Rebuild for openssl crate >= v0.10.70 (RUSTSEC-2025-0004)

resolves: rhbz#2251816
resolves: rhbz#2269618, CVE-2024-26130

Signed-off-by: Christian Heimes <cheimes@redhat.com>

.gitignore

@@ -61,3 +61,5 @@
 /cryptography-41.0.5.tar.gz
 /cryptography-41.0.7.tar.gz
 /cryptography-41.0.7-vendor.tar.bz2
+/cryptography-42.0.5.tar.gz
+/cryptography-42.0.5-vendor.tar.bz2

ouroboros-0.17.patch

@@ -1,13 +0,0 @@
-diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
-index 9dd060f8b..8004c7e76 100644
---- a/src/rust/Cargo.toml
-+++ b/src/rust/Cargo.toml
-@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" }
- cryptography-x509 = { path = "cryptography-x509" }
- cryptography-openssl = { path = "cryptography-openssl" }
- pem = "1.1"
--ouroboros = "0.15"
-+ouroboros = "0.17"
- openssl = "0.10.54"
- openssl-sys = "0.9.88"
- foreign-types-shared = "0.1"

pyo3-0.19.patch

@@ -1,52 +0,0 @@
-diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
-index 01fba147e..9dd060f8b 100644
---- a/src/rust/Cargo.toml
-+++ b/src/rust/Cargo.toml
-@@ -9,7 +9,7 @@ rust-version = "1.56.0"
- 
- [dependencies]
- once_cell = "1"
--pyo3 = { version = "0.18", features = ["abi3-py37"] }
-+pyo3 = { version = "0.19", features = ["abi3-py37"] }
- asn1 = { version = "0.15.2", default-features = false }
- cryptography-cffi = { path = "cryptography-cffi" }
- cryptography-x509 = { path = "cryptography-x509" }
-diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
-index 65051c2a4..24e53991b 100644
---- a/src/rust/cryptography-cffi/Cargo.toml
-+++ b/src/rust/cryptography-cffi/Cargo.toml
-@@ -8,7 +8,7 @@ publish = false
- rust-version = "1.56.0"
- 
- [dependencies]
--pyo3 = { version = "0.18", features = ["abi3-py37"] }
-+pyo3 = { version = "0.19", features = ["abi3-py37"] }
- openssl-sys = "0.9.88"
- 
- [build-dependencies]
-diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
-index 923015035..1380d6eb8 100644
---- a/src/rust/src/x509/crl.rs
-+++ b/src/rust/src/x509/crl.rs
-@@ -145,7 +145,7 @@ impl CertificateRevocationList {
-             revoked_certs
-         });
- 
--        if idx.is_instance_of::<pyo3::types::PySlice>()? {
-+        if idx.is_instance_of::<pyo3::types::PySlice>() {
-             let indices = idx
-                 .downcast::<pyo3::types::PySlice>()?
-                 .indices(self.len().try_into().unwrap())?;
-diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
-index 98d1bd63b..dcf28833f 100644
---- a/src/rust/src/x509/extensions.rs
-+++ b/src/rust/src/x509/extensions.rs
-@@ -211,7 +211,7 @@ fn encode_certificate_policies(
-             let mut qualifiers = vec![];
-             for py_qualifier in py_policy_qualifiers.iter()? {
-                 let py_qualifier = py_qualifier?;
--                let qualifier = if py_qualifier.is_instance_of::<pyo3::types::PyString>()? {
-+                let qualifier = if py_qualifier.is_instance_of::<pyo3::types::PyString>() {
-                     let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
-                         Some(s) => s,
-                         None => {

python-cryptography.spec

@@ -5,7 +5,7 @@
 %global srcname cryptography
 
 Name:           python-%{srcname}
-Version:        41.0.7
+Version:        42.0.5
 Release:        1%{?dist}
 Summary:        PyCA's cryptography library
 
@@ -19,8 +19,7 @@ Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcnam
 Source1:        cryptography-%{version}-vendor.tar.bz2
 Source2:        conftest-skipper.py
 
-Patch1:         pyo3-0.19.patch
+Patch1:         skip-overflow-tests-32bit.patch
-Patch2:         ouroboros-0.17.patch
 
 ExclusiveArch:  %{rust_arches}
 
@@ -29,8 +28,6 @@ BuildRequires:  gcc
 BuildRequires:  gnupg2
 %if 0%{?fedora}
 BuildRequires:  rust-packaging
-# test_load_with_other_sections in 40.0 fails with pem 1.1.0
-BuildRequires:  rust-pem-devel >= 1.1.1
 %else
 BuildRequires:  rust-toolset
 %endif
@@ -48,6 +45,7 @@ BuildRequires:  python%{python3_pkgversion}-pretend
 BuildRequires:  python%{python3_pkgversion}-pytest-xdist
 BuildRequires:  python%{python3_pkgversion}-pytz
 %endif
+BuildRequires:  python%{python3_pkgversion}-certifi
 BuildRequires:  python%{python3_pkgversion}-pytest >= 6.2.0
 BuildRequires:  python%{python3_pkgversion}-pytest-benchmark
 BuildRequires:  python%{python3_pkgversion}-pytest-subtests >= 0.5.0
@@ -73,10 +71,8 @@ recipes to Python developers.
 
 %prep
 %autosetup -p1 -N -n %{srcname}-%{version}
-%if 0%{?fedora}
-# patch pyo3 and ouroboros depedency
 %autopatch -p1 1
-%autopatch -p1 2
+%if 0%{?fedora}
 %cargo_prep
 rm src/rust/Cargo.lock
 %else
@@ -84,27 +80,33 @@ rm src/rust/Cargo.lock
 %cargo_prep -V 1
 %endif
 
-%if 0%{?fedora}
+# Remove cosmetical pytest-subtests 0.10.0 option
+sed -i 's,--no-subtests-shortletter,,' pyproject.toml
+
+
 %generate_buildrequires
+%pyproject_buildrequires -t
+%if 0%{?fedora}
 # Fedora: use RPMified crates
 cd src/rust
 %cargo_generate_buildrequires
 cd ../..
 %endif
 
-# Remove cosmetical pytest-subtests 0.10.0 option
-sed -i 's,--no-subtests-shortletter,,' pyproject.toml
 
 %build
 export RUSTFLAGS="%build_rustflags"
 export OPENSSL_NO_VENDOR=1
-%py3_build
+%pyproject_wheel
+
 
 %install
 # Actually other *.c and *.h are appropriate
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
-%py3_install
+%pyproject_install
+%pyproject_save_files %{srcname}
+
 
 %check
 %if %{with tests}
@@ -130,13 +132,18 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
     -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)"
 %endif
 
-%files -n python%{python3_pkgversion}-%{srcname}
+
+%files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files}
 %doc README.rst docs
 %license LICENSE LICENSE.APACHE LICENSE.BSD
-%{python3_sitearch}/%{srcname}
+
-%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 
 %changelog
+* Wed Mar 06 2024 Christian Heimes <cheimes@redhat.com> - 42.0.1-5
+- Update to 42.0.5, resolves RHBZ#2251816
+- fixes rhbz#2269618, CVE-2024-26130
+- Modernize spec file to use pyproject RPM macros
+
 * Thu Feb 01 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 41.0.7-1
 - Update to 41.0.7, fixes rhbz#2255351, CVE-2023-49083
 

skip-overflow-tests-32bit.patch

@@ -0,0 +1,73 @@
+From d741901dddd731895346636c0d3556c6fa51fbe6 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Thu, 8 Feb 2024 09:11:21 -0600
+Subject: [PATCH] skip overflow aead tests on 32-bit systems
+
+---
+ tests/hazmat/primitives/test_aead.py | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py
+index a1f99ab815ed..2f0d52d82682 100644
+--- a/tests/hazmat/primitives/test_aead.py
++++ b/tests/hazmat/primitives/test_aead.py
+@@ -56,7 +56,8 @@ def test_chacha20poly1305_unsupported_on_older_openssl(backend):
+ )
+ class TestChaCha20Poly1305:
+     @pytest.mark.skipif(
+-        sys.platform not in {"linux", "darwin"}, reason="mmap required"
++        sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31,
++        reason="mmap and 64-bit platform required",
+     )
+     def test_data_too_large(self):
+         key = ChaCha20Poly1305.generate_key()
+@@ -197,7 +198,8 @@ def test_buffer_protocol(self, backend):
+ )
+ class TestAESCCM:
+     @pytest.mark.skipif(
+-        sys.platform not in {"linux", "darwin"}, reason="mmap required"
++        sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31,
++        reason="mmap and 64-bit platform required",
+     )
+     def test_data_too_large(self):
+         key = AESCCM.generate_key(128)
+@@ -378,7 +380,8 @@ def _load_gcm_vectors():
+ 
+ class TestAESGCM:
+     @pytest.mark.skipif(
+-        sys.platform not in {"linux", "darwin"}, reason="mmap required"
++        sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31,
++        reason="mmap and 64-bit platform required",
+     )
+     def test_data_too_large(self):
+         key = AESGCM.generate_key(128)
+@@ -525,7 +528,8 @@ def test_aesocb3_unsupported_on_older_openssl(backend):
+ )
+ class TestAESOCB3:
+     @pytest.mark.skipif(
+-        sys.platform not in {"linux", "darwin"}, reason="mmap required"
++        sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31,
++        reason="mmap and 64-bit platform required",
+     )
+     def test_data_too_large(self):
+         key = AESOCB3.generate_key(128)
+@@ -700,7 +704,8 @@ def test_buffer_protocol(self, backend):
+ )
+ class TestAESSIV:
+     @pytest.mark.skipif(
+-        sys.platform not in {"linux", "darwin"}, reason="mmap required"
++        sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31,
++        reason="mmap and 64-bit platform required",
+     )
+     def test_data_too_large(self):
+         key = AESSIV.generate_key(256)
+@@ -844,7 +849,8 @@ def test_buffer_protocol(self, backend):
+ )
+ class TestAESGCMSIV:
+     @pytest.mark.skipif(
+-        sys.platform not in {"linux", "darwin"}, reason="mmap required"
++        sys.platform not in {"linux", "darwin"} or sys.maxsize < 2**31,
++        reason="mmap and 64-bit platform required",
+     )
+     def test_data_too_large(self):
+         key = AESGCMSIV.generate_key(256)

sources

@@ -1,2 +1,2 @@
-SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307
+SHA512 (cryptography-42.0.5.tar.gz) = 112a1f6395e0c9bf646118100c6285684eabf021d7c8912bbdbc165d5c27fbf9f9f2fffb144d63453b21f8461a172ab49d2b79ed2b80f409489a07d5ddc54bc9
-SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e
+SHA512 (cryptography-42.0.5-vendor.tar.bz2) = 5c8da064f28183d759f0e39077f671297abedd43b40461a6e9fe2390e142945dc5ee54cdf4cfbbc33d9973a9bd95f33312dd5888e2422569f18b4a17ff75f6c4

vendor_rust.py

@@ -12,7 +12,7 @@ import sys
 
 VENDOR_DIR = "vendor"
 CARGO_TOML = "src/rust/Cargo.toml"
-RE_VERSION = re.compile("Version:\s*(.*)")
+RE_VERSION = re.compile(r"Version:\s*(.*)")
 
 parser = argparse.ArgumentParser(description="Vendor Rust packages")
 parser.add_argument(