diff --git a/.gitignore b/.gitignore index cfa6910..4ad8197 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ +/results_python-cryptography +/*.src.rpm /cryptography-1.3.1.tar.gz /cryptography-1.5.3.tar.gz /cryptography-1.7.1.tar.gz @@ -39,3 +41,37 @@ /cryptography-3.4.6.tar.gz.asc /cryptography-3.4.7.tar.gz /cryptography-3.4.7-vendor.tar.bz2 +/cryptography-35.0.0.tar.gz +/cryptography-35.0.0-vendor.tar.bz2 +/cryptography-36.0.0.tar.gz +/cryptography-36.0.0-vendor.tar.bz2 +/cryptography-37.0.2.tar.gz +/cryptography-37.0.2-vendor.tar.bz2 +/cryptography-39.0.2.tar.gz +/cryptography-39.0.2-vendor.tar.bz2 +/cryptography-40.0.0.tar.gz +/cryptography-40.0.0-vendor.tar.bz2 +/cryptography-40.0.1.tar.gz +/cryptography-40.0.1-vendor.tar.bz2 +/cryptography-40.0.2.tar.gz +/cryptography-40.0.2-vendor.tar.bz2 +/cryptography-41.0.3.tar.gz +/cryptography-41.0.3-vendor.tar.bz2 +/cryptography-41.0.5-vendor.tar.bz2 +/cryptography-41.0.5.tar.gz +/cryptography-41.0.7.tar.gz +/cryptography-41.0.7-vendor.tar.bz2 +/cryptography-42.0.5.tar.gz +/cryptography-42.0.5-vendor.tar.bz2 +/cryptography-42.0.8.tar.gz +/cryptography-42.0.8-vendor.tar.bz2 +/cryptography-43.0.0.tar.gz +/cryptography-43.0.0-vendor.tar.bz2 +/cryptography-44.0.0.tar.gz +/cryptography-44.0.0-vendor.tar.bz2 +/cryptography-45.0.2.tar.gz +/cryptography-45.0.2-vendor.tar.bz2 +/cryptography-45.0.3.tar.gz +/cryptography-45.0.3-vendor.tar.bz2 +/cryptography-45.0.4.tar.gz +/cryptography-45.0.4-vendor.tar.bz2 diff --git a/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch b/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch deleted file mode 100644 index e73331a..0000000 --- a/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch +++ /dev/null @@ -1,130 +0,0 @@ -From cb1908043d5daa7c5c38945c048c4a2477a46221 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Sun, 28 Feb 2021 16:06:11 -0600 -Subject: [PATCH 1/4] fix pkcs12 parse ordering. fixes #5872 (#5879) - -* fix pkcs12 parse ordering. fixes #5872 - -* remove an unneeded print - -* simplify the test a bit more - -* index - -* black - -* Update tests/hazmat/primitives/test_pkcs12.py - -Co-authored-by: Alex Gaynor - -Co-authored-by: Alex Gaynor ---- - .../hazmat/backends/openssl/backend.py | 5 +- - tests/hazmat/primitives/test_pkcs12.py | 58 ++++++++++++++++++- - 2 files changed, 59 insertions(+), 4 deletions(-) - -diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py -index 271873d9..a96d08d8 100644 ---- a/src/cryptography/hazmat/backends/openssl/backend.py -+++ b/src/cryptography/hazmat/backends/openssl/backend.py -@@ -6,6 +6,7 @@ - import collections - import contextlib - import itertools -+import typing - import warnings - from contextlib import contextmanager - -@@ -2562,9 +2563,7 @@ class Backend(object): - sk_x509 = self._lib.sk_X509_new_null() - sk_x509 = self._ffi.gc(sk_x509, self._lib.sk_X509_free) - -- # reverse the list when building the stack so that they're encoded -- # in the order they were originally provided. it is a mystery -- for ca in reversed(cas): -+ for ca in cas: - res = self._lib.sk_X509_push(sk_x509, ca._x509) - backend.openssl_assert(res >= 1) - -diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py -index b5de09f9..b1759a1b 100644 ---- a/tests/hazmat/primitives/test_pkcs12.py -+++ b/tests/hazmat/primitives/test_pkcs12.py -@@ -4,13 +4,15 @@ - - - import os -+from datetime import datetime - - import pytest - - from cryptography import x509 - from cryptography.hazmat.backends.interfaces import DERSerializationBackend - from cryptography.hazmat.backends.openssl.backend import _RC2 --from cryptography.hazmat.primitives import serialization -+from cryptography.hazmat.primitives import hashes, serialization -+from cryptography.hazmat.primitives.asymmetric import ec - from cryptography.hazmat.primitives.serialization import load_pem_private_key - from cryptography.hazmat.primitives.serialization.pkcs12 import ( - load_key_and_certificates, -@@ -273,3 +275,57 @@ class TestPKCS12Creation(object): - DummyKeySerializationEncryption(), - ) - assert str(exc.value) == "Unsupported key encryption type" -+ -+ -+def test_pkcs12_ordering(): -+ """ -+ In OpenSSL < 3.0.0 PKCS12 parsing reverses the order. However, we -+ accidentally thought it was **encoding** that did it, leading to bug -+ https://github.com/pyca/cryptography/issues/5872 -+ This test ensures our ordering is correct going forward. -+ """ -+ -+ def make_cert(name): -+ key = ec.generate_private_key(ec.SECP256R1()) -+ subject = x509.Name( -+ [ -+ x509.NameAttribute(x509.NameOID.COMMON_NAME, name), -+ ] -+ ) -+ now = datetime.utcnow() -+ cert = ( -+ x509.CertificateBuilder() -+ .subject_name(subject) -+ .issuer_name(subject) -+ .public_key(key.public_key()) -+ .serial_number(x509.random_serial_number()) -+ .not_valid_before(now) -+ .not_valid_after(now) -+ .sign(key, hashes.SHA256()) -+ ) -+ return (key, cert) -+ -+ # Make some certificates with distinct names. -+ a_name = "A" * 20 -+ b_name = "B" * 20 -+ c_name = "C" * 20 -+ a_key, a_cert = make_cert(a_name) -+ _, b_cert = make_cert(b_name) -+ _, c_cert = make_cert(c_name) -+ -+ # Bundle them in a PKCS#12 file in order A, B, C. -+ p12 = serialize_key_and_certificates( -+ b"p12", a_key, a_cert, [b_cert, c_cert], serialization.NoEncryption() -+ ) -+ -+ # Parse them out. The API should report them in the same order. -+ (key, cert, certs) = load_key_and_certificates(p12, None) -+ assert cert == a_cert -+ assert certs == [b_cert, c_cert] -+ -+ # The ordering in the PKCS#12 file itself should also match. -+ a_idx = p12.index(a_name.encode("utf-8")) -+ b_idx = p12.index(b_name.encode("utf-8")) -+ c_idx = p12.index(c_name.encode("utf-8")) -+ -+ assert a_idx < b_idx < c_idx --- -2.31.1 - diff --git a/0002-WIP-3.0.0-support-5250.patch b/0002-WIP-3.0.0-support-5250.patch deleted file mode 100644 index c99eea8..0000000 --- a/0002-WIP-3.0.0-support-5250.patch +++ /dev/null @@ -1,415 +0,0 @@ -From a0bece343e38d73d038d4f3a62c2a9638608ac9c Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Thu, 22 Apr 2021 19:16:38 -0500 -Subject: [PATCH 2/4] [WIP] 3.0.0 support (#5250) - -* 3.0.0 support - -* almost...there... - -* make mypy happy ---- - .github/workflows/ci.yml | 7 ++-- - src/_cffi_src/build_openssl.py | 1 + - src/_cffi_src/openssl/cryptography.py | 3 ++ - src/_cffi_src/openssl/err.py | 6 +++ - src/_cffi_src/openssl/fips.py | 2 +- - src/_cffi_src/openssl/provider.py | 40 ++++++++++++++++++ - .../hazmat/backends/openssl/backend.py | 42 ++++++++++++++++--- - .../hazmat/backends/openssl/ciphers.py | 15 ++++++- - .../hazmat/bindings/openssl/_conditional.py | 11 +++++ - .../hazmat/bindings/openssl/binding.py | 20 +++++++++ - tests/hazmat/backends/test_openssl_memleak.py | 6 ++- - tests/hazmat/bindings/test_openssl.py | 4 +- - tests/hazmat/primitives/test_dh.py | 24 ++++++++++- - 13 files changed, 167 insertions(+), 14 deletions(-) - create mode 100644 src/_cffi_src/openssl/provider.py - -diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml -index cd967a3a..747f84c1 100644 ---- a/.github/workflows/ci.yml -+++ b/.github/workflows/ci.yml -@@ -18,9 +18,10 @@ jobs: - - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"} - - {VERSION: "pypy3", TOXENV: "pypy3"} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}} -- - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} -+ - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}} -diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py -index 08499d66..557296ed 100644 ---- a/src/_cffi_src/build_openssl.py -+++ b/src/_cffi_src/build_openssl.py -@@ -104,6 +104,7 @@ ffi = build_ffi_for_binding( - "osrandom_engine", - "pem", - "pkcs12", -+ "provider", - "rand", - "rsa", - "ssl", -diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py -index e2b5a132..06d1e778 100644 ---- a/src/_cffi_src/openssl/cryptography.py -+++ b/src/_cffi_src/openssl/cryptography.py -@@ -34,6 +34,8 @@ INCLUDES = """ - - #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) -+#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ -+ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) - - #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ - (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL) -@@ -53,6 +55,7 @@ INCLUDES = """ - - TYPES = """ - static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; -+static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; - - static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111; - static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B; -diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py -index 0634b656..8cfeaf5b 100644 ---- a/src/_cffi_src/openssl/err.py -+++ b/src/_cffi_src/openssl/err.py -@@ -18,6 +18,7 @@ static const int EVP_R_UNKNOWN_PBE_ALGORITHM; - - static const int ERR_LIB_EVP; - static const int ERR_LIB_PEM; -+static const int ERR_LIB_PROV; - static const int ERR_LIB_ASN1; - static const int ERR_LIB_PKCS12; - -@@ -45,4 +46,9 @@ int ERR_GET_REASON(unsigned long); - """ - - CUSTOMIZATIONS = """ -+/* This define is tied to provider support and is conditionally -+ removed if Cryptography_HAS_PROVIDERS is false */ -+#ifndef ERR_LIB_PROV -+#define ERR_LIB_PROV 0 -+#endif - """ -diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py -index b9d0d64d..23c10af9 100644 ---- a/src/_cffi_src/openssl/fips.py -+++ b/src/_cffi_src/openssl/fips.py -@@ -17,7 +17,7 @@ int FIPS_mode(void); - """ - - CUSTOMIZATIONS = """ --#if CRYPTOGRAPHY_IS_LIBRESSL -+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - static const long Cryptography_HAS_FIPS = 0; - int (*FIPS_mode_set)(int) = NULL; - int (*FIPS_mode)(void) = NULL; -diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py -new file mode 100644 -index 00000000..d7d659ea ---- /dev/null -+++ b/src/_cffi_src/openssl/provider.py -@@ -0,0 +1,40 @@ -+# This file is dual licensed under the terms of the Apache License, Version -+# 2.0, and the BSD License. See the LICENSE file in the root of this repository -+# for complete details. -+ -+ -+INCLUDES = """ -+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -+#include -+#include -+#endif -+""" -+ -+TYPES = """ -+static const long Cryptography_HAS_PROVIDERS; -+ -+typedef ... OSSL_PROVIDER; -+typedef ... OSSL_LIB_CTX; -+ -+static const long PROV_R_BAD_DECRYPT; -+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH; -+""" -+ -+FUNCTIONS = """ -+OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *); -+int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); -+""" -+ -+CUSTOMIZATIONS = """ -+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -+static const long Cryptography_HAS_PROVIDERS = 1; -+#else -+static const long Cryptography_HAS_PROVIDERS = 0; -+typedef void OSSL_PROVIDER; -+typedef void OSSL_LIB_CTX; -+static const long PROV_R_BAD_DECRYPT = 0; -+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH = 0; -+OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; -+int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; -+#endif -+""" -diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py -index a96d08d8..86e8f0a8 100644 ---- a/src/cryptography/hazmat/backends/openssl/backend.py -+++ b/src/cryptography/hazmat/backends/openssl/backend.py -@@ -1281,6 +1281,11 @@ class Backend(object): - def _evp_pkey_from_der_traditional_key(self, bio_data, password): - key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL) - if key != self._ffi.NULL: -+ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will -+ # successfully load but errors are still put on the stack. Tracked -+ # as https://github.com/openssl/openssl/issues/14996 -+ self._consume_errors() -+ - key = self._ffi.gc(key, self._lib.EVP_PKEY_free) - if password is not None: - raise TypeError( -@@ -1448,6 +1453,11 @@ class Backend(object): - else: - self._handle_key_loading_error() - -+ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will -+ # successfully load but errors are still put on the stack. Tracked -+ # as https://github.com/openssl/openssl/issues/14996 -+ self._consume_errors() -+ - evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - - if password is not None and userdata.called == 0: -@@ -1470,11 +1480,22 @@ class Backend(object): - "incorrect format or it may be encrypted with an unsupported " - "algorithm." - ) -- elif errors[0]._lib_reason_match( -- self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT -- ) or errors[0]._lib_reason_match( -- self._lib.ERR_LIB_PKCS12, -- self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, -+ -+ elif ( -+ errors[0]._lib_reason_match( -+ self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT -+ ) -+ or errors[0]._lib_reason_match( -+ self._lib.ERR_LIB_PKCS12, -+ self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, -+ ) -+ or ( -+ self._lib.Cryptography_HAS_PROVIDERS -+ and errors[0]._lib_reason_match( -+ self._lib.ERR_LIB_PROV, -+ self._lib.PROV_R_BAD_DECRYPT, -+ ) -+ ) - ): - raise ValueError("Bad decrypt. Incorrect password?") - -@@ -2520,7 +2541,16 @@ class Backend(object): - if sk_x509_ptr[0] != self._ffi.NULL: - sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free) - num = self._lib.sk_X509_num(sk_x509_ptr[0]) -- for i in range(num): -+ -+ # In OpenSSL < 3.0.0 PKCS12 parsing reverses the order of the -+ # certificates. -+ indices: typing.Iterable[int] -+ if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: -+ indices = range(num) -+ else: -+ indices = reversed(range(num)) -+ -+ for i in indices: - x509 = self._lib.sk_X509_value(sk_x509, i) - self.openssl_assert(x509 != self._ffi.NULL) - x509 = self._ffi.gc(x509, self._lib.X509_free) -diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py -index 0f96795f..a2dd6894 100644 ---- a/src/cryptography/hazmat/backends/openssl/ciphers.py -+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py -@@ -145,7 +145,13 @@ class _CipherContext(object): - res = self._backend._lib.EVP_CipherUpdate( - self._ctx, outbuf, outlen, inbuf, inlen - ) -- self._backend.openssl_assert(res != 0) -+ if res == 0 and isinstance(self._mode, modes.XTS): -+ raise ValueError( -+ "In XTS mode you must supply at least a full block in the " -+ "first update call. For AES this is 16 bytes." -+ ) -+ else: -+ self._backend.openssl_assert(res != 0) - data_processed += inlen - total_out += outlen[0] - -@@ -174,6 +180,13 @@ class _CipherContext(object): - errors[0]._lib_reason_match( - self._backend._lib.ERR_LIB_EVP, - self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH, -+ ) -+ or ( -+ self._backend._lib.Cryptography_HAS_PROVIDERS -+ and errors[0]._lib_reason_match( -+ self._backend._lib.ERR_LIB_PROV, -+ self._backend._lib.PROV_R_WRONG_FINAL_BLOCK_LENGTH, -+ ) - ), - errors=errors, - ) -diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py -index 86548357..1f42c7be 100644 ---- a/src/cryptography/hazmat/bindings/openssl/_conditional.py -+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py -@@ -270,6 +270,16 @@ def cryptography_has_get_proto_version(): - ] - - -+def cryptography_has_providers(): -+ return [ -+ "OSSL_PROVIDER_load", -+ "OSSL_PROVIDER_unload", -+ "ERR_LIB_PROV", -+ "PROV_R_WRONG_FINAL_BLOCK_LENGTH", -+ "PROV_R_BAD_DECRYPT", -+ ] -+ -+ - # This is a mapping of - # {condition: function-returning-names-dependent-on-that-condition} so we can - # loop over them and delete unsupported names at runtime. It will be removed -@@ -318,4 +328,5 @@ CONDITIONAL_NAMES = { - "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, - "Cryptography_HAS_SRTP": cryptography_has_srtp, - "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version, -+ "Cryptography_HAS_PROVIDERS": cryptography_has_providers, - } -diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py -index a2bc36a8..6dcec26a 100644 ---- a/src/cryptography/hazmat/bindings/openssl/binding.py -+++ b/src/cryptography/hazmat/bindings/openssl/binding.py -@@ -113,6 +113,8 @@ class Binding(object): - ffi = ffi - _lib_loaded = False - _init_lock = threading.Lock() -+ _legacy_provider: typing.Any = None -+ _default_provider: typing.Any = None - - def __init__(self): - self._ensure_ffi_initialized() -@@ -140,6 +142,24 @@ class Binding(object): - # adds all ciphers/digests for EVP - cls.lib.OpenSSL_add_all_algorithms() - cls._register_osrandom_engine() -+ # As of OpenSSL 3.0.0 we must register a legacy cipher provider -+ # to get RC2 (needed for junk asymmetric private key -+ # serialization), RC4, Blowfish, IDEA, SEED, etc. These things -+ # are ugly legacy, but we aren't going to get rid of them -+ # any time soon. -+ if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: -+ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load( -+ cls.ffi.NULL, b"legacy" -+ ) -+ _openssl_assert( -+ cls.lib, cls._legacy_provider != cls.ffi.NULL -+ ) -+ cls._default_provider = cls.lib.OSSL_PROVIDER_load( -+ cls.ffi.NULL, b"default" -+ ) -+ _openssl_assert( -+ cls.lib, cls._default_provider != cls.ffi.NULL -+ ) - - @classmethod - def init_static_locks(cls): -diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py -index 0c96516f..0316b5d9 100644 ---- a/tests/hazmat/backends/test_openssl_memleak.py -+++ b/tests/hazmat/backends/test_openssl_memleak.py -@@ -82,7 +82,7 @@ def main(argv): - assert result == 1 - - # Trigger a bunch of initialization stuff. -- import cryptography.hazmat.backends.openssl -+ from cryptography.hazmat.backends.openssl.backend import backend - - start_heap = set(heap) - -@@ -91,6 +91,10 @@ def main(argv): - gc.collect() - gc.collect() - -+ if lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: -+ lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider) -+ lib.OSSL_PROVIDER_unload(backend._binding._default_provider) -+ - if lib.Cryptography_HAS_OPENSSL_CLEANUP: - lib.OPENSSL_cleanup() - -diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py -index fb9a1e36..4d1e3b55 100644 ---- a/tests/hazmat/bindings/test_openssl.py -+++ b/tests/hazmat/bindings/test_openssl.py -@@ -91,7 +91,9 @@ class TestOpenSSL(object): - _openssl_assert(b.lib, False) - - error = exc_info.value.err_code[0] -- assert error.code == 101183626 -+ # As of 3.0.0 OpenSSL sets func codes to 0, so the combined -+ # code is a different value -+ assert error.code in (101183626, 50331786) - assert error.lib == b.lib.ERR_LIB_EVP - assert error.func == b.lib.EVP_F_EVP_ENCRYPTFINAL_EX - assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH -diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py -index 131807fc..bb29919f 100644 ---- a/tests/hazmat/primitives/test_dh.py -+++ b/tests/hazmat/primitives/test_dh.py -@@ -180,7 +180,23 @@ class TestDH(object): - params = dh.DHParameterNumbers(p, int(vector["g"])) - param = params.parameters(backend) - key = param.generate_private_key() -- assert key.private_numbers().public_numbers.parameter_numbers == params -+ # In OpenSSL 3.0.0 OpenSSL maps to known groups. This results in -+ # a scenario where loading a known group with p and g returns a -+ # re-serialized form that has q as well (the Sophie Germain prime of -+ # that group). This makes a naive comparison of the parameter numbers -+ # objects fail, so we have to be a bit smarter -+ serialized_params = ( -+ key.private_numbers().public_numbers.parameter_numbers -+ ) -+ if serialized_params.q is None: -+ # This is the path OpenSSL < 3.0 takes -+ assert serialized_params == params -+ else: -+ assert serialized_params.p == params.p -+ assert serialized_params.g == params.g -+ # p = 2q + 1 since it is a Sophie Germain prime, so we can compute -+ # what we expect OpenSSL to have done here. -+ assert serialized_params.q == (params.p - 1) // 2 - - @pytest.mark.skip_fips(reason="non-FIPS parameters") - @pytest.mark.parametrize( -@@ -382,6 +398,12 @@ class TestDH(object): - assert symkey1 != symkey2 - - @pytest.mark.skip_fips(reason="key_size too small for FIPS") -+ @pytest.mark.supported( -+ only_if=lambda backend: ( -+ not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER -+ ), -+ skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+", -+ ) - def test_load_256bit_key_from_pkcs8(self, backend): - data = load_vectors_from_file( - os.path.join("asymmetric", "DH", "dh_key_256.pem"), --- -2.31.1 - diff --git a/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch b/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch deleted file mode 100644 index 078950e..0000000 --- a/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch +++ /dev/null @@ -1,151 +0,0 @@ -From 29cf9b8d63ef3437ba11aa29502af8773faa17a7 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Wed, 14 Apr 2021 13:15:57 -0500 -Subject: [PATCH 3/4] switch to using EVP_PKEY_derive instead of DH_compute_key - in DH (#5972) - -* switch to using EVP_PKEY_derive instead of DH_compute_key in DH - -Where checks are occurring is changing in OpenSSL 3.0 and this makes it -easier to be consistent (and is the API we should be using anyway). The -tests change because EVP_PKEY_derive now verifies that we have shared -parameters, which the test previously only verified by asserting that -the derived keys didn't match - -* review feedback - -* type ignores required for typeerror tests. some day i will remember this ---- - src/_cffi_src/openssl/dh.py | 1 - - .../hazmat/backends/openssl/dh.py | 57 ++++++++++++------- - tests/hazmat/primitives/test_dh.py | 19 ++++--- - 3 files changed, 45 insertions(+), 32 deletions(-) - -diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py -index 979dafa9..50989e45 100644 ---- a/src/_cffi_src/openssl/dh.py -+++ b/src/_cffi_src/openssl/dh.py -@@ -18,7 +18,6 @@ DH *DH_new(void); - void DH_free(DH *); - int DH_size(const DH *); - int DH_generate_key(DH *); --int DH_compute_key(unsigned char *, const BIGNUM *, DH *); - DH *DHparams_dup(DH *); - - /* added in 1.1.0 when the DH struct was opaqued */ -diff --git a/src/cryptography/hazmat/backends/openssl/dh.py b/src/cryptography/hazmat/backends/openssl/dh.py -index 65ddaeec..b928f024 100644 ---- a/src/cryptography/hazmat/backends/openssl/dh.py -+++ b/src/cryptography/hazmat/backends/openssl/dh.py -@@ -127,35 +127,48 @@ class _DHPrivateKey(dh.DHPrivateKey): - ) - - def exchange(self, peer_public_key: dh.DHPublicKey) -> bytes: -- buf = self._backend._ffi.new("unsigned char[]", self._key_size_bytes) -- pub_key = self._backend._ffi.new("BIGNUM **") -- self._backend._lib.DH_get0_key( -- peer_public_key._dh_cdata, # type: ignore[attr-defined] -- pub_key, -- self._backend._ffi.NULL, -+ if not isinstance(peer_public_key, _DHPublicKey): -+ raise TypeError("peer_public_key must be a DHPublicKey") -+ -+ ctx = self._backend._lib.EVP_PKEY_CTX_new( -+ self._evp_pkey, self._backend._ffi.NULL - ) -- self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) -- res = self._backend._lib.DH_compute_key( -- buf, pub_key[0], self._dh_cdata -+ self._backend.openssl_assert(ctx != self._backend._ffi.NULL) -+ ctx = self._backend._ffi.gc(ctx, self._backend._lib.EVP_PKEY_CTX_free) -+ res = self._backend._lib.EVP_PKEY_derive_init(ctx) -+ self._backend.openssl_assert(res == 1) -+ res = self._backend._lib.EVP_PKEY_derive_set_peer( -+ ctx, peer_public_key._evp_pkey -+ ) -+ # Invalid kex errors here in OpenSSL 3.0 because checks were moved -+ # to EVP_PKEY_derive_set_peer -+ self._exchange_assert(res == 1) -+ keylen = self._backend._ffi.new("size_t *") -+ res = self._backend._lib.EVP_PKEY_derive( -+ ctx, self._backend._ffi.NULL, keylen - ) -+ # Invalid kex errors here in OpenSSL < 3 -+ self._exchange_assert(res == 1) -+ self._backend.openssl_assert(keylen[0] > 0) -+ buf = self._backend._ffi.new("unsigned char[]", keylen[0]) -+ res = self._backend._lib.EVP_PKEY_derive(ctx, buf, keylen) -+ self._backend.openssl_assert(res == 1) - -- if res == -1: -+ key = self._backend._ffi.buffer(buf, keylen[0])[:] -+ pad = self._key_size_bytes - len(key) -+ -+ if pad > 0: -+ key = (b"\x00" * pad) + key -+ -+ return key -+ -+ def _exchange_assert(self, ok): -+ if not ok: - errors_with_text = self._backend._consume_errors_with_text() - raise ValueError( -- "Error computing shared key. Public key is likely invalid " -- "for this exchange.", -+ "Error computing shared key.", - errors_with_text, - ) -- else: -- self._backend.openssl_assert(res >= 1) -- -- key = self._backend._ffi.buffer(buf)[:res] -- pad = self._key_size_bytes - len(key) -- -- if pad > 0: -- key = (b"\x00" * pad) + key -- -- return key - - def public_key(self) -> dh.DHPublicKey: - dh_cdata = _dh_params_dup(self._dh_cdata, self._backend) -diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py -index bb29919f..2914f7e7 100644 ---- a/tests/hazmat/primitives/test_dh.py -+++ b/tests/hazmat/primitives/test_dh.py -@@ -296,6 +296,12 @@ class TestDH(object): - assert isinstance(key.private_numbers(), dh.DHPrivateNumbers) - assert isinstance(key.parameters(), dh.DHParameters) - -+ def test_exchange_wrong_type(self, backend): -+ parameters = FFDH3072_P.parameters(backend) -+ key1 = parameters.generate_private_key() -+ with pytest.raises(TypeError): -+ key1.exchange(b"invalidtype") # type: ignore[arg-type] -+ - def test_exchange(self, backend): - parameters = FFDH3072_P.parameters(backend) - assert isinstance(parameters, dh.DHParameters) -@@ -386,16 +392,11 @@ class TestDH(object): - key2 = private2.private_key(backend) - pub_key2 = key2.public_key() - -- if pub_key2.public_numbers().y >= parameters1.p: -- with pytest.raises(ValueError): -- key1.exchange(pub_key2) -- else: -- symkey1 = key1.exchange(pub_key2) -- assert symkey1 -- -- symkey2 = key2.exchange(pub_key1) -+ with pytest.raises(ValueError): -+ key1.exchange(pub_key2) - -- assert symkey1 != symkey2 -+ with pytest.raises(ValueError): -+ key2.exchange(pub_key1) - - @pytest.mark.skip_fips(reason="key_size too small for FIPS") - @pytest.mark.supported( --- -2.31.1 - diff --git a/0004-Use-well-defined-enum-representation.patch b/0004-Use-well-defined-enum-representation.patch deleted file mode 100644 index c006543..0000000 --- a/0004-Use-well-defined-enum-representation.patch +++ /dev/null @@ -1,366 +0,0 @@ -From 0a164d2c985b4655929591b191824ed361890b8d Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Mon, 10 May 2021 13:27:54 +0200 -Subject: [PATCH 4/4] Use well-defined enum representation - -Python 3.10 changed enum's object and string representation. PyCA -cryptography now uses a custom subclass of enum.Enum() will well-defined -__repr__ and __str__ from Python 3.9. - -Related: https://bugs.python.org/issue40066 -Fixes: https://github.com/pyca/cryptography/issues/5995 -Signed-off-by: Christian Heimes ---- - .github/workflows/ci.yml | 13 +++++++------ - src/cryptography/exceptions.py | 4 ++-- - .../hazmat/primitives/_serialization.py | 11 ++++++----- - src/cryptography/hazmat/primitives/kdf/kbkdf.py | 5 ++--- - .../hazmat/primitives/serialization/pkcs7.py | 4 ++-- - src/cryptography/utils.py | 11 +++++++++++ - src/cryptography/x509/base.py | 4 ++-- - src/cryptography/x509/certificate_transparency.py | 7 ++++--- - src/cryptography/x509/extensions.py | 5 ++--- - src/cryptography/x509/name.py | 3 +-- - src/cryptography/x509/ocsp.py | 8 ++++---- - tests/test_cryptography_utils.py | 11 +++++++++++ - 12 files changed, 54 insertions(+), 32 deletions(-) - -diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml -index 747f84c1..ca298f96 100644 ---- a/.github/workflows/ci.yml -+++ b/.github/workflows/ci.yml -@@ -18,15 +18,16 @@ jobs: - - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"} - - {VERSION: "pypy3", TOXENV: "pypy3"} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} -- - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} -- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}} -+ - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} -+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha16"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.2.3"}} - - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.3.1"}} -+ - {VERSION: "3.10-dev", TOXENV: "py310"} - RUST: - - stable - name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}" -@@ -108,8 +109,8 @@ jobs: - - {IMAGE: "sid", TOXENV: "py39"} - - {IMAGE: "ubuntu-bionic", TOXENV: "py36"} - - {IMAGE: "ubuntu-focal", TOXENV: "py38"} -- - {IMAGE: "ubuntu-rolling", TOXENV: "py38"} -- - {IMAGE: "ubuntu-rolling", TOXENV: "py38-randomorder"} -+ - {IMAGE: "ubuntu-rolling", TOXENV: "py39"} -+ - {IMAGE: "ubuntu-rolling", TOXENV: "py39-randomorder"} - - {IMAGE: "fedora", TOXENV: "py39"} - - {IMAGE: "alpine", TOXENV: "py38"} - name: "${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}" -diff --git a/src/cryptography/exceptions.py b/src/cryptography/exceptions.py -index f5860590..3bd98d82 100644 ---- a/src/cryptography/exceptions.py -+++ b/src/cryptography/exceptions.py -@@ -3,10 +3,10 @@ - # for complete details. - - --from enum import Enum -+from cryptography import utils - - --class _Reasons(Enum): -+class _Reasons(utils.Enum): - BACKEND_MISSING_INTERFACE = 0 - UNSUPPORTED_HASH = 1 - UNSUPPORTED_CIPHER = 2 -diff --git a/src/cryptography/hazmat/primitives/_serialization.py b/src/cryptography/hazmat/primitives/_serialization.py -index 96a5ed9b..160a6b89 100644 ---- a/src/cryptography/hazmat/primitives/_serialization.py -+++ b/src/cryptography/hazmat/primitives/_serialization.py -@@ -3,13 +3,14 @@ - # for complete details. - - import abc --from enum import Enum -+ -+from cryptography import utils - - # This exists to break an import cycle. These classes are normally accessible - # from the serialization module. - - --class Encoding(Enum): -+class Encoding(utils.Enum): - PEM = "PEM" - DER = "DER" - OpenSSH = "OpenSSH" -@@ -18,14 +19,14 @@ class Encoding(Enum): - SMIME = "S/MIME" - - --class PrivateFormat(Enum): -+class PrivateFormat(utils.Enum): - PKCS8 = "PKCS8" - TraditionalOpenSSL = "TraditionalOpenSSL" - Raw = "Raw" - OpenSSH = "OpenSSH" - - --class PublicFormat(Enum): -+class PublicFormat(utils.Enum): - SubjectPublicKeyInfo = "X.509 subjectPublicKeyInfo with PKCS#1" - PKCS1 = "Raw PKCS#1" - OpenSSH = "OpenSSH" -@@ -34,7 +35,7 @@ class PublicFormat(Enum): - UncompressedPoint = "X9.62 Uncompressed Point" - - --class ParameterFormat(Enum): -+class ParameterFormat(utils.Enum): - PKCS3 = "PKCS3" - - -diff --git a/src/cryptography/hazmat/primitives/kdf/kbkdf.py b/src/cryptography/hazmat/primitives/kdf/kbkdf.py -index ac36474f..75fe7d51 100644 ---- a/src/cryptography/hazmat/primitives/kdf/kbkdf.py -+++ b/src/cryptography/hazmat/primitives/kdf/kbkdf.py -@@ -4,7 +4,6 @@ - - - import typing --from enum import Enum - - from cryptography import utils - from cryptography.exceptions import ( -@@ -19,11 +18,11 @@ from cryptography.hazmat.primitives import constant_time, hashes, hmac - from cryptography.hazmat.primitives.kdf import KeyDerivationFunction - - --class Mode(Enum): -+class Mode(utils.Enum): - CounterMode = "ctr" - - --class CounterLocation(Enum): -+class CounterLocation(utils.Enum): - BeforeFixed = "before_fixed" - AfterFixed = "after_fixed" - -diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py -index bcd9e330..57aac7e3 100644 ---- a/src/cryptography/hazmat/primitives/serialization/pkcs7.py -+++ b/src/cryptography/hazmat/primitives/serialization/pkcs7.py -@@ -3,8 +3,8 @@ - # for complete details. - - import typing --from enum import Enum - -+from cryptography import utils - from cryptography import x509 - from cryptography.hazmat.backends import _get_backend - from cryptography.hazmat.primitives import hashes, serialization -@@ -35,7 +35,7 @@ _ALLOWED_PRIVATE_KEY_TYPES = typing.Union[ - ] - - --class PKCS7Options(Enum): -+class PKCS7Options(utils.Enum): - Text = "Add text/plain MIME type" - Binary = "Don't translate input data into canonical MIME format" - DetachedSignature = "Don't embed data in the PKCS7 structure" -diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py -index ef0fc443..9e571cfd 100644 ---- a/src/cryptography/utils.py -+++ b/src/cryptography/utils.py -@@ -4,6 +4,7 @@ - - - import abc -+import enum - import inspect - import sys - import typing -@@ -162,3 +163,13 @@ int_from_bytes = deprecated( - "int_from_bytes is deprecated, use int.from_bytes instead", - DeprecatedIn34, - ) -+ -+ -+# Python 3.10 changed representation of enums. We use well-defined object -+# representation and string representation from Python 3.9. -+class Enum(enum.Enum): -+ def __repr__(self): -+ return f"<{self.__class__.__name__}.{self._name_}: {self._value_!r}>" -+ -+ def __str__(self): -+ return f"{self.__class__.__name__}.{self._name_}" -diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py -index 5505fa3b..26ec43d5 100644 ---- a/src/cryptography/x509/base.py -+++ b/src/cryptography/x509/base.py -@@ -7,8 +7,8 @@ import abc - import datetime - import os - import typing --from enum import Enum - -+from cryptography import utils - from cryptography.hazmat._types import _PRIVATE_KEY_TYPES, _PUBLIC_KEY_TYPES - from cryptography.hazmat.backends import _get_backend - from cryptography.hazmat.primitives import hashes, serialization -@@ -66,7 +66,7 @@ def _convert_to_naive_utc_time(time: datetime.datetime) -> datetime.datetime: - return time - - --class Version(Enum): -+class Version(utils.Enum): - v1 = 0 - v3 = 2 - -diff --git a/src/cryptography/x509/certificate_transparency.py b/src/cryptography/x509/certificate_transparency.py -index d51bee92..d80f051a 100644 ---- a/src/cryptography/x509/certificate_transparency.py -+++ b/src/cryptography/x509/certificate_transparency.py -@@ -5,15 +5,16 @@ - - import abc - import datetime --from enum import Enum - -+from cryptography import utils - --class LogEntryType(Enum): -+ -+class LogEntryType(utils.Enum): - X509_CERTIFICATE = 0 - PRE_CERTIFICATE = 1 - - --class Version(Enum): -+class Version(utils.Enum): - v1 = 0 - - -diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py -index 6cae016a..742f1fa2 100644 ---- a/src/cryptography/x509/extensions.py -+++ b/src/cryptography/x509/extensions.py -@@ -8,7 +8,6 @@ import datetime - import hashlib - import ipaddress - import typing --from enum import Enum - - from cryptography import utils - from cryptography.hazmat._der import ( -@@ -634,7 +633,7 @@ class DistributionPoint(object): - crl_issuer = utils.read_only_property("_crl_issuer") - - --class ReasonFlags(Enum): -+class ReasonFlags(utils.Enum): - unspecified = "unspecified" - key_compromise = "keyCompromise" - ca_compromise = "cACompromise" -@@ -978,7 +977,7 @@ class TLSFeature(ExtensionType): - return hash(tuple(self._features)) - - --class TLSFeatureType(Enum): -+class TLSFeatureType(utils.Enum): - # status_request is defined in RFC 6066 and is used for what is commonly - # called OCSP Must-Staple when present in the TLS Feature extension in an - # X.509 certificate. -diff --git a/src/cryptography/x509/name.py b/src/cryptography/x509/name.py -index a579aa21..9069a9f4 100644 ---- a/src/cryptography/x509/name.py -+++ b/src/cryptography/x509/name.py -@@ -3,14 +3,13 @@ - # for complete details. - - import typing --from enum import Enum - - from cryptography import utils - from cryptography.hazmat.backends import _get_backend - from cryptography.x509.oid import NameOID, ObjectIdentifier - - --class _ASN1Type(Enum): -+class _ASN1Type(utils.Enum): - UTF8String = 12 - NumericString = 18 - PrintableString = 19 -diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py -index 1c5de73e..bcf210c1 100644 ---- a/src/cryptography/x509/ocsp.py -+++ b/src/cryptography/x509/ocsp.py -@@ -6,8 +6,8 @@ - import abc - import datetime - import typing --from enum import Enum - -+from cryptography import utils - from cryptography import x509 - from cryptography.hazmat.primitives import hashes, serialization - from cryptography.x509.base import ( -@@ -27,12 +27,12 @@ _OIDS_TO_HASH = { - } - - --class OCSPResponderEncoding(Enum): -+class OCSPResponderEncoding(utils.Enum): - HASH = "By Hash" - NAME = "By Name" - - --class OCSPResponseStatus(Enum): -+class OCSPResponseStatus(utils.Enum): - SUCCESSFUL = 0 - MALFORMED_REQUEST = 1 - INTERNAL_ERROR = 2 -@@ -58,7 +58,7 @@ def _verify_algorithm(algorithm): - ) - - --class OCSPCertStatus(Enum): -+class OCSPCertStatus(utils.Enum): - GOOD = 0 - REVOKED = 1 - UNKNOWN = 2 -diff --git a/tests/test_cryptography_utils.py b/tests/test_cryptography_utils.py -index 6b795e0c..803997ac 100644 ---- a/tests/test_cryptography_utils.py -+++ b/tests/test_cryptography_utils.py -@@ -2,6 +2,7 @@ - # 2.0, and the BSD License. See the LICENSE file in the root of this repository - # for complete details. - -+import enum - import typing - - import pytest -@@ -51,3 +52,13 @@ class TestCachedProperty(object): - assert len(accesses) == 1 - assert t.t == 14 - assert len(accesses) == 1 -+ -+ -+def test_enum(): -+ class TestEnum(utils.Enum): -+ value = "something" -+ -+ assert issubclass(TestEnum, enum.Enum) -+ assert isinstance(TestEnum.value, enum.Enum) -+ assert repr(TestEnum.value) == "" -+ assert str(TestEnum.value) == "TestEnum.value" --- -2.31.1 - diff --git a/changelog b/changelog new file mode 100644 index 0000000..fa06f3e --- /dev/null +++ b/changelog @@ -0,0 +1,248 @@ +* Tue Jul 02 2024 Jeremy Cline - 42.0.8-1 +- Update to 42.0.8, fixes rhbz#2251816 + +* Sat Jun 08 2024 Python Maint - 41.0.7-3 +- Rebuilt for Python 3.13 + +* Fri Jun 07 2024 Python Maint - 41.0.7-2 +- Bootstrap for Python 3.13 + +* Thu Feb 01 2024 Benjamin A. Beasley - 41.0.7-1 +- Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083 + +* Fri Jan 26 2024 Fedora Release Engineering - 41.0.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Mon Jan 22 2024 Fedora Release Engineering - 41.0.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Dec 01 2023 Fabio Valentini - 41.0.5-2 +- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072) + +* Thu Oct 26 2023 Christian Heimes - 41.0.5-1 +- Update to 41.0.5, resolves RHBZ#2239707 + +* Mon Aug 14 2023 Christian Heimes - 41.0.3-2 +- Build with ouroboros 0.17, fixes rhbz#2214228 / RUSTSEC-2023-0042 + +* Wed Aug 09 2023 Christian Heimes - 41.0.3-1 +- Update to 41.0.3, resolves rhbz#2211237 +- Use pyo3 0.19 + +* Fri Jul 21 2023 Fedora Release Engineering - 40.0.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Mon Jul 10 2023 Python Maint - 40.0.2-4 +- Rebuilt for Python 3.12 + +* Wed Jun 14 2023 Python Maint - 40.0.2-3 +- Bootstrap for Python 3.12 + +* Tue Jun 13 2023 Yaakov Selkowitz - 40.0.2-2 +- Use vendored rust-pem in RHEL builds + +* Tue Apr 18 2023 Christian Heimes - 40.0.2-1 +- Update to 40.0.2, resolves rhbz#2181430 + +* Thu Mar 09 2023 Miro Hrončok - 39.0.2-2 +- Don't run tests requiring pytz on RHEL +- Don't try to run tests of vendored dependencies in %%check + +* Sat Mar 04 2023 Christian Heimes - 39.0.2-1 +- Update to 39.0.2, resolves rhbz#2124729 + +* Tue Feb 28 2023 Fabio Valentini - 37.0.2-9 +- Ensure correct compiler flags are used for Rust code. + +* Wed Feb 22 2023 Christian Heimes - 37.0.2-8 +- Fix CVE-2023-23931: Don't allow update_into to mutate immutable objects, resolves rhbz#2171820 +- Fix FTBFS due to failing test_load_invalid_ec_key_from_pem and test_decrypt_invalid_decrypt, resolves rhbz#2171661 + +* Fri Jan 20 2023 Fedora Release Engineering - 37.0.2-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Dec 09 2022 Christian Heimes - 37.0.2-6 +- Enable SHA1 signatures in test suite (ELN-only) + +* Wed Aug 17 2022 Miro Hrončok - 37.0.2-5 +- Drop unused requirement of python3-six + +* Fri Jul 22 2022 Fedora Release Engineering - 37.0.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Tue Jun 14 2022 Python Maint - 37.0.2-3 +- Rebuilt for Python 3.11 + +* Tue Jun 14 2022 Python Maint - 37.0.2-2 +- Bootstrap for Python 3.11 + +* Thu May 05 2022 Christian Heimes - 37.0.2-1 +- Update to 37.0.2, resolves rhbz#2078968 + +* Thu Jan 27 2022 Christian Heimes - 36.0.0-3 +- Skip unstable memleak tests, resolves: RHBZ#2042413 + +* Fri Jan 21 2022 Fedora Release Engineering - 36.0.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Mon Nov 22 2021 Christian Heimes - 36.0.0-1 +- Update to 36.0.0, fixes RHBZ#2025347 + +* Thu Sep 30 2021 Christian Heimes - 35.0.0-2 +- Require rust-asn1 >= 0.6.4 + +* Thu Sep 30 2021 Christian Heimes - 35.0-1 +- Update to 35.0.0 (#2009117) + +* Tue Sep 14 2021 Sahana Prasad - 3.4.7-6 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Jul 23 2021 Fedora Release Engineering - 3.4.7-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Thu Jun 10 2021 Stephen Gallagher - 3.4.7-4 +- Don't conditionalize Source: directives + +* Wed Jun 02 2021 Python Maint - 3.4.7-3 +- Rebuilt for Python 3.10 + +* Tue May 11 2021 Christian Heimes - 3.4.7-2 +- Fix compatibility issue with Python 3.10. Enums now use same + representation as on Python 3.9. (#1952522) +- Backport OpenSSL 3.0.0 compatibility patches. + +* Wed Apr 21 2021 Christian Heimes - 3.4.7-1 +- Update to 3.4.7 +- Remove dependency on python-cryptography-vectors package and use vectors + directly from Github source tar ball. (#1952024) + +* Wed Mar 03 2021 Christian Heimes - 3.4.6-1 +- Update to 3.4.6 (#1927044) + +* Mon Feb 15 2021 Christian Heimes - 3.4.5-1 +- Update to 3.4.5 (#1927044) + +* Fri Feb 12 2021 Christian Heimes - 3.4.4-3 +- Skip iso8601 and pretend tests on RHEL + +* Fri Feb 12 2021 Christian Heimes - 3.4.4-2 +- Provide RHEL build infrastructure + +* Wed Feb 10 2021 Christian Heimes - 3.4.4-1 +- Update to 3.4.4 (#1927044) + +* Mon Feb 08 2021 Christian Heimes - 3.4.2-1 +- Update to 3.4.2 (#1926339) +- Package no longer depends on Rust (#1926181) + +* Mon Feb 08 2021 Fabio Valentini - 3.4.1-2 +- Use dynamically generated BuildRequires for PyO3 Rust module. +- Drop unnecessary CARGO_NET_OFFLINE environment variable. + +* Sun Feb 07 2021 Christian Heimes - 3.4.1-1 +- Update to 3.4.1 (#1925953) + +* Sun Feb 07 2021 Christian Heimes - 3.4-2 +- Add missing abi3 and pytest dependencies + +* Sun Feb 07 2021 Christian Heimes - 3.4-1 +- Update to 3.4 (#1925953) +- Remove Python 2 support +- Remove unused python-idna dependency +- Add Rust support + +* Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Dec 10 2020 Christian Heimes - 3.3.1-1 +- Update to 3.3.1 (#1905756) + +* Wed Oct 28 2020 Christian Heimes - 3.2.1-1 +- Update to 3.2.1 (#1892153) + +* Mon Oct 26 2020 Christian Heimes - 3.2-1 +- Update to 3.2 (#1891378) + +* Mon Sep 07 2020 Christian Heimes - 3.1-1 +- Update to 3.1 (#1872978) + +* Wed Jul 29 2020 Fedora Release Engineering - 3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 21 2020 Christian Heimes - 3.0-1 +- Update to 3.0 (#185897) + +* Sat May 23 2020 Miro Hrončok - 2.9-3 +- Rebuilt for Python 3.9 + +* Tue May 12 2020 Felix Schwarz - 2.9-2 +- add source file verification + +* Fri Apr 03 2020 Christian Heimes - 2.9-1 +- Update to 2.9 (#1820348) + +* Thu Jan 30 2020 Fedora Release Engineering - 2.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Jan 13 2020 Christian Heimes - 2.8-2 +- cryptography 2.8+ no longer depends on python-asn1crypto + +* Thu Oct 17 2019 Christian Heimes - 2.8-1 +- Update to 2.8 +- Resolves: rhbz#1762779 + +* Sun Oct 13 2019 Christian Heimes - 2.7-3 +- Skip unit tests that fail with OpenSSL 1.1.1.d +- Resolves: rhbz#1761194 +- Fix and simplify Python 3 packaging + +* Sat Oct 12 2019 Christian Heimes - 2.7-2 +- Drop Python 2 package +- Resolves: rhbz#1761081 + +* Tue Sep 03 2019 Randy Barlow - 2.7-1 +- Update to 2.7 (#1715680). + +* Fri Aug 16 2019 Miro Hrončok - 2.6.1-3 +- Rebuilt for Python 3.8 + +* Fri Jul 26 2019 Fedora Release Engineering - 2.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Feb 28 2019 Christian Heimes - 2.6.1-1 +- New upstream release 2.6.1, resolves RHBZ#1683691 + +* Wed Feb 13 2019 Alfredo Moralejo - 2.5-1 +- Updated to 2.5. + +* Sat Feb 02 2019 Fedora Release Engineering - 2.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Aug 13 2018 Christian Heimes - 2.3-2 +- Use TLSv1.2 in test as workaround for RHBZ#1615143 + +* Wed Jul 18 2018 Christian Heimes - 2.3-1 +- New upstream release 2.3 +- Fix AEAD tag truncation bug, RHBZ#1602752 + +* Fri Jul 13 2018 Fedora Release Engineering - 2.2.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 15 2018 Miro Hrončok - 2.2.1-2 +- Rebuilt for Python 3.7 + +* Wed Mar 21 2018 Christian Heimes - 2.2.1-1 +- New upstream release 2.2.1 + +* Sun Feb 18 2018 Christian Heimes - 2.1.4-1 +- New upstream release 2.1.4 + +* Sun Feb 18 2018 Christian Heimes - 2.1.3-4 +- Build requires gcc + +* Mon Feb 12 2018 Iryna Shcherbina - 2.1.3-3 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Fri Feb 09 2018 Fedora Release Engineering - 2.1.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild diff --git a/python-cryptography.spec b/python-cryptography.spec index ee239ed..16b4d7e 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -3,23 +3,27 @@ %{!?python3_pkgversion:%global python3_pkgversion 3} %global srcname cryptography -%global pyo3_version 0.13.1 Name: python-%{srcname} -Version: 3.4.7 -Release: 5%{?dist} +Version: 45.0.4 +Release: %autorelease Summary: PyCA's cryptography library -License: ASL 2.0 or BSD +# cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause, +# as well as the Python Software Foundation license for the OS random +# engine derived by CPython. +# Rust crate dependency licenses: +# Apache-2.0 +# Apache-2.0 OR MIT +# BSD-3-Clause +# MIT +# MIT OR Apache-2.0 +License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 AND Apache-2.0 AND BSD-3-Clause AND MIT AND (MIT OR Apache-2.0) URL: https://cryptography.io/en/latest/ Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz # created by ./vendor_rust.py helper script Source1: cryptography-%{version}-vendor.tar.bz2 Source2: conftest-skipper.py -Patch0001: 0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch -Patch0002: 0002-WIP-3.0.0-support-5250.patch -Patch0003: 0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch -Patch0004: 0004-Use-well-defined-enum-representation.patch ExclusiveArch: %{rust_arches} @@ -32,22 +36,21 @@ BuildRequires: rust-packaging BuildRequires: rust-toolset %endif -BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 +BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-setuptools -BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 -BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 +BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4 %if %{with tests} %if 0%{?fedora} +BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-pretend +BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-xdist %endif -BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 -BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 -BuildRequires: python%{python3_pkgversion}-pytz +BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 %endif %description @@ -59,8 +62,6 @@ Summary: PyCA's cryptography library %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} Requires: openssl-libs -Requires: python%{python3_pkgversion}-six >= 1.4.1 -Requires: python%{python3_pkgversion}-cffi >= 1.7 %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 # Can be safely removed in Fedora 37 Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7 @@ -71,200 +72,83 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %prep -%autosetup -p1 -n %{srcname}-%{version} - -%generate_buildrequires - +%autosetup -p1 %{!?fedora:-a1} -n %{srcname}-%{version} %if 0%{?fedora} -# Fedora: use cargo macros to make use of RPMified crates %cargo_prep -cd src/rust -rm -f Cargo.lock -%cargo_generate_buildrequires -cd ../.. +sed -i 's/locked = true//g' pyproject.toml %else # RHEL: use vendored Rust crates -%cargo_prep -V 1 +%cargo_prep -v vendor %endif +%if ! 0%{?fedora} +sed -i 's,--benchmark-disable,,' pyproject.toml +%endif + + +%generate_buildrequires +%pyproject_buildrequires +%if 0%{?fedora} +# Fedora: use RPMified crates +%cargo_generate_buildrequires +%endif + + %build -%py3_build +export RUSTFLAGS="%build_rustflags" +export OPENSSL_NO_VENDOR=1 +export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 " +%pyproject_wheel + +%cargo_license_summary +%{cargo_license} > LICENSE.dependencies +%if ! 0%{?fedora} +%cargo_vendor_manifest +%endif + %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . -name .keep -print -delete -%py3_install +find . -name Cargo.toml -print -delete +%pyproject_install +%pyproject_save_files %{srcname} + %check %if %{with tests} %if 0%{?rhel} -# skip hypothesis tests on RHEL -rm -rf tests/hypothesis +# skip benchmark and hypothesis tests on RHEL +rm -rf tests/bench tests/hypothesis # append skipper to skip iso8601 and pretend tests cat < %{SOURCE2} >> tests/conftest.py %endif +# enable SHA-1 signatures for RSA tests +# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343 +export OPENSSL_ENABLE_SHA1_SIGNATURES=yes + # see https://github.com/pyca/cryptography/issues/4885 and # see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests +# see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes +# not much sense for downstream testing. +# see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %{__python3} -m pytest \ - -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" + --ignore vendor \ + -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)" %endif -%files -n python%{python3_pkgversion}-%{srcname} + +%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD -%{python3_sitearch}/%{srcname} -%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info +%license LICENSE.dependencies +%if ! 0%{?fedora} +%license cargo-vendor.txt +%endif + %changelog -* Fri Jul 23 2021 Fedora Release Engineering - 3.4.7-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Thu Jun 10 2021 Stephen Gallagher - 3.4.7-4 -- Don't conditionalize Source: directives - -* Wed Jun 02 2021 Python Maint - 3.4.7-3 -- Rebuilt for Python 3.10 - -* Tue May 11 2021 Christian Heimes - 3.4.7-2 -- Fix compatibility issue with Python 3.10. Enums now use same - representation as on Python 3.9. (#1952522) -- Backport OpenSSL 3.0.0 compatibility patches. - -* Wed Apr 21 2021 Christian Heimes - 3.4.7-1 -- Update to 3.4.7 -- Remove dependency on python-cryptography-vectors package and use vectors - directly from Github source tar ball. (#1952024) - -* Wed Mar 03 2021 Christian Heimes - 3.4.6-1 -- Update to 3.4.6 (#1927044) - -* Mon Feb 15 2021 Christian Heimes - 3.4.5-1 -- Update to 3.4.5 (#1927044) - -* Fri Feb 12 2021 Christian Heimes - 3.4.4-3 -- Skip iso8601 and pretend tests on RHEL - -* Fri Feb 12 2021 Christian Heimes - 3.4.4-2 -- Provide RHEL build infrastructure - -* Wed Feb 10 2021 Christian Heimes - 3.4.4-1 -- Update to 3.4.4 (#1927044) - -* Mon Feb 08 2021 Christian Heimes - 3.4.2-1 -- Update to 3.4.2 (#1926339) -- Package no longer depends on Rust (#1926181) - -* Mon Feb 08 2021 Fabio Valentini - 3.4.1-2 -- Use dynamically generated BuildRequires for PyO3 Rust module. -- Drop unnecessary CARGO_NET_OFFLINE environment variable. - -* Sun Feb 07 2021 Christian Heimes - 3.4.1-1 -- Update to 3.4.1 (#1925953) - -* Sun Feb 07 2021 Christian Heimes - 3.4-2 -- Add missing abi3 and pytest dependencies - -* Sun Feb 07 2021 Christian Heimes - 3.4-1 -- Update to 3.4 (#1925953) -- Remove Python 2 support -- Remove unused python-idna dependency -- Add Rust support - -* Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Thu Dec 10 2020 Christian Heimes - 3.3.1-1 -- Update to 3.3.1 (#1905756) - -* Wed Oct 28 2020 Christian Heimes - 3.2.1-1 -- Update to 3.2.1 (#1892153) - -* Mon Oct 26 2020 Christian Heimes - 3.2-1 -- Update to 3.2 (#1891378) - -* Mon Sep 07 2020 Christian Heimes - 3.1-1 -- Update to 3.1 (#1872978) - -* Wed Jul 29 2020 Fedora Release Engineering - 3.0-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Tue Jul 21 2020 Christian Heimes - 3.0-1 -- Update to 3.0 (#185897) - -* Sat May 23 2020 Miro Hrončok - 2.9-3 -- Rebuilt for Python 3.9 - -* Tue May 12 2020 Felix Schwarz - 2.9-2 -- add source file verification - -* Fri Apr 03 2020 Christian Heimes - 2.9-1 -- Update to 2.9 (#1820348) - -* Thu Jan 30 2020 Fedora Release Engineering - 2.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Mon Jan 13 2020 Christian Heimes - 2.8-2 -- cryptography 2.8+ no longer depends on python-asn1crypto - -* Thu Oct 17 2019 Christian Heimes - 2.8-1 -- Update to 2.8 -- Resolves: rhbz#1762779 - -* Sun Oct 13 2019 Christian Heimes - 2.7-3 -- Skip unit tests that fail with OpenSSL 1.1.1.d -- Resolves: rhbz#1761194 -- Fix and simplify Python 3 packaging - -* Sat Oct 12 2019 Christian Heimes - 2.7-2 -- Drop Python 2 package -- Resolves: rhbz#1761081 - -* Tue Sep 03 2019 Randy Barlow - 2.7-1 -- Update to 2.7 (#1715680). - -* Fri Aug 16 2019 Miro Hrončok - 2.6.1-3 -- Rebuilt for Python 3.8 - -* Fri Jul 26 2019 Fedora Release Engineering - 2.6.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Thu Feb 28 2019 Christian Heimes - 2.6.1-1 -- New upstream release 2.6.1, resolves RHBZ#1683691 - -* Wed Feb 13 2019 Alfredo Moralejo - 2.5-1 -- Updated to 2.5. - -* Sat Feb 02 2019 Fedora Release Engineering - 2.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Mon Aug 13 2018 Christian Heimes - 2.3-2 -- Use TLSv1.2 in test as workaround for RHBZ#1615143 - -* Wed Jul 18 2018 Christian Heimes - 2.3-1 -- New upstream release 2.3 -- Fix AEAD tag truncation bug, RHBZ#1602752 - -* Fri Jul 13 2018 Fedora Release Engineering - 2.2.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Fri Jun 15 2018 Miro Hrončok - 2.2.1-2 -- Rebuilt for Python 3.7 - -* Wed Mar 21 2018 Christian Heimes - 2.2.1-1 -- New upstream release 2.2.1 - -* Sun Feb 18 2018 Christian Heimes - 2.1.4-1 -- New upstream release 2.1.4 - -* Sun Feb 18 2018 Christian Heimes - 2.1.3-4 -- Build requires gcc - -* Mon Feb 12 2018 Iryna Shcherbina - 2.1.3-3 -- Update Python 2 dependency declarations to new packaging standards - (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) - -* Fri Feb 09 2018 Fedora Release Engineering - 2.1.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild +%autochangelog diff --git a/sources b/sources index 6d1fe84..e79ea50 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (cryptography-3.4.7.tar.gz) = e76d0949fbaca06d2f72805bdce8ea85056ae45b978f51d70d1367bbfb1067e9db76a9f080f890e95ec52c788a3d2fd3ba0a286901f97ee2911ebd7a7a8f71a9 -SHA512 (cryptography-3.4.7-vendor.tar.bz2) = 67060536b5d48e0497290fb3307329d57e9ac56cb9ee13c2fb1b2f93d059872d411d9dbff3f00bece23a8593d667799de86630b3748337b204f8776ef3f0a387 +SHA512 (cryptography-45.0.4.tar.gz) = 08b35f414d81f83ee242f5d208f8aabc12dc53f1a0cbffc5be1ed7f9173e9c9863225a7eb5cff4e9f3dacf5e9fcb3e8701e33c441e1562ee13f9e3927fafb3df +SHA512 (cryptography-45.0.4-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06 diff --git a/vendor_rust.py b/vendor_rust.py index cd8355e..eb53abd 100755 --- a/vendor_rust.py +++ b/vendor_rust.py @@ -12,7 +12,7 @@ import sys VENDOR_DIR = "vendor" CARGO_TOML = "src/rust/Cargo.toml" -RE_VERSION = re.compile("Version:\s*(.*)") +RE_VERSION = re.compile(r"Version:\s*(.*)") parser = argparse.ArgumentParser(description="Vendor Rust packages") parser.add_argument(