Rebuild for openssl crate >= v0.10.70 (RUSTSEC-2025-0004)

allow sha1 in OAEP
In FIPS mode, RSA OAEP padding is refused with an error message: "This combination of padding and hash algorithm is not supported by this backend." It picks up the patch in https://github.com/pyca/cryptography/pull/11536 to allow sha1 in OAEP. Fixes: https://github.com/pyca/cryptography/issues/11512 Related: https://issues.redhat.com/browse/RHEL-40210 Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
2025-02-06 14:47:14 +01:00 · 2025-01-20 12:13:05 +01:00
5 changed files with 77 additions and 33 deletions
--- a/.gitignore
+++ b/.gitignore
@ -67,11 +67,3 @@
 /cryptography-42.0.8-vendor.tar.bz2
 /cryptography-43.0.0.tar.gz
 /cryptography-43.0.0-vendor.tar.bz2
-/cryptography-44.0.0.tar.gz
-/cryptography-44.0.0-vendor.tar.bz2
-/cryptography-45.0.2.tar.gz
-/cryptography-45.0.2-vendor.tar.bz2
-/cryptography-45.0.3.tar.gz
-/cryptography-45.0.3-vendor.tar.bz2
-/cryptography-45.0.4.tar.gz
-/cryptography-45.0.4-vendor.tar.bz2
--- a/11328.patch
+++ b/11328.patch
@ -0,0 +1,36 @@
+From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Mon, 22 Jul 2024 09:09:05 +0200
+Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined
+
+Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE
+support. Downstream has moved `openssl/engine.h` into a separate RPM
+package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The
+compiler flag disables PyCA cryptography's ENGINE support successfully.
+We also like to build the downstream package without the `engine.h`
+header file present.
+
+This commit makes the include conditional. The `ENGINE` type is
+defined in `openssl/types.h`.
+
+See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide
+See: https://issues.redhat.com/browse/RHEL-33747
+Signed-off-by: Christian Heimes <christian@python.org>
+---
+ src/_cffi_src/openssl/engine.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py
+index 9629a2c8f929..f47e20327003 100644
+--- a/src/_cffi_src/openssl/engine.py
+++ b/src/_cffi_src/openssl/engine.py
+@@ -5,7 +5,9 @@
+ from __future__ import annotations
+ 
+ INCLUDES = """
+#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL
+ #include <openssl/engine.h>
+#endif
+ """
+ 
+ TYPES = """
--- a/11536.patch
+++ b/11536.patch
@ -0,0 +1,26 @@
+From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Tue, 3 Sep 2024 20:19:02 -0400
+Subject: [PATCH] allow sha1 in OAEP (#11536)
+
+fixes #11512
+---
+ src/rust/src/backend/rsa.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs
+index 3c01e7421..066b1412a 100644
+--- a/src/rust/src/backend/rsa.rs
+++ b/src/rust/src/backend/rsa.rs
+@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu
+ }
+ 
+ fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool {
+-    (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1())
+    md == &openssl::hash::MessageDigest::sha1()
+         || md == &openssl::hash::MessageDigest::sha224()
+         || md == &openssl::hash::MessageDigest::sha256()
+         || md == &openssl::hash::MessageDigest::sha384()
+-- 
+2.46.0
+
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@ -5,26 +5,23 @@
 %global srcname cryptography

 Name:           python-%{srcname}
-Version:        45.0.4
+Version:        43.0.0
 Release:        %autorelease
 Summary:        PyCA's cryptography library

 # cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause,
 # as well as the Python Software Foundation license for the OS random
 # engine derived by CPython.
-# Rust crate dependency licenses:
-# Apache-2.0
-# Apache-2.0 OR MIT
-# BSD-3-Clause
-# MIT
-# MIT OR Apache-2.0
-License:        (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 AND Apache-2.0 AND BSD-3-Clause AND MIT AND (MIT OR Apache-2.0)
+License:        (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0
 URL:            https://cryptography.io/en/latest/
 Source0:        https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
                # created by ./vendor_rust.py helper script
 Source1:        cryptography-%{version}-vendor.tar.bz2
 Source2:        conftest-skipper.py

+Patch:          11328.patch
+Patch:          11536.patch
+
 ExclusiveArch:  %{rust_arches}

 BuildRequires:  openssl-devel
@ -49,6 +46,7 @@ BuildRequires:  python%{python3_pkgversion}-iso8601
 BuildRequires:  python%{python3_pkgversion}-pretend
 BuildRequires:  python%{python3_pkgversion}-pytest-benchmark
 BuildRequires:  python%{python3_pkgversion}-pytest-xdist
+BuildRequires:  python%{python3_pkgversion}-pytz
 %endif
 BuildRequires:  python%{python3_pkgversion}-pytest >= 6.2.0
 %endif
@ -72,13 +70,14 @@ cryptography is a package designed to expose cryptographic primitives and
 recipes to Python developers.

 %prep
-%autosetup -p1 %{!?fedora:-a1} -n %{srcname}-%{version}
+%autosetup -p1 -n %{srcname}-%{version}
 %if 0%{?fedora}
 %cargo_prep
 sed -i 's/locked = true//g' pyproject.toml
+rm src/rust/Cargo.lock
 %else
 # RHEL: use vendored Rust crates
-%cargo_prep -v vendor
+%cargo_prep -V 1
 %endif

 %if ! 0%{?fedora}
@ -90,7 +89,9 @@ sed -i 's,--benchmark-disable,,' pyproject.toml
 %pyproject_buildrequires
 %if 0%{?fedora}
 # Fedora: use RPMified crates
+cd src/rust
 %cargo_generate_buildrequires
+cd ../..
 %endif


@ -100,18 +101,11 @@ export OPENSSL_NO_VENDOR=1
 export CFLAGS="${CFLAGS} -DOPENSSL_NO_ENGINE=1 "
 %pyproject_wheel

-%cargo_license_summary
-%{cargo_license} > LICENSE.dependencies
-%if ! 0%{?fedora}
-%cargo_vendor_manifest
-%endif
-

 %install
 # Actually other *.c and *.h are appropriate
 # see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
-find . -name Cargo.toml -print -delete
 %pyproject_install
 %pyproject_save_files %{srcname}

@ -119,8 +113,8 @@ find . -name Cargo.toml -print -delete
 %check
 %if %{with tests}
 %if 0%{?rhel}
-# skip benchmark and hypothesis tests on RHEL
-rm -rf tests/bench tests/hypothesis
+# skip benchmark, hypothesis, and pytz tests on RHEL
+rm -rf tests/bench tests/hypothesis tests/x509
 # append skipper to skip iso8601 and pretend tests
 cat < %{SOURCE2} >> tests/conftest.py
 %endif
@ -144,10 +138,6 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
 %files -n python%{python3_pkgversion}-%{srcname} -f %{pyproject_files}
 %doc README.rst docs
 %license LICENSE LICENSE.APACHE LICENSE.BSD
-%license LICENSE.dependencies
-%if ! 0%{?fedora}
-%license cargo-vendor.txt
-%endif


 %changelog
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (cryptography-45.0.4.tar.gz) = 08b35f414d81f83ee242f5d208f8aabc12dc53f1a0cbffc5be1ed7f9173e9c9863225a7eb5cff4e9f3dacf5e9fcb3e8701e33c441e1562ee13f9e3927fafb3df
-SHA512 (cryptography-45.0.4-vendor.tar.bz2) = 5ff616412e65bd342d2b98110d0b058aaa1719ddf0d1a1164b49451b8f5bc49def81cf4913b6b4c2917f28a33cef28a74ad4391b303c2e36752b81f491a4da06
+SHA512 (cryptography-43.0.0.tar.gz) = 3a65539b2f1639d789ea732c6d24d55293c0ca6943c5182d00411fbd1668ab6cac7865f8148bd5f6d4ba676b89780187b77c49da34f4ed34705c94c074037ee7
+SHA512 (cryptography-43.0.0-vendor.tar.bz2) = e3111e086690b28068cc639be8d3c441bb9ffc2a826e3350fff35f746016c5affdf2481df1e6b1f1e5e566ea76e4c20092a3d11aeeaa5b036dc0929a55c80924