diff --git a/CVE-2023-23931.patch b/CVE-2023-23931.patch
deleted file mode 100644
index 085947cfe64e0069e147fadc9c61f5cdbd5db52a..0000000000000000000000000000000000000000
--- a/CVE-2023-23931.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 94a50a9731f35405f0357fa5f3b177d46a726ab3 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Tue, 31 Jan 2023 08:33:54 -0500
-Subject: [PATCH] Don't allow update_into to mutate immutable objects
-
---
- src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
- tests/hazmat/primitives/test_ciphers.py | 8 ++++++++
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
-index 286583f9325..075d68fb905 100644
---- a/src/cryptography/hazmat/backends/openssl/ciphers.py
-+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
-@@ -156,7 +156,7 @@ def update_into(self, data: bytes, buf: bytes) -> int:
- data_processed = 0
- total_out = 0
- outlen = self._backend._ffi.new("int *")
-- baseoutbuf = self._backend._ffi.from_buffer(buf)
-+ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
- baseinbuf = self._backend._ffi.from_buffer(data)
-
- while data_processed != total_data_len:
-diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
-index 02127dd9cab..bf3b047dec2 100644
---- a/tests/hazmat/primitives/test_ciphers.py
-+++ b/tests/hazmat/primitives/test_ciphers.py
-@@ -318,6 +318,14 @@ def test_update_into_buffer_too_small(self, backend):
- with pytest.raises(ValueError):
- encryptor.update_into(b"testing", buf)
-
-+ def test_update_into_immutable(self, backend):
-+ key = b"\x00" * 16
-+ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
-+ encryptor = c.encryptor()
-+ buf = b"\x00" * 32
-+ with pytest.raises((TypeError, BufferError)):
-+ encryptor.update_into(b"testing", buf)
-+
- @pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
diff --git a/CVE-2023-49083.patch b/CVE-2023-49083.patch
deleted file mode 100644
index e4a6ae28320ebad948f724c592262cf67d11beb7..0000000000000000000000000000000000000000
--- a/CVE-2023-49083.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 1e7b4d074e14c4e694d3ce69ad6754a6039fd6ff Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Mon, 27 Nov 2023 13:08:17 -0500
-Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
- (#9926)
-
---
- src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
- tests/hazmat/primitives/test_pkcs7.py | 6 ++++++
- 2 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
-index 7c08862b3..adfd7aefe 100644
---- a/src/cryptography/hazmat/backends/openssl/backend.py
-+++ b/src/cryptography/hazmat/backends/openssl/backend.py
-@@ -1111,9 +1111,12 @@ class Backend:
- _Reasons.UNSUPPORTED_SERIALIZATION,
- )
-
-+ certs: list[x509.Certificate] = []
-+ if p7.d.sign == self._ffi.NULL:
-+ return certs
-+
- sk_x509 = p7.d.sign.cert
- num = self._lib.sk_X509_num(sk_x509)
-- certs = []
- for i in range(num):
- x509 = self._lib.sk_X509_value(sk_x509, i)
- self.openssl_assert(x509 != self._ffi.NULL)
-diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
-index ceb84e5fb..434a36105 100644
---- a/tests/hazmat/primitives/test_pkcs7.py
-+++ b/tests/hazmat/primitives/test_pkcs7.py
-@@ -89,6 +89,12 @@ class TestPKCS7Loading:
- mode="rb",
- )
-
-+ def test_load_pkcs7_empty_certificates(self):
-+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
-+
-+ certificates = pkcs7.load_der_pkcs7_certificates(der)
-+ assert certificates == []
-+
-
- # We have no public verification API and won't be adding one until we get
- # some requirements from users so this function exists to give us basic
---
-2.19.1.6.gb485710b
-
diff --git a/cryptography-39.0.0-vendor.tar.bz2 b/cryptography-41.0.7-vendor.tar.bz2
similarity index 49%
rename from cryptography-39.0.0-vendor.tar.bz2
rename to cryptography-41.0.7-vendor.tar.bz2
index 7c62e7e7381ed01f87fd22a7974a9fa3af692e3a..6f7c9decd6c154a9bced697cdc086c29eff937e5 100644
Binary files a/cryptography-39.0.0-vendor.tar.bz2 and b/cryptography-41.0.7-vendor.tar.bz2 differ
diff --git a/cryptography-39.0.0.tar.gz b/cryptography-41.0.7.tar.gz
similarity index 76%
rename from cryptography-39.0.0.tar.gz
rename to cryptography-41.0.7.tar.gz
index 15d6eaa4bd6b73cc83cc818aba042360ac51bf96..6edd6ce971308243ac99361d25bcf3f2d80dbbb6 100644
Binary files a/cryptography-39.0.0.tar.gz and b/cryptography-41.0.7.tar.gz differ
diff --git a/ouroboros-0.17.patch b/ouroboros-0.17.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a41a2c3d63464dcedcc08ef0f9f286f9820eb522
--- /dev/null
+++ b/ouroboros-0.17.patch
@@ -0,0 +1,13 @@
+diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
+index 9dd060f8b..8004c7e76 100644
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptography-cffi" }
+ cryptography-x509 = { path = "cryptography-x509" }
+ cryptography-openssl = { path = "cryptography-openssl" }
+ pem = "1.1"
+-ouroboros = "0.15"
++ouroboros = "0.17"
+ openssl = "0.10.54"
+ openssl-sys = "0.9.88"
+ foreign-types-shared = "0.1"
diff --git a/pyo3-0.19.patch b/pyo3-0.19.patch
new file mode 100644
index 0000000000000000000000000000000000000000..692232acfbf3eef47e1401a4198accbc503abe05
--- /dev/null
+++ b/pyo3-0.19.patch
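Review bot: The patch overrides upstream's `ouroboros = "0.15"` pin with `"0.17"` and nothing in the change records why — there is no patch header here and, from what the spec hunk shows, no comment on the `Patch2:` line either. If the motivation is the RustSec unsoundness advisory against the ouroboros 0.15 line, or an API requirement of the pyo3 bump, say so in a preamble such as `Backport of upstream's ouroboros 0.15 -> 0.17 bump; see <upstream commit>` so the next maintainer can verify it. A semver-major bump of this crate also touches the self-referencing types cryptography builds on ouroboros, which live outside this hunk, so confirm the 41.0.7 sources compile against 0.17 and that `Cargo.lock` and the vendor tarball (the build is offline) carry the new version, neither of which this patch updates.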
@@ -0,0 +1,52 @@
+diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml
+index 01fba147e..9dd060f8b 100644
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -9,7 +9,7 @@ rust-version = "1.56.0"
+ 
+ [dependencies]
+ once_cell = "1"
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ asn1 = { version = "0.15.2", default-features = false }
+ cryptography-cffi = { path = "cryptography-cffi" }
+ cryptography-x509 = { path = "cryptography-x509" }
+diff --git a/src/rust/cryptography-cffi/Cargo.toml b/src/rust/cryptography-cffi/Cargo.toml
+index 65051c2a4..24e53991b 100644
+--- a/src/rust/cryptography-cffi/Cargo.toml
++++ b/src/rust/cryptography-cffi/Cargo.toml
+@@ -8,7 +8,7 @@ publish = false
+ rust-version = "1.56.0"
+ 
+ [dependencies]
+-pyo3 = { version = "0.18", features = ["abi3-py37"] }
++pyo3 = { version = "0.19", features = ["abi3-py37"] }
+ openssl-sys = "0.9.88"
+ 
+ [build-dependencies]
+diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
+index 923015035..1380d6eb8 100644
+--- a/src/rust/src/x509/crl.rs
++++ b/src/rust/src/x509/crl.rs
+@@ -145,7 +145,7 @@ impl CertificateRevocationList {
+ revoked_certs
+ });
+ 
+- if idx.is_instance_of::()? {
++ if idx.is_instance_of::() {
+ let indices = idx
+ .downcast::()?
+ .indices(self.len().try_into().unwrap())?;
+diff --git a/src/rust/src/x509/extensions.rs b/src/rust/src/x509/extensions.rs
+index 98d1bd63b..dcf28833f 100644
+--- a/src/rust/src/x509/extensions.rs
++++ b/src/rust/src/x509/extensions.rs
+@@ -211,7 +211,7 @@ fn encode_certificate_policies(
+ let mut qualifiers = vec![];
+ for py_qualifier in py_policy_qualifiers.iter()? {
+ let py_qualifier = py_qualifier?;
+- let qualifier = if py_qualifier.is_instance_of::()? {
++ let qualifier = if py_qualifier.is_instance_of::() {
+ let cps_uri = match asn1::IA5String::new(py_qualifier.extract()?) {
+ Some(s) => s,
+ None => {
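Review bot: The patch moves both `Cargo.toml` pins from pyo3 0.18 to 0.19 but leaves `Cargo.lock` untouched; if the 41.0.7 tree ships a lock pinning 0.18 (not visible here), a `--locked`/`--frozen` build refuses the bump and an unlocked one silently re-resolves, so the lock should be regenerated in the same patch and the vendor tarball must contain pyo3 0.19 together with its `pyo3-ffi`, `pyo3-macros` and `pyo3-macros-backend` companions at the matching version, since the build is offline. The patch carries no header — no upstream commit, author or subject, unlike the CVE patches this change removes — so the next maintainer cannot check that dropping the `?` after `is_instance_of` (it became infallible in 0.19) is the whole of what upstream did for this bump; a `From:`/`Subject:` preamble naming the upstream change would fix that. The turbofish type arguments are missing in this rendering (`is_instance_of::()`, `.downcast::()?`), presumably an extraction artefact, so it is worth confirming the on-disk patch applies before relying on it. Both Rust hunks cut into `impl CertificateRevocationList` and `fn encode_certificate_policies`, which continue outside the patch.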
diff --git a/python-cryptography.spec b/python-cryptography.spec
index 0b936c1d255e036f0412bf849c6964ad60aa229d..a294d415bc77efb34c57914d8eb013d85e1c9a1b 100644
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@@ -1,148 +1,107 @@
-%define anolis_release 4
+%define anolis_release 1
 %bcond_with tests
 %{!?python3_pkgversion:%global python3_pkgversion 3}
 %global srcname cryptography
-%global pyo3_version 0.13.1
 Name: python-%{srcname}
-Version: 39.0.0
+Version: 41.0.7
 Release: %{anolis_release}%{?dist}
 Summary: PyCA's cryptography library
-License: ASL 2.0 or BSD
+# cryptography is dual licensed under the Apache-2.0 and BSD-3-Clause,
+# as well as the Python Software Foundation license for the OS random
+# engine derived by CPython.
+License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0
 URL: https://cryptography.io/en/latest/
 Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz
 # created by ./vendor_rust.py helper script
 Source1: cryptography-%{version}-vendor.tar.bz2
 Source2: conftest-skipper.py
-# https://github.com/pyca/cryptography/pull/8230
-Patch0: CVE-2023-23931.patch
-# https://github.com/pyca/cryptography/pull/9926
-Patch1: CVE-2023-49083.patch
+
+Patch1: pyo3-0.19.patch
+Patch2: ouroboros-0.17.patch
 ExclusiveArch: %{rust_arches}
+BuildRequires: openssl-devel
 BuildRequires: gcc
-BuildRequires: rust
-BuildRequires: cargo
 BuildRequires: gnupg2
-BuildRequires: openssl-devel
+BuildRequires: rust-toolset
+BuildRequires: cargo
-BuildRequires: python%{python3_pkgversion}-toml
-BuildRequires: python%{python3_pkgversion}-wheel
+BuildRequires: python%{python3_pkgversion}-cffi >= 1.12
 BuildRequires: python%{python3_pkgversion}-devel
-BuildRequires: python%{python3_pkgversion}-cffi >= 1.7
-BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.3
+BuildRequires: python%{python3_pkgversion}-setuptools
+BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 0.11.4
 %if %{with tests}
-BuildRequires: python%{python3_pkgversion}-pytz
-BuildRequires: python%{python3_pkgversion}-iso8601
-BuildRequires: python%{python3_pkgversion}-pretend
-BuildRequires: python%{python3_pkgversion}-pytest-xdist
-BuildRequires: python%{python3_pkgversion}-pytest >= 6.0
+BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0
 BuildRequires: python%{python3_pkgversion}-pytest-benchmark
-BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4
-BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.3.2
+BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0
 %endif
 %description
-Python-cryptography is an open-source library that provides cryptographic algorithms,
-primitives, and protocols for Python programmers. The library is built on top of the
-PyCA cryptography library and is compatible with both Python 2 and 3 versions.
-
-The library provides various functionalities such as encryption, decryption, secure
-communication, and message digest algorithms. Some of the cryptography algorithms
-supported by the library include AES, RSA, DSA, Elliptic Curve Cryptography (ECC),
-and many more.
-
-Python-cryptography also provides support for the transport layer security (TLS) protocol,
-which is used to secure communication over the internet. The library supports both
-client-side and server-side TLS implementation and also provides support for various
-TLS versions such as TLS 1.2, TLS 1.3, etc.
-
-Python-cryptography provides a simple and easy-to-use interface for programmers to
-implement cryptographic functions in their applications. The library provides a high-level
-API and a low-level API, which allows programmers to choose the level of abstraction they need.
-
-The library also provides support for key management, message authentication, digital
-signatures, and hashing algorithms. The library is well documented and has an active
-community of developers who contribute to its development and maintenance.
-
-In conclusion, Python-cryptography is a powerful and reliable library for implementing
-cryptography in Python applications. Its ease of use, compatibility with different Python
-versions, and support for various cryptography algorithms make it a popular choice among
-Python developers.
+cryptography is a package designed to expose cryptographic primitives and
+recipes to Python developers.
 %package -n python%{python3_pkgversion}-%{srcname}
 Summary: PyCA's cryptography library
 %{?python_provide:%python_provide python%{python3_pkgversion}-%{srcname}}
 Requires: openssl-libs
-Requires: python%{python3_pkgversion}-cffi >= 1.7
-Requires: python%{python3_pkgversion}-six >= 1.4.1
-
 Obsoletes: python%{python3_pkgversion}-cryptography-vectors < 3.4.7
 %description -n python%{python3_pkgversion}-%{srcname}
 cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
-%package -n python%{python3_pkgversion}-%{srcname}-doc
-Summary: Documentation files for %{name}
-Requires: python%{python3_pkgversion}-%{srcname}-doc = %{version}-%{release}
-BuildArch: noarch
-
-%description -n python%{python3_pkgversion}-%{srcname}-doc
-The %{name}-doc package contains documentation files for %{name}.
-
 %prep
-%autosetup -n %{srcname}-%{version} -p1
-tar -xjvf %{SOURCE1} -C ./src/rust/
+%autosetup -p1 -N -n %{srcname}-%{version}
+%cargo_prep -V 1
-mkdir .cargo
-cat >> .cargo/config.toml << EOF
-[source.crates-io]
-replace-with = "vendored-sources"
-
-[source.vendored-sources]
-directory = "src/rust/vendor"
-EOF
-
-%generate_buildrequires
-%pyproject_buildrequires
+# Remove cosmetical pytest-subtests 0.10.0 option
+sed -i 's,--no-subtests-shortletter,,' pyproject.toml
 %build
-%pyproject_wheel
+export RUSTFLAGS="%build_rustflags"
+export OPENSSL_NO_VENDOR=1
+%py3_build
 %install
+# Actually other *.c and *.h are appropriate
+# see https://github.com/pyca/cryptography/issues/1463
 find . -name .keep -print -delete
-%pyproject_install
-
-%generate_compatibility_deps
+%py3_install
 %check
 %if %{with tests}
-# Ignore vendor directory test.
+# enable SHA-1 signatures for RSA tests
+# also see https://github.com/pyca/cryptography/pull/6931 and rhbz#2060343
+export OPENSSL_ENABLE_SHA1_SIGNATURES=yes
+
+# see https://github.com/pyca/cryptography/issues/4885 and
+# see https://bugzilla.redhat.com/show_bug.cgi?id=1761194 for deselected tests
+# see rhbz#2042413 for memleak. It's unstable under Python 3.11 and makes
+# not much sense for downstream testing.
+# see rhbz#2171661 for test_load_invalid_ec_key_from_pem: error:030000CD:digital envelope routines::keymgmt export failure
 PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
 %{__python3} -m pytest \
- -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_openssl_memleak)" \
- --ignore src/rust/vendor
+ --ignore vendor \
+ -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve or test_decrypt_invalid_decrypt or test_openssl_memleak or test_load_invalid_ec_key_from_pem)"
 %endif
 %files -n python%{python3_pkgversion}-%{srcname}
-%dir %{abidir}
+%doc README.rst docs
 %license LICENSE LICENSE.APACHE LICENSE.BSD
 %{python3_sitearch}/%{srcname}
-%{python3_sitearch}/%{srcname}-%{version}.dist-info/
-%{abidir}/_openssl.abi3.dump
-%{abidir}/_rust.abi3.dump
-
-%files -n python%{python3_pkgversion}-%{srcname}-doc
-%doc README.rst docs
+%{python3_sitearch}/%{srcname}-%{version}-py*.egg-info
 %changelog
+* Wed Feb 07 2024 mgb01105731 - 41.0.7-1
+- Update to 41.0.7
+
 * Thu Dec 07 2023 Chunmei Xu - 39.0.0-4
 - fix CVE-2023-49083
@@ -160,3 +119,4 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \
 * Sun Apr 24 2022 Zhongling He - 36.0.2-1
 - Init package from upstream v36.0.2
+
diff --git a/vendor_rust.py b/vendor_rust.py
deleted file mode 100644
index 3f71e839293f5630bf9b95757853ce5b7a51ca56..0000000000000000000000000000000000000000
--- a/vendor_rust.py
+++ /dev/null
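Review bot: `%autosetup -p1 -N -n %{srcname}-%{version}` switches off automatic patch application (that is what `-N` does), and nothing later in the new `%prep` — only `%cargo_prep -V 1` and the `sed` on pyproject.toml follow — applies `Patch1`/`Patch2`, so pyo3-0.19.patch and ouroboros-0.17.patch are declared but never applied; add `%autopatch -p1` directly after the `%autosetup` line, or drop `-N`. Which way the build then goes depends on Source1: a vendor tarball generated from the patched Cargo.toml holds pyo3 0.19/ouroboros 0.17 and the unpatched tree cannot resolve them offline, while one generated unpatched makes the two patches dead weight — I cannot tell which from here, which is exactly the problem. The comment `# created by ./vendor_rust.py helper script` above `Source1:` becomes stale in this same change, which deletes vendor_rust.py and with it the only recorded, reproducible way to regenerate the vendored crates; keep the script or replace the comment with the exact command used. Dropping the `-doc` subpackage without `Obsoletes: python%{python3_pkgversion}-%{srcname}-doc < %{version}-%{release}` on the main package strands the previously shipped doc package on upgrade. Removing the CVE-2023-23931 and CVE-2023-49083 patches is right (both fixes are in upstream 41.0.7), but the new `Patch1:`/`Patch2:` lines lose the `# https://github.com/pyca/cryptography/pull/...` provenance comments the old ones carried and should name the upstream commit each one backports.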
@@ -1,113 +0,0 @@
-#!/usr/bin/python3
-"""Vendor PyCA cryptography's Rust crates
-"""
-import argparse
-import os
-import re
-import tarfile
-import tempfile
-import shutil
-import subprocess
-import sys
-
-VENDOR_DIR = "vendor"
-CARGO_TOML = "src/rust/Cargo.toml"
-RE_VERSION = re.compile("Version:\s*(.*)")
-
-parser = argparse.ArgumentParser(description="Vendor Rust packages")
-parser.add_argument(
- "--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
-)
-
-
-def cargo(cmd, manifest):
- args = ["cargo", cmd, f"--manifest-path={manifest}"]
- return subprocess.check_call(
- args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
- )
-
-
-def tar_reset(tarinfo):
- """Reset user, group, mtime, and mode to create reproducible tar"""
- tarinfo.uid = 0
- tarinfo.gid = 0
- tarinfo.uname = "root"
- tarinfo.gname = "root"
- tarinfo.mtime = 0
- if tarinfo.type == tarfile.DIRTYPE:
- tarinfo.mode = 0o755
- else:
- tarinfo.mode = 0o644
- if tarinfo.pax_headers:
- raise ValueError(tarinfo.name, tarinfo.pax_headers)
- return tarinfo
-
-
-def tar_reproducible(tar, basedir):
- """Create reproducible tar file"""
-
- content = [basedir]
- for root, dirs, files in os.walk(basedir):
- for directory in dirs:
- content.append(os.path.join(root, directory))
- for filename in files:
- content.append(os.path.join(root, filename))
- content.sort()
-
- for fn in content:
- tar.add(fn, filter=tar_reset, recursive=False, arcname=fn)
-
-
-def main():
- args = parser.parse_args()
- spec = args.spec
-
- # change cwd to work in bundle directory
- here = os.path.dirname(os.path.abspath(spec))
- os.chdir(here)
-
- # extract version number from bundle name
- with open(spec) as f:
- for line in f:
- mo = RE_VERSION.search(line)
- if mo is not None:
- version = mo.group(1)
- break
- else:
- raise ValueError(f"Cannot find version in {spec}")
-
- bundle_file = f"cryptography-{version}.tar.gz"
- vendor_file = f"cryptography-{version}-vendor.tar.bz2"
-
- # remove existing vendor directory and file
- if os.path.isdir(VENDOR_DIR):
- shutil.rmtree(VENDOR_DIR)
- try:
- os.unlink(vendor_file)
- except FileNotFoundError:
- pass
-
- print(f"Getting crates for {bundle_file}", file=sys.stderr)
-
- # extract tar file in tempdir
- # fetch and vendor Rust crates
- with tempfile.TemporaryDirectory(dir=here) as tmp:
- with tarfile.open(bundle_file) as tar:
- tar.extractall(path=tmp)
- manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
- cargo("fetch", manifest)
- cargo("vendor", manifest)
-
- print("\nCreating tar ball...", file=sys.stderr)
- with tarfile.open(vendor_file, "x:bz2") as tar:
- tar_reproducible(tar, VENDOR_DIR)
-
- # remove vendor dir
- shutil.rmtree(VENDOR_DIR)
-
- parser.exit(0, f"Created {vendor_file}\n")
-
-
-if __name__ == "__main__":
- main()
-