From 24e9fcc67f2a32454e3f590bb97ed9ea6afade60 Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Wed, 4 Sep 2024 11:41:44 +0200
Subject: [PATCH 1/2] allow sha1 in OAEP

In FIPS mode, RSA OAEP padding is refused with an error message:
"This combination of padding and hash algorithm is not supported
by this backend."

It picks up the patch in https://github.com/pyca/cryptography/pull/11536
to allow sha1 in OAEP.

Fixes: https://github.com/pyca/cryptography/issues/11512
Related: https://issues.redhat.com/browse/RHEL-40210
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
---
 11536.patch              | 26 ++++++++++++++++++++++++++
 python-cryptography.spec |  1 +
 2 files changed, 27 insertions(+)
 create mode 100644 11536.patch

diff --git a/11536.patch b/11536.patch
new file mode 100644
index 0000000..b18f149
--- /dev/null
+++ b/11536.patch
@@ -0,0 +1,26 @@
+From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Tue, 3 Sep 2024 20:19:02 -0400
+Subject: [PATCH] allow sha1 in OAEP (#11536)
+
+fixes #11512
+---
+ src/rust/src/backend/rsa.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs
+index 3c01e7421..066b1412a 100644
+--- a/src/rust/src/backend/rsa.rs
++++ b/src/rust/src/backend/rsa.rs
+@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu
+ }
+ 
+ fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool {
+-    (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1())
++    md == &openssl::hash::MessageDigest::sha1()
+         || md == &openssl::hash::MessageDigest::sha224()
+         || md == &openssl::hash::MessageDigest::sha256()
+         || md == &openssl::hash::MessageDigest::sha384()
+-- 
+2.46.0
+
diff --git a/python-cryptography.spec b/python-cryptography.spec
index d83d2b1..eff8c1c 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -20,6 +20,7 @@ Source1:        cryptography-%{version}-vendor.tar.bz2
 Source2:        conftest-skipper.py
 
 Patch:          11328.patch
+Patch:          11536.patch
 
 ExclusiveArch:  %{rust_arches}
 

From 0c8e9c2bd77a6aceab3075cdd7ed7870e9e1e1f4 Mon Sep 17 00:00:00 2001
From: Fabio Valentini <decathorpe@gmail.com>
Date: Thu, 6 Feb 2025 13:47:30 +0100
Subject: [PATCH 2/2] Rebuild for openssl crate >= v0.10.70 (RUSTSEC-2025-0004)