From c3b2765f37530bdc100b69b0876ad419056b597e Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 28 2020 09:42:19 +0000 Subject: import python-cryptography-2.3-3.el8 --- diff --git a/SOURCES/0002-FIPS-Dont-active-osrandom-engine.patch b/SOURCES/0002-FIPS-Dont-active-osrandom-engine.patch new file mode 100644 index 0000000..9c31191 --- /dev/null +++ b/SOURCES/0002-FIPS-Dont-active-osrandom-engine.patch @@ -0,0 +1,168 @@ +From 95e7c4731b797e96c27c97420039f2979fa48041 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Tue, 12 Nov 2019 10:56:08 +0100 +Subject: [PATCH] FIPS: Don't active osrandom engine + +Resolves: rhbz#1762667 +--- + .../hazmat/backends/openssl/backend.py | 12 +-- + tests/hazmat/backends/test_openssl.py | 94 +------------------ + 2 files changed, 6 insertions(+), 100 deletions(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index af14bfaae..c0a02d10d 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -96,7 +96,7 @@ class Backend(object): + + self._cipher_registry = {} + self._register_default_ciphers() +- self.activate_osrandom_engine() ++ # self.activate_osrandom_engine() + self._dh_types = [self._lib.EVP_PKEY_DH] + if self._lib.Cryptography_HAS_EVP_PKEY_DHX: + self._dh_types.append(self._lib.EVP_PKEY_DHX) +@@ -136,14 +136,8 @@ class Backend(object): + self.openssl_assert(res == 1) + + def activate_osrandom_engine(self): +- # Unregister and free the current engine. +- self.activate_builtin_random() +- with self._get_osurandom_engine() as e: +- # Set the engine as the default RAND provider. +- res = self._lib.ENGINE_set_default_RAND(e) +- self.openssl_assert(res == 1) +- # Reset the RNG to use the new engine. +- self._lib.RAND_cleanup() ++ # osrandom engine is not enabled for FIPS compliance ++ pass + + def osrandom_engine_implementation(self): + buf = self._ffi.new("char[]", 64) +diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py +index 31b34cd06..bcd26b615 100644 +--- a/tests/hazmat/backends/test_openssl.py ++++ b/tests/hazmat/backends/test_openssl.py +@@ -171,63 +171,6 @@ class TestOpenSSL(object): + + + class TestOpenSSLRandomEngine(object): +- def setup(self): +- # The default RAND engine is global and shared between +- # tests. We make sure that the default engine is osrandom +- # before we start each test and restore the global state to +- # that engine in teardown. +- current_default = backend._lib.ENGINE_get_default_RAND() +- name = backend._lib.ENGINE_get_name(current_default) +- assert name == backend._binding._osrandom_engine_name +- +- def teardown(self): +- # we need to reset state to being default. backend is a shared global +- # for all these tests. +- backend.activate_osrandom_engine() +- current_default = backend._lib.ENGINE_get_default_RAND() +- name = backend._lib.ENGINE_get_name(current_default) +- assert name == backend._binding._osrandom_engine_name +- +- @pytest.mark.skipif(sys.executable is None, +- reason="No Python interpreter available.") +- def test_osrandom_engine_is_default(self, tmpdir): +- engine_printer = textwrap.dedent( +- """ +- import sys +- from cryptography.hazmat.backends.openssl.backend import backend +- +- e = backend._lib.ENGINE_get_default_RAND() +- name = backend._lib.ENGINE_get_name(e) +- sys.stdout.write(backend._ffi.string(name).decode('ascii')) +- res = backend._lib.ENGINE_free(e) +- assert res == 1 +- """ +- ) +- engine_name = tmpdir.join('engine_name') +- +- # If we're running tests via ``python setup.py test`` in a clean +- # environment then all of our dependencies are going to be installed +- # into either the current directory or the .eggs directory. However the +- # subprocess won't know to activate these dependencies, so we'll get it +- # to do so by passing our entire sys.path into the subprocess via the +- # PYTHONPATH environment variable. +- env = os.environ.copy() +- env["PYTHONPATH"] = os.pathsep.join(sys.path) +- +- with engine_name.open('w') as out: +- subprocess.check_call( +- [sys.executable, "-c", engine_printer], +- env=env, +- stdout=out, +- stderr=subprocess.PIPE, +- ) +- +- osrandom_engine_name = backend._ffi.string( +- backend._binding._osrandom_engine_name +- ) +- +- assert engine_name.read().encode('ascii') == osrandom_engine_name +- + def test_osrandom_sanity_check(self): + # This test serves as a check against catastrophic failure. + buf = backend._ffi.new("unsigned char[]", 500) +@@ -235,32 +178,14 @@ class TestOpenSSLRandomEngine(object): + assert res == 1 + assert backend._ffi.buffer(buf)[:] != "\x00" * 500 + +- def test_activate_osrandom_no_default(self): +- backend.activate_builtin_random() ++ def test_osrandom_noop(self): + e = backend._lib.ENGINE_get_default_RAND() + assert e == backend._ffi.NULL ++ # noop + backend.activate_osrandom_engine() + e = backend._lib.ENGINE_get_default_RAND() +- name = backend._lib.ENGINE_get_name(e) +- assert name == backend._binding._osrandom_engine_name +- res = backend._lib.ENGINE_free(e) +- assert res == 1 +- +- def test_activate_builtin_random(self): +- e = backend._lib.ENGINE_get_default_RAND() +- assert e != backend._ffi.NULL +- name = backend._lib.ENGINE_get_name(e) +- assert name == backend._binding._osrandom_engine_name +- res = backend._lib.ENGINE_free(e) +- assert res == 1 +- backend.activate_builtin_random() +- e = backend._lib.ENGINE_get_default_RAND() +- assert e == backend._ffi.NULL +- +- def test_activate_builtin_random_already_active(self): +- backend.activate_builtin_random() +- e = backend._lib.ENGINE_get_default_RAND() + assert e == backend._ffi.NULL ++ # noop + backend.activate_builtin_random() + e = backend._lib.ENGINE_get_default_RAND() + assert e == backend._ffi.NULL +@@ -282,19 +207,6 @@ class TestOpenSSLRandomEngine(object): + if sys.platform == 'win32': + assert name == 'CryptGenRandom' + +- def test_activate_osrandom_already_default(self): +- e = backend._lib.ENGINE_get_default_RAND() +- name = backend._lib.ENGINE_get_name(e) +- assert name == backend._binding._osrandom_engine_name +- res = backend._lib.ENGINE_free(e) +- assert res == 1 +- backend.activate_osrandom_engine() +- e = backend._lib.ENGINE_get_default_RAND() +- name = backend._lib.ENGINE_get_name(e) +- assert name == backend._binding._osrandom_engine_name +- res = backend._lib.ENGINE_free(e) +- assert res == 1 +- + + class TestOpenSSLRSA(object): + def test_generate_rsa_parameters_supported(self): +-- +2.23.0 + diff --git a/SPECS/python-cryptography.spec b/SPECS/python-cryptography.spec index 5954cc0..6f7fafb 100644 --- a/SPECS/python-cryptography.spec +++ b/SPECS/python-cryptography.spec @@ -18,7 +18,7 @@ Name: python-%{srcname} Version: 2.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: PyCA's cryptography library Group: Development/Libraries @@ -27,6 +27,7 @@ URL: https://cryptography.io/en/latest/ Source0: https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz Patch0001: 0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch +Patch0002: 0002-FIPS-Dont-active-osrandom-engine.patch BuildRequires: openssl-devel BuildRequires: gcc @@ -161,6 +162,10 @@ rm -f tests/hazmat/primitives/test_padding.py %changelog +* Tue Nov 12 2019 Christian Heimes - 2.3-3 +- Don't activate custom osrandom engine for FIPS compliance +- Resolves: rhbz#1762667 + * Mon Aug 13 2018 Christian Heimes - 2.3-2 - Use TLSv1.2 in test as workaround for RHBZ#1615099 - Resolves: RHBZ#1611738