diff --git a/.gitignore b/.gitignore
index 7063429..617462f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/cryptography-2.3.tar.gz
+SOURCES/cryptography-3.2.1.tar.gz
diff --git a/.python-cryptography.metadata b/.python-cryptography.metadata
index cc83427..5035b80 100644
--- a/.python-cryptography.metadata
+++ b/.python-cryptography.metadata
@@ -1 +1 @@
-2bb0184cab9ac1f78e011d243fbcb039028e79e6 SOURCES/cryptography-2.3.tar.gz
+20708a4955dcf7e2bb53d05418273d2bc0f80ab4 SOURCES/cryptography-3.2.1.tar.gz
diff --git a/SOURCES/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch b/SOURCES/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
deleted file mode 100644
index 288d3fb..0000000
--- a/SOURCES/0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -From 2716cd2fa55cc867656a3e797797f5a1386afd69 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Sun, 12 Aug 2018 15:48:24 -0400 -Subject: [PATCH] Fixed #4380 -- do not assume TLSv1 is available in OpenSSL - (#4389) - -* Fixed #4380 -- do not assume TLSv1 is available in OpenSSL - -Hallelujah! It's starting to become the case that some OpenSSLs are disabling it. - -* cover this file as well ---- - tests/hazmat/backends/test_openssl.py | 2 +- - tests/hazmat/bindings/test_openssl.py | 9 ++++++--- - 2 files changed, 7 insertions(+), 4 deletions(-) - -diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py -index 31b34cd0..e77f5dc3 100644 ---- a/tests/hazmat/backends/test_openssl.py -+++ b/tests/hazmat/backends/test_openssl.py -@@ -115,7 +115,7 @@ class TestOpenSSL(object): - assert len(errors) == 10 - - def test_ssl_ciphers_registered(self): -- meth = backend._lib.TLSv1_method() -+ meth = backend._lib.SSLv23_method() - ctx = backend._lib.SSL_CTX_new(meth) - assert ctx != backend._ffi.NULL - backend._lib.SSL_CTX_free(ctx) -diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py -index 488f64e1..f317f07f 100644 ---- a/tests/hazmat/bindings/test_openssl.py -+++ b/tests/hazmat/bindings/test_openssl.py -@@ -37,7 +37,8 @@ class TestOpenSSL(object): - # Test that we're properly handling 32-bit unsigned on all platforms. - b = Binding() - assert b.lib.SSL_OP_ALL > 0 -- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method()) -+ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method()) -+ assert ctx != b.ffi.NULL - ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) - current_options = b.lib.SSL_CTX_get_options(ctx) - resp = b.lib.SSL_CTX_set_options(ctx, b.lib.SSL_OP_ALL) -@@ -49,7 +50,8 @@ class TestOpenSSL(object): - # Test that we're properly handling 32-bit unsigned on all platforms. 
- b = Binding() - assert b.lib.SSL_OP_ALL > 0 -- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method()) -+ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method()) -+ assert ctx != b.ffi.NULL - ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) - ssl = b.lib.SSL_new(ctx) - ssl = b.ffi.gc(ssl, b.lib.SSL_free) -@@ -63,7 +65,8 @@ class TestOpenSSL(object): - # Test that we're properly handling 32-bit unsigned on all platforms. - b = Binding() - assert b.lib.SSL_OP_ALL > 0 -- ctx = b.lib.SSL_CTX_new(b.lib.TLSv1_method()) -+ ctx = b.lib.SSL_CTX_new(b.lib.SSLv23_method()) -+ assert ctx != b.ffi.NULL - ctx = b.ffi.gc(ctx, b.lib.SSL_CTX_free) - ssl = b.lib.SSL_new(ctx) - ssl = b.ffi.gc(ssl, b.lib.SSL_free) --- -2.17.1 - diff --git a/SOURCES/0001-Re-add-deprecated-and-removed-features.patch b/SOURCES/0001-Re-add-deprecated-and-removed-features.patch new file mode 100644 index 0000000..149b43e --- /dev/null +++ b/SOURCES/0001-Re-add-deprecated-and-removed-features.patch 
@@ -0,0 +1,254 @@ +From e3e043ab363387033ddfdcaf3c15d8cf8dda17ed Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Tue, 27 Oct 2020 16:42:15 +0100 +Subject: [PATCH 1] Re-add deprecated and removed features + +* encode_rfc6979_signature() +* decode_rfc6979_signature() +* Certificate.serial property +* MACContext +* osrandom engine is disabled + +Signed-off-by: Christian Heimes +--- + .../hazmat/backends/openssl/cmac.py | 3 +- + .../hazmat/backends/openssl/hmac.py | 3 +- + .../hazmat/backends/openssl/x509.py | 4 ++ + .../hazmat/primitives/asymmetric/utils.py | 8 ++++ + src/cryptography/hazmat/primitives/cmac.py | 3 +- + src/cryptography/hazmat/primitives/hmac.py | 3 +- + src/cryptography/hazmat/primitives/mac.py | 37 +++++++++++++++++++ + src/cryptography/x509/extensions.py | 6 ++- + tests/hazmat/backends/test_openssl.py | 3 ++ + tests/hazmat/primitives/test_asym_utils.py | 9 +++++ + tests/x509/test_x509.py | 1 + + tests/x509/test_x509_ext.py | 5 +++ + 12 files changed, 80 insertions(+), 5 deletions(-) + create mode 100644 src/cryptography/hazmat/primitives/mac.py + +diff --git a/src/cryptography/hazmat/backends/openssl/cmac.py b/src/cryptography/hazmat/backends/openssl/cmac.py +index 195fc230f..5281f634d 100644 +--- a/src/cryptography/hazmat/backends/openssl/cmac.py ++++ b/src/cryptography/hazmat/backends/openssl/cmac.py +@@ -11,10 +11,11 @@ from cryptography.exceptions import ( + UnsupportedAlgorithm, + _Reasons, + ) +-from cryptography.hazmat.primitives import constant_time ++from cryptography.hazmat.primitives import constant_time, mac + from cryptography.hazmat.primitives.ciphers.modes import CBC + + ++@utils.register_interface(mac.MACContext) + class _CMACContext(object): + def __init__(self, backend, algorithm, ctx=None): + if not backend.cmac_algorithm_supported(algorithm): +diff --git a/src/cryptography/hazmat/backends/openssl/hmac.py b/src/cryptography/hazmat/backends/openssl/hmac.py +index 5024223b2..11c850e10 100644 +--- 
a/src/cryptography/hazmat/backends/openssl/hmac.py ++++ b/src/cryptography/hazmat/backends/openssl/hmac.py +@@ -11,9 +11,10 @@ from cryptography.exceptions import ( + UnsupportedAlgorithm, + _Reasons, + ) +-from cryptography.hazmat.primitives import constant_time, hashes ++from cryptography.hazmat.primitives import constant_time, hashes, mac + + ++@utils.register_interface(mac.MACContext) + @utils.register_interface(hashes.HashContext) + class _HMACContext(object): + def __init__(self, backend, key, algorithm, ctx=None): +diff --git a/src/cryptography/hazmat/backends/openssl/x509.py b/src/cryptography/hazmat/backends/openssl/x509.py +index 4d0dac764..c9074f59e 100644 +--- a/src/cryptography/hazmat/backends/openssl/x509.py ++++ b/src/cryptography/hazmat/backends/openssl/x509.py +@@ -73,6 +73,10 @@ class _Certificate(object): + self._backend.openssl_assert(asn1_int != self._backend._ffi.NULL) + return _asn1_integer_to_int(self._backend, asn1_int) + ++ @property ++ def serial(self): ++ return self.serial_number ++ + def public_key(self): + pkey = self._backend._lib.X509_get_pubkey(self._x509) + if pkey == self._backend._ffi.NULL: +diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py +index 5f9b67786..886d7565b 100644 +--- a/src/cryptography/hazmat/primitives/asymmetric/utils.py ++++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py +@@ -39,3 +39,11 @@ class Prehashed(object): + self._digest_size = algorithm.digest_size + + digest_size = utils.read_only_property("_digest_size") ++ ++ ++def decode_rfc6979_signature(signature): ++ return decode_dss_signature(signature) ++ ++ ++def encode_rfc6979_signature(r, s): ++ return encode_dss_signature(r, s) +diff --git a/src/cryptography/hazmat/primitives/cmac.py b/src/cryptography/hazmat/primitives/cmac.py +index bf962c906..7f37f13cc 100644 +--- a/src/cryptography/hazmat/primitives/cmac.py ++++ b/src/cryptography/hazmat/primitives/cmac.py +@@ -12,9 
+12,10 @@ from cryptography.exceptions import ( + ) + from cryptography.hazmat.backends import _get_backend + from cryptography.hazmat.backends.interfaces import CMACBackend +-from cryptography.hazmat.primitives import ciphers ++from cryptography.hazmat.primitives import ciphers, mac + + ++@utils.register_interface(mac.MACContext) + class CMAC(object): + def __init__(self, algorithm, backend=None, ctx=None): + backend = _get_backend(backend) +diff --git a/src/cryptography/hazmat/primitives/hmac.py b/src/cryptography/hazmat/primitives/hmac.py +index 8c421dc68..6f03a1071 100644 +--- a/src/cryptography/hazmat/primitives/hmac.py ++++ b/src/cryptography/hazmat/primitives/hmac.py +@@ -12,9 +12,10 @@ from cryptography.exceptions import ( + ) + from cryptography.hazmat.backends import _get_backend + from cryptography.hazmat.backends.interfaces import HMACBackend +-from cryptography.hazmat.primitives import hashes ++from cryptography.hazmat.primitives import hashes, mac + + ++@utils.register_interface(mac.MACContext) + @utils.register_interface(hashes.HashContext) + class HMAC(object): + def __init__(self, key, algorithm, backend=None, ctx=None): +diff --git a/src/cryptography/hazmat/primitives/mac.py b/src/cryptography/hazmat/primitives/mac.py +new file mode 100644 +index 000000000..4c95190ba +--- /dev/null ++++ b/src/cryptography/hazmat/primitives/mac.py +@@ -0,0 +1,37 @@ ++# This file is dual licensed under the terms of the Apache License, Version ++# 2.0, and the BSD License. See the LICENSE file in the root of this repository ++# for complete details. ++ ++from __future__ import absolute_import, division, print_function ++ ++import abc ++ ++import six ++ ++ ++@six.add_metaclass(abc.ABCMeta) ++class MACContext(object): ++ @abc.abstractmethod ++ def update(self, data): ++ """ ++ Processes the provided bytes. ++ """ ++ ++ @abc.abstractmethod ++ def finalize(self): ++ """ ++ Returns the message authentication code as bytes. 
++ """ ++ ++ @abc.abstractmethod ++ def copy(self): ++ """ ++ Return a MACContext that is a copy of the current context. ++ """ ++ ++ @abc.abstractmethod ++ def verify(self, signature): ++ """ ++ Checks if the generated message authentication code matches the ++ signature. ++ """ +diff --git a/src/cryptography/x509/extensions.py b/src/cryptography/x509/extensions.py +index 130ba69b8..ddbccdf3b 100644 +--- a/src/cryptography/x509/extensions.py ++++ b/src/cryptography/x509/extensions.py +@@ -218,8 +218,12 @@ class AuthorityKeyIdentifier(object): + + @classmethod + def from_issuer_subject_key_identifier(cls, ski): ++ if isinstance(ski, SubjectKeyIdentifier): ++ digest = ski.digest ++ else: ++ digest = ski.value.digest + return cls( +- key_identifier=ski.digest, ++ key_identifier=digest, + authority_cert_issuer=None, + authority_cert_serial_number=None, + ) +diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py +index 2f7e7bebf..73c17d84f 100644 +--- a/tests/hazmat/backends/test_openssl.py ++++ b/tests/hazmat/backends/test_openssl.py +@@ -301,6 +301,9 @@ class TestOpenSSLRandomEngine(object): + res = backend._lib.ENGINE_free(e) + assert res == 1 + ++ def test_rhel8_no_osrandom(self): ++ pytest.fail("osrandom engine is not FIPS compliant, see RHBZ#1762667") ++ + + @pytest.mark.skipif( + backend._lib.CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE, +diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py +index 70bff012f..334b459b5 100644 +--- a/tests/hazmat/primitives/test_asym_utils.py ++++ b/tests/hazmat/primitives/test_asym_utils.py +@@ -10,6 +10,8 @@ from cryptography.hazmat.primitives.asymmetric.utils import ( + Prehashed, + decode_dss_signature, + encode_dss_signature, ++ encode_rfc6979_signature, ++ decode_rfc6979_signature + ) + + +@@ -75,3 +77,10 @@ def test_decode_dss_invalid_asn1(): + def test_pass_invalid_prehashed_arg(): + with pytest.raises(TypeError): + Prehashed(object()) ++ ++ ++def 
test_deprecated_rfc6979_signature(): ++ sig = encode_rfc6979_signature(1, 1) ++ assert sig == b"0\x06\x02\x01\x01\x02\x01\x01" ++ decoded = decode_rfc6979_signature(sig) ++ assert decoded == (1, 1) +diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py +index 11c80816c..e5bdf17d4 100644 +--- a/tests/x509/test_x509.py ++++ b/tests/x509/test_x509.py +@@ -685,6 +685,7 @@ class TestRSACertificate(object): + ) + assert isinstance(cert, x509.Certificate) + assert cert.serial_number == 11559813051657483483 ++ assert cert.serial == cert.serial_number + fingerprint = binascii.hexlify(cert.fingerprint(hashes.SHA1())) + assert fingerprint == b"2b619ed04bfc9c3b08eb677d272192286a0947a8" + assert isinstance(cert.signature_hash_algorithm, hashes.SHA1) +diff --git a/tests/x509/test_x509_ext.py b/tests/x509/test_x509_ext.py +index 2cd216fb6..ac2b2c03d 100644 +--- a/tests/x509/test_x509_ext.py ++++ b/tests/x509/test_x509_ext.py +@@ -3442,6 +3442,11 @@ class TestAuthorityKeyIdentifierExtension(object): + ) + assert ext.value == aki + ++ aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier( ++ ski_ext ++ ) ++ assert ext.value == aki ++ + + class TestNameConstraints(object): + def test_ipaddress_wrong_type(self): +-- +2.26.2 + diff --git a/SOURCES/0002-FIPS-Dont-active-osrandom-engine.patch b/SOURCES/0002-FIPS-Dont-active-osrandom-engine.patch deleted file mode 100644 index 9c31191..0000000 --- a/SOURCES/0002-FIPS-Dont-active-osrandom-engine.patch +++ /dev/null 
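Review bot: `test_rhel8_no_osrandom` calls `pytest.fail(...)` unconditionally, so the suite only passes when `TestOpenSSLRandomEngine` is skipped as a whole; the `skipif` on `CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE` visible at the end of that hunk belongs to the next class, and the condition gating this class is outside the hunk, so the intent needs a comment next to the test, e.g. `# Tripwire: this class only runs when OpenSSL still needs the osrandom engine, which must not be activated on RHEL 8 (FIPS) -- fail loudly rather than use it.` The patch description states "osrandom engine is disabled", but no `backend.py` change is in the patch, so whether the engine is activated depends on the upstream condition rather than on this patch; the description should say that. The re-added `Certificate.serial`, `encode_rfc6979_signature` and `decode_rfc6979_signature` are plain aliases with no `DeprecationWarning`, so callers get no signal to move to `serial_number` / `*_dss_signature` before the next rebase drops them again; a `warnings.warn(..., DeprecationWarning)` in each would preserve upstream's deprecation cycle. In `from_issuer_subject_key_identifier` the `else` branch assumes anything that is not a `SubjectKeyIdentifier` is an extension wrapping one, so a wrong argument surfaces as an `AttributeError` on `.value` rather than a `TypeError` naming the accepted types.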
@@ -1,168 +0,0 @@ -From 95e7c4731b797e96c27c97420039f2979fa48041 Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Tue, 12 Nov 2019 10:56:08 +0100 -Subject: [PATCH] FIPS: Don't active osrandom engine - -Resolves: rhbz#1762667 ---- - .../hazmat/backends/openssl/backend.py | 12 +-- - tests/hazmat/backends/test_openssl.py | 94 +------------------ - 2 files changed, 6 insertions(+), 100 deletions(-) - -diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py -index af14bfaae..c0a02d10d 100644 ---- a/src/cryptography/hazmat/backends/openssl/backend.py -+++ b/src/cryptography/hazmat/backends/openssl/backend.py -@@ -96,7 +96,7 @@ class Backend(object): - - self._cipher_registry = {} - self._register_default_ciphers() -- self.activate_osrandom_engine() -+ # self.activate_osrandom_engine() - self._dh_types = [self._lib.EVP_PKEY_DH] - if self._lib.Cryptography_HAS_EVP_PKEY_DHX: - self._dh_types.append(self._lib.EVP_PKEY_DHX) -@@ -136,14 +136,8 @@ class Backend(object): - self.openssl_assert(res == 1) - - def activate_osrandom_engine(self): -- # Unregister and free the current engine. -- self.activate_builtin_random() -- with self._get_osurandom_engine() as e: -- # Set the engine as the default RAND provider. -- res = self._lib.ENGINE_set_default_RAND(e) -- self.openssl_assert(res == 1) -- # Reset the RNG to use the new engine. -- self._lib.RAND_cleanup() -+ # osrandom engine is not enabled for FIPS compliance -+ pass - - def osrandom_engine_implementation(self): - buf = self._ffi.new("char[]", 64) -diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py -index 31b34cd06..bcd26b615 100644 ---- a/tests/hazmat/backends/test_openssl.py -+++ b/tests/hazmat/backends/test_openssl.py -@@ -171,63 +171,6 @@ class TestOpenSSL(object): - - - class TestOpenSSLRandomEngine(object): -- def setup(self): -- # The default RAND engine is global and shared between -- # tests. 
We make sure that the default engine is osrandom -- # before we start each test and restore the global state to -- # that engine in teardown. -- current_default = backend._lib.ENGINE_get_default_RAND() -- name = backend._lib.ENGINE_get_name(current_default) -- assert name == backend._binding._osrandom_engine_name -- -- def teardown(self): -- # we need to reset state to being default. backend is a shared global -- # for all these tests. -- backend.activate_osrandom_engine() -- current_default = backend._lib.ENGINE_get_default_RAND() -- name = backend._lib.ENGINE_get_name(current_default) -- assert name == backend._binding._osrandom_engine_name -- -- @pytest.mark.skipif(sys.executable is None, -- reason="No Python interpreter available.") -- def test_osrandom_engine_is_default(self, tmpdir): -- engine_printer = textwrap.dedent( -- """ -- import sys -- from cryptography.hazmat.backends.openssl.backend import backend -- -- e = backend._lib.ENGINE_get_default_RAND() -- name = backend._lib.ENGINE_get_name(e) -- sys.stdout.write(backend._ffi.string(name).decode('ascii')) -- res = backend._lib.ENGINE_free(e) -- assert res == 1 -- """ -- ) -- engine_name = tmpdir.join('engine_name') -- -- # If we're running tests via ``python setup.py test`` in a clean -- # environment then all of our dependencies are going to be installed -- # into either the current directory or the .eggs directory. However the -- # subprocess won't know to activate these dependencies, so we'll get it -- # to do so by passing our entire sys.path into the subprocess via the -- # PYTHONPATH environment variable. 
-- env = os.environ.copy() -- env["PYTHONPATH"] = os.pathsep.join(sys.path) -- -- with engine_name.open('w') as out: -- subprocess.check_call( -- [sys.executable, "-c", engine_printer], -- env=env, -- stdout=out, -- stderr=subprocess.PIPE, -- ) -- -- osrandom_engine_name = backend._ffi.string( -- backend._binding._osrandom_engine_name -- ) -- -- assert engine_name.read().encode('ascii') == osrandom_engine_name -- - def test_osrandom_sanity_check(self): - # This test serves as a check against catastrophic failure. - buf = backend._ffi.new("unsigned char[]", 500) -@@ -235,32 +178,14 @@ class TestOpenSSLRandomEngine(object): - assert res == 1 - assert backend._ffi.buffer(buf)[:] != "\x00" * 500 - -- def test_activate_osrandom_no_default(self): -- backend.activate_builtin_random() -+ def test_osrandom_noop(self): - e = backend._lib.ENGINE_get_default_RAND() - assert e == backend._ffi.NULL -+ # noop - backend.activate_osrandom_engine() - e = backend._lib.ENGINE_get_default_RAND() -- name = backend._lib.ENGINE_get_name(e) -- assert name == backend._binding._osrandom_engine_name -- res = backend._lib.ENGINE_free(e) -- assert res == 1 -- -- def test_activate_builtin_random(self): -- e = backend._lib.ENGINE_get_default_RAND() -- assert e != backend._ffi.NULL -- name = backend._lib.ENGINE_get_name(e) -- assert name == backend._binding._osrandom_engine_name -- res = backend._lib.ENGINE_free(e) -- assert res == 1 -- backend.activate_builtin_random() -- e = backend._lib.ENGINE_get_default_RAND() -- assert e == backend._ffi.NULL -- -- def test_activate_builtin_random_already_active(self): -- backend.activate_builtin_random() -- e = backend._lib.ENGINE_get_default_RAND() - assert e == backend._ffi.NULL -+ # noop - backend.activate_builtin_random() - e = backend._lib.ENGINE_get_default_RAND() - assert e == backend._ffi.NULL -@@ -282,19 +207,6 @@ class TestOpenSSLRandomEngine(object): - if sys.platform == 'win32': - assert name == 'CryptGenRandom' - -- def 
test_activate_osrandom_already_default(self): -- e = backend._lib.ENGINE_get_default_RAND() -- name = backend._lib.ENGINE_get_name(e) -- assert name == backend._binding._osrandom_engine_name -- res = backend._lib.ENGINE_free(e) -- assert res == 1 -- backend.activate_osrandom_engine() -- e = backend._lib.ENGINE_get_default_RAND() -- name = backend._lib.ENGINE_get_name(e) -- assert name == backend._binding._osrandom_engine_name -- res = backend._lib.ENGINE_free(e) -- assert res == 1 -- - - class TestOpenSSLRSA(object): - def test_generate_rsa_parameters_supported(self): --- -2.23.0 - diff --git a/SOURCES/0002-Support-pytest-3.4.2.patch b/SOURCES/0002-Support-pytest-3.4.2.patch new file mode 100644 index 0000000..66c1344 --- /dev/null +++ b/SOURCES/0002-Support-pytest-3.4.2.patch 
@@ -0,0 +1,86 @@ +From c1c1b14d359b1360e7d14a7c0687bef9ed6fc17c Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Wed, 28 Oct 2020 14:27:55 +0100 +Subject: [PATCH 2] Support pytest 3.4.2 + +--- + setup.py | 3 ++- + tests/conftest.py | 4 ++-- + tests/test_utils.py | 4 ++-- + tests/utils.py | 2 +- + 4 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/setup.py b/setup.py +index 82800a96e..5678db004 100644 +--- a/setup.py ++++ b/setup.py +@@ -93,7 +93,8 @@ setup( + extras_require={ + ":python_version < '3'": ["enum34", "ipaddress"], + "test": [ +- "pytest>=3.6.0,!=3.9.0,!=3.9.1,!=3.9.2", ++ "pytest>=3.4.2,<3.6", ++ "attrs>=17.4.0,<18.0", + "pretend", + "iso8601", + "pytz", +diff --git a/tests/conftest.py b/tests/conftest.py +index 4e3124fa7..53c194830 100644 +--- a/tests/conftest.py ++++ b/tests/conftest.py +@@ -42,7 +42,7 @@ def pytest_generate_tests(metafunc): + + def pytest_runtest_setup(item): + if openssl_backend._fips_enabled: +- for marker in item.iter_markers(name="skip_fips"): ++ for marker in item.get_marker(name="skip_fips") or []: + pytest.skip(marker.kwargs["reason"]) + + +@@ -50,7 +50,7 @@ def pytest_runtest_setup(item): + def backend(request): + required_interfaces = [ + mark.kwargs["interface"] +- for mark in request.node.iter_markers("requires_backend_interface") ++ for mark in request.node.get_marker("requires_backend_interface") or [] + ] + if not all( + isinstance(openssl_backend, iface) for iface in required_interfaces +diff --git a/tests/test_utils.py b/tests/test_utils.py +index d6afa3b34..e0a1be4f5 100644 +--- a/tests/test_utils.py ++++ b/tests/test_utils.py +@@ -43,7 +43,7 @@ def test_check_backend_support_skip(): + supported = pretend.stub( + kwargs={"only_if": lambda backend: False, "skip_message": "Nope"} + ) +- node = pretend.stub(iter_markers=lambda x: [supported]) ++ node = pretend.stub(get_marker=lambda x: [supported]) + item = pretend.stub(node=node) + with pytest.raises(pytest.skip.Exception) as exc_info: + 
check_backend_support(True, item) +@@ -54,7 +54,7 @@ def test_check_backend_support_no_skip(): + supported = pretend.stub( + kwargs={"only_if": lambda backend: True, "skip_message": "Nope"} + ) +- node = pretend.stub(iter_markers=lambda x: [supported]) ++ node = pretend.stub(get_marker=lambda x: [supported]) + item = pretend.stub(node=node) + assert check_backend_support(None, item) is None + +diff --git a/tests/utils.py b/tests/utils.py +index 5d98af00e..a08f79c34 100644 +--- a/tests/utils.py ++++ b/tests/utils.py +@@ -27,7 +27,7 @@ KeyedHashVector = collections.namedtuple( + + + def check_backend_support(backend, item): +- for mark in item.node.iter_markers("supported"): ++ for mark in item.node.get_marker("supported") or []: + if not mark.kwargs["only_if"](backend): + pytest.skip("{} ({})".format(mark.kwargs["skip_message"], backend)) + +-- +2.26.2 + diff --git a/SOURCES/0003-Skip-iso8601-test-cases.patch b/SOURCES/0003-Skip-iso8601-test-cases.patch new file mode 100644 index 0000000..0131af2 --- /dev/null +++ b/SOURCES/0003-Skip-iso8601-test-cases.patch 
@@ -0,0 +1,73 @@ +From bea141d25bd2bc4eea7527e2d6ec1d85b2b3806d Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Thu, 29 Oct 2020 09:21:06 +0100 +Subject: [PATCH 3] Skip iso8601 test cases + +--- + tests/test_fernet.py | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/tests/test_fernet.py b/tests/test_fernet.py +index 38409b03e..343f3e4ec 100644 +--- a/tests/test_fernet.py ++++ b/tests/test_fernet.py +@@ -10,7 +10,10 @@ import json + import os + import time + +-import iso8601 ++try: ++ import iso8601 ++except ImportError: ++ iso8601 = None + + import pytest + +@@ -24,6 +27,12 @@ from cryptography.hazmat.primitives.ciphers import algorithms, modes + import cryptography_vectors + + ++skip_iso8601 = pytest.mark.skipif( ++ iso8601 is None, ++ reason="is8601 is not available" ++) ++ ++ + def json_parametrize(keys, filename): + vector_file = cryptography_vectors.open_vector_file( + os.path.join("fernet", filename), "r" +@@ -49,6 +58,7 @@ def test_default_backend(): + skip_message="Does not support AES CBC", + ) + class TestFernet(object): ++ @skip_iso8601 + @json_parametrize( + ("secret", "now", "iv", "src", "token"), + "generate.json", +@@ -62,6 +72,7 @@ class TestFernet(object): + ) + assert actual_token == token.encode("ascii") + ++ @skip_iso8601 + @json_parametrize( + ("secret", "now", "src", "ttl_sec", "token"), + "verify.json", +@@ -81,6 +92,7 @@ class TestFernet(object): + payload = f.decrypt(token.encode("ascii"), ttl=ttl_sec) + assert payload == src.encode("ascii") + ++ @skip_iso8601 + @json_parametrize(("secret", "token", "now", "ttl_sec"), "invalid.json") + def test_invalid(self, secret, token, now, ttl_sec, backend, monkeypatch): + f = Fernet(secret.encode("ascii"), backend=backend) +@@ -117,6 +129,7 @@ class TestFernet(object): + with pytest.raises(TypeError): + f.decrypt(u"") + ++ @skip_iso8601 + def test_timestamp_ignored_no_ttl(self, monkeypatch, backend): + f = Fernet(base64.urlsafe_b64encode(b"\x00" * 32), 
backend=backend) + pt = b"encrypt me" +-- +2.26.2 + diff --git a/SOURCES/0004-Revert-remove-NPN-bindings.patch b/SOURCES/0004-Revert-remove-NPN-bindings.patch new file mode 100644 index 0000000..8a1c31a --- /dev/null +++ b/SOURCES/0004-Revert-remove-NPN-bindings.patch 
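Review bot: The skip reason on the new `skip_iso8601` marker misspells the module, `reason="is8601 is not available"`; it should read `reason="iso8601 is not available"`. The tests the marker is applied to (the ones parametrized from `generate.json` and `verify.json`, plus `test_invalid` and `test_timestamp_ignored_no_ttl`) are the vector-driven Fernet encrypt/decrypt/TTL checks, and the spec in this same commit comments out the iso8601 BuildRequires, so the package is built without exercising those vectors. If that is accepted, the patch description should say so; otherwise, if the vector timestamps use one fixed format, a small stdlib fallback with `datetime.datetime.strptime` in place of `iso8601.parse_date` would let them run in the build.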
@@ -0,0 +1,75 @@ +From e8ed37e0d24a1cc7482ab816ed5f25243395b2ef Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Mon, 14 Dec 2020 14:13:53 +0100 +Subject: [PATCH] Revert "remove NPN bindings -- you should be using ALPN! + (#4765)" + +This reverts commit 99bf4e4605cbe54bad597da1ebe4cc323909083c. +--- + src/_cffi_src/openssl/ssl.py | 20 +++++++++++++++++++- + tests/hazmat/bindings/test_openssl.py | 4 ++++ + 2 files changed, 23 insertions(+), 1 deletion(-) + +diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py +index c38e309a1..fa854f5dd 100644 +--- a/src/_cffi_src/openssl/ssl.py ++++ b/src/_cffi_src/openssl/ssl.py +@@ -138,6 +138,8 @@ static const long SSL3_RANDOM_SIZE; + static const long TLS_ST_BEFORE; + static const long TLS_ST_OK; + ++static const long OPENSSL_NPN_NEGOTIATED; ++ + typedef ... SSL_METHOD; + typedef ... SSL_CTX; + +@@ -401,9 +403,25 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *); + + long SSL_session_reused(SSL *); + ++void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *, ++ int (*)(SSL *, ++ const unsigned char **, ++ unsigned int *, ++ void *), ++ void *); ++void SSL_CTX_set_next_proto_select_cb(SSL_CTX *, ++ int (*)(SSL *, ++ unsigned char **, ++ unsigned char *, ++ const unsigned char *, ++ unsigned int, ++ void *), ++ void *); + int SSL_select_next_proto(unsigned char **, unsigned char *, + const unsigned char *, unsigned int, + const unsigned char *, unsigned int); ++void SSL_get0_next_proto_negotiated(const SSL *, ++ const unsigned char **, unsigned *); + + int sk_SSL_CIPHER_num(Cryptography_STACK_OF_SSL_CIPHER *); + const SSL_CIPHER *sk_SSL_CIPHER_value(Cryptography_STACK_OF_SSL_CIPHER *, int); +@@ -601,7 +619,7 @@ static const long Cryptography_HAS_TLSv1_2 = 1; + static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1; + static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1; + static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1; +-static const long 
Cryptography_HAS_NEXTPROTONEG = 0;
++static const long Cryptography_HAS_NEXTPROTONEG = 1;
+ static const long Cryptography_HAS_ALPN = 1;
+
+ #if CRYPTOGRAPHY_IS_LIBRESSL
+diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
+index ecee34091..aeb12a0dc 100644
+--- a/tests/hazmat/bindings/test_openssl.py
++++ b/tests/hazmat/bindings/test_openssl.py
+@@ -137,3 +137,7 @@ class TestOpenSSL(object):
+ )
+ with pytest.raises(RuntimeError):
+ _verify_openssl_version(lib)
++
++ def test_npn_binding(self):
++ b = Binding()
++ assert b.lib.Cryptography_HAS_NEXTPROTONEG
+--
+2.29.2
+
diff --git a/SOURCES/0005-CVE-2020-36242.patch b/SOURCES/0005-CVE-2020-36242.patch
new file mode 100644
index 0000000..1f2f9c5
--- /dev/null
+++ b/SOURCES/0005-CVE-2020-36242.patch
@@ -0,0 +1,18 @@
+From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001
+From: Paul Kehrer
+Date: Sun, 7 Feb 2021 11:04:43 -0600
+Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index 2b10681b31..0f96795fdc 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -16,7 +16,7 @@
+ class _CipherContext(object):
+ _ENCRYPT = 1
+ _DECRYPT = 0
+- _MAX_CHUNK_SIZE = 2 ** 31 - 1
++ _MAX_CHUNK_SIZE = 2 ** 30 - 1
+
+ def __init__(self, backend, cipher, mode, operation):
+ self._backend = backend
diff --git a/SPECS/python-cryptography.spec b/SPECS/python-cryptography.spec
index 6f7fafb..9d174da 100644
--- a/SPECS/python-cryptography.spec
+++ b/SPECS/python-cryptography.spec
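Review bot: The restored NPN bindings are unconditional: `Cryptography_HAS_NEXTPROTONEG` is hard-set to `1` at the changed line, and the `OPENSSL_NPN_NEGOTIATED` constant and the `SSL_CTX_set_next_protos_advertised_cb` / `SSL_CTX_set_next_proto_select_cb` / `SSL_get0_next_proto_negotiated` declarations sit in the unguarded declaration blocks, so an OpenSSL built with `OPENSSL_NO_NEXTPROTONEG` would presumably fail to compile or load the cffi module. If the patch is meant only for the RHEL OpenSSL, that assumption belongs in the patch description; otherwise the declarations need a customization under `#ifdef OPENSSL_NO_NEXTPROTONEG` that sets the flag to 0 and nulls the functions, in the style of the `#if CRYPTOGRAPHY_IS_LIBRESSL` block visible at the end of the hunk. `test_npn_binding` only asserts the flag is truthy, which under a hard-coded `1` cannot fail, so it does not verify that the symbols actually resolved. NPN has been superseded by ALPN and the changelog ties the revert to pyOpenSSL; a comment at the flag line naming that consumer would keep the next rebase from dropping it without notice.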
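Review bot: The only change is the constant, and nothing at the site says why `2 ** 30 - 1` is safe where `2 ** 31 - 1` was not, so a later reader cannot tell whether it may be raised again; a comment such as `# Stay well below INT_MAX: the output buffer for one EVP_CipherUpdate call is this many bytes plus a cipher block, and its length travels through a C int (CVE-2020-36242)` would pin the invariant, with the chunking loop that enforces it living in `update_into`, outside the hunk (the "plus a cipher block" part is my reading of upstream and should be confirmed against that loop). The patch subject says "port changelog and fix", but only the `ciphers.py` hunk is carried and there is no diffstat, so the file as shipped does not match its header; either trim the subject to the fix or keep the upstream CHANGELOG hunk so the provenance of a CVE backport stays clear. No regression test accompanies the change; a direct one needs more than 2 GB of input, so at minimum the spec changelog entry should be the documented link between the constant and the CVE.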
@@ -1,24 +1,10 @@ -%if 0%{?fedora} || 0%{?rhel} > 7 -# Enable python3 build by default -%bcond_without python3 -%else -%bcond_with python3 -%endif - -%if 0%{?rhel} > 7 -# Disable python2 build by default -%bcond_with python2 -%else -%bcond_without python2 -%endif - %{!?python3_pkgversion:%global python3_pkgversion 3} %global srcname cryptography Name: python-%{srcname} -Version: 2.3 -Release: 3%{?dist} +Version: 3.2.1 +Release: 4%{?dist} Summary: PyCA's cryptography library Group: Development/Libraries 
@@ -26,142 +12,95 @@ License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ Source0: https://pypi.io/packages/source/c/%{srcname}/%{srcname}-%{version}.tar.gz -Patch0001: 0001-Fixed-4380-do-not-assume-TLSv1-is-available-in-OpenS.patch -Patch0002: 0002-FIPS-Dont-active-osrandom-engine.patch +Patch0001: 0001-Re-add-deprecated-and-removed-features.patch +Patch0002: 0002-Support-pytest-3.4.2.patch +Patch0003: 0003-Skip-iso8601-test-cases.patch +Patch0004: 0004-Revert-remove-NPN-bindings.patch +Patch0005: 0005-CVE-2020-36242.patch BuildRequires: openssl-devel BuildRequires: gcc -%if 0%{?with_python2} -BuildRequires: python2-devel -BuildRequires: python2-pytest >= 3.2.1 -BuildRequires: python2-setuptools -BuildRequires: python2-pretend -BuildRequires: python2-iso8601 -BuildRequires: python2-cryptography-vectors = %{version} -BuildRequires: python2-asn1crypto >= 0.21 -BuildRequires: python2-hypothesis >= 1.11.4 -BuildRequires: python2-pytz - -BuildRequires: python2-idna >= 2.1 -BuildRequires: python2-six >= 1.4.1 -BuildRequires: python2-cffi >= 1.7 -BuildRequires: python2-enum34 -BuildRequires: python2-ipaddress -%endif - -%if 0%{?with_python3} BuildRequires: python%{python3_pkgversion}-devel -BuildRequires: python%{python3_pkgversion}-pytest >= 3.2.1 +BuildRequires: python%{python3_pkgversion}-pytest >= 3.4.2 BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-pretend -BuildRequires: python%{python3_pkgversion}-iso8601 +# BuildRequires: python{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version} -BuildRequires: python%{python3_pkgversion}-asn1crypto >= 0.21 -BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 BuildRequires: python%{python3_pkgversion}-pytz - -BuildRequires: python%{python3_pkgversion}-idna >= 2.1 BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 -%endif %description cryptography 
is a package designed to expose cryptographic primitives and recipes to Python developers. -%if 0%{?with_python2} -%package -n python2-%{srcname} -Group: Development/Libraries -Summary: PyCA's cryptography library - -%if 0%{?with_python3} -%{?python_provide:%python_provide python2-%{srcname}} -%else -Provides: python-%{srcname} -%endif - -Requires: openssl-libs -Requires: python2-idna >= 2.1 -Requires: python2-asn1crypto >= 0.21 -Requires: python2-six >= 1.4.1 -Requires: python2-cffi >= 1.7 -Requires: python2-enum34 -Requires: python2-ipaddress - -%description -n python2-%{srcname} -cryptography is a package designed to expose cryptographic primitives and -recipes to Python developers. -%endif - -%if 0%{?with_python3} %package -n python%{python3_pkgversion}-%{srcname} Group: Development/Libraries Summary: PyCA's cryptography library %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}} Requires: openssl-libs -Requires: python%{python3_pkgversion}-idna >= 2.1 -Requires: python%{python3_pkgversion}-asn1crypto >= 0.21 Requires: python%{python3_pkgversion}-six >= 1.4.1 Requires: python%{python3_pkgversion}-cffi >= 1.7 +Conflicts: python%{python3_pkgversion}-cryptography-vectors < %{version} +Conflicts: python%{python3_pkgversion}-cryptography-vectors > %{version} %description -n python%{python3_pkgversion}-%{srcname} cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. -%endif + %prep %autosetup -p1 -n %{srcname}-%{version} + %build -%if 0%{?with_python2} -%py2_build -%endif -%if 0%{?with_python3} %py3_build -%endif + %install # Actually other *.c and *.h are appropriate # see https://github.com/pyca/cryptography/issues/1463 find . 
-name .keep -print -delete - -%if 0%{?with_python2} -%py2_install -%endif -%if 0%{?with_python3} %py3_install -%endif %check # workaround for pytest 3.2.0 bug https://github.com/pytest-dev/pytest/issues/2644 rm -f tests/hazmat/primitives/test_padding.py -%if 0%{?with_python2} -%{__python2} setup.py test -%endif -%if 0%{?with_python3} -%{__python3} setup.py test -%endif - -%if 0%{?with_python2} -%files -n python2-%{srcname} -%doc LICENSE LICENSE.APACHE LICENSE.BSD README.rst docs -%{python2_sitearch}/%{srcname} -%{python2_sitearch}/%{srcname}-%{version}-py*.egg-info -%endif - -%if 0%{?with_python3} +# don't run hypothesis tests +rm -rf tests/hypothesis +PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest + + %files -n python%{python3_pkgversion}-%{srcname} %doc README.rst docs %license LICENSE LICENSE.APACHE LICENSE.BSD %{python3_sitearch}/%{srcname} %{python3_sitearch}/%{srcname}-%{version}-py*.egg-info -%endif %changelog +* Tue Feb 09 2021 Christian Heimes - 3.2.1-4 +- CVE-2020-36242: Fixed a bug where certain sequences of update() calls + when symmetrically encrypting very large payloads (>2GB) could result + in an integer overflow, leading to buffer overflows. +- Resolves: rhbz#1926528 + +* Mon Dec 14 17:24:01 CET 2020 Christian Heimes - 3.2.1-3 +- Conflict with non-matching vector package + +* Mon Dec 14 14:19:42 CET 2020 Christian Heimes - 3.2.1-2 +- Re-add remove NPN bindings, required for pyOpenSSL +- Resolves: rhbz#1907429 + +* Wed Oct 28 2020 Christian Heimes - 3.2.1-1 +- Rebase to upstream release 3.2.1 +- Resolves: rhbz#1873581 +- Resolves: rhbz#1778939 +- Removed dependencies on python-asn1crypto, python-idna + * Tue Nov 12 2019 Christian Heimes - 2.3-3 - Don't activate custom osrandom engine for FIPS compliance - Resolves: rhbz#1762667
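Review bot: `%check` still carries `rm -f tests/hazmat/primitives/test_padding.py` under a comment about a pytest 3.2.0 bug, while this revision raises the requirement to `python%{python3_pkgversion}-pytest >= 3.4.2` and runs the suite with `%{__python3} -m pytest`; if the workaround is obsolete, that `rm` silently drops the PKCS7 / ANSI X.923 padding tests from every build of a crypto package, so either re-run the build without it or change the comment to say why it is still required on this pytest. `rm -rf tests/hypothesis` has a comment, but the exclusion is not mentioned in the changelog alongside the removed hypothesis BuildRequires; one line there, `- hypothesis-based tests are not run (no python3-hypothesis)`, would record that coverage decision with the dependency change. The commented-out `# BuildRequires: python{python3_pkgversion}-iso8601` gives no reason; `# iso8601 is not available, the affected Fernet tests are skipped by Patch0003` would tie it to the patch that handles it.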