diff --git a/11328.patch b/11328.patch
new file mode 100644
index 0000000000000000000000000000000000000000..3dd1aeed7979d831e6c3d729bb64c9fe54cb09a6
--- /dev/null
+++ b/11328.patch
@@ -0,0 +1,36 @@
+From 7a1927b07343ee0e873017c3f5d58c56ea9e9ab1 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 22 Jul 2024 09:09:05 +0200
+Subject: [PATCH] Don't include engine.h when OPENSSL_NO_ENGINE is defined
+
+Fedora 41 and RHEL 10 are deprecating and phasing out OpenSSL ENGINE
+support. Downstream has moved `openssl/engine.h` into a separate RPM
+package and is recompiling packages with `-DOPENSSL_NO_ENGINE=1`. The
+compiler flag disables PyCA cryptography's ENGINE support successfully.
+We also like to build the downstream package without the `engine.h`
+header file present.
+
+This commit makes the include conditional. The `ENGINE` type is
+defined in `openssl/types.h`.
+
+See: https://src.fedoraproject.org/rpms/openssl/c/e67e9d9c40cd2cb9547e539c658e2b63f2736762?branch=rawhide
+See: https://issues.redhat.com/browse/RHEL-33747
+Signed-off-by: Christian Heimes
+---
+ src/_cffi_src/openssl/engine.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py
+index 9629a2c8f929..f47e20327003 100644
+--- a/src/_cffi_src/openssl/engine.py
++++ b/src/_cffi_src/openssl/engine.py
+@@ -5,7 +5,9 @@
+ from __future__ import annotations
+
+ INCLUDES = """
++#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL
+ #include
++#endif
+ """
+
+ TYPES = """
diff --git a/11536.patch b/11536.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b18f1491c0fea31665f8880b2facb9be338a3e60
--- /dev/null
+++ b/11536.patch
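Review bot: The new guard in the `INCLUDES` string, `#if !defined(OPENSSL_NO_ENGINE) || CRYPTOGRAPHY_IS_LIBRESSL`, depends on `CRYPTOGRAPHY_IS_LIBRESSL` already being defined when this fragment is preprocessed. An identifier that is not defined evaluates to 0 inside `#if`, so a wrong ordering would drop the include on that path without any diagnostic. Where that macro is defined is not visible in this hunk, so it is worth confirming whenever the patch is rebased. A one-line C comment above the guard would record the intent, for example `/* engine.h may be packaged separately when OPENSSL_NO_ENGINE is set; ENGINE itself is declared in openssl/types.h */`. The `TYPES` string continues outside the hunk.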
@@ -0,0 +1,26 @@
+From aa3e70e086b1f36f55d58a0d84eae0b51dbe7dc6 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor
+Date: Tue, 3 Sep 2024 20:19:02 -0400
+Subject: [PATCH] allow sha1 in OAEP (#11536)
+
+fixes #11512
+---
+ src/rust/src/backend/rsa.rs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs
+index 3c01e7421..066b1412a 100644
+--- a/src/rust/src/backend/rsa.rs
++++ b/src/rust/src/backend/rsa.rs
+@@ -70,7 +70,7 @@ fn generate_private_key(public_exponent: u32, key_size: u32) -> CryptographyResu
+ }
+
+ fn oaep_hash_supported(md: &openssl::hash::MessageDigest) -> bool {
+- (!cryptography_openssl::fips::is_enabled() && md == &openssl::hash::MessageDigest::sha1())
++ md == &openssl::hash::MessageDigest::sha1()
+ || md == &openssl::hash::MessageDigest::sha224()
+ || md == &openssl::hash::MessageDigest::sha256()
+ || md == &openssl::hash::MessageDigest::sha384()
+--
+2.46.0
+
diff --git a/cryptography-42.0.5-vendor.tar.bz2 b/cryptography-42.0.5-vendor.tar.bz2
deleted file mode 100644
index a3602153e0839d8cd2f4c5050207cd7ce52e38d9..0000000000000000000000000000000000000000
Binary files a/cryptography-42.0.5-vendor.tar.bz2 and /dev/null differ
diff --git a/cryptography-43.0.0-vendor.tar.bz2 b/cryptography-43.0.0-vendor.tar.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..559114e0b0f8cf55c333da59884700201f1f4672
Binary files /dev/null and b/cryptography-43.0.0-vendor.tar.bz2 differ
diff --git a/cryptography-42.0.5.tar.gz b/cryptography-43.0.0.tar.gz
similarity index 76%
rename from cryptography-42.0.5.tar.gz
rename to cryptography-43.0.0.tar.gz
index 3b9814068a44eb47245523815ff4a384eb8643b9..fd43f484f0628209de12d2a9dbe3703360016f53 100644
Binary files a/cryptography-42.0.5.tar.gz and b/cryptography-43.0.0.tar.gz differ
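Review bot: `oaep_hash_supported` now accepts SHA-1 unconditionally, and nothing near the new line `md == &openssl::hash::MessageDigest::sha1()` records why the FIPS-mode gate was dropped. Without a comment, a later maintainer may read this as an oversight and restore the gate, or assume this function still enforces FIPS policy for OAEP digests. I would add a comment above the function along the lines of `// SHA-1 is deliberately accepted for OAEP even when FIPS mode is enabled (see #11536); any policy restriction is left to the OpenSSL provider.` Whether the provider rejects SHA-1 OAEP at use time under a given FIPS configuration is not visible from this hunk, so a test on a FIPS-enabled build should pin the behaviour. The function body continues past the last line of the hunk.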
diff --git a/python-cryptography.spec b/python-cryptography.spec index fe65ae74988d8b154b652afed72d0ddc8014d4ce..2065f0f8ff606b2efd7c5dd89ea25c522f0e8ae3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,4 +1,4 @@ -%define anolis_release 2 +%define anolis_release 1 %bcond_with tests %{!?python3_pkgversion:%global python3_pkgversion 3} @@ -6,7 +6,7 @@ %global srcname cryptography Name: python-%{srcname} -Version: 42.0.5 +Version: 43.0.0 Release: %{anolis_release}%{?dist} Summary: PyCA's cryptography library @@ -15,12 +15,14 @@ Summary: PyCA's cryptography library # engine derived by CPython. License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 URL: https://cryptography.io/en/latest/ -Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz +Source0: https://github.com/pyca/cryptography/archive/43.0.0/cryptography-43.0.0.tar.gz +Source1: cryptography-43.0.0-vendor.tar.bz2 +Source2: conftest-skipper.py # created by ./vendor_rust.py helper script -Source1: cryptography-%{version}-vendor.tar.bz2 -Source2: conftest-skipper.py Patch1: skip-overflow-tests-32bit.patch +Patch2: 11536.patch +Patch3: 11328.patch BuildRequires: openssl-devel BuildRequires: gcc @@ -37,6 +39,8 @@ BuildRequires: python%{python3_pkgversion}-certifi BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0 BuildRequires: python%{python3_pkgversion}-pytest-benchmark BuildRequires: python%{python3_pkgversion}-pytest-subtests >= 0.5.0 +BuildRequires: python3-pytest >= 6.2.0 +BuildRequires: rust-toolset %endif %description @@ -105,6 +109,10 @@ PYTHONPATH=${PWD}/vectors:%{buildroot}%{python3_sitearch} \ %changelog +* Thu Sep 18 2025 wenyuzifang - 43.0.0-1 +- Updated to version 43.0.0 to fix xxxxxx +- Ensure compatibility with OpenSSL builds without ENGINE support by conditionally including engine.h + * Wed May 31 2024 mgb01105731 - 42.0.5-2 - rebuild for loongarch64
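Review bot: The `Source0:` and `Source1:` lines now hard-code `43.0.0` instead of using `%{version}` and `%{srcname}`, so the next bump has to touch three lines, and a missed one would pair a stale tarball with a new `Version:`. Keeping `Source0: https://github.com/pyca/cryptography/archive/%{version}/%{srcname}-%{version}.tar.gz` and `Source1: cryptography-%{version}-vendor.tar.bz2` avoids that. The comment `# created by ./vendor_rust.py helper script` used to sit above the vendor tarball and now follows `Source2: conftest-skipper.py`. The vendor tarball is a binary blob that cannot be reviewed from this diff, so that provenance comment should stay directly above `Source1:`. `Patch2: 11536.patch` removes the FIPS-mode condition on SHA-1 for OAEP, which the new `%changelog` entry does not mention.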
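Review bot: The added `BuildRequires: python3-pytest >= 6.2.0` repeats `BuildRequires: python%{python3_pkgversion}-pytest >= 6.2.0` three lines above it, and `python3_pkgversion` defaults to 3 at the top of this spec, so the new line looks redundant and can be dropped. `BuildRequires: rust-toolset` is placed immediately before `%endif`, so it appears to sit inside a conditional block whose opening is outside this hunk. If that block is the tests conditional, the Rust toolchain would only be requested when tests are enabled, and `%bcond_with tests` leaves them off by default. If the toolchain is needed to build the extension itself, the line belongs with the unconditional `BuildRequires:` entries.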