diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..d551308 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/cryptography-3.4.7-vendor.tar.bz2 +SOURCES/cryptography-3.4.7.tar.gz diff --git a/.python-cryptography.metadata b/.python-cryptography.metadata new file mode 100644 index 0000000..dd1bfbd --- /dev/null +++ b/.python-cryptography.metadata @@ -0,0 +1,2 @@ +bbc8da55813a9176b9c9ccf33700903c5f6c107f SOURCES/cryptography-3.4.7-vendor.tar.bz2 +fff48841f1f4b756a6093bdcc376a3c513ba5aaf SOURCES/cryptography-3.4.7.tar.gz diff --git a/SOURCES/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch b/SOURCES/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch new file mode 100644 index 0000000..4cfcdc4 --- /dev/null +++ b/SOURCES/0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch @@ -0,0 +1,130 @@ +From cb1908043d5daa7c5c38945c048c4a2477a46221 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Sun, 28 Feb 2021 16:06:11 -0600 +Subject: [PATCH 1/3] fix pkcs12 parse ordering. fixes #5872 (#5879) + +* fix pkcs12 parse ordering. fixes #5872 + +* remove an unneeded print + +* simplify the test a bit more + +* index + +* black + +* Update tests/hazmat/primitives/test_pkcs12.py + +Co-authored-by: Alex Gaynor + +Co-authored-by: Alex Gaynor +--- + .../hazmat/backends/openssl/backend.py | 5 +- + tests/hazmat/primitives/test_pkcs12.py | 58 ++++++++++++++++++- + 2 files changed, 59 insertions(+), 4 deletions(-) + +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index 271873d9..a96d08d8 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -6,6 +6,7 @@ + import collections + import contextlib + import itertools ++import typing + import warnings + from contextlib import contextmanager + +@@ -2562,9 +2563,7 @@ class Backend(object): + sk_x509 = self._lib.sk_X509_new_null() + sk_x509 = self._ffi.gc(sk_x509, self._lib.sk_X509_free) + +- # reverse the list when building the stack so that they're encoded +- # in the order they were originally provided. it is a mystery +- for ca in reversed(cas): ++ for ca in cas: + res = self._lib.sk_X509_push(sk_x509, ca._x509) + backend.openssl_assert(res >= 1) + +diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py +index b5de09f9..b1759a1b 100644 +--- a/tests/hazmat/primitives/test_pkcs12.py ++++ b/tests/hazmat/primitives/test_pkcs12.py +@@ -4,13 +4,15 @@ + + + import os ++from datetime import datetime + + import pytest + + from cryptography import x509 + from cryptography.hazmat.backends.interfaces import DERSerializationBackend + from cryptography.hazmat.backends.openssl.backend import _RC2 +-from cryptography.hazmat.primitives import serialization ++from cryptography.hazmat.primitives import hashes, serialization ++from cryptography.hazmat.primitives.asymmetric import ec + from cryptography.hazmat.primitives.serialization import load_pem_private_key + from cryptography.hazmat.primitives.serialization.pkcs12 import ( + load_key_and_certificates, +@@ -273,3 +275,57 @@ class TestPKCS12Creation(object): + DummyKeySerializationEncryption(), + ) + assert str(exc.value) == "Unsupported key encryption type" ++ ++ ++def test_pkcs12_ordering(): ++ """ ++ In OpenSSL < 3.0.0 PKCS12 parsing reverses the order. However, we ++ accidentally thought it was **encoding** that did it, leading to bug ++ https://github.com/pyca/cryptography/issues/5872 ++ This test ensures our ordering is correct going forward. ++ """ ++ ++ def make_cert(name): ++ key = ec.generate_private_key(ec.SECP256R1()) ++ subject = x509.Name( ++ [ ++ x509.NameAttribute(x509.NameOID.COMMON_NAME, name), ++ ] ++ ) ++ now = datetime.utcnow() ++ cert = ( ++ x509.CertificateBuilder() ++ .subject_name(subject) ++ .issuer_name(subject) ++ .public_key(key.public_key()) ++ .serial_number(x509.random_serial_number()) ++ .not_valid_before(now) ++ .not_valid_after(now) ++ .sign(key, hashes.SHA256()) ++ ) ++ return (key, cert) ++ ++ # Make some certificates with distinct names. ++ a_name = "A" * 20 ++ b_name = "B" * 20 ++ c_name = "C" * 20 ++ a_key, a_cert = make_cert(a_name) ++ _, b_cert = make_cert(b_name) ++ _, c_cert = make_cert(c_name) ++ ++ # Bundle them in a PKCS#12 file in order A, B, C. ++ p12 = serialize_key_and_certificates( ++ b"p12", a_key, a_cert, [b_cert, c_cert], serialization.NoEncryption() ++ ) ++ ++ # Parse them out. The API should report them in the same order. ++ (key, cert, certs) = load_key_and_certificates(p12, None) ++ assert cert == a_cert ++ assert certs == [b_cert, c_cert] ++ ++ # The ordering in the PKCS#12 file itself should also match. ++ a_idx = p12.index(a_name.encode("utf-8")) ++ b_idx = p12.index(b_name.encode("utf-8")) ++ c_idx = p12.index(c_name.encode("utf-8")) ++ ++ assert a_idx < b_idx < c_idx +-- +2.30.2 + diff --git a/SOURCES/0002-WIP-3.0.0-support-5250.patch b/SOURCES/0002-WIP-3.0.0-support-5250.patch new file mode 100644 index 0000000..dcea843 --- /dev/null +++ b/SOURCES/0002-WIP-3.0.0-support-5250.patch @@ -0,0 +1,415 @@ +From a0bece343e38d73d038d4f3a62c2a9638608ac9c Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Thu, 22 Apr 2021 19:16:38 -0500 +Subject: [PATCH 2/3] [WIP] 3.0.0 support (#5250) + +* 3.0.0 support + +* almost...there... + +* make mypy happy +--- + .github/workflows/ci.yml | 7 ++-- + src/_cffi_src/build_openssl.py | 1 + + src/_cffi_src/openssl/cryptography.py | 3 ++ + src/_cffi_src/openssl/err.py | 6 +++ + src/_cffi_src/openssl/fips.py | 2 +- + src/_cffi_src/openssl/provider.py | 40 ++++++++++++++++++ + .../hazmat/backends/openssl/backend.py | 42 ++++++++++++++++--- + .../hazmat/backends/openssl/ciphers.py | 15 ++++++- + .../hazmat/bindings/openssl/_conditional.py | 11 +++++ + .../hazmat/bindings/openssl/binding.py | 20 +++++++++ + tests/hazmat/backends/test_openssl_memleak.py | 6 ++- + tests/hazmat/bindings/test_openssl.py | 4 +- + tests/hazmat/primitives/test_dh.py | 24 ++++++++++- + 13 files changed, 167 insertions(+), 14 deletions(-) + create mode 100644 src/_cffi_src/openssl/provider.py + +diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml +index cd967a3a..747f84c1 100644 +--- a/.github/workflows/ci.yml ++++ b/.github/workflows/ci.yml +@@ -18,9 +18,10 @@ jobs: + - {VERSION: "3.9", TOXENV: "flake,rust,docs", COVERAGE: "false"} + - {VERSION: "pypy3", TOXENV: "pypy3"} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}} +- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}} +- - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}} +- - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} ++ - {VERSION: "3.9", TOXENV: "py39-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}} ++ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "openssl", VERSION: "3.0.0-alpha15"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "2.9.2"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.0.2"}} + - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}} +diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py +index 08499d66..557296ed 100644 +--- a/src/_cffi_src/build_openssl.py ++++ b/src/_cffi_src/build_openssl.py +@@ -104,6 +104,7 @@ ffi = build_ffi_for_binding( + "osrandom_engine", + "pem", + "pkcs12", ++ "provider", + "rand", + "rsa", + "ssl", +diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py +index e2b5a132..06d1e778 100644 +--- a/src/_cffi_src/openssl/cryptography.py ++++ b/src/_cffi_src/openssl/cryptography.py +@@ -34,6 +34,8 @@ INCLUDES = """ + + #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ + (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) ++#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \ ++ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL) + + #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ + (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL) +@@ -53,6 +55,7 @@ INCLUDES = """ + + TYPES = """ + static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; ++static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; + + static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111; + static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B; +diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py +index 0634b656..8cfeaf5b 100644 +--- a/src/_cffi_src/openssl/err.py ++++ b/src/_cffi_src/openssl/err.py +@@ -18,6 +18,7 @@ static const int EVP_R_UNKNOWN_PBE_ALGORITHM; + + static const int ERR_LIB_EVP; + static const int ERR_LIB_PEM; ++static const int ERR_LIB_PROV; + static const int ERR_LIB_ASN1; + static const int ERR_LIB_PKCS12; + +@@ -45,4 +46,9 @@ int ERR_GET_REASON(unsigned long); + """ + + CUSTOMIZATIONS = """ ++/* This define is tied to provider support and is conditionally ++ removed if Cryptography_HAS_PROVIDERS is false */ ++#ifndef ERR_LIB_PROV ++#define ERR_LIB_PROV 0 ++#endif + """ +diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py +index b9d0d64d..23c10af9 100644 +--- a/src/_cffi_src/openssl/fips.py ++++ b/src/_cffi_src/openssl/fips.py +@@ -17,7 +17,7 @@ int FIPS_mode(void); + """ + + CUSTOMIZATIONS = """ +-#if CRYPTOGRAPHY_IS_LIBRESSL ++#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + static const long Cryptography_HAS_FIPS = 0; + int (*FIPS_mode_set)(int) = NULL; + int (*FIPS_mode)(void) = NULL; +diff --git a/src/_cffi_src/openssl/provider.py b/src/_cffi_src/openssl/provider.py +new file mode 100644 +index 00000000..d7d659ea +--- /dev/null ++++ b/src/_cffi_src/openssl/provider.py +@@ -0,0 +1,40 @@ ++# This file is dual licensed under the terms of the Apache License, Version ++# 2.0, and the BSD License. See the LICENSE file in the root of this repository ++# for complete details. ++ ++ ++INCLUDES = """ ++#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ++#include ++#include ++#endif ++""" ++ ++TYPES = """ ++static const long Cryptography_HAS_PROVIDERS; ++ ++typedef ... OSSL_PROVIDER; ++typedef ... OSSL_LIB_CTX; ++ ++static const long PROV_R_BAD_DECRYPT; ++static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH; ++""" ++ ++FUNCTIONS = """ ++OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *); ++int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov); ++""" ++ ++CUSTOMIZATIONS = """ ++#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ++static const long Cryptography_HAS_PROVIDERS = 1; ++#else ++static const long Cryptography_HAS_PROVIDERS = 0; ++typedef void OSSL_PROVIDER; ++typedef void OSSL_LIB_CTX; ++static const long PROV_R_BAD_DECRYPT = 0; ++static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH = 0; ++OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL; ++int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL; ++#endif ++""" +diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py +index a96d08d8..86e8f0a8 100644 +--- a/src/cryptography/hazmat/backends/openssl/backend.py ++++ b/src/cryptography/hazmat/backends/openssl/backend.py +@@ -1281,6 +1281,11 @@ class Backend(object): + def _evp_pkey_from_der_traditional_key(self, bio_data, password): + key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL) + if key != self._ffi.NULL: ++ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will ++ # successfully load but errors are still put on the stack. Tracked ++ # as https://github.com/openssl/openssl/issues/14996 ++ self._consume_errors() ++ + key = self._ffi.gc(key, self._lib.EVP_PKEY_free) + if password is not None: + raise TypeError( +@@ -1448,6 +1453,11 @@ class Backend(object): + else: + self._handle_key_loading_error() + ++ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will ++ # successfully load but errors are still put on the stack. Tracked ++ # as https://github.com/openssl/openssl/issues/14996 ++ self._consume_errors() ++ + evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) + + if password is not None and userdata.called == 0: +@@ -1470,11 +1480,22 @@ class Backend(object): + "incorrect format or it may be encrypted with an unsupported " + "algorithm." + ) +- elif errors[0]._lib_reason_match( +- self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT +- ) or errors[0]._lib_reason_match( +- self._lib.ERR_LIB_PKCS12, +- self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, ++ ++ elif ( ++ errors[0]._lib_reason_match( ++ self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT ++ ) ++ or errors[0]._lib_reason_match( ++ self._lib.ERR_LIB_PKCS12, ++ self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR, ++ ) ++ or ( ++ self._lib.Cryptography_HAS_PROVIDERS ++ and errors[0]._lib_reason_match( ++ self._lib.ERR_LIB_PROV, ++ self._lib.PROV_R_BAD_DECRYPT, ++ ) ++ ) + ): + raise ValueError("Bad decrypt. Incorrect password?") + +@@ -2520,7 +2541,16 @@ class Backend(object): + if sk_x509_ptr[0] != self._ffi.NULL: + sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free) + num = self._lib.sk_X509_num(sk_x509_ptr[0]) +- for i in range(num): ++ ++ # In OpenSSL < 3.0.0 PKCS12 parsing reverses the order of the ++ # certificates. ++ indices: typing.Iterable[int] ++ if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: ++ indices = range(num) ++ else: ++ indices = reversed(range(num)) ++ ++ for i in indices: + x509 = self._lib.sk_X509_value(sk_x509, i) + self.openssl_assert(x509 != self._ffi.NULL) + x509 = self._ffi.gc(x509, self._lib.X509_free) +diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py +index 0f96795f..a2dd6894 100644 +--- a/src/cryptography/hazmat/backends/openssl/ciphers.py ++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py +@@ -145,7 +145,13 @@ class _CipherContext(object): + res = self._backend._lib.EVP_CipherUpdate( + self._ctx, outbuf, outlen, inbuf, inlen + ) +- self._backend.openssl_assert(res != 0) ++ if res == 0 and isinstance(self._mode, modes.XTS): ++ raise ValueError( ++ "In XTS mode you must supply at least a full block in the " ++ "first update call. For AES this is 16 bytes." ++ ) ++ else: ++ self._backend.openssl_assert(res != 0) + data_processed += inlen + total_out += outlen[0] + +@@ -174,6 +180,13 @@ class _CipherContext(object): + errors[0]._lib_reason_match( + self._backend._lib.ERR_LIB_EVP, + self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH, ++ ) ++ or ( ++ self._backend._lib.Cryptography_HAS_PROVIDERS ++ and errors[0]._lib_reason_match( ++ self._backend._lib.ERR_LIB_PROV, ++ self._backend._lib.PROV_R_WRONG_FINAL_BLOCK_LENGTH, ++ ) + ), + errors=errors, + ) +diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py +index 86548357..1f42c7be 100644 +--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py ++++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py +@@ -270,6 +270,16 @@ def cryptography_has_get_proto_version(): + ] + + ++def cryptography_has_providers(): ++ return [ ++ "OSSL_PROVIDER_load", ++ "OSSL_PROVIDER_unload", ++ "ERR_LIB_PROV", ++ "PROV_R_WRONG_FINAL_BLOCK_LENGTH", ++ "PROV_R_BAD_DECRYPT", ++ ] ++ ++ + # This is a mapping of + # {condition: function-returning-names-dependent-on-that-condition} so we can + # loop over them and delete unsupported names at runtime. It will be removed +@@ -318,4 +328,5 @@ CONDITIONAL_NAMES = { + "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain, + "Cryptography_HAS_SRTP": cryptography_has_srtp, + "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version, ++ "Cryptography_HAS_PROVIDERS": cryptography_has_providers, + } +diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py +index a2bc36a8..6dcec26a 100644 +--- a/src/cryptography/hazmat/bindings/openssl/binding.py ++++ b/src/cryptography/hazmat/bindings/openssl/binding.py +@@ -113,6 +113,8 @@ class Binding(object): + ffi = ffi + _lib_loaded = False + _init_lock = threading.Lock() ++ _legacy_provider: typing.Any = None ++ _default_provider: typing.Any = None + + def __init__(self): + self._ensure_ffi_initialized() +@@ -140,6 +142,24 @@ class Binding(object): + # adds all ciphers/digests for EVP + cls.lib.OpenSSL_add_all_algorithms() + cls._register_osrandom_engine() ++ # As of OpenSSL 3.0.0 we must register a legacy cipher provider ++ # to get RC2 (needed for junk asymmetric private key ++ # serialization), RC4, Blowfish, IDEA, SEED, etc. These things ++ # are ugly legacy, but we aren't going to get rid of them ++ # any time soon. ++ if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: ++ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load( ++ cls.ffi.NULL, b"legacy" ++ ) ++ _openssl_assert( ++ cls.lib, cls._legacy_provider != cls.ffi.NULL ++ ) ++ cls._default_provider = cls.lib.OSSL_PROVIDER_load( ++ cls.ffi.NULL, b"default" ++ ) ++ _openssl_assert( ++ cls.lib, cls._default_provider != cls.ffi.NULL ++ ) + + @classmethod + def init_static_locks(cls): +diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py +index 0c96516f..0316b5d9 100644 +--- a/tests/hazmat/backends/test_openssl_memleak.py ++++ b/tests/hazmat/backends/test_openssl_memleak.py +@@ -82,7 +82,7 @@ def main(argv): + assert result == 1 + + # Trigger a bunch of initialization stuff. +- import cryptography.hazmat.backends.openssl ++ from cryptography.hazmat.backends.openssl.backend import backend + + start_heap = set(heap) + +@@ -91,6 +91,10 @@ def main(argv): + gc.collect() + gc.collect() + ++ if lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: ++ lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider) ++ lib.OSSL_PROVIDER_unload(backend._binding._default_provider) ++ + if lib.Cryptography_HAS_OPENSSL_CLEANUP: + lib.OPENSSL_cleanup() + +diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py +index fb9a1e36..4d1e3b55 100644 +--- a/tests/hazmat/bindings/test_openssl.py ++++ b/tests/hazmat/bindings/test_openssl.py +@@ -91,7 +91,9 @@ class TestOpenSSL(object): + _openssl_assert(b.lib, False) + + error = exc_info.value.err_code[0] +- assert error.code == 101183626 ++ # As of 3.0.0 OpenSSL sets func codes to 0, so the combined ++ # code is a different value ++ assert error.code in (101183626, 50331786) + assert error.lib == b.lib.ERR_LIB_EVP + assert error.func == b.lib.EVP_F_EVP_ENCRYPTFINAL_EX + assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH +diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py +index 131807fc..bb29919f 100644 +--- a/tests/hazmat/primitives/test_dh.py ++++ b/tests/hazmat/primitives/test_dh.py +@@ -180,7 +180,23 @@ class TestDH(object): + params = dh.DHParameterNumbers(p, int(vector["g"])) + param = params.parameters(backend) + key = param.generate_private_key() +- assert key.private_numbers().public_numbers.parameter_numbers == params ++ # In OpenSSL 3.0.0 OpenSSL maps to known groups. This results in ++ # a scenario where loading a known group with p and g returns a ++ # re-serialized form that has q as well (the Sophie Germain prime of ++ # that group). This makes a naive comparison of the parameter numbers ++ # objects fail, so we have to be a bit smarter ++ serialized_params = ( ++ key.private_numbers().public_numbers.parameter_numbers ++ ) ++ if serialized_params.q is None: ++ # This is the path OpenSSL < 3.0 takes ++ assert serialized_params == params ++ else: ++ assert serialized_params.p == params.p ++ assert serialized_params.g == params.g ++ # p = 2q + 1 since it is a Sophie Germain prime, so we can compute ++ # what we expect OpenSSL to have done here. ++ assert serialized_params.q == (params.p - 1) // 2 + + @pytest.mark.skip_fips(reason="non-FIPS parameters") + @pytest.mark.parametrize( +@@ -382,6 +398,12 @@ class TestDH(object): + assert symkey1 != symkey2 + + @pytest.mark.skip_fips(reason="key_size too small for FIPS") ++ @pytest.mark.supported( ++ only_if=lambda backend: ( ++ not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ++ ), ++ skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+", ++ ) + def test_load_256bit_key_from_pkcs8(self, backend): + data = load_vectors_from_file( + os.path.join("asymmetric", "DH", "dh_key_256.pem"), +-- +2.30.2 + diff --git a/SOURCES/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch b/SOURCES/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch new file mode 100644 index 0000000..efc14b0 --- /dev/null +++ b/SOURCES/0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch @@ -0,0 +1,151 @@ +From 29cf9b8d63ef3437ba11aa29502af8773faa17a7 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Wed, 14 Apr 2021 13:15:57 -0500 +Subject: [PATCH 3/3] switch to using EVP_PKEY_derive instead of DH_compute_key + in DH (#5972) + +* switch to using EVP_PKEY_derive instead of DH_compute_key in DH + +Where checks are occurring is changing in OpenSSL 3.0 and this makes it +easier to be consistent (and is the API we should be using anyway). The +tests change because EVP_PKEY_derive now verifies that we have shared +parameters, which the test previously only verified by asserting that +the derived keys didn't match + +* review feedback + +* type ignores required for typeerror tests. some day i will remember this +--- + src/_cffi_src/openssl/dh.py | 1 - + .../hazmat/backends/openssl/dh.py | 57 ++++++++++++------- + tests/hazmat/primitives/test_dh.py | 19 ++++--- + 3 files changed, 45 insertions(+), 32 deletions(-) + +diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py +index 979dafa9..50989e45 100644 +--- a/src/_cffi_src/openssl/dh.py ++++ b/src/_cffi_src/openssl/dh.py +@@ -18,7 +18,6 @@ DH *DH_new(void); + void DH_free(DH *); + int DH_size(const DH *); + int DH_generate_key(DH *); +-int DH_compute_key(unsigned char *, const BIGNUM *, DH *); + DH *DHparams_dup(DH *); + + /* added in 1.1.0 when the DH struct was opaqued */ +diff --git a/src/cryptography/hazmat/backends/openssl/dh.py b/src/cryptography/hazmat/backends/openssl/dh.py +index 65ddaeec..b928f024 100644 +--- a/src/cryptography/hazmat/backends/openssl/dh.py ++++ b/src/cryptography/hazmat/backends/openssl/dh.py +@@ -127,35 +127,48 @@ class _DHPrivateKey(dh.DHPrivateKey): + ) + + def exchange(self, peer_public_key: dh.DHPublicKey) -> bytes: +- buf = self._backend._ffi.new("unsigned char[]", self._key_size_bytes) +- pub_key = self._backend._ffi.new("BIGNUM **") +- self._backend._lib.DH_get0_key( +- peer_public_key._dh_cdata, # type: ignore[attr-defined] +- pub_key, +- self._backend._ffi.NULL, ++ if not isinstance(peer_public_key, _DHPublicKey): ++ raise TypeError("peer_public_key must be a DHPublicKey") ++ ++ ctx = self._backend._lib.EVP_PKEY_CTX_new( ++ self._evp_pkey, self._backend._ffi.NULL + ) +- self._backend.openssl_assert(pub_key[0] != self._backend._ffi.NULL) +- res = self._backend._lib.DH_compute_key( +- buf, pub_key[0], self._dh_cdata ++ self._backend.openssl_assert(ctx != self._backend._ffi.NULL) ++ ctx = self._backend._ffi.gc(ctx, self._backend._lib.EVP_PKEY_CTX_free) ++ res = self._backend._lib.EVP_PKEY_derive_init(ctx) ++ self._backend.openssl_assert(res == 1) ++ res = self._backend._lib.EVP_PKEY_derive_set_peer( ++ ctx, peer_public_key._evp_pkey ++ ) ++ # Invalid kex errors here in OpenSSL 3.0 because checks were moved ++ # to EVP_PKEY_derive_set_peer ++ self._exchange_assert(res == 1) ++ keylen = self._backend._ffi.new("size_t *") ++ res = self._backend._lib.EVP_PKEY_derive( ++ ctx, self._backend._ffi.NULL, keylen + ) ++ # Invalid kex errors here in OpenSSL < 3 ++ self._exchange_assert(res == 1) ++ self._backend.openssl_assert(keylen[0] > 0) ++ buf = self._backend._ffi.new("unsigned char[]", keylen[0]) ++ res = self._backend._lib.EVP_PKEY_derive(ctx, buf, keylen) ++ self._backend.openssl_assert(res == 1) + +- if res == -1: ++ key = self._backend._ffi.buffer(buf, keylen[0])[:] ++ pad = self._key_size_bytes - len(key) ++ ++ if pad > 0: ++ key = (b"\x00" * pad) + key ++ ++ return key ++ ++ def _exchange_assert(self, ok): ++ if not ok: + errors_with_text = self._backend._consume_errors_with_text() + raise ValueError( +- "Error computing shared key. Public key is likely invalid " +- "for this exchange.", ++ "Error computing shared key.", + errors_with_text, + ) +- else: +- self._backend.openssl_assert(res >= 1) +- +- key = self._backend._ffi.buffer(buf)[:res] +- pad = self._key_size_bytes - len(key) +- +- if pad > 0: +- key = (b"\x00" * pad) + key +- +- return key + + def public_key(self) -> dh.DHPublicKey: + dh_cdata = _dh_params_dup(self._dh_cdata, self._backend) +diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py +index bb29919f..2914f7e7 100644 +--- a/tests/hazmat/primitives/test_dh.py ++++ b/tests/hazmat/primitives/test_dh.py +@@ -296,6 +296,12 @@ class TestDH(object): + assert isinstance(key.private_numbers(), dh.DHPrivateNumbers) + assert isinstance(key.parameters(), dh.DHParameters) + ++ def test_exchange_wrong_type(self, backend): ++ parameters = FFDH3072_P.parameters(backend) ++ key1 = parameters.generate_private_key() ++ with pytest.raises(TypeError): ++ key1.exchange(b"invalidtype") # type: ignore[arg-type] ++ + def test_exchange(self, backend): + parameters = FFDH3072_P.parameters(backend) + assert isinstance(parameters, dh.DHParameters) +@@ -386,16 +392,11 @@ class TestDH(object): + key2 = private2.private_key(backend) + pub_key2 = key2.public_key() + +- if pub_key2.public_numbers().y >= parameters1.p: +- with pytest.raises(ValueError): +- key1.exchange(pub_key2) +- else: +- symkey1 = key1.exchange(pub_key2) +- assert symkey1 +- +- symkey2 = key2.exchange(pub_key1) ++ with pytest.raises(ValueError): ++ key1.exchange(pub_key2) + +- assert symkey1 != symkey2 ++ with pytest.raises(ValueError): ++ key2.exchange(pub_key1) + + @pytest.mark.skip_fips(reason="key_size too small for FIPS") + @pytest.mark.supported( +-- +2.30.2 + diff --git a/SOURCES/0004-3.0.0-deprecated-func-and-it-isn-t-useful-to-us-in-g.patch b/SOURCES/0004-3.0.0-deprecated-func-and-it-isn-t-useful-to-us-in-g.patch new file mode 100644 index 0000000..454fd74 --- /dev/null +++ b/SOURCES/0004-3.0.0-deprecated-func-and-it-isn-t-useful-to-us-in-g.patch @@ -0,0 +1,84 @@ +From 417984a48106626b5f6a62763113c0ed1f741f5b Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Wed, 30 Jun 2021 06:14:42 -0500 +Subject: [PATCH 4/5] 3.0.0 deprecated func and it isn't useful to us in + general (#6148) + +remove it everywhere and assert on the code/lib/reason +--- + src/cryptography/hazmat/bindings/openssl/binding.py | 11 ++++------- + tests/hazmat/bindings/test_openssl.py | 5 ++--- + 2 files changed, 6 insertions(+), 10 deletions(-) + +diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py +index 6dcec26a..f651ab67 100644 +--- a/src/cryptography/hazmat/bindings/openssl/binding.py ++++ b/src/cryptography/hazmat/bindings/openssl/binding.py +@@ -15,15 +15,14 @@ from cryptography.hazmat.bindings._openssl import ffi, lib + from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES + + _OpenSSLErrorWithText = collections.namedtuple( +- "_OpenSSLErrorWithText", ["code", "lib", "func", "reason", "reason_text"] ++ "_OpenSSLErrorWithText", ["code", "lib", "reason", "reason_text"] + ) + + + class _OpenSSLError(object): +- def __init__(self, code, lib, func, reason): ++ def __init__(self, code, lib, reason): + self._code = code + self._lib = lib +- self._func = func + self._reason = reason + + def _lib_reason_match(self, lib, reason): +@@ -31,7 +30,6 @@ class _OpenSSLError(object): + + code = utils.read_only_property("_code") + lib = utils.read_only_property("_lib") +- func = utils.read_only_property("_func") + reason = utils.read_only_property("_reason") + + +@@ -43,10 +41,9 @@ def _consume_errors(lib): + break + + err_lib = lib.ERR_GET_LIB(code) +- err_func = lib.ERR_GET_FUNC(code) + err_reason = lib.ERR_GET_REASON(code) + +- errors.append(_OpenSSLError(code, err_lib, err_func, err_reason)) ++ errors.append(_OpenSSLError(code, err_lib, err_reason)) + + return errors + +@@ -60,7 +57,7 @@ def _errors_with_text(errors): + + errors_with_text.append( + _OpenSSLErrorWithText( +- err.code, err.lib, err.func, err.reason, err_text_reason ++ err.code, err.lib, err.reason, err_text_reason + ) + ) + +diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py +index 4d1e3b55..1d9b87ba 100644 +--- a/tests/hazmat/bindings/test_openssl.py ++++ b/tests/hazmat/bindings/test_openssl.py +@@ -91,11 +91,10 @@ class TestOpenSSL(object): + _openssl_assert(b.lib, False) + + error = exc_info.value.err_code[0] +- # As of 3.0.0 OpenSSL sets func codes to 0, so the combined +- # code is a different value ++ # As of 3.0.0 OpenSSL no longer sets func codes (which we now also ++ # ignore), so the combined code is a different value + assert error.code in (101183626, 50331786) + assert error.lib == b.lib.ERR_LIB_EVP +- assert error.func == b.lib.EVP_F_EVP_ENCRYPTFINAL_EX + assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH + assert b"data not multiple of block length" in error.reason_text + +-- +2.31.1 + diff --git a/SOURCES/0005-remove-unneeded-binding-6150.patch b/SOURCES/0005-remove-unneeded-binding-6150.patch new file mode 100644 index 0000000..5083ccf --- /dev/null +++ b/SOURCES/0005-remove-unneeded-binding-6150.patch @@ -0,0 +1,24 @@ +From 4df2a650e2f8be0dc118128d39aebe6f32d06d43 Mon Sep 17 00:00:00 2001 +From: Paul Kehrer +Date: Wed, 30 Jun 2021 21:12:46 -0500 +Subject: [PATCH 5/5] remove unneeded binding (#6150) + +--- + src/_cffi_src/openssl/err.py | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py +index 8cfeaf5b..8d838d4f 100644 +--- a/src/_cffi_src/openssl/err.py ++++ b/src/_cffi_src/openssl/err.py +@@ -40,7 +40,6 @@ void ERR_clear_error(void); + void ERR_put_error(int, int, int, const char *, int); + + int ERR_GET_LIB(unsigned long); +-int ERR_GET_FUNC(unsigned long); + int ERR_GET_REASON(unsigned long); + + """ +-- +2.31.1 + diff --git a/SOURCES/conftest-skipper.py b/SOURCES/conftest-skipper.py new file mode 100644 index 0000000..5a1de83 --- /dev/null +++ b/SOURCES/conftest-skipper.py @@ -0,0 +1,22 @@ + +class Skipper: + """Skip iso8601 and pretend tests + + RHEL buildroot doesn't have python-iso8601 and python-pretend. Skip + all tests that use the excluded modules. + """ + + def parse_date(self, datestring): + pytest.skip(f"iso8601 module is not available.") + + def stub(self, **kwargs): + pytest.skip(f"pretend module is not available.") + + def raiser(self, exc): + pytest.skip(f"pretend module is not available.") + + +import sys + +sys.modules["iso8601"] = sys.modules["pretend"] = Skipper() + diff --git a/SPECS/python-cryptography.spec b/SPECS/python-cryptography.spec new file mode 100644 index 0000000..3c873d0 --- /dev/null +++ b/SPECS/python-cryptography.spec @@ -0,0 +1,278 @@ +%bcond_without tests + +%{!?python3_pkgversion:%global python3_pkgversion 3} + +%global srcname cryptography +%global pyo3_version 0.13.1 + +Name: python-%{srcname} +Version: 3.4.7 +Release: 5%{?dist} +Summary: PyCA's cryptography library + +License: ASL 2.0 or BSD +URL: https://cryptography.io/en/latest/ +Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz + # created by ./vendor_rust.py helper script +Source1: cryptography-%{version}-vendor.tar.bz2 +Source2: conftest-skipper.py + +# OpenSSL 3.0.0 patches +Patch1: 0001-fix-pkcs12-parse-ordering.-fixes-5872-5879.patch +Patch2: 0002-WIP-3.0.0-support-5250.patch +Patch3: 0003-switch-to-using-EVP_PKEY_derive-instead-of-DH_comput.patch +Patch4: 0004-3.0.0-deprecated-func-and-it-isn-t-useful-to-us-in-g.patch +Patch5: 0005-remove-unneeded-binding-6150.patch + +ExclusiveArch: %{rust_arches} + +BuildRequires: openssl-devel +BuildRequires: gcc +BuildRequires: gnupg2 +%if 0%{?fedora} +BuildRequires: rust-packaging +%else +BuildRequires: rust-toolset +%endif + +BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 +BuildRequires: python%{python3_pkgversion}-devel +BuildRequires: python%{python3_pkgversion}-setuptools +BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3 +BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 + +%if %{with tests} +%if 0%{?fedora} +BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 +BuildRequires: python%{python3_pkgversion}-iso8601 +BuildRequires: python%{python3_pkgversion}-pretend +BuildRequires: python%{python3_pkgversion}-pytest-xdist +%endif +BuildRequires: python%{python3_pkgversion}-pytest >= 6.0 +BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2 +BuildRequires: python%{python3_pkgversion}-pytz +%endif + +%description +cryptography is a package designed to expose cryptographic primitives and +recipes to Python developers. + +%package -n python%{python3_pkgversion}-%{srcname} +Summary: PyCA's cryptography library +%{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} + +Requires: openssl-libs +Requires: python%{python3_pkgversion}-six >= 1.4.1 +Requires: python%{python3_pkgversion}-cffi >= 1.7 +%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 +# Can be safely removed in Fedora 37 +Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7 +%endif + +%description -n python%{python3_pkgversion}-%{srcname} +cryptography is a package designed to expose cryptographic primitives and +recipes to Python developers. + +%prep +%autosetup -p1 -n %{srcname}-%{version} + +%generate_buildrequires + +%if 0%{?fedora} +# Fedora: use cargo macros to make use of RPMified crates +%cargo_prep +cd src/rust +rm -f Cargo.lock +%cargo_generate_buildrequires +cd ../.. +%else +# RHEL: use vendored Rust crates +%cargo_prep -V 1 +%endif + +%build +%py3_build + +%install +# Actually other *.c and *.h are appropriate +# see https://github.com/pyca/cryptography/issues/1463 +find . -name .keep -print -delete +%py3_install + +%check +%if %{with tests} +%if 0%{?rhel} +# skip hypothesis tests on RHEL +rm -rf tests/hypothesis +# append skipper to skip iso8601 and pretend tests +cat < %{SOURCE2} >> tests/conftest.py +%endif + +# see https://github.com/pyca/cryptography/issues/4885 and +# see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests +PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ + %{__python3} -m pytest \ + -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" +%endif + +%files -n python%{python3_pkgversion}-%{srcname} +%doc README.rst docs +%license LICENSE LICENSE.APACHE LICENSE.BSD +%{python3_sitearch}/%{srcname} +%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info + +%changelog +* Tue Aug 10 2021 Mohan Boddu - 3.4.7-5 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Sun Aug 08 2021 Christian Heimes - 3.4.7-4 +- Remove bindings to ERR_GET_FUNC, which has been removed in 3.0.0-beta2 +- Resolves: rhbz#1953446 + +* Tue Jun 15 2021 Mohan Boddu - 3.4.7-3 +- Rebuilt for RHEL 9 BETA for openssl 3.0 +- Related: rhbz#1971065 + +* Mon Apr 26 2021 Christian Heimes - 3.4.7-2 +- Add backports of OpenSSL 3.0.0 fixes (upstream PR #6000) +- Resolves: rhbz#1953446 + +* Wed Apr 21 2021 Christian Heimes - 3.4.7-1 +- Update to 3.4.7 +- Remove dependency on python-cryptography-vectors package and use vectors + directly from Github source tar ball. Related: rhbz#1952343 + +* Fri Apr 16 2021 Mohan Boddu - 3.4.6-2 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Wed Mar 03 2021 Christian Heimes - 3.4.6-1 +- Update to 3.4.6 (#1927044) + +* Mon Feb 15 2021 Christian Heimes - 3.4.5-1 +- Update to 3.4.5 (#1927044) + +* Fri Feb 12 2021 Christian Heimes - 3.4.4-3 +- Skip iso8601 and pretend tests on RHEL + +* Fri Feb 12 2021 Christian Heimes - 3.4.4-2 +- Provide RHEL build infrastructure + +* Wed Feb 10 2021 Christian Heimes - 3.4.4-1 +- Update to 3.4.4 (#1927044) + +* Mon Feb 08 2021 Christian Heimes - 3.4.2-1 +- Update to 3.4.2 (#1926339) +- Package no longer depends on Rust (#1926181) + +* Mon Feb 08 2021 Fabio Valentini - 3.4.1-2 +- Use dynamically generated BuildRequires for PyO3 Rust module. +- Drop unnecessary CARGO_NET_OFFLINE environment variable. + +* Sun Feb 07 2021 Christian Heimes - 3.4.1-1 +- Update to 3.4.1 (#1925953) + +* Sun Feb 07 2021 Christian Heimes - 3.4-2 +- Add missing abi3 and pytest dependencies + +* Sun Feb 07 2021 Christian Heimes - 3.4-1 +- Update to 3.4 (#1925953) +- Remove Python 2 support +- Remove unused python-idna dependency +- Add Rust support + +* Wed Jan 27 2021 Fedora Release Engineering - 3.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Dec 10 2020 Christian Heimes - 3.3.1-1 +- Update to 3.3.1 (#1905756) + +* Wed Oct 28 2020 Christian Heimes - 3.2.1-1 +- Update to 3.2.1 (#1892153) + +* Mon Oct 26 2020 Christian Heimes - 3.2-1 +- Update to 3.2 (#1891378) + +* Mon Sep 07 2020 Christian Heimes - 3.1-1 +- Update to 3.1 (#1872978) + +* Wed Jul 29 2020 Fedora Release Engineering - 3.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 21 2020 Christian Heimes - 3.0-1 +- Update to 3.0 (#185897) + +* Sat May 23 2020 Miro Hrončok - 2.9-3 +- Rebuilt for Python 3.9 + +* Tue May 12 2020 Felix Schwarz - 2.9-2 +- add source file verification + +* Fri Apr 03 2020 Christian Heimes - 2.9-1 +- Update to 2.9 (#1820348) + +* Thu Jan 30 2020 Fedora Release Engineering - 2.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Jan 13 2020 Christian Heimes - 2.8-2 +- cryptography 2.8+ no longer depends on python-asn1crypto + +* Thu Oct 17 2019 Christian Heimes - 2.8-1 +- Update to 2.8 +- Resolves: rhbz#1762779 + +* Sun Oct 13 2019 Christian Heimes - 2.7-3 +- Skip unit tests that fail with OpenSSL 1.1.1.d +- Resolves: rhbz#1761194 +- Fix and simplify Python 3 packaging + +* Sat Oct 12 2019 Christian Heimes - 2.7-2 +- Drop Python 2 package +- Resolves: rhbz#1761081 + +* Tue Sep 03 2019 Randy Barlow - 2.7-1 +- Update to 2.7 (#1715680). + +* Fri Aug 16 2019 Miro Hrončok - 2.6.1-3 +- Rebuilt for Python 3.8 + +* Fri Jul 26 2019 Fedora Release Engineering - 2.6.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Feb 28 2019 Christian Heimes - 2.6.1-1 +- New upstream release 2.6.1, resolves RHBZ#1683691 + +* Wed Feb 13 2019 Alfredo Moralejo - 2.5-1 +- Updated to 2.5. + +* Sat Feb 02 2019 Fedora Release Engineering - 2.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Aug 13 2018 Christian Heimes - 2.3-2 +- Use TLSv1.2 in test as workaround for RHBZ#1615143 + +* Wed Jul 18 2018 Christian Heimes - 2.3-1 +- New upstream release 2.3 +- Fix AEAD tag truncation bug, RHBZ#1602752 + +* Fri Jul 13 2018 Fedora Release Engineering - 2.2.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Jun 15 2018 Miro Hrončok - 2.2.1-2 +- Rebuilt for Python 3.7 + +* Wed Mar 21 2018 Christian Heimes - 2.2.1-1 +- New upstream release 2.2.1 + +* Sun Feb 18 2018 Christian Heimes - 2.1.4-1 +- New upstream release 2.1.4 + +* Sun Feb 18 2018 Christian Heimes - 2.1.3-4 +- Build requires gcc + +* Mon Feb 12 2018 Iryna Shcherbina - 2.1.3-3 +- Update Python 2 dependency declarations to new packaging standards + (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3) + +* Fri Feb 09 2018 Fedora Release Engineering - 2.1.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild