diff --git a/SOURCES/0001-Drop-minimal-setuptools-and-pytest-version-fron-setu.patch b/SOURCES/0001-Drop-minimal-setuptools-and-pytest-version-fron-setu.patch
new file mode 100644
index 0000000..1328393
--- /dev/null
+++ b/SOURCES/0001-Drop-minimal-setuptools-and-pytest-version-fron-setu.patch
@@ -0,0 +1,34 @@
+From 061a06b4ec5aa942db5b5bdbfe392911d9b949e6 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 14 Aug 2017 13:33:23 +0200
+Subject: [PATCH 1/4] Drop minimal setuptools and pytest version fron setup.py
+
+---
+ setup.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index c5a99be5..0d951bb8 100644
+--- a/setup.py
++++ b/setup.py
+@@ -37,7 +37,7 @@ requirements = [
+ "idna>=2.0",
+ "pyasn1>=0.1.8",
+ "six>=1.4.1",
+- "setuptools>=11.3",
++ "setuptools",
+ ]
+ setup_requirements = []
+
+@@ -58,7 +58,7 @@ else:
+ setup_requirements.append("cffi>=1.4.1")
+
+ test_requirements = [
+- "pytest>=2.9.0",
++ "pytest",
+ "pretend",
+ "iso8601",
+ "pyasn1_modules",
+--
+2.13.5
+
diff --git a/SOURCES/0002-Disable-unsupported-tests.patch b/SOURCES/0002-Disable-unsupported-tests.patch
new file mode 100644
index 0000000..62337a4
--- /dev/null
+++ b/SOURCES/0002-Disable-unsupported-tests.patch
@@ -0,0 +1,42 @@
+From da48b31f7d1e247ed6e00ee09b8c80ca0231e507 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 14 Aug 2017 13:34:17 +0200
+Subject: [PATCH 2/4] Disable unsupported tests
+
+pytest 2.7 does not support context manager for deprecated_call().
+---
+ tests/test_x509.py | 3 ++-
+ tests/test_x509_ext.py | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/tests/test_x509.py b/tests/test_x509.py
+index 966cba6f..fce617cc 100644
+--- a/tests/test_x509.py
++++ b/tests/test_x509.py
+@@ -527,7 +527,8 @@ class TestRSACertificate(object):
+ assert cert.serial == 2
+ assert cert.serial_number == 2
+
+- def test_cert_serial_warning(self, backend):
++ def DISABLED_test_cert_serial_warning(self, backend):
++ # pytest 2.7 does not support context manager for deprecated_call()
+ cert = _load_cert(
+ os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
+ x509.load_der_x509_certificate,
+diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
+index 7104121d..00cf0a6f 100644
+--- a/tests/test_x509_ext.py
++++ b/tests/test_x509_ext.py
+@@ -3003,7 +3003,8 @@ class TestDistributionPoint(object):
+ with pytest.raises(ValueError):
+ x509.DistributionPoint("data", "notname", None, None)
+
+- def test_relative_name_name_value_deprecated(self):
++ def DISABLED_test_relative_name_name_value_deprecated(self):
++ # pytest 2.7 does not support context manager for deprecated_call()
+ with pytest.deprecated_call():
+ x509.DistributionPoint(
+ None,
+--
+2.13.5
+
diff --git a/SOURCES/0003-Refactor-binding-initialization-to-allow-specified-e.patch b/SOURCES/0003-Refactor-binding-initialization-to-allow-specified-e.patch
new file mode 100644
index 0000000..e6a0b31
--- /dev/null
+++ b/SOURCES/0003-Refactor-binding-initialization-to-allow-specified-e.patch
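Review bot: Renaming the two tests to `DISABLED_test_...` in both hunks of this patch removes them from collection silently, so the deprecation-warning coverage they provided disappears from the test report with no skip count to show for it. A conditional skip marker keeps them visible as skipped and records why, e.g. `@pytest.mark.skipif(True, reason="pytest 2.7 lacks the deprecated_call() context manager")` above each original `def`, in place of the rename and the inline comment; `pytest.mark.skipif` predates pytest 2.7, whereas the unconditional `pytest.mark.skip` I believe only arrived in 2.9. Both hunks cut each test body off after three lines, so the remainder of the functions is outside this view.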
@@ -0,0 +1,77 @@
+From 53e182c619774669ad4e54d3ed9fc03155cd2741 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 13 Feb 2017 21:28:02 -0600
+Subject: [PATCH 3/4] Refactor binding initialization to allow specified errors
+ (#3278)
+
+If pyca/cryptography sees any errors on the error stack during its own
+initialization it immediately raises InternalError and refuses to
+proceed. This was a safety measure since we weren't sure if it was
+safe to proceed. However, reality has intervened and we have to
+bow to the god of pragmatism and just clear the error queue. In
+practice this is safe since we religiously check the error queue
+in operation.
+
+Fixes RHBZ #1402235
+---
+ src/cryptography/hazmat/bindings/openssl/binding.py | 7 ++++++-
+ tests/hazmat/bindings/test_openssl.py | 16 +++++++++++++++-
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
+index 39750abc..096faf5c 100644
+--- a/src/cryptography/hazmat/bindings/openssl/binding.py
++++ b/src/cryptography/hazmat/bindings/openssl/binding.py
+@@ -111,7 +111,12 @@ class Binding(object):
+
+ @classmethod
+ def _register_osrandom_engine(cls):
+- _openssl_assert(cls.lib, cls.lib.ERR_peek_error() == 0)
++ # Clear any errors extant in the queue before we start. In many
++ # scenarios other things may be interacting with OpenSSL in the same
++ # process space and it has proven untenable to assume that they will
++ # reliably clear the error queue. Once we clear it here we will
++ # error on any subsequent unexpected item in the stack.
++ cls.lib.ERR_clear_error()
+ cls._osrandom_engine_id = cls.lib.Cryptography_osrandom_engine_id
+ cls._osrandom_engine_name = cls.lib.Cryptography_osrandom_engine_name
+ result = cls.lib.Cryptography_add_osrandom_engine()
+diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
+index 3e01717c..854615f1 100644
+--- a/tests/hazmat/bindings/test_openssl.py
++++ b/tests/hazmat/bindings/test_openssl.py
+@@ -8,7 +8,8 @@ import pytest
+
+ from cryptography.exceptions import InternalError
+ from cryptography.hazmat.bindings.openssl.binding import (
+- Binding, _OpenSSLErrorWithText, _openssl_assert, _verify_openssl_version
++ Binding, _OpenSSLErrorWithText, _consume_errors, _openssl_assert,
++ _verify_openssl_version
+ )
+
+
+@@ -108,8 +109,21 @@ class TestOpenSSL(object):
+ )
+ )]
+
+
+ def test_verify_openssl_version(self, monkeypatch):
+ monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_100", raising=False)
+ with pytest.raises(RuntimeError):
+ # OpenSSL 1.0.0
+ _verify_openssl_version(0x100000F)
++
++ def test_check_startup_errors_are_allowed(self):
++ b = Binding()
++ b.lib.ERR_put_error(
++ b.lib.ERR_LIB_EVP,
++ b.lib.EVP_F_EVP_ENCRYPTFINAL_EX,
++ b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH,
++ b"",
++ -1
++ )
++ b._register_osrandom_engine()
++ assert _consume_errors(b.lib) == []
+--
+2.13.5
+
diff --git a/SOURCES/0004-Enlarge-_oid2txt-buffer-to-handle-larger-OIDs-3612.patch b/SOURCES/0004-Enlarge-_oid2txt-buffer-to-handle-larger-OIDs-3612.patch
new file mode 100644
index 0000000..0857640
--- /dev/null
+++ b/SOURCES/0004-Enlarge-_oid2txt-buffer-to-handle-larger-OIDs-3612.patch
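Review bot: The added comment in `_register_osrandom_engine` ends with "we will error on any subsequent unexpected item in the stack", but nothing in this hunk performs that check; `ERR_clear_error()` discards whatever another in-process OpenSSL user left behind unexamined, and the only guard visible is the `result` assignment whose assertion presumably follows outside the hunk. Since this turns a fail-closed startup assertion into a silent drop, the comment should say so rather than promise an error, e.g. `# Anything queued here came from another OpenSSL user in this process; it is discarded unexamined, and the result check below is the only guard.` If keeping the discarded diagnostics is wanted, `_consume_errors(cls.lib)`, which the test hunk already imports from this same module, returns them as a list and could stand in for the bare `ERR_clear_error()` call. The body of `_register_osrandom_engine` continues past the end of this hunk.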
@@ -0,0 +1,144 @@
+From fb637b7c58e42d7c99558276ffaabec1878bf97d Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 29 May 2017 16:33:20 -0500
+Subject: [PATCH 4/4] Enlarge _oid2txt buffer to handle larger OIDs (#3612)
+
+The OpenSSL manual recommends a buffer size of 80 for OBJ_oid2txt:
+https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values.
+But OIDs longer than this occur in real life (e.g. Active Directory
+makes some very long OIDs). If the length of the stringified OID
+exceeds the buffer size, allocate a new buffer that is big enough to
+hold the stringified OID, and re-do the conversion into the new
+buffer.
+
+NOTE: bigoid.pem has been moved to tests/.
+
+Fixes RHBZ #1455755
+---
+ docs/development/test-vectors.rst | 3 ++
+ .../hazmat/backends/openssl/decode_asn1.py | 14 ++++++++++
+ tests/bigoid.pem | 32 ++++++++++++++++++++++
+ tests/test_x509_ext.py | 19 +++++++++++++
+ 4 files changed, 68 insertions(+)
+ create mode 100644 tests/bigoid.pem
+
+diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
+index fb72240d..bc72a470 100644
+--- a/docs/development/test-vectors.rst
++++ b/docs/development/test-vectors.rst
+@@ -127,6 +127,9 @@ X.509
+ * ``alternate-rsa-sha1-oid.pem`` - A certificate from an
+ `unknown signature OID`_ Mozilla bug that uses an alternate signature OID for
+ RSA with SHA1.
++* ``bigoid.pem`` - A certificate with a rather long OID in the
++ Certificate Policies extension. We need to make sure we can parse
++ long OIDs.
+
+ Custom X.509 Vectors
+ ~~~~~~~~~~~~~~~~~~~~
+diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+index 2cbc349e..5a23da25 100644
+--- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py
++++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py
+@@ -24,9 +24,23 @@ from cryptography.x509.oid import (
+ def _obj2txt(backend, obj):
+ # Set to 80 on the recommendation of
+ # https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values
++ #
++ # But OIDs longer than this occur in real life (e.g. Active
++ # Directory makes some very long OIDs). So we need to detect
++ # and properly handle the case where the default buffer is not
++ # big enough.
++ #
+ buf_len = 80
+ buf = backend._ffi.new("char[]", buf_len)
++
++ # 'res' is the number of bytes that *would* be written if the
++ # buffer is large enough. If 'res' > buf_len - 1, we need to
++ # alloc a big-enough buffer and go again.
+ res = backend._lib.OBJ_obj2txt(buf, buf_len, obj, 1)
++ if res > buf_len - 1: # account for terminating null byte
++ buf_len = res + 1
++ buf = backend._ffi.new("char[]", buf_len)
++ res = backend._lib.OBJ_obj2txt(buf, buf_len, obj, 1)
+ backend.openssl_assert(res > 0)
+ return backend._ffi.buffer(buf, res)[:].decode()
+
+diff --git a/tests/bigoid.pem b/tests/bigoid.pem
+new file mode 100644
+index 00000000..7bf865bf
+--- /dev/null
++++ b/tests/bigoid.pem
+@@ -0,0 +1,32 @@
++-----BEGIN CERTIFICATE-----
++MIIFiTCCBHGgAwIBAgITSAAAAAd1bEC5lsOdnQAAAAAABzANBgkqhkiG9w0BAQsF
++ADBLMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEjAQBgoJkiaJk/IsZAEZFgJhZDEe
++MBwGA1UEAxMVYWQtV0lOLVBQSzAxNUY5TURRLUNBMB4XDTE3MDUyNTIzNDg0NVoX
++DTE5MDUyNTIzNTg0NVowNDESMBAGA1UEChMJSVBBLkxPQ0FMMR4wHAYDVQQDExVD
++ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
++AoIBAQDyyuty6irlL89hdaSW0UyAGLsOOMgAuJwBAeuRUorR159rsSnUXLcTHIsm
++EszKhwxp3NkkawRWx/s0UN1m2+RUwMl6gvlw+G80Mz0S77C77M+2lO8HRmZGm+Wu
++zBNcc9SANHuDQ1NISfZgLiscMS0+l0T3g6/Iqtg1kPWrq/tMevfh6tJEIedSBGo4
++3xKEMSDkrvaeTuSVrgn/QT0m+WNccZa0c7X35L/hgR22/l5sr057Ef8F9vL8zUH5
++TttFBIuiWJo8A8XX9I1zYIFhWjW3OVDZPBUnhGHH6yNyXGxXMRfcrrc74eTw8ivC
++080AQuRtgwvDErB/JPDJ5w5t/ielAgMBAAGjggJ7MIICdzA9BgkrBgEEAYI3FQcE
++MDAuBiYrBgEEAYI3FQiEoqJGhYq1PoGllQqGi+F4nacAgRODs5gfgozzAAIBZAIB
++BTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUnSrC
++yW3CR0e3ilJdN6kL06P3KHMwHwYDVR0jBBgwFoAUj69xtyUNwp8on+NWO+HlxKyg
++X7AwgdgGA1UdHwSB0DCBzTCByqCBx6CBxIaBwWxkYXA6Ly8vQ049YWQtV0lOLVBQ
++SzAxNUY5TURRLUNBLENOPVdJTi1QUEswMTVGOU1EUSxDTj1DRFAsQ049UHVibGlj
++JTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixE
++Qz1hZCxEQz1sb2NhbD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2Jq
++ZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcQGCCsGAQUFBwEBBIG3MIG0
++MIGxBggrBgEFBQcwAoaBpGxkYXA6Ly8vQ049YWQtV0lOLVBQSzAxNUY5TURRLUNB
++LENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxD
++Tj1Db25maWd1cmF0aW9uLERDPWFkLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFz
++ZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MDMGA1UdIAQsMCow
++KAYmKwYBBAGCNxUIhKKiRoWKtT6BpZUKhovheJ2nAIEThrXzUYabpA4wDQYJKoZI
++hvcNAQELBQADggEBAIsFS+Qc/ufTrkuHbMmzksOpxq+OIi9rot8zy9/1Vmj6d+iP
++kB+vQ1u4/IhdQArJFNhsBzWSY9Pi8ZclovpepFeEZfXPUenyeRCU43HdMXcHXnlP
++YZfyLQWOugdo1WxK6S9qQSOSlC7BSGZWvKkiAPAwr4zNbbS+ROA2w0xaYMv0rr5W
++A4UAyzZAdqaGRJBRvCZ/uFHM5wMw0LzNCL4CqKW9jfZX0Fc2tdGx8zbTYxIdgr2D
++PL25as32r3S/m4uWqoQaK0lxK5Y97eusK2rrmidy32Jctzwl29UWq8kpjRAuD8iR
++CSc7sKqOf+fn3+fKITR2/DcSVvb0SGCr5fVVnjQ=
++-----END CERTIFICATE-----
+diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py
+index 00cf0a6f..91df35db 100644
+--- a/tests/test_x509_ext.py
++++ b/tests/test_x509_ext.py
+@@ -409,6 +409,7 @@ class TestPolicyInformation(object):
+ assert pi != object()
+
+
++@pytest.mark.requires_backend_interface(interface=X509Backend)
+ class TestCertificatePolicies(object):
+ def test_invalid_policies(self):
+ pq = [u"string"]
+@@ -481,6 +482,24 @@ class TestCertificatePolicies(object):
+ assert cp[-1] == cp[4]
+ assert cp[2:6:2] == [cp[2], cp[4]]
+
++ def test_long_oid(self, backend):
++ """
++ Test that parsing a CertificatePolicies ext with
++ a very long OID succeeds.
++ """
++ here = os.path.dirname(os.path.abspath(__file__))
++ with open(os.path.join(here, "bigoid.pem"), 'rb') as f:
++ cert = x509.load_pem_x509_certificate(f.read(), backend)
++ ext = cert.extensions.get_extension_for_class(
++ x509.CertificatePolicies)
++
++ oid = x509.ObjectIdentifier(
++ "1.3.6.1.4.1.311.21.8.8950086.10656446.2706058"
++ ".12775672.480128.147.13466065.13029902"
++ )
++
++ assert ext.value[0].policy_identifier == oid
++
+
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+--
+2.13.5
+
diff --git a/SOURCES/python-cryptography-1.7.2-setup.patch b/SOURCES/python-cryptography-1.7.2-setup.patch
deleted file mode 100644
index a98902e..0000000
--- a/SOURCES/python-cryptography-1.7.2-setup.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff --git a/setup.py b/setup.py
---- a/setup.py
-+++ b/setup.py
-@@ -37,7 +37,7 @@ requirements = [
- "idna>=2.0",
- "pyasn1>=0.1.8",
- "six>=1.4.1",
-- "setuptools>=11.3",
-+ "setuptools",
- ]
- setup_requirements = []
-
-@@ -58,7 +58,7 @@
- setup_requirements.append("cffi>=1.4.1")
-
- test_requirements = [
-- "pytest>=2.9.0",
-+ "pytest",
- "pretend",
- "iso8601",
- "pyasn1_modules",
diff --git a/SOURCES/python-cryptography-1.7.2-test.patch b/SOURCES/python-cryptography-1.7.2-test.patch
deleted file mode 100644
index 0838882..0000000
--- a/SOURCES/python-cryptography-1.7.2-test.patch
+++ /dev/null
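Review bot: In `_obj2txt` the retry path trusts the second `OBJ_obj2txt` return value without relating it to the freshly sized buffer: `backend._ffi.buffer(buf, res)[:]` is sliced to `res`, and the only assertion afterward is `res > 0`. The call is deterministic for the same object, so a mismatch is unlikely, but tightening the existing line to `backend.openssl_assert(0 < res < buf_len)` makes the invariant explicit and turns any over-length result into an `InternalError` instead of a slice that may reach past the allocation (I have not checked how cffi bounds `ffi.buffer` on a sized `char[]`). Separately, the `test-vectors.rst` hunk lists `bigoid.pem` among the vectors-package files while the commit note says this backport ships it under `tests/`, so that docs entry no longer describes where this tree keeps the file.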
@@ -1,26 +0,0 @@
-diff -ur a/tests/test_x509_ext.py b/tests/test_x509_ext.py
---- a/tests/test_x509_ext.py
-+++ b/tests/test_x509_ext.py
-@@ -3003,7 +3003,8 @@
- with pytest.raises(ValueError):
- x509.DistributionPoint("data", "notname", None, None)
-
-- def test_relative_name_name_value_deprecated(self):
-+ def DISABLED_test_relative_name_name_value_deprecated(self):
-+ # pytest 2.7 does not support context manager for deprecated_call()
- with pytest.deprecated_call():
- x509.DistributionPoint(
- None,
-diff -ur a/tests/test_x509.py b/tests/test_x509.py
---- a/tests/test_x509.py
-+++ b/tests/test_x509.py
-@@ -527,7 +527,8 @@
- assert cert.serial == 2
- assert cert.serial_number == 2
-
-- def test_cert_serial_warning(self, backend):
-+ def DISABLED_test_cert_serial_warning(self, backend):
-+ # pytest 2.7 does not support context manager for deprecated_call()
- cert = _load_cert(
- os.path.join("x509", "PKITS_data", "certs", "GoodCACert.crt"),
- x509.load_der_x509_certificate,
diff --git a/SPECS/python-cryptography.spec b/SPECS/python-cryptography.spec
index b9c3bd6..9339fb8 100644
--- a/SPECS/python-cryptography.spec
+++ b/SPECS/python-cryptography.spec
@@ -7,22 +7,25 @@ Name: python-cryptography Version: 1.7.2 -Release: 1%{?dist} +Release: 1%{?dist}.1 Summary: PyCA's cryptography library Group: Development/Libraries License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ Source0: https://files.pythonhosted.org/packages/source/c/cryptography/cryptography-%{version}.tar.gz -Patch0: %{name}-1.7.2-setup.patch -Patch1: %{name}-1.7.2-test.patch +Patch0: 0001-Drop-minimal-setuptools-and-pytest-version-fron-setu.patch +Patch1: 0002-Disable-unsupported-tests.patch +Patch2: 0003-Refactor-binding-initialization-to-allow-specified-e.patch +Patch3: 0004-Enlarge-_oid2txt-buffer-to-handle-larger-OIDs-3612.patch -# This package needs four brew build overrides for RHEL in prder to provide +# This package needs four brew build overrides for RHEL in order to provide # build and test dependencies: # python-pretend # python-hypothesis # python-iso8601 # python-cryptography-vectors +# brew tag-build rhel-7.5-temp-override python-pretend-1.0.8-2.el7 python-hypothesis-3.1.3-1.el7 python-iso8601-0.1.11-2.el7 python-cryptography-vectors-1.7.2-1.el7 BuildRequires: openssl-devel @@ -160,6 +163,10 @@ popd %changelog +* Mon Aug 14 2017 Christian Heimes - 1.7.2-1.1 +- Ignore errors on OpenSSL's error stack when initializing, fixes RHBZ#1485896 +- Fix parsing of long OIDs, fixes RHBZ#1485898 + * Tue Feb 14 2017 Christian Heimes - 1.7.2-1 - Update to 1.7.2 - Disable pytest.deprecated_call() tests
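Review bot: `Patch2` and `Patch3` are declared in the first hunk, but no `%prep` change is visible in this diff applying them; unless `%prep` uses `%autosetup` (or another form that applies every declared patch), the build will keep applying only `%patch0`/`%patch1` and silently ship without the error-queue and long-OID fixes the new changelog entry announces. The `%prep` section falls between the two hunks shown, so I cannot confirm either way from here; please check that `%patch2 -p1` and `%patch3 -p1` (or the equivalent) are present. The changelog cites RHBZ#1485896 and RHBZ#1485898 while the embedded patch headers cite RHBZ #1402235 and #1455755; if those are clone bugs that is fine, otherwise one set of references is stale.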