %check --- python-cryptography.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index 9877601..07d9285 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -116,6 +116,7 @@ export OPENSSL_ENABLE_SHA1_SIGNATURES=yes # see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{__python3} -m pytest \ + --ignore vendor \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif @@ -128,6 +129,7 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %changelog * Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 - Don't run tests requiring pytz on RHEL +- Don't try to run tests of vendored dependencies in %%check * Sat Mar 04 2023 Christian Heimes - 39.0.2-1 - Update to 39.0.2, resolves rhbz#2124729 From 55eaa10d2d97f19c966ba4c3e039f420b4f779bc Mon Sep 17 00:00:00 2001 
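Review bot: `rm -rf tests/hypothesis tests/x509` in the %check hunk of PATCH 10/54 deletes the entire X.509 test directory on RHEL, not just the tests that import pytz, so RHEL builds stop exercising everything under tests/x509. The comment `# skip hypothesis and pytz tests on RHEL` understates that loss of coverage for certificate handling. Consider skipping only the pytz-dependent modules through the conftest skipper in `%{SOURCE2}`, which already handles iso8601 and pretend. At minimum, reword the comment to `# skip hypothesis tests and the whole tests/x509 tree (needs pytz) on RHEL`.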
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Mon, 13 Mar 2023 21:09:36 +0100 Subject: [PATCH 12/54] Remove an undesired %{?eln} conditional Fixes https://github.com/fedora-eln/eln/issues/120 --- python-cryptography.spec | 2 -- 1 file changed, 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 07d9285..38888b0 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -103,11 +103,9 @@ rm -rf tests/hypothesis tests/x509 cat < %{SOURCE2} >> tests/conftest.py %endif -%if 0%{?eln} # enable SHA-1 signatures for RSA tests # also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343 export OPENSSL_ENABLE_SHA1_SIGNATURES=yes -%endif # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests From 2894c08790a4b4a9e0bdc0ba6a03e513264f5dd6 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 28 Mar 2023 08:45:39 +0200 Subject: [PATCH 13/54] Update to 40.0.2 Resolves: rhbz#2181430 --- .gitignore | 8 ++++++++ python-cryptography.spec | 15 ++++++++++++--- sources | 4 ++-- 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index 4a92541..77cad2f 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ +/results_python-cryptography +/*.src.rpm /cryptography-1.3.1.tar.gz /cryptography-1.5.3.tar.gz /cryptography-1.7.1.tar.gz @@ -47,3 +49,9 @@ /cryptography-37.0.2-vendor.tar.bz2 /cryptography-39.0.2.tar.gz /cryptography-39.0.2-vendor.tar.bz2 +/cryptography-40.0.0.tar.gz +/cryptography-40.0.0-vendor.tar.bz2 +/cryptography-40.0.1.tar.gz +/cryptography-40.0.1-vendor.tar.bz2 +/cryptography-40.0.2.tar.gz +/cryptography-40.0.2-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 38888b0..6dc34f5 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 39.0.2 -Release: 2%{?dist} +Version: 40.0.2 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -34,6 +34,8 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 +# test_load_with_other_sections in 40.0 fails with pem 1.1.0 +BuildRequires: rust-pem-devel >= 1.1.1 %if %{with tests} %if 0%{?fedora} @@ -45,7 +47,7 @@ BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark -BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 +BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 %endif %description @@ -84,8 +86,12 @@ cd src/rust cd ../.. %endif +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml + %build export RUSTFLAGS="%build_rustflags" +export OPENSSL_NO_VENDOR=1 %py3_build %install @@ -125,6 +131,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Apr 18 2023 Christian Heimes - 40.0.2-1 +- Update to 40.0.2, resolves rhbz#2181430 + * Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 - Don't run tests requiring pytz on RHEL - Don't try to run tests of vendored dependencies in %%check diff --git a/sources b/sources index 3ce6c7a..3532c84 100644 --- a/sources +++ b/sources 
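Review bot: In the hunk of PATCH 13/54 that adds `sed -i 's,--no-subtests-shortletter,,' pyproject.toml`, the sed sits after the `%endif` that closes the Fedora-only `%generate_buildrequires` block from PATCH 08/54, so on Fedora it appears to run in that section and only on RHEL in %prep. The section boundaries lie outside this hunk, so that reading is inferred from the context lines. Source edits belong in %prep: moving the two lines up to just after `%autosetup -p1 -n %{srcname}-%{version}` would make both build paths patch the tree at the same point. Separately, `export OPENSSL_NO_VENDOR=1` in %build deserves a why-comment, e.g. `# always link the system OpenSSL, never a bundled copy`, since it is what keeps the package on the distribution's patched OpenSSL.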
@@ -1,2 +1,2 @@ -SHA512 (cryptography-39.0.2.tar.gz) = 06ae3e2c0c2a5fa9e80dab7181a7c8b64aa9359bfd149837f179e65372a90acc905aae7476516ba8da4c4137bd25ba115d911728858551d2862280352b09b95e -SHA512 (cryptography-39.0.2-vendor.tar.bz2) = 4e92ec50e01f99e160ab6c5e12fbd7e1297aaa2dfb5f0f35019308a44661e938a082c9a4ce0d9b5fbe1ed94cde49ae6b193c3f3f7035e9f5f5a97f2108595667 +SHA512 (cryptography-40.0.2.tar.gz) = 4f49a71cc7348cf90ff4e67d73486a07e065efdc3e321c7f2a642dd459057a90b1c26055bdbed076ebe5b8ea4ec544aaa62b9811fd62f0d818af7e0687b4aa9e +SHA512 (cryptography-40.0.2-vendor.tar.bz2) = d45692545b50a1995837ec61b193f395bf4de021e3c4f059e3c3cc705b1b09628b1e8f00efd1d0f3f0936dc66e39cb2ac9defe484f952552e7b0e402e947fd6d From a64728bbef7bb73a1718152c04ff53aa3225b951 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Mon, 12 Jun 2023 22:50:52 -0400 Subject: [PATCH 14/54] Use vendored rust-pem in RHEL builds --- python-cryptography.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 6dc34f5..402389d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 40.0.2 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -26,6 +26,8 @@ BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging +# test_load_with_other_sections in 40.0 fails with pem 1.1.0 +BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -34,8 +36,6 @@ BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 -# test_load_with_other_sections in 40.0 fails with pem 1.1.0 -BuildRequires: rust-pem-devel >= 1.1.1 %if %{with tests} %if 0%{?fedora} 
@@ -131,6 +131,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 +- Use vendored rust-pem in RHEL builds + * Tue Apr 18 2023 Christian Heimes - 40.0.2-1 - Update to 40.0.2, resolves rhbz#2181430 From bd226dd0d02b7f96f2602496b1ee87b9e27bb582 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Wed, 14 Jun 2023 16:13:50 +0200 Subject: [PATCH 15/54] Bootstrap for Python 3.12 --- python-cryptography.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 402389d..336b8fc 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -6,7 +7,7 @@ Name: python-%{srcname} Version: 40.0.2 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -131,6 +132,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Jun 14 2023 Python Maint - 40.0.2-3 +- Bootstrap for Python 3.12 + * Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 - Use vendored rust-pem in RHEL builds From f32ed18be7458c0152a5b26a5fc4d72db38bdcb7 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Mon, 10 Jul 2023 14:05:42 +0200 Subject: [PATCH 16/54] Rebuilt for Python 3.12 --- python-cryptography.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 336b8fc..5c8b8a7 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} 
@@ -7,7 +6,7 @@ Name: python-%{srcname} Version: 40.0.2 -Release: 3%{?dist} +Release: 4%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -132,6 +131,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Jul 10 2023 Python Maint - 40.0.2-4 +- Rebuilt for Python 3.12 + * Wed Jun 14 2023 Python Maint - 40.0.2-3 - Bootstrap for Python 3.12 From 9421b4a468a2e9b0f2719e09e426d94f912101a0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 21 Jul 2023 08:43:20 +0000 Subject: [PATCH 17/54] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 5c8b8a7..0323ca3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 40.0.2 -Release: 4%{?dist} +Release: 5%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -131,6 +131,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Mon Jul 10 2023 Python Maint - 40.0.2-4 - Rebuilt for Python 3.12 From 7b18e1445dd861fc9515a51991ebd2eb12a5580f Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Wed, 9 Aug 2023 14:07:18 +0200 Subject: [PATCH 18/54] Update to 41.0.3 - Update to upstream version 41.0.3 - Use pyo3 0.19 Resolves: rhbz#2211237 --- .gitignore | 2 ++ pyo3-0.19.patch | 52 ++++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 14 ++++++++--- sources | 4 ++-- 4 files changed, 67 insertions(+), 5 deletions(-) create mode 100644 pyo3-0.19.patch diff --git a/.gitignore b/.gitignore index 77cad2f..e69e967 100644 --- a/.gitignore +++ b/.gitignore @@ -55,3 +55,5 @@ /cryptography-40.0.1-vendor.tar.bz2 /cryptography-40.0.2.tar.gz /cryptography-40.0.2-vendor.tar.bz2 +/cryptography-41.0.3.tar.gz +/cryptography-41.0.3-vendor.tar.bz2 diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch new file mode 100644 index 0000000..692232a --- /dev/null +++ b/pyo3-0.19.patch 
@@ -0,0 +1,52 @@
+diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
+index 01fba147e..9dd060f8b 100644
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -9,7 +9,7 @@ rust-version = "1.56.0"
+
+ [dependencies]
+ once_cell = "1"
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ asn1 = { version = "0.15.2", default-features = false }
+ cryptography-cffi = { path = "cryptography-cffi" }
+ cryptography-x509 = { path = "cryptography-x509" }
+diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
+index 65051c2a4..24e53991b 100644
+--- a/src/rust/cryptography-cffi/Cargo.toml
++++ b/src/rust/cryptography-cffi/Cargo.toml
+@@ -8,7 +8,7 @@ publish = false
+ rust-version = "1.56.0"
+
+ [dependencies]
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ openssl-sys = "0.9.88"
+
+ [build-dependencies]
+diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
+index 923015035..1380d6eb8 100644
+--- a/src/rust/src/x509/crl.rs
++++ b/src/rust/src/x509/crl.rs
+@@ -145,7 +145,7 @@ impl CertificateRevocationList {
+ revoked_certs
+ });
+
+- if idx.is_instance_of::()? {
++ if idx.is_instance_of::() {
+ let indices = idx
+ .downcast::()?
+ .indices(self.len().try_into().unwrap())?;
+diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
+index 98d1bd63b..dcf28833f 100644
+--- a/src/rust/src/x509/extensions.rs
++++ b/src/rust/src/x509/extensions.rs
+@@ -211,7 +211,7 @@ fn encode_certificate_policies(
+ let mut qualifiers = vec![];
+ for py_qualifier in py_policy_qualifiers.iter()? {
+ let py_qualifier = py_qualifier?;
+- let qualifier = if py_qualifier.is_instance_of::()? {
++ let qualifier = if py_qualifier.is_instance_of::() {
+ let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
+ Some(s) => s,
+ None => {
diff --git a/python-cryptography.spec b/python-cryptography.spec index 0323ca3..0365a9a 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 40.0.2 -Release: 5%{?dist} +Version: 41.0.3 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,6 +19,8 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +Patch1: pyo3-0.19.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -69,8 +71,10 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -n %{srcname}-%{version} +%autosetup -p1 -N -n %{srcname}-%{version} %if 0%{?fedora} +# patch pyo3 depedency +%autopatch -p1 1 %cargo_prep rm src/rust/Cargo.lock %else @@ -131,6 +135,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Wed Aug 09 2023 Christian Heimes - 41.0.3-1 +- Update to 41.0.3, resolves rhbz#2211237 +- Use pyo3 0.19 + * Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild diff --git a/sources b/sources index 3532c84..f529925 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (cryptography-40.0.2.tar.gz) = 4f49a71cc7348cf90ff4e67d73486a07e065efdc3e321c7f2a642dd459057a90b1c26055bdbed076ebe5b8ea4ec544aaa62b9811fd62f0d818af7e0687b4aa9e
-SHA512 (cryptography-40.0.2-vendor.tar.bz2) = d45692545b50a1995837ec61b193f395bf4de021e3c4f059e3c3cc705b1b09628b1e8f00efd1d0f3f0936dc66e39cb2ac9defe484f952552e7b0e402e947fd6d
+SHA512 (cryptography-41.0.3.tar.gz) = a1b3c922dc1cc527af152e3d26d65754806c4eeef5e3bcb13e5d86e67c618a7a04de6ca182bc332ff36f3c670b9e5581e6f609f738e0236ada89aa65681fa0cd
+SHA512 (cryptography-41.0.3-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381
From c8cc5d4cdc2023b87412484beb7b46cb4d94322f Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 14 Aug 2023 07:24:10 +0200
Subject: [PATCH 19/54] Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042
---
ouroboros-0.17.patch | 13 +++++++++++++
python-cryptography.spec | 9 +++++++--
2 files changed, 20 insertions(+), 2 deletions(-)
create mode 100644 ouroboros-0.17.patch
diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch
new file mode 100644
index 0000000..a41a2c3
--- /dev/null
+++ b/ouroboros-0.17.patch
@@ -0,0 +1,13 @@
+diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
+index 9dd060f8b..8004c7e76 100644
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" }
+ cryptography-x509 = { path = "cryptography-x509" }
+ cryptography-openssl = { path = "cryptography-openssl" }
+ pem = "1.1"
+-ouroboros = "0.15"
++ouroboros = "0.17"
+ openssl = "0.10.54"
+ openssl-sys = "0.9.88"
+ foreign-types-shared = "0.1"
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 0365a9a..567841d 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -20,6 +20,7 @@ Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py Patch1: pyo3-0.19.patch +Patch2: ouroboros-0.17.patch ExclusiveArch: %{rust_arches} @@ -73,8 +74,9 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} %if 0%{?fedora} -# patch pyo3 depedency +# patch pyo3 and ouroboros depedency %autopatch -p1 1 +%autopatch -p1 2 %cargo_prep rm src/rust/Cargo.lock %else @@ -135,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Aug 14 2023 Christian Heimes - 41.0.3-2 +- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 + * Wed Aug 09 2023 Christian Heimes - 41.0.3-1 - Update to 41.0.3, resolves rhbz#2211237 - Use pyo3 0.19 From bee6bfddb5dfa6a012d396b73a9ca7b76c336ed4 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Thu, 26 Oct 2023 17:20:09 +0200 Subject: [PATCH 20/54] Update to 41.0.5, resolves RHBZ#2239707 --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index e69e967..51aeae3 100644 --- a/.gitignore +++ b/.gitignore @@ -57,3 +57,5 @@ /cryptography-40.0.2-vendor.tar.bz2 /cryptography-41.0.3.tar.gz /cryptography-41.0.3-vendor.tar.bz2 +/cryptography-41.0.5-vendor.tar.bz2 +/cryptography-41.0.5.tar.gz diff --git a/python-cryptography.spec b/python-cryptography.spec index 567841d..311aa65 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
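Review bot: The RUSTSEC-2023-0042 fix only reaches Fedora builds, because the added `%autopatch -p1 2` in the `%prep` hunk sits inside `%if 0%{?fedora}`. The `%else` branch is outside the hunk, but going by the earlier "Use vendored rust-pem in RHEL builds" commit it appears to build from `Source1`, the vendor tarball, and this commit's diffstat touches only `ouroboros-0.17.patch` and the spec, so that tarball is not regenerated. If that reading is right, non-Fedora builds keep whatever ouroboros version the existing tarball carries while the changelog says the advisory is fixed. I would regenerate the vendor tarball in the same commit, or narrow the changelog line to `- Build with ouroboros 0.17 on Fedora, fixes rhbz#2214228 / RUSTSEC-2023-0042`. A comment above the two `%autopatch` lines such as `# Fedora only: other builds take crate versions from Source1` would make the split explicit.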
@@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.3 -Release: 2%{?dist} +Version: 41.0.5 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Oct 26 2023 Christian Heimes - 41.0.5-1 +- Update to 41.0.5, resolves RHBZ#2239707 + * Mon Aug 14 2023 Christian Heimes - 41.0.3-2 - Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 diff --git a/sources b/sources index f529925..7c4beae 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.3.tar.gz) = a1b3c922dc1cc527af152e3d26d65754806c4eeef5e3bcb13e5d86e67c618a7a04de6ca182bc332ff36f3c670b9e5581e6f609f738e0236ada89aa65681fa0cd -SHA512 (cryptography-41.0.3-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 +SHA512 (cryptography-41.0.5.tar.gz) = b647b4f5155437242d7a31d84bd1cdc83284d96d334a3d6169533d597540f525d3f1686bab3a5fe3cb64a4fa6ded5e5d19489dfff0e93d86c274f20e69ca07e9 +SHA512 (cryptography-41.0.5-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 From 3f8bd894bea444ebc52aeb2924024a0ac13afd30 Mon Sep 17 00:00:00 2001 From: Fabio Valentini Date: Fri, 1 Dec 2023 16:14:04 +0100 Subject: [PATCH 21/54] Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 311aa65..a1c787e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
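Review bot: The added `sources` line for `cryptography-41.0.5-vendor.tar.bz2` carries the same SHA512 (`67f0575a…95edd381`) as the `cryptography-41.0.3-vendor.tar.bz2` line it removes, so the vendored crate archive was renamed rather than regenerated for this release. Whether upstream's `Cargo.lock` changed between 41.0.3 and 41.0.5 cannot be told from this diff, but if it did, builds that use the vendor tarball would compile 41.0.5 against the 41.0.3 dependency set. I would regenerate the tarball from the 41.0.5 sources before upload and compare digests. If the identical digest is expected, say so in the commit message, for example `vendor tarball unchanged from 41.0.3 (Cargo.lock identical)`.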
@@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.5 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 +- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) + * Thu Oct 26 2023 Christian Heimes - 41.0.5-1 - Update to 41.0.5, resolves RHBZ#2239707 From 1c91adf0cdbc7fa52ae7c5e8d67160a91dce666c Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Mon, 22 Jan 2024 00:29:41 +0000 Subject: [PATCH 22/54] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index a1c787e..3f3be64 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.5 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 - Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) From cee9a5770df87232d5d199a4e4a1966231745fdf Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 26 Jan 2024 02:54:42 +0000 Subject: [PATCH 23/54] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild --- python-cryptography.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/python-cryptography.spec b/python-cryptography.spec index 3f3be64..5849991 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.5 -Release: 3%{?dist} +Release: 4%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + * Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From fdff266e83b3bbee278465a3c0652d733283b682 Mon Sep 17 00:00:00 2001 From: "Benjamin A. Beasley" Date: Thu, 1 Feb 2024 10:48:14 -0500 Subject: [PATCH 24/54] Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 --- .gitignore | 2 ++ python-cryptography.spec | 7 +++++-- sources | 4 ++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 51aeae3..c4051ad 100644 --- a/.gitignore +++ b/.gitignore @@ -59,3 +59,5 @@ /cryptography-41.0.3-vendor.tar.bz2 /cryptography-41.0.5-vendor.tar.bz2 /cryptography-41.0.5.tar.gz +/cryptography-41.0.7.tar.gz +/cryptography-41.0.7-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 5849991..0f4f843 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.5 -Release: 4%{?dist} +Version: 41.0.7 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, 
@@ -137,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 +- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 + * Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild diff --git a/sources b/sources index 7c4beae..44bd6ba 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.5.tar.gz) = b647b4f5155437242d7a31d84bd1cdc83284d96d334a3d6169533d597540f525d3f1686bab3a5fe3cb64a4fa6ded5e5d19489dfff0e93d86c274f20e69ca07e9 -SHA512 (cryptography-41.0.5-vendor.tar.bz2) = 67f0575a1ff53bfba01b14f01f79f2442b0971c67c23eb32ebf77813c7a7e22efdcea3ed6926712cb4d875f71b6f21d24c105b3cdad51e24dc84fa3995edd381 +SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 +SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e From 2b20ce4281d9888f5ab5931b8a2d4ddaeb1b5977 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 23 Jan 2024 12:09:52 +0100 Subject: [PATCH 25/54] Update to 42.0.5, resolves RHBZ#2251816 --- .gitignore | 2 + ouroboros-0.17.patch | 13 ------ pyo3-0.19.patch | 52 ----------------------- python-cryptography.spec | 38 +++++++++-------- skip-overflow-tests-32bit.patch | 73 +++++++++++++++++++++++++++++++++ sources | 4 +- vendor_rust.py | 2 +- 7 files changed, 100 insertions(+), 84 deletions(-) delete mode 100644 ouroboros-0.17.patch delete mode 100644 pyo3-0.19.patch create mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index c4051ad..578df22 100644 --- a/.gitignore +++ b/.gitignore 
@@ -61,3 +61,5 @@ /cryptography-41.0.5.tar.gz /cryptography-41.0.7.tar.gz /cryptography-41.0.7-vendor.tar.bz2 +/cryptography-42.0.5.tar.gz +/cryptography-42.0.5-vendor.tar.bz2 diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch deleted file mode 100644 index a41a2c3..0000000 --- a/ouroboros-0.17.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml -index 9dd060f8b..8004c7e76 100644 ---- a/src/rust/Cargo.toml -+++ b/src/rust/Cargo.toml -@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } - cryptography-x509 = { path = "cryptography-x509" } - cryptography-openssl = { path = "cryptography-openssl" } - pem = "1.1" --ouroboros = "0.15" -+ouroboros = "0.17" - openssl = "0.10.54" - openssl-sys = "0.9.88" - foreign-types-shared = "0.1" diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch deleted file mode 100644 index 692232a..0000000 --- a/pyo3-0.19.patch +++ /dev/null 
@@ -1,52 +0,0 @@
-diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
-index 01fba147e..9dd060f8b 100644
---- a/src/rust/Cargo.toml
-+++ b/src/rust/Cargo.toml
-@@ -9,7 +9,7 @@ rust-version = "1.56.0"
-
- [dependencies]
- once_cell = "1"
--pyo3 = { version = "0.18", features = ["abi3-py37"] }
-+pyo3 = { version = "0.19", features = ["abi3-py37"] }
- asn1 = { version = "0.15.2", default-features = false }
- cryptography-cffi = { path = "cryptography-cffi" }
- cryptography-x509 = { path = "cryptography-x509" }
-diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
-index 65051c2a4..24e53991b 100644
---- a/src/rust/cryptography-cffi/Cargo.toml
-+++ b/src/rust/cryptography-cffi/Cargo.toml
-@@ -8,7 +8,7 @@ publish = false
- rust-version = "1.56.0"
-
- [dependencies]
--pyo3 = { version = "0.18", features = ["abi3-py37"] }
-+pyo3 = { version = "0.19", features = ["abi3-py37"] }
- openssl-sys = "0.9.88"
-
- [build-dependencies]
-diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
-index 923015035..1380d6eb8 100644
---- a/src/rust/src/x509/crl.rs
-+++ b/src/rust/src/x509/crl.rs
-@@ -145,7 +145,7 @@ impl CertificateRevocationList {
- revoked_certs
- });
-
-- if idx.is_instance_of::()? {
-+ if idx.is_instance_of::() {
- let indices = idx
- .downcast::()?
- .indices(self.len().try_into().unwrap())?;
-diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
-index 98d1bd63b..dcf28833f 100644
---- a/src/rust/src/x509/extensions.rs
-+++ b/src/rust/src/x509/extensions.rs
-@@ -211,7 +211,7 @@ fn encode_certificate_policies(
- let mut qualifiers = vec![];
- for py_qualifier in py_policy_qualifiers.iter()? {
- let py_qualifier = py_qualifier?;
-- let qualifier = if py_qualifier.is_instance_of::()? {
-+ let qualifier = if py_qualifier.is_instance_of::() {
- let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
- Some(s) => s,
- None => {
diff --git a/python-cryptography.spec b/python-cryptography.spec index 0f4f843..8a592eb 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.7 +Version: 42.0.5 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -19,8 +19,7 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: pyo3-0.19.patch -Patch2: ouroboros-0.17.patch +Patch1: skip-overflow-tests-32bit.patch ExclusiveArch: %{rust_arches} @@ -29,8 +28,6 @@ BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging -# test_load_with_other_sections in 40.0 fails with pem 1.1.0 -BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -48,6 +45,7 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif +BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 @@ -73,10 +71,8 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} -%if 0%{?fedora} -# patch pyo3 and ouroboros depedency %autopatch -p1 1 -%autopatch -p1 2 +%if 0%{?fedora} %cargo_prep rm src/rust/Cargo.lock %else 
@@ -84,27 +80,33 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -%if 0%{?fedora} +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml + + %generate_buildrequires +%pyproject_buildrequires -t +%if 0%{?fedora} # Fedora: use RPMified crates cd src/rust %cargo_generate_buildrequires cd ../.. %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -%py3_build +%pyproject_wheel + %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%py3_install +%pyproject_install +%pyproject_save_files %{srcname} + %check %if %{with tests} @@ -130,13 +132,17 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif -%files -n python%{python3_pkgversion}-%{srcname} + +%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD -%{python3_sitearch}/%{srcname} -%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info + %changelog +* Wed Mar 06 2024 Christian Heimes - 42.0.1-5 +- Update to 42.0.5, resolves RHBZ#2251816 +- Modernize spec file to use pyproject RPM macros + * Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch new file mode 100644 index 0000000..1dec3d9 --- /dev/null +++ b/skip-overflow-tests-32bit.patch 
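Review bot: The new `%changelog` entry is stamped `42.0.1-5`, which does not match the `Version: 42.0.5` and `Release: 1%{?dist}` set in the header hunk of the same commit. Anyone mapping changelog entries to builds to decide which package carries a given fix would look for a build that does not exist. The entry should read `* Wed Mar 06 2024 Christian Heimes - 42.0.5-1`.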
@@ -0,0 +1,73 @@ +From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 8 Feb 2024 09:11:21 -0600 +Subject: [PATCH] skip overflow aead tests on 32-bit systems + +--- + tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py +index a1f99ab815ed..2f0d52d82682 100644 +--- a/tests/hazmat/primitives/test_aead.py ++++ b/tests/hazmat/primitives/test_aead.py +@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): + ) + class TestChaCha20Poly1305: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = ChaCha20Poly1305.generate_key() +@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESCCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESCCM.generate_key(128) +@@ -378,7 +380,8 @@ def _load_gcm_vectors(): + + class TestAESGCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCM.generate_key(128) +@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): + ) + class TestAESOCB3: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key 
= AESOCB3.generate_key(128) +@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESSIV.generate_key(256) +@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESGCMSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index 44bd6ba..0e97b72 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 -SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e +SHA512 (cryptography-42.0.5.tar.gz) = 112a1f6395e0c9bf646118100c6285684eabf021d7c8912bbdbc165d5c27fbf9f9f2fffb144d63453b21f8461a172ab49d2b79ed2b80f409489a07d5ddc54bc9 +SHA512 (cryptography-42.0.5-vendor.tar.bz2) = 5c8da064f28183d759f0e39077f671297abedd43b40461a6e9fe2390e142945dc5ee54cdf4cfbbc33d9973a9bd95f33312dd5888e2422569f18b4a17ff75f6c4 diff --git a/vendor_rust.py b/vendor_rust.py index cd8355e..eb53abd 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -12,7 +12,7 @@ import sys VENDOR_DIR = "vendor" CARGO_TOML = "src/rust/Cargo.toml" -RE_VERSION = re.compile("Version:\s*(.*)") +RE_VERSION = re.compile(r"Version:\s*(.*)") parser = argparse.ArgumentParser(description="Vendor Rust packages") parser.add_argument( From 2220bc3f080af3e3a474ad8ffcd8ae79bf020ee6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Tue, 28 May 2024 13:29:39 +0200 Subject: [PATCH 26/54] Revert "Update to 42.0.5, resolves RHBZ#2251816" This reverts commit 2b20ce4281d9888f5ab5931b8a2d4ddaeb1b5977. --- .gitignore | 2 - ouroboros-0.17.patch | 13 ++++++ pyo3-0.19.patch | 52 +++++++++++++++++++++++ python-cryptography.spec | 38 ++++++++--------- skip-overflow-tests-32bit.patch | 73 --------------------------------- sources | 4 +- vendor_rust.py | 2 +- 7 files changed, 84 insertions(+), 100 deletions(-) create mode 100644 ouroboros-0.17.patch create mode 100644 pyo3-0.19.patch delete mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index 578df22..c4051ad 100644 --- a/.gitignore +++ b/.gitignore @@ -61,5 +61,3 @@ /cryptography-41.0.5.tar.gz /cryptography-41.0.7.tar.gz /cryptography-41.0.7-vendor.tar.bz2 -/cryptography-42.0.5.tar.gz -/cryptography-42.0.5-vendor.tar.bz2 diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch new file mode 100644 index 0000000..a41a2c3 --- /dev/null +++ b/ouroboros-0.17.patch @@ -0,0 +1,13 @@ +diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml +index 9dd060f8b..8004c7e76 100644 +--- a/src/rust/Cargo.toml ++++ b/src/rust/Cargo.toml +@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" } + cryptography-x509 = { path = "cryptography-x509" } + cryptography-openssl = { path = "cryptography-openssl" } + pem = "1.1" +-ouroboros = "0.15" ++ouroboros = "0.17" + openssl = "0.10.54" + openssl-sys = "0.9.88" + foreign-types-shared = "0.1" diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch new file mode 100644 index 0000000..692232a --- /dev/null +++ b/pyo3-0.19.patch 
@@ -0,0 +1,52 @@
+diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
+index 01fba147e..9dd060f8b 100644
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -9,7 +9,7 @@ rust-version = "1.56.0"
+
+ [dependencies]
+ once_cell = "1"
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ asn1 = { version = "0.15.2", default-features = false }
+ cryptography-cffi = { path = "cryptography-cffi" }
+ cryptography-x509 = { path = "cryptography-x509" }
+diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
+index 65051c2a4..24e53991b 100644
+--- a/src/rust/cryptography-cffi/Cargo.toml
++++ b/src/rust/cryptography-cffi/Cargo.toml
+@@ -8,7 +8,7 @@ publish = false
+ rust-version = "1.56.0"
+
+ [dependencies]
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ openssl-sys = "0.9.88"
+
+ [build-dependencies]
+diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
+index 923015035..1380d6eb8 100644
+--- a/src/rust/src/x509/crl.rs
++++ b/src/rust/src/x509/crl.rs
+@@ -145,7 +145,7 @@ impl CertificateRevocationList {
+ revoked_certs
+ });
+
+- if idx.is_instance_of::()? {
++ if idx.is_instance_of::() {
+ let indices = idx
+ .downcast::()?
+ .indices(self.len().try_into().unwrap())?;
+diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
+index 98d1bd63b..dcf28833f 100644
+--- a/src/rust/src/x509/extensions.rs
++++ b/src/rust/src/x509/extensions.rs
+@@ -211,7 +211,7 @@ fn encode_certificate_policies(
+ let mut qualifiers = vec![];
+ for py_qualifier in py_policy_qualifiers.iter()? {
+ let py_qualifier = py_qualifier?;
+- let qualifier = if py_qualifier.is_instance_of::()? {
++ let qualifier = if py_qualifier.is_instance_of::() {
+ let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
+ Some(s) => s,
+ None => {
diff --git a/python-cryptography.spec b/python-cryptography.spec index 8a592eb..0f4f843 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 42.0.5 +Version: 41.0.7 Release: 1%{?dist} Summary: PyCA's cryptography library @@ -19,7 +19,8 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: skip-overflow-tests-32bit.patch +Patch1: pyo3-0.19.patch +Patch2: ouroboros-0.17.patch ExclusiveArch: %{rust_arches} @@ -28,6 +29,8 @@ BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging +# test_load_with_other_sections in 40.0 fails with pem 1.1.0 +BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -45,7 +48,6 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif -BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 @@ -71,8 +73,10 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} -%autopatch -p1 1 %if 0%{?fedora} +# patch pyo3 and ouroboros depedency +%autopatch -p1 1 +%autopatch -p1 2 %cargo_prep rm src/rust/Cargo.lock %else 
@@ -80,33 +84,27 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml - - -%generate_buildrequires -%pyproject_buildrequires -t %if 0%{?fedora} +%generate_buildrequires # Fedora: use RPMified crates cd src/rust %cargo_generate_buildrequires cd ../.. %endif +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -%pyproject_wheel - +%py3_build %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%pyproject_install -%pyproject_save_files %{srcname} - +%py3_install %check %if %{with tests} @@ -132,17 +130,13 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif - -%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} +%files -n python%{python3_pkgversion}-%{srcname} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD - +%{python3_sitearch}/%{srcname} +%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog -* Wed Mar 06 2024 Christian Heimes - 42.0.1-5 -- Update to 42.0.5, resolves RHBZ#2251816 -- Modernize spec file to use pyproject RPM macros - * Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch deleted file mode 100644 index 1dec3d9..0000000 --- a/skip-overflow-tests-32bit.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Thu, 8 Feb 2024 09:11:21 -0600 -Subject: [PATCH] skip overflow aead tests on 32-bit systems - ---- - tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py -index a1f99ab815ed..2f0d52d82682 100644 ---- a/tests/hazmat/primitives/test_aead.py -+++ b/tests/hazmat/primitives/test_aead.py -@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): - ) - class TestChaCha20Poly1305: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = ChaCha20Poly1305.generate_key() -@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESCCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESCCM.generate_key(128) -@@ -378,7 +380,8 @@ def _load_gcm_vectors(): - - class TestAESGCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCM.generate_key(128) -@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): - ) - class TestAESOCB3: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key 
= AESOCB3.generate_key(128) -@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESSIV.generate_key(256) -@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESGCMSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index 0e97b72..44bd6ba 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-42.0.5.tar.gz) = 112a1f6395e0c9bf646118100c6285684eabf021d7c8912bbdbc165d5c27fbf9f9f2fffb144d63453b21f8461a172ab49d2b79ed2b80f409489a07d5ddc54bc9 -SHA512 (cryptography-42.0.5-vendor.tar.bz2) = 5c8da064f28183d759f0e39077f671297abedd43b40461a6e9fe2390e142945dc5ee54cdf4cfbbc33d9973a9bd95f33312dd5888e2422569f18b4a17ff75f6c4 +SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 +SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e diff --git a/vendor_rust.py b/vendor_rust.py index eb53abd..cd8355e 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -12,7 +12,7 @@ import sys VENDOR_DIR = "vendor" CARGO_TOML = "src/rust/Cargo.toml" -RE_VERSION = re.compile(r"Version:\s*(.*)") +RE_VERSION = re.compile("Version:\s*(.*)") parser = argparse.ArgumentParser(description="Vendor Rust packages") parser.add_argument( From 1eecfff494b2e21e4fd11706b1259a8fce0b762e Mon Sep 17 00:00:00 2001 
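Review bot: In the vendor_rust.py hunk the new line `RE_VERSION = re.compile("Version:\s*(.*)")` drops the raw-string prefix, so `\s` is an invalid string escape rather than a regex escape. It still yields the same pattern today, but Python warns about it (DeprecationWarning, SyntaxWarning from 3.12) and a later release is expected to reject it. This line is independent of the version being restored, so keep `RE_VERSION = re.compile(r"Version:\s*(.*)")`.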
From: Python Maint Date: Fri, 7 Jun 2024 22:03:00 +0200 Subject: [PATCH 27/54] Bootstrap for Python 3.13 --- python-cryptography.spec | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 0f4f843..6d4be22 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -6,7 +7,7 @@ Name: python-%{srcname} Version: 41.0.7 -Release: 1%{?dist} +Release: 2%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -137,6 +138,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Fri Jun 07 2024 Python Maint - 41.0.7-2 +- Bootstrap for Python 3.13 + * Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 From a7c29b32fa3b30a50a63ef143725235bcabc7930 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Sat, 8 Jun 2024 08:13:50 +0200 Subject: [PATCH 28/54] Rebuilt for Python 3.13 --- python-cryptography.spec | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 6d4be22..52208e8 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -7,7 +6,7 @@ Name: python-%{srcname} Version: 41.0.7 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, 
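Review bot: The `%global _without_tests 1` added at the top of the spec in the `@@ -1,3 +1,4 @@` hunk of the bootstrap commit turns `%{with tests}` off, so the whole `%check` body is skipped, and nothing in the spec marks this as temporary. For a cryptography package that means the bootstrap build is produced without its test suite having run against the new Python. A comment above the define, for example `# Python 3.13 bootstrap only: tests disabled, remove on the following rebuild`, would make the intent and the required follow-up visible in the file and not only in the commit subject.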
@@ -138,6 +137,9 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info %changelog +* Sat Jun 08 2024 Python Maint - 41.0.7-3 +- Rebuilt for Python 3.13 + * Fri Jun 07 2024 Python Maint - 41.0.7-2 - Bootstrap for Python 3.13 From cb16ef22f994a7232a1c9825f4cb99473cfae70d Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Tue, 2 Jul 2024 11:50:53 -0400 Subject: [PATCH 29/54] Update to 42.0.8, resolves RHBZ#2251816" This reverts commit 2220bc3f080af3e3a474ad8ffcd8ae79bf020ee6 and bumps the version up from 42.0.5 to 42.0.8. Additionally, a dependency on the openssl-devel-engine is necessary. Longer-term this should be dropped[0]. [0] https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine Co-authored-by: Christian Heimes --- .gitignore | 4 ++ ouroboros-0.17.patch | 13 ------ pyo3-0.19.patch | 52 ----------------------- python-cryptography.spec | 37 +++++++++-------- skip-overflow-tests-32bit.patch | 73 +++++++++++++++++++++++++++++++++ sources | 4 +- vendor_rust.py | 2 +- 7 files changed, 100 insertions(+), 85 deletions(-) delete mode 100644 ouroboros-0.17.patch delete mode 100644 pyo3-0.19.patch create mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index c4051ad..79738f6 100644 --- a/.gitignore +++ b/.gitignore @@ -61,3 +61,7 @@ /cryptography-41.0.5.tar.gz /cryptography-41.0.7.tar.gz /cryptography-41.0.7-vendor.tar.bz2 +/cryptography-42.0.5.tar.gz +/cryptography-42.0.5-vendor.tar.bz2 +/cryptography-42.0.8.tar.gz +/cryptography-42.0.8-vendor.tar.bz2 diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch deleted file mode 100644 index a41a2c3..0000000 --- a/ouroboros-0.17.patch +++ /dev/null 
@@ -1,13 +0,0 @@
-diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
-index 9dd060f8b..8004c7e76 100644
---- a/src/rust/Cargo.toml
-+++ b/src/rust/Cargo.toml
-@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" }
- cryptography-x509 = { path = "cryptography-x509" }
- cryptography-openssl = { path = "cryptography-openssl" }
- pem = "1.1"
--ouroboros = "0.15"
-+ouroboros = "0.17"
- openssl = "0.10.54"
- openssl-sys = "0.9.88"
- foreign-types-shared = "0.1"
diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch
deleted file mode 100644
index 692232a..0000000
--- a/pyo3-0.19.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
-index 01fba147e..9dd060f8b 100644
---- a/src/rust/Cargo.toml
-+++ b/src/rust/Cargo.toml
-@@ -9,7 +9,7 @@ rust-version = "1.56.0"
-
- [dependencies]
- once_cell = "1"
--pyo3 = { version = "0.18", features = ["abi3-py37"] }
-+pyo3 = { version = "0.19", features = ["abi3-py37"] }
- asn1 = { version = "0.15.2", default-features = false }
- cryptography-cffi = { path = "cryptography-cffi" }
- cryptography-x509 = { path = "cryptography-x509" }
-diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
-index 65051c2a4..24e53991b 100644
---- a/src/rust/cryptography-cffi/Cargo.toml
-+++ b/src/rust/cryptography-cffi/Cargo.toml
-@@ -8,7 +8,7 @@ publish = false
- rust-version = "1.56.0"
-
- [dependencies]
--pyo3 = { version = "0.18", features = ["abi3-py37"] }
-+pyo3 = { version = "0.19", features = ["abi3-py37"] }
- openssl-sys = "0.9.88"
-
- [build-dependencies]
-diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
-index 923015035..1380d6eb8 100644
---- a/src/rust/src/x509/crl.rs
-+++ b/src/rust/src/x509/crl.rs
-@@ -145,7 +145,7 @@ impl CertificateRevocationList {
- revoked_certs
- });
-
-- if idx.is_instance_of::()? {
-+ if idx.is_instance_of::() {
- let indices = idx
- .downcast::()?
- .indices(self.len().try_into().unwrap())?;
-diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
-index 98d1bd63b..dcf28833f 100644
---- a/src/rust/src/x509/extensions.rs
-+++ b/src/rust/src/x509/extensions.rs
-@@ -211,7 +211,7 @@ fn encode_certificate_policies(
- let mut qualifiers = vec![];
- for py_qualifier in py_policy_qualifiers.iter()? {
- let py_qualifier = py_qualifier?;
-- let qualifier = if py_qualifier.is_instance_of::()? {
-+ let qualifier = if py_qualifier.is_instance_of::() {
- let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
- Some(s) => s,
- None => {
diff --git a/python-cryptography.spec b/python-cryptography.spec index 52208e8..e0a00e6 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,8 +5,8 @@ %global srcname cryptography Name: python-%{srcname} -Version: 41.0.7 -Release: 3%{?dist} +Version: 42.0.8 +Release: 1%{?dist} Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, @@ -19,18 +19,16 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: pyo3-0.19.patch -Patch2: ouroboros-0.17.patch +Patch1: skip-overflow-tests-32bit.patch ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel +BuildRequires: openssl-devel-engine BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} BuildRequires: rust-packaging -# test_load_with_other_sections in 40.0 fails with pem 1.1.0 -BuildRequires: rust-pem-devel >= 1.1.1 %else BuildRequires: rust-toolset %endif @@ -48,6 +46,7 @@ BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif +BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 @@ -73,10 +72,8 @@ recipes to Python developers. %prep %autosetup -p1 -N -n %{srcname}-%{version} -%if 0%{?fedora} -# patch pyo3 and ouroboros depedency %autopatch -p1 1 -%autopatch -p1 2 +%if 0%{?fedora} %cargo_prep rm src/rust/Cargo.lock %else 
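Review bot: `BuildRequires: openssl-devel-engine` is added in the `@@ -19,18 +19,16 @@` hunk with no comment in the spec, although the commit message describes it as a dependency that should be dropped longer-term. That reason lives only in the commit log, so a later packager has no cue in the file to revisit it once OpenSSL engine support is deprecated. Add a line above it such as `# Temporary, to be dropped: https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine`. The restored `Patch1: skip-overflow-tests-32bit.patch` in the same hunk would likewise benefit from a one-line comment naming its upstream origin.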
@@ -84,27 +81,33 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -%if 0%{?fedora} +# Remove cosmetical pytest-subtests 0.10.0 option +sed -i 's,--no-subtests-shortletter,,' pyproject.toml + + %generate_buildrequires +%pyproject_buildrequires -t +%if 0%{?fedora} # Fedora: use RPMified crates cd src/rust %cargo_generate_buildrequires cd ../.. %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -%py3_build +%pyproject_wheel + %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%py3_install +%pyproject_install +%pyproject_save_files %{srcname} + %check %if %{with tests} @@ -130,11 +133,11 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif -%files -n python%{python3_pkgversion}-%{srcname} + +%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD -%{python3_sitearch}/%{srcname} -%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info + %changelog * Sat Jun 08 2024 Python Maint - 41.0.7-3 diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch new file mode 100644 index 0000000..1dec3d9 --- /dev/null +++ b/skip-overflow-tests-32bit.patch 
@@ -0,0 +1,73 @@ +From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 8 Feb 2024 09:11:21 -0600 +Subject: [PATCH] skip overflow aead tests on 32-bit systems + +--- + tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py +index a1f99ab815ed..2f0d52d82682 100644 +--- a/tests/hazmat/primitives/test_aead.py ++++ b/tests/hazmat/primitives/test_aead.py +@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): + ) + class TestChaCha20Poly1305: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = ChaCha20Poly1305.generate_key() +@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESCCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESCCM.generate_key(128) +@@ -378,7 +380,8 @@ def _load_gcm_vectors(): + + class TestAESGCM: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCM.generate_key(128) +@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): + ) + class TestAESOCB3: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key 
= AESOCB3.generate_key(128) +@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESSIV.generate_key(256) +@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): + ) + class TestAESGCMSIV: + @pytest.mark.skipif( +- sys.platform not in {"linux", "darwin"}, reason="mmap required" ++ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, ++ reason="mmap and 64-bit platform required", + ) + def test_data_too_large(self): + key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index 44bd6ba..e9ffcca 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307 -SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e +SHA512 (cryptography-42.0.8.tar.gz) = 969e76f9605795e9126a5b896d73e5a958654bf50dd99dbb5d08dac26abb0c45c1695cfb6a114ca22360986fe711bbf3b1ecb6c45955154c352ae3e6ece25568 +SHA512 (cryptography-42.0.8-vendor.tar.bz2) = 57e60a7ae729e2870f1ee07c9978a56a6095f33b0797efcae0846ed53772d24c02528a5906c32941ed58751bdff7a147d094c0deeda3b5593f9892b20725d48c diff --git a/vendor_rust.py b/vendor_rust.py index cd8355e..eb53abd 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -12,7 +12,7 @@ import sys VENDOR_DIR = "vendor" CARGO_TOML = "src/rust/Cargo.toml" -RE_VERSION = re.compile("Version:\s*(.*)") +RE_VERSION = re.compile(r"Version:\s*(.*)") parser = argparse.ArgumentParser(description="Vendor Rust packages") parser.add_argument( From 3d1bdaeb4555273c696fb56a33e19b5e0b28e927 Mon Sep 17 00:00:00 2001 
From: Jeremy Cline Date: Wed, 3 Jul 2024 10:26:37 -0400 Subject: [PATCH 30/54] Switch to autorelease and autochangelog macros I forgot to bump manually add a changelog entry for the 42.0.8 update. Let's make that impossible in the future. [skip changelog] --- changelog | 248 +++++++++++++++++++++++++++++++++++++++ python-cryptography.spec | 248 +-------------------------------------- 2 files changed, 250 insertions(+), 246 deletions(-) create mode 100644 changelog diff --git a/changelog b/changelog new file mode 100644 index 0000000..fa06f3e --- /dev/null +++ b/changelog 
@@ -0,0 +1,248 @@ +* Tue Jul 02 2024 Jeremy Cline - 42.0.8-1 +- Update to 42.0.8, fixes rhbz#2251816 + +* Sat Jun 08 2024 Python Maint - 41.0.7-3 +- Rebuilt for Python 3.13 + +* Fri Jun 07 2024 Python Maint - 41.0.7-2 +- Bootstrap for Python 3.13 + +* Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 +- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 + +* Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 +- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) + +* Thu Oct 26 2023 Christian Heimes - 41.0.5-1 +- Update to 41.0.5, resolves RHBZ#2239707 + +* Mon Aug 14 2023 Christian Heimes - 41.0.3-2 +- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 + +* Wed Aug 09 2023 Christian Heimes - 41.0.3-1 +- Update to 41.0.3, resolves rhbz#2211237 +- Use pyo3 0.19 + +* Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Mon Jul 10 2023 Python Maint - 40.0.2-4 +- Rebuilt for Python 3.12 + +* Wed Jun 14 2023 Python Maint - 40.0.2-3 +- Bootstrap for Python 3.12 + +* Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 +- Use vendored rust-pem in RHEL builds + +* Tue Apr 18 2023 Christian Heimes - 40.0.2-1 +- Update to 40.0.2, resolves rhbz#2181430 + +* Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 +- Don't run tests requiring pytz on RHEL +- Don't try to run tests of vendored dependencies in %%check + +* Sat Mar 04 2023 Christian Heimes - 39.0.2-1 +- Update to 39.0.2, resolves rhbz#2124729 + +* Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 +- Ensure correct compiler flags are used for Rust code. 
+ +* Wed Feb 22 2023 Christian Heimes - 37.0.2-8 +- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 +- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 + +* Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Dec 09 2022 Christian Heimes - 37.0.2-6 +- Enable SHA1 signatures in test suite (ELN-only) + +* Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 +- Drop unused requirement of python3-six + +* Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Tue Jun 14 2022 Python Maint - 37.0.2-3 +- Rebuilt for Python 3.11 + +* Tue Jun 14 2022 Python Maint - 37.0.2-2 +- Bootstrap for Python 3.11 + +* Thu May 05 2022 Christian Heimes - 37.0.2-1 +- Update to 37.0.2, resolves rhbz#2078968 + +* Thu Jan 27 2022 Christian Heimes - 36.0.0-3 +- Skip unstable memleak tests, resolves: RHBZ#2042413 + +* Fri Jan 21 2022 Fedora Release Engineering - 36.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Mon Nov 22 2021 Christian Heimes - 36.0.0-1 +- Update to 36.0.0, fixes RHBZ#2025347 + +* Thu Sep 30 2021 Christian Heimes - 35.0.0-2 +- Require rust-asn1 >= 0.6.4 + +* Thu Sep 30 2021 Christian Heimes - 35.0-1 +- Update to 35.0.0 (#2009117) + +* Tue Sep 14 2021 Sahana Prasad - 3.4.7-6 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Jul 23 2021 Fedora Release Engineering - 3.4.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Thu Jun 10 2021 Stephen Gallagher - 3.4.7-4 +- Don't conditionalize Source: directives + +* Wed Jun 02 2021 Python Maint - 3.4.7-3 +- Rebuilt for Python 3.10 + +* Tue May 11 2021 Christian Heimes - 3.4.7-2 +- Fix compatibility issue with Python 3.10. Enums now use same + representation as on Python 3.9. (#1952522) +- Backport OpenSSL 3.0.0 compatibility patches. 
+ +* Wed Apr 21 2021 Christian Heimes - 3.4.7-1 +- Update to 3.4.7 +- Remove dependency on python-cryptography-vectors package and use vectors + directly from Github source tar ball. (#1952024) + +* Wed Mar 03 2021 Christian Heimes - 3.4.6-1 +- Update to 3.4.6 (#1927044) + +* Mon Feb 15 2021 Christian Heimes - 3.4.5-1 +- Update to 3.4.5 (#1927044) + +* Fri Feb 12 2021 Christian Heimes - 3.4.4-3 +- Skip iso8601 and pretend tests on RHEL + +* Fri Feb 12 2021 Christian Heimes - 3.4.4-2 +- Provide RHEL build infrastructure + +* Wed Feb 10 2021 Christian Heimes - 3.4.4-1 +- Update to 3.4.4 (#1927044) + +* Mon Feb 08 2021 Christian Heimes - 3.4.2-1 +- Update to 3.4.2 (#1926339) +- Package no longer depends on Rust (#1926181) + +* Mon Feb 08 2021 Fabio Valentini - 3.4.1-2 +- Use dynamically generated BuildRequires for PyO3 Rust module. +- Drop unnecessary CARGO_NET_OFFLINE environment variable. + +* Sun Feb 07 2021 Christian Heimes - 3.4.1-1 +- Update to 3.4.1 (#1925953) + +* Sun Feb 07 2021 Christian Heimes - 3.4-2 +- Add missing abi3 and pytest dependencies + +* Sun Feb 07 2021 Christian Heimes - 3.4-1 +- Update to 3.4 (#1925953) +- Remove Python 2 support +- Remove unused python-idna dependency +- Add Rust support + +* Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Dec 10 2020 Christian Heimes - 3.3.1-1 +- Update to 3.3.1 (#1905756) + +* Wed Oct 28 2020 Christian Heimes - 3.2.1-1 +- Update to 3.2.1 (#1892153) + +* Mon Oct 26 2020 Christian Heimes - 3.2-1 +- Update to 3.2 (#1891378) + +* Mon Sep 07 2020 Christian Heimes - 3.1-1 +- Update to 3.1 (#1872978) + +* Wed Jul 29 2020 Fedora Release Engineering - 3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 21 2020 Christian Heimes - 3.0-1 +- Update to 3.0 (#185897) + +* Sat May 23 2020 Miro Hrončok - 2.9-3 +- Rebuilt for Python 3.9 + +* Tue May 12 2020 Felix Schwarz - 2.9-2 +- add source file 
verification + +* Fri Apr 03 2020 Christian Heimes - 2.9-1 +- Update to 2.9 (#1820348) + +* Thu Jan 30 2020 Fedora Release Engineering - 2.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Jan 13 2020 Christian Heimes - 2.8-2 +- cryptography 2.8+ no longer depends on python-asn1crypto + +* Thu Oct 17 2019 Christian Heimes - 2.8-1 +- Update to 2.8 +- Resolves: rhbz#1762779 + +* Sun Oct 13 2019 Christian Heimes - 2.7-3 +- Skip unit tests that fail with OpenSSL 1.1.1.d +- Resolves: rhbz#1761194 +- Fix and simplify Python 3 packaging + +* Sat Oct 12 2019 Christian Heimes - 2.7-2 +- Drop Python 2 package +- Resolves: rhbz#1761081 + +* Tue Sep 03 2019 Randy Barlow - 2.7-1 +- Update to 2.7 (#1715680). + +* Fri Aug 16 2019 Miro Hrončok - 2.6.1-3 +- Rebuilt for Python 3.8 + +* Fri Jul 26 2019 Fedora Release Engineering - 2.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Feb 28 2019 Christian Heimes - 2.6.1-1 +- New upstream release 2.6.1, resolves RHBZ#1683691 + +* Wed Feb 13 2019 Alfredo Moralejo - 2.5-1 +- Updated to 2.5. 
+ +* Sat Feb 02 2019 Fedora Release Engineering - 2.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Aug 13 2018 Christian Heimes - 2.3-2 +- Use TLSv1.2 in test as workaround for RHBZ#1615143 + +* Wed Jul 18 2018 Christian Heimes - 2.3-1 +- New upstream release 2.3 +- Fix AEAD tag truncation bug, RHBZ#1602752 + +* Fri Jul 13 2018 Fedora Release Engineering - 2.2.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 15 2018 Miro Hrončok - 2.2.1-2 +- Rebuilt for Python 3.7 + +* Wed Mar 21 2018 Christian Heimes - 2.2.1-1 +- New upstream release 2.2.1 + +* Sun Feb 18 2018 Christian Heimes - 2.1.4-1 +- New upstream release 2.1.4 + +* Sun Feb 18 2018 Christian Heimes - 2.1.3-4 +- Build requires gcc + +* Mon Feb 12 2018 Iryna Shcherbina - 2.1.3-3 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Fri Feb 09 2018 Fedora Release Engineering - 2.1.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/python-cryptography.spec b/python-cryptography.spec index e0a00e6..ba3d651 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -6,7 +6,7 @@ Name: python-%{srcname} Version: 42.0.8 -Release: 1%{?dist} +Release: %autorelease Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, 
@@ -140,248 +140,4 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %changelog -* Sat Jun 08 2024 Python Maint - 41.0.7-3 -- Rebuilt for Python 3.13 - -* Fri Jun 07 2024 Python Maint - 41.0.7-2 -- Bootstrap for Python 3.13 - -* Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 -- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 - -* Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 -- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) - -* Thu Oct 26 2023 Christian Heimes - 41.0.5-1 -- Update to 41.0.5, resolves RHBZ#2239707 - -* Mon Aug 14 2023 Christian Heimes - 41.0.3-2 -- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 - -* Wed Aug 09 2023 Christian Heimes - 41.0.3-1 -- Update to 41.0.3, resolves rhbz#2211237 -- Use pyo3 0.19 - -* Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Mon Jul 10 2023 Python Maint - 40.0.2-4 -- Rebuilt for Python 3.12 - -* Wed Jun 14 2023 Python Maint - 40.0.2-3 -- Bootstrap for Python 3.12 - -* Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 -- Use vendored rust-pem in RHEL builds - -* Tue Apr 18 2023 Christian Heimes - 40.0.2-1 -- Update to 40.0.2, resolves rhbz#2181430 - -* Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 -- Don't run tests requiring pytz on RHEL -- Don't try to run tests of vendored dependencies in %%check - -* Sat Mar 04 2023 Christian Heimes - 39.0.2-1 -- Update to 39.0.2, resolves rhbz#2124729 - -* Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 -- Ensure correct compiler flags are used for Rust code. 
- -* Wed Feb 22 2023 Christian Heimes - 37.0.2-8 -- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 -- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 - -* Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Fri Dec 09 2022 Christian Heimes - 37.0.2-6 -- Enable SHA1 signatures in test suite (ELN-only) - -* Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 -- Drop unused requirement of python3-six - -* Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Tue Jun 14 2022 Python Maint - 37.0.2-3 -- Rebuilt for Python 3.11 - -* Tue Jun 14 2022 Python Maint - 37.0.2-2 -- Bootstrap for Python 3.11 - -* Thu May 05 2022 Christian Heimes - 37.0.2-1 -- Update to 37.0.2, resolves rhbz#2078968 - -* Thu Jan 27 2022 Christian Heimes - 36.0.0-3 -- Skip unstable memleak tests, resolves: RHBZ#2042413 - -* Fri Jan 21 2022 Fedora Release Engineering - 36.0.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Mon Nov 22 2021 Christian Heimes - 36.0.0-1 -- Update to 36.0.0, fixes RHBZ#2025347 - -* Thu Sep 30 2021 Christian Heimes - 35.0.0-2 -- Require rust-asn1 >= 0.6.4 - -* Thu Sep 30 2021 Christian Heimes - 35.0-1 -- Update to 35.0.0 (#2009117) - -* Tue Sep 14 2021 Sahana Prasad - 3.4.7-6 -- Rebuilt with OpenSSL 3.0.0 - -* Fri Jul 23 2021 Fedora Release Engineering - 3.4.7-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Thu Jun 10 2021 Stephen Gallagher - 3.4.7-4 -- Don't conditionalize Source: directives - -* Wed Jun 02 2021 Python Maint - 3.4.7-3 -- Rebuilt for Python 3.10 - -* Tue May 11 2021 Christian Heimes - 3.4.7-2 -- Fix compatibility issue with Python 3.10. Enums now use same - representation as on Python 3.9. (#1952522) -- Backport OpenSSL 3.0.0 compatibility patches. 
- -* Wed Apr 21 2021 Christian Heimes - 3.4.7-1 -- Update to 3.4.7 -- Remove dependency on python-cryptography-vectors package and use vectors - directly from Github source tar ball. (#1952024) - -* Wed Mar 03 2021 Christian Heimes - 3.4.6-1 -- Update to 3.4.6 (#1927044) - -* Mon Feb 15 2021 Christian Heimes - 3.4.5-1 -- Update to 3.4.5 (#1927044) - -* Fri Feb 12 2021 Christian Heimes - 3.4.4-3 -- Skip iso8601 and pretend tests on RHEL - -* Fri Feb 12 2021 Christian Heimes - 3.4.4-2 -- Provide RHEL build infrastructure - -* Wed Feb 10 2021 Christian Heimes - 3.4.4-1 -- Update to 3.4.4 (#1927044) - -* Mon Feb 08 2021 Christian Heimes - 3.4.2-1 -- Update to 3.4.2 (#1926339) -- Package no longer depends on Rust (#1926181) - -* Mon Feb 08 2021 Fabio Valentini - 3.4.1-2 -- Use dynamically generated BuildRequires for PyO3 Rust module. -- Drop unnecessary CARGO_NET_OFFLINE environment variable. - -* Sun Feb 07 2021 Christian Heimes - 3.4.1-1 -- Update to 3.4.1 (#1925953) - -* Sun Feb 07 2021 Christian Heimes - 3.4-2 -- Add missing abi3 and pytest dependencies - -* Sun Feb 07 2021 Christian Heimes - 3.4-1 -- Update to 3.4 (#1925953) -- Remove Python 2 support -- Remove unused python-idna dependency -- Add Rust support - -* Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Thu Dec 10 2020 Christian Heimes - 3.3.1-1 -- Update to 3.3.1 (#1905756) - -* Wed Oct 28 2020 Christian Heimes - 3.2.1-1 -- Update to 3.2.1 (#1892153) - -* Mon Oct 26 2020 Christian Heimes - 3.2-1 -- Update to 3.2 (#1891378) - -* Mon Sep 07 2020 Christian Heimes - 3.1-1 -- Update to 3.1 (#1872978) - -* Wed Jul 29 2020 Fedora Release Engineering - 3.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jul 21 2020 Christian Heimes - 3.0-1 -- Update to 3.0 (#185897) - -* Sat May 23 2020 Miro Hrončok - 2.9-3 -- Rebuilt for Python 3.9 - -* Tue May 12 2020 Felix Schwarz - 2.9-2 -- add source file 
verification - -* Fri Apr 03 2020 Christian Heimes - 2.9-1 -- Update to 2.9 (#1820348) - -* Thu Jan 30 2020 Fedora Release Engineering - 2.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Mon Jan 13 2020 Christian Heimes - 2.8-2 -- cryptography 2.8+ no longer depends on python-asn1crypto - -* Thu Oct 17 2019 Christian Heimes - 2.8-1 -- Update to 2.8 -- Resolves: rhbz#1762779 - -* Sun Oct 13 2019 Christian Heimes - 2.7-3 -- Skip unit tests that fail with OpenSSL 1.1.1.d -- Resolves: rhbz#1761194 -- Fix and simplify Python 3 packaging - -* Sat Oct 12 2019 Christian Heimes - 2.7-2 -- Drop Python 2 package -- Resolves: rhbz#1761081 - -* Tue Sep 03 2019 Randy Barlow - 2.7-1 -- Update to 2.7 (#1715680). - -* Fri Aug 16 2019 Miro Hrončok - 2.6.1-3 -- Rebuilt for Python 3.8 - -* Fri Jul 26 2019 Fedora Release Engineering - 2.6.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Thu Feb 28 2019 Christian Heimes - 2.6.1-1 -- New upstream release 2.6.1, resolves RHBZ#1683691 - -* Wed Feb 13 2019 Alfredo Moralejo - 2.5-1 -- Updated to 2.5. 
- -* Sat Feb 02 2019 Fedora Release Engineering - 2.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Mon Aug 13 2018 Christian Heimes - 2.3-2 -- Use TLSv1.2 in test as workaround for RHBZ#1615143 - -* Wed Jul 18 2018 Christian Heimes - 2.3-1 -- New upstream release 2.3 -- Fix AEAD tag truncation bug, RHBZ#1602752 - -* Fri Jul 13 2018 Fedora Release Engineering - 2.2.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Fri Jun 15 2018 Miro Hrončok - 2.2.1-2 -- Rebuilt for Python 3.7 - -* Wed Mar 21 2018 Christian Heimes - 2.2.1-1 -- New upstream release 2.2.1 - -* Sun Feb 18 2018 Christian Heimes - 2.1.4-1 -- New upstream release 2.1.4 - -* Sun Feb 18 2018 Christian Heimes - 2.1.3-4 -- Build requires gcc - -* Mon Feb 12 2018 Iryna Shcherbina - 2.1.3-3 -- Update Python 2 dependency declarations to new packaging standards - (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) - -* Fri Feb 09 2018 Fedora Release Engineering - 2.1.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild +%autochangelog From 4dcec288f2a9f08c49015ea485357a3a636a337d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= Date: Wed, 3 Jul 2024 18:45:24 +0200 Subject: [PATCH 31/54] Drop unneeded dependency on tox There is no additional dependency generated by it, other than tox and tox-current-env. There is no tox configuration in the source tarball. If desired, there is a [test] extra, so we could use -x test instead, but that would break the %if 0%{?fedora} tests dependencies separation. --- python-cryptography.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index ba3d651..3670a2a 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
@@ -86,7 +86,7 @@ sed -i 's,--no-subtests-shortletter,,' pyproject.toml %generate_buildrequires -%pyproject_buildrequires -t +%pyproject_buildrequires %if 0%{?fedora} # Fedora: use RPMified crates cd src/rust From 143d2e3463f824c20b62b8c73688bdf950b2893d Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Wed, 3 Jul 2024 14:39:39 -0400 Subject: [PATCH 32/54] Fix the build for ELN PyO3 doesn't support Python 3.13 until 0.22, but cryptography 0.42 is using 0.20 at the moment. Use ABI3 forward compatibility for ELN builds until cryptography updates. The Rawhide build is using crates from the distro which must be setting this in some way, but I'm not familiar enough with PyO3 or Fedora's Rust packaging to find it quickly. Fixes rhbz#2295602 --- python-cryptography.spec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index 3670a2a..e6fe8cd 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -98,6 +98,11 @@ cd ../.. %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 +# Temporary work-around for using pyo3 0.20 with Python 3.13 on ELN; This can +# be dropped when a cryptography release bumps to pyo3 >= 0.22 +%if 0%{?rhel} +export PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1 +%endif %pyproject_wheel From 1483ac22f765c6e01502dfe2114d5d2c6e2a3aab Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Fri, 12 Jul 2024 10:47:14 -0400 Subject: [PATCH 33/54] Skip benchmark tests on RHEL This avoids dependencies on the otherwise unnecessary certifi and pytest-benchmark. --- python-cryptography.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index e6fe8cd..edb70ca 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
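Review bot: The guard `%if 0%{?rhel}` around `export PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1` in the `%build` hunk of PATCH 32 is wider than the comment above it, which names only ELN. As written, the variable is exported on every build where `rhel` is defined. If only ELN is meant, `%if 0%{?eln}` says so; otherwise the comment should read "on RHEL and ELN" so the scope of the work-around is not misread later. The `%build` section continues outside the hunk.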
@@ -40,15 +40,15 @@ BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 %if %{with tests} %if 0%{?fedora} +BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend +BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif -BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 -BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 %endif @@ -83,6 +83,9 @@ rm src/rust/Cargo.lock # Remove cosmetical pytest-subtests 0.10.0 option sed -i 's,--no-subtests-shortletter,,' pyproject.toml +%if ! 0%{?fedora} +sed -i 's,--benchmark-disable,,' pyproject.toml +%endif %generate_buildrequires @@ -117,8 +120,8 @@ find . -name .keep -print -delete %check %if %{with tests} %if 0%{?rhel} -# skip hypothesis and pytz tests on RHEL -rm -rf tests/hypothesis tests/x509 +# skip benchmark, hypothesis, and pytz tests on RHEL +rm -rf tests/bench tests/hypothesis tests/x509 # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif From cf26149d18b4b220d2b2193340372799a1674a71 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Fri, 12 Jul 2024 10:51:44 -0400 Subject: [PATCH 34/54] Remove unused pytest-subtests dependency This dependency was switched out for a built-in miniature replacement as of version 41.0.0: https://github.com/pyca/cryptography/commit/22759dbab0bc85da995febcc3e82680fe6b2804a --- python-cryptography.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index edb70ca..722047a 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
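Review bot: In the `%check` hunk the updated comment still describes `tests/x509` as "pytz tests", but `rm -rf tests/bench tests/hypothesis tests/x509` deletes the whole directory, so on RHEL the package is built without running anything under `tests/x509`. For a cryptography library that is a notable gap in build-time verification and should be stated where it happens, e.g. `# tests/x509 is removed as a whole (pytz is not available); X.509 tests do not run on RHEL`. If only some modules there need pytz, deselecting those would keep the rest running; the hunk does not show which ones do. The `%check` section continues outside the hunk.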
@@ -49,7 +49,6 @@ BuildRequires: python%{python3_pkgversion}-pytest-xdist BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 -BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 %endif %description @@ -81,8 +80,6 @@ rm src/rust/Cargo.lock %cargo_prep -V 1 %endif -# Remove cosmetical pytest-subtests 0.10.0 option -sed -i 's,--no-subtests-shortletter,,' pyproject.toml %if ! 0%{?fedora} sed -i 's,--benchmark-disable,,' pyproject.toml %endif From bc9adfb4dea6d5c3b23e79acd64686488d8a03d2 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 19 Jul 2024 10:44:42 +0000 Subject: [PATCH 35/54] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 4dc6d7b0babe0baa4d3a68a40ed31ff52057218a Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Wed, 24 Jul 2024 16:43:12 -0400 Subject: [PATCH 36/54] Automatically apply all patches during autosetup Commit 7b18e1445dd8 ("Update to 41.0.3") introduces a patch that was applied behind a conditional. This is no longer the case, so revert back to letting autosetup apply all patches. [skip changelog] --- python-cryptography.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 722047a..e376447 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -70,8 +70,7 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -N -n %{srcname}-%{version} -%autopatch -p1 1 +%autosetup -p1 -n %{srcname}-%{version} %if 0%{?fedora} %cargo_prep rm src/rust/Cargo.lock From 696a6afd84d72791fbf0c87e48802128e90db565 Mon Sep 17 00:00:00 2001 
From: Jeremy Cline Date: Wed, 24 Jul 2024 16:23:21 -0400 Subject: [PATCH 37/54] Update to v43.0.0 Additionally, this builds the package with OPENSSL_NO_ENGINE=1 This drops the skip-overflow-tests-32bit.patch as its included in v43.0.0. It picks up the patch in https://github.com/pyca/cryptography/pull/11328 to allow building with OPENSSL_NO_ENGINE=1. --- .gitignore | 2 + 11328.patch | 36 ++++++++++++++++ python-cryptography.spec | 11 ++--- skip-overflow-tests-32bit.patch | 73 --------------------------------- sources | 4 +- 5 files changed, 43 insertions(+), 83 deletions(-) create mode 100644 11328.patch delete mode 100644 skip-overflow-tests-32bit.patch diff --git a/.gitignore b/.gitignore index 79738f6..fca5c45 100644 --- a/.gitignore +++ b/.gitignore @@ -65,3 +65,5 @@ /cryptography-42.0.5-vendor.tar.bz2 /cryptography-42.0.8.tar.gz /cryptography-42.0.8-vendor.tar.bz2 +/cryptography-43.0.0.tar.gz +/cryptography-43.0.0-vendor.tar.bz2 diff --git a/11328.patch b/11328.patch new file mode 100644 index 0000000..3dd1aee --- /dev/null +++ b/11328.patch 
@@ -0,0 +1,36 @@ +From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Mon, 22 Jul 2024 09:09:05 +0200 +Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined + +Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE +support. Downstream has moved `openssl/engine.h` into a separate RPM +package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The +compiler flag disables PyCA cryptography's ENGINE support successfully. +We also like to build the downstream package without the `engine.h` +header file present. + +This commit makes the include conditional. The `ENGINE` type is +defined in `openssl/types.h`. + +See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide +See: https://issues.redhat.com/browse/RHEL-33747 +Signed-off-by: Christian Heimes +--- + src/_cffi_src/openssl/engine.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py +index 9629a2c8f929..f47e20327003 100644 +--- a/src/_cffi_src/openssl/engine.py ++++ b/src/_cffi_src/openssl/engine.py +@@ -5,7 +5,9 @@ + from __future__ import annotations + + INCLUDES = """ ++#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL + #include ++#endif + """ + + TYPES = """ diff --git a/python-cryptography.spec b/python-cryptography.spec index e376447..e7a1b1c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 42.0.8 +Version: 43.0.0 Release: %autorelease Summary: PyCA's cryptography library 
@@ -19,12 +19,11 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch1: skip-overflow-tests-32bit.patch +Patch: 11328.patch ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel -BuildRequires: openssl-devel-engine BuildRequires: gcc BuildRequires: gnupg2 %if 0%{?fedora} @@ -97,11 +96,7 @@ cd ../.. %build export RUSTFLAGS="%build_rustflags" export OPENSSL_NO_VENDOR=1 -# Temporary work-around for using pyo3 0.20 with Python 3.13 on ELN; This can -# be dropped when a cryptography release bumps to pyo3 >= 0.22 -%if 0%{?rhel} -export PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1 -%endif +export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " %pyproject_wheel diff --git a/skip-overflow-tests-32bit.patch b/skip-overflow-tests-32bit.patch deleted file mode 100644 index 1dec3d9..0000000 --- a/skip-overflow-tests-32bit.patch +++ /dev/null 
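Review bot: `export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 "` in the `%build` hunk has no comment, although it changes what the built library supports: the description of 11328.patch in this same commit says the define disables cryptography's ENGINE support. A line such as `# OpenSSL ENGINE support is being phased out in Fedora 41 / RHEL 10; build without it (needs 11328.patch)` above it would tell the next packager why it is there and that the define and the patch belong together. The same hunk drops the `PYO3_USE_ABI3_FORWARD_COMPATIBILITY` work-around without the commit message mentioning it; the removed comment tied that to pyo3 >= 0.22, so the message should confirm that 43.0.0 meets this. `Patch: 11328.patch` in the first spec hunk would likewise benefit from `# https://github.com/pyca/cryptography/pull/11328`.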
@@ -1,73 +0,0 @@ -From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Thu, 8 Feb 2024 09:11:21 -0600 -Subject: [PATCH] skip overflow aead tests on 32-bit systems - ---- - tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py -index a1f99ab815ed..2f0d52d82682 100644 ---- a/tests/hazmat/primitives/test_aead.py -+++ b/tests/hazmat/primitives/test_aead.py -@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend): - ) - class TestChaCha20Poly1305: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = ChaCha20Poly1305.generate_key() -@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESCCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESCCM.generate_key(128) -@@ -378,7 +380,8 @@ def _load_gcm_vectors(): - - class TestAESGCM: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCM.generate_key(128) -@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend): - ) - class TestAESOCB3: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key 
= AESOCB3.generate_key(128) -@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESSIV.generate_key(256) -@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend): - ) - class TestAESGCMSIV: - @pytest.mark.skipif( -- sys.platform not in {"linux", "darwin"}, reason="mmap required" -+ sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31, -+ reason="mmap and 64-bit platform required", - ) - def test_data_too_large(self): - key = AESGCMSIV.generate_key(256) diff --git a/sources b/sources index e9ffcca..fe39107 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-42.0.8.tar.gz) = 969e76f9605795e9126a5b896d73e5a958654bf50dd99dbb5d08dac26abb0c45c1695cfb6a114ca22360986fe711bbf3b1ecb6c45955154c352ae3e6ece25568 -SHA512 (cryptography-42.0.8-vendor.tar.bz2) = 57e60a7ae729e2870f1ee07c9978a56a6095f33b0797efcae0846ed53772d24c02528a5906c32941ed58751bdff7a147d094c0deeda3b5593f9892b20725d48c +SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7 +SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924 From fdf62093b4dec4102ef193c5fb08b8dd25e721a4 Mon Sep 17 00:00:00 2001 
From: Jeremy Cline Date: Tue, 30 Jul 2024 11:15:34 -0400 Subject: [PATCH 38/54] Flip off lock = true maturin config Upstream switched to maturin in v43[0]. Since we fiddle with the lockfile maturin wants to update it since upstream configures `lock = true`. Turn that off. This fixes the v43 build in rawhide. [0] https://github.com/pyca/cryptography/pull/8815 [skip changelog] --- python-cryptography.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index e7a1b1c..d83d2b1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -72,6 +72,7 @@ recipes to Python developers. %autosetup -p1 -n %{srcname}-%{version} %if 0%{?fedora} %cargo_prep +sed -i 's/locked = true//g' pyproject.toml rm src/rust/Cargo.lock %else # RHEL: use vendored Rust crates From ed6d65f51610e2b85a297376b32a0c032b3ea98f Mon Sep 17 00:00:00 2001 From: Francisco Trivino Date: Wed, 4 Sep 2024 11:41:44 +0200 Subject: [PATCH 39/54] allow sha1 in OAEP In FIPS mode, RSA OAEP padding is refused with an error message: "This combination of padding and hash algorithm is not supported by this backend." It picks up the patch in https://github.com/pyca/cryptography/pull/11536 to allow sha1 in OAEP. Fixes: https://github.com/pyca/cryptography/issues/11512 Related: https://issues.redhat.com/browse/RHEL-40210 Signed-off-by: Francisco Trivino --- 11536.patch | 26 ++++++++++++++++++++++++++ python-cryptography.spec | 1 + 2 files changed, 27 insertions(+) create mode 100644 11536.patch diff --git a/11536.patch b/11536.patch new file mode 100644 index 0000000..b18f149 --- /dev/null +++ b/11536.patch 
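Review bot: `sed -i 's/locked = true//g' pyproject.toml` in the `%prep` hunk of PATCH 38 carries no comment, and it exits successfully without changing anything if upstream rewords the setting, in which case the build problem from the commit message would return with no hint at its cause. Together with the `rm src/rust/Cargo.lock` on the next line it means the Fedora build takes crate versions from the distribution rather than from upstream's lock file, which is worth stating in place: `# upstream sets locked = true for maturin; Fedora builds against packaged crates, so drop it together with Cargo.lock`. The commit message says `lock = true` while the code matches `locked = true`. The `%prep` section continues outside the hunk.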
@@ -0,0 +1,26 @@ +From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001 +From: Alex Gaynor +Date: Tue, 3 Sep 2024 20:19:02 -0400 +Subject: [PATCH] allow sha1 in OAEP (#11536) + +fixes #11512 +--- + src/rust/src/backend/rsa.rs | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs +index 3c01e7421..066b1412a 100644 +--- a/src/rust/src/backend/rsa.rs ++++ b/src/rust/src/backend/rsa.rs +@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu + } + + fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { +- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1()) ++ md == &openssl::hash::MessageDigest::sha1() + || md == &openssl::hash::MessageDigest::sha224() + || md == &openssl::hash::MessageDigest::sha256() + || md == &openssl::hash::MessageDigest::sha384() +-- +2.46.0 + diff --git a/python-cryptography.spec b/python-cryptography.spec index d83d2b1..eff8c1c 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -20,6 +20,7 @@ Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py Patch: 11328.patch +Patch: 11536.patch ExclusiveArch: %{rust_arches} From bc4d913fc3b2fb5b81083731af0a64abdb72509e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 18 Jan 2025 13:19:11 +0000 Subject: [PATCH 40/54] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From 83987f70ef712cc0b5935dc5e8f2354f74476c30 Mon Sep 17 00:00:00 2001 
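Review bot: `Patch: 11536.patch` in the spec hunk is added with no comment on its origin or on when it can be dropped, and this patch changes security policy rather than fixing a build: it removes the `!cryptography_openssl::fips::is_enabled()` condition from `oaep_hash_supported`, so SHA-1 is accepted as an OAEP hash in FIPS mode as well. I would put `# Allow SHA-1 as OAEP hash in FIPS mode, https://github.com/pyca/cryptography/pull/11536` above the line. Whether the OpenSSL FIPS provider then permits the operation is not visible here, so the result of a test run on a FIPS-enabled host would be worth recording in the commit message.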
From: Jeremy Cline Date: Tue, 21 Jan 2025 15:51:57 +0000 Subject: [PATCH 41/54] Update to v44.0.0 This release is largely adding new features. One behavioral which might cause issues is: - Enforce the RFC 5280 requirement that extended key usage extensions must not be empty. Complete changelog: https://github.com/pyca/cryptography/blob/44.0.0/CHANGELOG.rst --- .gitignore | 2 ++ python-cryptography.spec | 6 +----- sources | 4 ++-- 3 files changed, 5 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index fca5c45..ea7f662 100644 --- a/.gitignore +++ b/.gitignore @@ -67,3 +67,5 @@ /cryptography-42.0.8-vendor.tar.bz2 /cryptography-43.0.0.tar.gz /cryptography-43.0.0-vendor.tar.bz2 +/cryptography-44.0.0.tar.gz +/cryptography-44.0.0-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index eff8c1c..c4c0e69 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 43.0.0 +Version: 44.0.0 Release: %autorelease Summary: PyCA's cryptography library @@ -19,9 +19,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch: 11328.patch -Patch: 11536.patch - ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -74,7 +71,6 @@ recipes to Python developers. %if 0%{?fedora} %cargo_prep sed -i 's/locked = true//g' pyproject.toml -rm src/rust/Cargo.lock %else # RHEL: use vendored Rust crates %cargo_prep -V 1 diff --git a/sources b/sources index fe39107..d10f2cb 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7 -SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924 +SHA512 (cryptography-44.0.0.tar.gz) = 6a0320ef3ece42e5b501d5381f719e01cb20b2971f0334a8a37f7b9a941482399901500f59817bffb1da579673e7785741a3016f51ac3bbf9bec55ff5df611ad +SHA512 (cryptography-44.0.0-vendor.tar.bz2) = 53b52a5aac5de01ac878e5fb477e890b093e6886d8a0b210801402900000560d7a3b8a85414b81f0ff22aadf6f7bbd94ccace70666709197b97424207942af2b From 78a177912460d18470df2783ed7ef86bdbf84ab5 Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Tue, 21 Jan 2025 18:39:23 +0000 Subject: [PATCH 42/54] Include fix to exclude Cargo.toml from wheels Merged upstream at https://github.com/pyca/cryptography/pull/12091 [skip changelog] --- 11328.patch | 36 ------------------------------------ 11536.patch | 26 -------------------------- 12091.patch | 34 ++++++++++++++++++++++++++++++++++ python-cryptography.spec | 5 +++++ 4 files changed, 39 insertions(+), 62 deletions(-) delete mode 100644 11328.patch delete mode 100644 11536.patch create mode 100644 12091.patch diff --git a/11328.patch b/11328.patch deleted file mode 100644 index 3dd1aee..0000000 --- a/11328.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 22 Jul 2024 09:09:05 +0200 -Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined - -Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE -support. Downstream has moved `openssl/engine.h` into a separate RPM -package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The -compiler flag disables PyCA cryptography's ENGINE support successfully. -We also like to build the downstream package without the `engine.h` -header file present. - -This commit makes the include conditional. The `ENGINE` type is -defined in `openssl/types.h`. - -See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide -See: https://issues.redhat.com/browse/RHEL-33747 -Signed-off-by: Christian Heimes ---- - src/_cffi_src/openssl/engine.py | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py -index 9629a2c8f929..f47e20327003 100644 ---- a/src/_cffi_src/openssl/engine.py -+++ b/src/_cffi_src/openssl/engine.py -@@ -5,7 +5,9 @@ - from __future__ import annotations - - INCLUDES = """ -+#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL - #include -+#endif - """ - - TYPES = """ diff --git a/11536.patch b/11536.patch deleted file mode 100644 index b18f149..0000000 --- a/11536.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Tue, 3 Sep 2024 20:19:02 -0400 -Subject: [PATCH] allow sha1 in OAEP (#11536) - -fixes #11512 ---- - src/rust/src/backend/rsa.rs | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs -index 3c01e7421..066b1412a 100644 ---- a/src/rust/src/backend/rsa.rs -+++ b/src/rust/src/backend/rsa.rs -@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu - } - - fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool { -- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1()) -+ md == &openssl::hash::MessageDigest::sha1() - || md == &openssl::hash::MessageDigest::sha224() - || md == &openssl::hash::MessageDigest::sha256() - || md == &openssl::hash::MessageDigest::sha384() --- -2.46.0 - diff --git a/12091.patch b/12091.patch new file mode 100644 index 0000000..96ef95a --- /dev/null +++ b/12091.patch @@ -0,0 +1,34 @@ +From 68369a6dbae71a9314ac0ecc8b88c435600cb4e9 Mon Sep 17 00:00:00 2001 +From: Johan Andersson +Date: Tue, 3 Dec 2024 00:43:31 +0100 +Subject: [PATCH] build: remove cargo.toml files from wheels + +--- + pyproject.toml | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/pyproject.toml b/pyproject.toml +index 4266e3bd5ba4..0378e78815e3 100644 +--- a/pyproject.toml ++++ b/pyproject.toml +@@ -101,15 +101,17 @@ include = [ + "src/_cffi_src/**/*.c", + "src/_cffi_src/**/*.h", + +- "**/Cargo.toml", +- "**/Cargo.lock", ++ "Cargo.toml", ++ "Cargo.lock", ++ "src/rust/**/Cargo.toml", ++ "src/rust/**/Cargo.lock", + "src/rust/**/*.rs", + + "tests/**/*.py", + ] + exclude = [ + "vectors/**/*", +- "src/rust/target/**/*", ++ "target/**/*", + "docs/_build/**/*", + ".github/**/*", + ".readthedocs.yml", 
diff --git a/python-cryptography.spec b/python-cryptography.spec index c4c0e69..110249d 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -19,6 +19,10 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py +# Merged for 45.0.0+ +# https://github.com/pyca/cryptography/pull/12091 +Patch: 12091.patch + ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel @@ -102,6 +106,7 @@ export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete +find . -name Cargo.toml -print -delete %pyproject_install %pyproject_save_files %{srcname} From 606ff1ca7ed14791fb66c3029c65397436b2902f Mon Sep 17 00:00:00 2001 From: Fabio Valentini Date: Thu, 6 Feb 2025 13:47:30 +0100 Subject: [PATCH 43/54] Rebuild for openssl crate >= v0.10.70 (RUSTSEC-2025-0004) From 25b75b110cb4173e173476cd88ded741b37c3a98 Mon Sep 17 00:00:00 2001 From: Yaakov Selkowitz Date: Mon, 3 Mar 2025 23:22:02 -0500 Subject: [PATCH 44/54] Do not delete tests/x509 on RHEL tests/x509 now provides imports used by tests in other directories, and no longer require pytz. --- python-cryptography.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 110249d..e10429e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -115,7 +115,7 @@ find . -name Cargo.toml -print -delete %if %{with tests} %if 0%{?rhel} # skip benchmark, hypothesis, and pytz tests on RHEL -rm -rf tests/bench tests/hypothesis tests/x509 +rm -rf tests/bench tests/hypothesis # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif From 683f73c2b86b3035a407c58d8da331232bc68cc1 Mon Sep 17 00:00:00 2001 
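Review bot: `find . -name Cargo.toml -print -delete` in the `%install` hunk of PATCH 42 runs before `%pyproject_install`, so it works on the unpacked source tree and not on `%{buildroot}`; the wheel was already produced by `%pyproject_wheel` in `%build`. As far as the hunk shows, this line therefore cannot keep a Cargo.toml out of the installed package, and that job is left entirely to 12091.patch. If a safety net is wanted, it would go after `%pyproject_install` and before `%pyproject_save_files`, as `find %{buildroot}%{python3_sitearch} -name Cargo.toml -print -delete`. The rest of `%install` is outside the hunk.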
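Review bot: The comment above the changed line in the `%check` hunk of PATCH 44 still reads "skip benchmark, hypothesis, and pytz tests on RHEL", while the new `rm -rf tests/bench tests/hypothesis` no longer removes `tests/x509`, the directory the pytz mention presumably stood for. I would change it to `# skip benchmark and hypothesis tests on RHEL` so the comment matches what is actually deleted. The `%check` section continues outside the hunk.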
From: Yaakov Selkowitz Date: Thu, 6 Mar 2025 11:43:48 -0500 Subject: [PATCH 45/54] Modernize Rust macro usage This adds automatically generated licensing data, and bundled provides for vendored dependencies in the RHEL builds. --- python-cryptography.spec | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index e10429e..91b85b9 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -12,7 +12,13 @@ Summary: PyCA's cryptography library # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, # as well as the Python Software Foundation license for the OS random # engine derived by CPython. -License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 +# Rust crate dependency licenses: +# Apache-2.0 +# Apache-2.0 OR MIT +# BSD-3-Clause +# MIT +# MIT OR Apache-2.0 +License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 AND Apache-2.0 AND BSD-3-Clause AND MIT AND (MIT OR Apache-2.0) URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz # created by ./vendor_rust.py helper script @@ -71,13 +77,13 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -n %{srcname}-%{version} +%autosetup -p1 %{!?fedora:-a1} -n %{srcname}-%{version} %if 0%{?fedora} %cargo_prep sed -i 's/locked = true//g' pyproject.toml %else # RHEL: use vendored Rust crates -%cargo_prep -V 1 +%cargo_prep -v vendor %endif %if ! 0%{?fedora} @@ -89,9 +95,7 @@ sed -i 's,--benchmark-disable,,' pyproject.toml %pyproject_buildrequires %if 0%{?fedora} # Fedora: use RPMified crates -cd src/rust %cargo_generate_buildrequires -cd ../.. %endif 
@@ -101,6 +105,12 @@ export OPENSSL_NO_VENDOR=1 export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " %pyproject_wheel +%cargo_license_summary +%{cargo_license} > LICENSE.dependencies +%if ! 0%{?fedora} +%cargo_vendor_manifest +%endif + %install # Actually other *.c and *.h are appropriate @@ -139,6 +149,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD +%license LICENSE.dependencies +%if ! 0%{?fedora} +%license cargo-vendor.txt +%endif %changelog From f06f4c280408a86ae39f4a942bc6b2d46038b84f Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Mon, 19 May 2025 10:49:48 -0400 Subject: [PATCH 46/54] Update to v45.0.2 This update includes two backwards-incompatible changes with v44: - Made SSH private key loading more consistent with other private key loading: :func:`~cryptography.hazmat.primitives.serialization.load_ssh_private_key` now raises a TypeError if the key is unencrypted but a password is provided (previously no exception was raised), and raises a TypeError if the key is encrypted but no password is provided (previously a ValueError was raised). - The :meth:`VerifiedClient.subject ` property can now be None since a custom extension policy may allow certificates without a Subject Alternative Name extension. Full changelog: https://github.com/pyca/cryptography/blob/45.0.2/CHANGELOG.rst --- .gitignore | 2 ++ 12091.patch | 34 ---------------------------------- python-cryptography.spec | 6 +----- sources | 4 ++-- 4 files changed, 5 insertions(+), 41 deletions(-) delete mode 100644 12091.patch diff --git a/.gitignore b/.gitignore index ea7f662..6778d54 100644 --- a/.gitignore +++ b/.gitignore @@ -69,3 +69,5 @@ /cryptography-43.0.0-vendor.tar.bz2 /cryptography-44.0.0.tar.gz /cryptography-44.0.0-vendor.tar.bz2 +/cryptography-45.0.2.tar.gz +/cryptography-45.0.2-vendor.tar.bz2 
diff --git a/12091.patch b/12091.patch deleted file mode 100644 index 96ef95a..0000000 --- a/12091.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 68369a6dbae71a9314ac0ecc8b88c435600cb4e9 Mon Sep 17 00:00:00 2001 -From: Johan Andersson -Date: Tue, 3 Dec 2024 00:43:31 +0100 -Subject: [PATCH] build: remove cargo.toml files from wheels - ---- - pyproject.toml | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/pyproject.toml b/pyproject.toml -index 4266e3bd5ba4..0378e78815e3 100644 ---- a/pyproject.toml -+++ b/pyproject.toml -@@ -101,15 +101,17 @@ include = [ - "src/_cffi_src/**/*.c", - "src/_cffi_src/**/*.h", - -- "**/Cargo.toml", -- "**/Cargo.lock", -+ "Cargo.toml", -+ "Cargo.lock", -+ "src/rust/**/Cargo.toml", -+ "src/rust/**/Cargo.lock", - "src/rust/**/*.rs", - - "tests/**/*.py", - ] - exclude = [ - "vectors/**/*", -- "src/rust/target/**/*", -+ "target/**/*", - "docs/_build/**/*", - ".github/**/*", - ".readthedocs.yml", diff --git a/python-cryptography.spec b/python-cryptography.spec index 91b85b9..3907b6b 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 44.0.0 +Version: 45.0.2 Release: %autorelease Summary: PyCA's cryptography library @@ -25,10 +25,6 @@ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcnam Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -# Merged for 45.0.0+ -# https://github.com/pyca/cryptography/pull/12091 -Patch: 12091.patch - ExclusiveArch: %{rust_arches} BuildRequires: openssl-devel diff --git a/sources b/sources index d10f2cb..c6a4acc 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-44.0.0.tar.gz) = 6a0320ef3ece42e5b501d5381f719e01cb20b2971f0334a8a37f7b9a941482399901500f59817bffb1da579673e7785741a3016f51ac3bbf9bec55ff5df611ad -SHA512 (cryptography-44.0.0-vendor.tar.bz2) = 53b52a5aac5de01ac878e5fb477e890b093e6886d8a0b210801402900000560d7a3b8a85414b81f0ff22aadf6f7bbd94ccace70666709197b97424207942af2b +SHA512 (cryptography-45.0.2.tar.gz) = c0393f7e75cf5bba3ae8b6deea00d2a27b097ab6c4a5b59727e76d0df537fbbb648bb1879cd85f26aff93e8f4bedfdf178090330dc42e7d1c939a4b4379443e0 +SHA512 (cryptography-45.0.2-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From adc63ac786ecfec84079d5ecb2ee7d8f6a41b5bd Mon Sep 17 00:00:00 2001 From: Jeremy Cline Date: Sun, 25 May 2025 12:49:30 -0400 Subject: [PATCH 47/54] Update to v45.0.3 This fixes two issues from v45: - Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys encrypted by Bouncy Castle). - Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly insecure, this remains prevalent. --- .gitignore | 2 ++ python-cryptography.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 6778d54..4a18b60 100644 --- a/.gitignore +++ b/.gitignore @@ -71,3 +71,5 @@ /cryptography-44.0.0-vendor.tar.bz2 /cryptography-45.0.2.tar.gz /cryptography-45.0.2-vendor.tar.bz2 +/cryptography-45.0.3.tar.gz +/cryptography-45.0.3-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 3907b6b..31b41e2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 45.0.2 +Version: 45.0.3 Release: %autorelease Summary: PyCA's cryptography library diff --git a/sources b/sources index c6a4acc..9fb264e 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@ -SHA512 (cryptography-45.0.2.tar.gz) = c0393f7e75cf5bba3ae8b6deea00d2a27b097ab6c4a5b59727e76d0df537fbbb648bb1879cd85f26aff93e8f4bedfdf178090330dc42e7d1c939a4b4379443e0 -SHA512 (cryptography-45.0.2-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 +SHA512 (cryptography-45.0.3.tar.gz) = 498facb35ad9db2de76c0d5120ae1322b730efeccf62ab324af1e88193e70d177ac92fbdac6b9dafc953c84c43dcc8c6bdabf3dbb3eb0c0854cb16ab0782ddb3 +SHA512 (cryptography-45.0.3-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From 2fadd7bb9ab0a159e6d5f845cd1d6b922c6d6dab Mon Sep 17 00:00:00 2001 From: Python Maint Date: Tue, 3 Jun 2025 13:37:55 +0200 Subject: [PATCH 48/54] Bootstrap for Python 3.14 --- python-cryptography.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/python-cryptography.spec b/python-cryptography.spec index 31b41e2..27fad32 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,3 +1,4 @@ +%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} From 65da927d85a980fe32d693d7f3ae2a5c1703740c Mon Sep 17 00:00:00 2001 From: Python Maint Date: Wed, 4 Jun 2025 18:30:16 +0200 Subject: [PATCH 49/54] Rebuilt for Python 3.14 --- python-cryptography.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index 27fad32..31b41e2 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,3 @@ -%global _without_tests 1 %bcond_without tests %{!?python3_pkgversion:%global python3_pkgversion 3} From 8034f94f7793712d41c2a2b2b3c55ea6a1c85da1 Mon Sep 17 00:00:00 2001 
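Review bot: The new `cryptography-45.0.3-vendor.tar.bz2` entry carries exactly the SHA512 of the 45.0.2 vendor tarball it replaces (`5ff61641…a4da06`), so the vendored crates were presumably not regenerated for this release. That is correct only if upstream's Cargo.lock is unchanged between the two tags. It is worth confirming and stating in the commit message, because a stale vendor tarball would build against different crate versions than upstream tested and could miss dependency fixes. The same digest is reused for `cryptography-45.0.4-vendor.tar.bz2` in PATCH 50/54.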
From: Jeremy Cline Date: Wed, 11 Jun 2025 09:31:07 -0400 Subject: [PATCH 50/54] Update to v45.0.4 The upstream release fixes a single issue: - Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This is not considered secure, and is supported only for backwards compatibility.) Fixes rhbz #2371350 --- .gitignore | 2 ++ python-cryptography.spec | 2 +- sources | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 4a18b60..4ad8197 100644 --- a/.gitignore +++ b/.gitignore @@ -73,3 +73,5 @@ /cryptography-45.0.2-vendor.tar.bz2 /cryptography-45.0.3.tar.gz /cryptography-45.0.3-vendor.tar.bz2 +/cryptography-45.0.4.tar.gz +/cryptography-45.0.4-vendor.tar.bz2 diff --git a/python-cryptography.spec b/python-cryptography.spec index 31b41e2..ae9b0b1 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -5,7 +5,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 45.0.3 +Version: 45.0.4 Release: %autorelease Summary: PyCA's cryptography library diff --git a/sources b/sources index 9fb264e..e79ea50 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-45.0.3.tar.gz) = 498facb35ad9db2de76c0d5120ae1322b730efeccf62ab324af1e88193e70d177ac92fbdac6b9dafc953c84c43dcc8c6bdabf3dbb3eb0c0854cb16ab0782ddb3 -SHA512 (cryptography-45.0.3-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 +SHA512 (cryptography-45.0.4.tar.gz) = 08b35f414d81f83ee242f5d208f8aabc12dc53f1a0cbffc5be1ed7f9173e9c9863225a7eb5cff4e9f3dacf5e9fcb3e8701e33c441e1562ee13f9e3927fafb3df +SHA512 (cryptography-45.0.4-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 From 22e34bf15083c5690415b1cf16fbbafae1ac0c1e Mon Sep 17 00:00:00 2001 
From: Fedora Release Engineering Date: Fri, 25 Jul 2025 07:25:06 +0000 Subject: [PATCH 51/54] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild From 5e511855936600aa1b4f9108e740cf9ec0265588 Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 15 Aug 2025 13:32:38 +0200 Subject: [PATCH 52/54] Rebuilt for Python 3.14.0rc2 bytecode From 5e1fd8e20da2a7587e12bd6ef621c6ac6a6af07b Mon Sep 17 00:00:00 2001 From: Python Maint Date: Fri, 19 Sep 2025 13:05:04 +0200 Subject: [PATCH 53/54] Rebuilt for Python 3.14.0rc3 bytecode From 1a3a50b8d38e467b5a9b4422d073bf0b915ba94b Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Wed, 22 Oct 2025 13:03:41 +0100 Subject: [PATCH 54/54] Drop pytz test req, only needed for py < 3.9 The pytz requirement now is only used for CI for py < 3.9: pytz==2025.2 ; python_full_version < '3.9' Also drop no longer valid comment snippet --- python-cryptography.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/python-cryptography.spec b/python-cryptography.spec index ae9b0b1..16b4d7e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -49,7 +49,6 @@ BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-xdist -BuildRequires: python%{python3_pkgversion}-pytz %endif BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 %endif @@ -120,7 +119,7 @@ find . -name Cargo.toml -print -delete %check %if %{with tests} %if 0%{?rhel} -# skip benchmark, hypothesis, and pytz tests on RHEL +# skip benchmark and hypothesis tests on RHEL rm -rf tests/bench tests/hypothesis # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py