diff --git a/backport-CVE-2020-36242.patch b/backport-CVE-2020-36242.patch deleted file mode 100644 index fbfb2a277a7197559d7b9940702fe5f9e55f96a5..0000000000000000000000000000000000000000 --- a/backport-CVE-2020-36242.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 962eac3925c7184fb5dc174357823223beba0d85 Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Sun, 7 Feb 2021 11:04:43 -0600 -Subject: [PATCH] port changelog and fix back to master for CVE-2020-36242 - ---- - CHANGELOG.rst | 9 +++++++++ - src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +- - 2 files changed, 10 insertions(+), 1 deletion(-) - -diff --git a/CHANGELOG.rst b/CHANGELOG.rst -index 3cb53d0..4dd7146 100644 ---- a/CHANGELOG.rst -+++ b/CHANGELOG.rst -@@ -1,6 +1,15 @@ - Changelog - ========= - -+.. _v3-3-2: -+ -+3.3.2 - 2021-02-07 -+~~~~~~~~~~~~~~~~~~ -+ -+* **SECURITY ISSUE:** Fixed a bug where certain sequences of ``update()`` calls -+ when symmetrically encrypting very large payloads (>2GB) could result in an -+ integer overflow, leading to buffer overflows. *CVE-2020-36242* -+ - .. _v3-3-1: - - 3.3.1 - 2020-12-09 -diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py -index 1e805d2..ad5dad3 100644 ---- a/src/cryptography/hazmat/backends/openssl/ciphers.py -+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py -@@ -17,7 +17,7 @@ from cryptography.hazmat.primitives.ciphers import modes - class _CipherContext(object): - _ENCRYPT = 1 - _DECRYPT = 0 -- _MAX_CHUNK_SIZE = 2 ** 31 - 1 -+ _MAX_CHUNK_SIZE = 2 ** 30 - 1 - - def __init__(self, backend, cipher, mode, operation): - self._backend = backend --- -1.8.3.1 - diff --git a/cargo-vendor-cache b/cargo-vendor-cache new file mode 100644 index 0000000000000000000000000000000000000000..b79753d6f725d7a7cbe48fdf7b80fd6ed3c8433c Binary files /dev/null and b/cargo-vendor-cache differ diff --git a/cryptography-3.3.1.tar.gz b/cryptography-3.3.1.tar.gz deleted file mode 100644 index 4d9671e137977c843779ee4fb70e1315c71f5328..0000000000000000000000000000000000000000 Binary files a/cryptography-3.3.1.tar.gz and /dev/null differ diff --git a/cryptography-45.0.5.tar.gz b/cryptography-45.0.5.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..57554c75628f3488f26ecb9477c1be310e001ae2 Binary files /dev/null and b/cryptography-45.0.5.tar.gz differ diff --git a/disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch b/disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch new file mode 100644 index 0000000000000000000000000000000000000000..91953fd86353384cb17deb51145070e327f3702a --- /dev/null +++ b/disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch @@ -0,0 +1,479 @@ +From fe6fe6fac2671a37eba40b4c6b2e8f356605761d Mon Sep 17 00:00:00 2001 +From: shixuantong +Date: Tue, 29 Jul 2025 09:55:25 +0800 +Subject: [PATCH] disable RSA PKCS#1v1.5 padding to fix CVE-2023-50782 + +--- + src/rust/src/backend/rsa.rs | 6 +- + tests/hazmat/primitives/test_pkcs7.py | 304 +++++++++++++------------- + tests/hazmat/primitives/test_rsa.py | 16 +- + 3 files changed, 172 insertions(+), 154 deletions(-) + +diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs +index b490e1c..7e65ca2 100644 +--- a/src/rust/src/backend/rsa.rs ++++ b/src/rust/src/backend/rsa.rs +@@ -92,7 +92,11 @@ fn setup_encryption_ctx( + } + + let padding_enum = if padding.is_instance(&types::PKCS1V15.get(py)?)? { +- openssl::rsa::Padding::PKCS1 ++ return Err(CryptographyError::from( ++ pyo3::exceptions::PyValueError::new_err( ++ "RSA PKCS#1v1.5 has security problems and it has been banned.", ++ ), ++ )); + } else if padding.is_instance(&types::OAEP.get(py)?)? { + if !padding + .getattr(pyo3::intern!(py, "_mgf"))? +diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py +index 1496a23..ec691de 100644 +--- a/tests/hazmat/primitives/test_pkcs7.py ++++ b/tests/hazmat/primitives/test_pkcs7.py +@@ -982,45 +982,46 @@ class TestPKCS7EnvelopeBuilder: + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) +- enveloped = builder.encrypt(serialization.Encoding.SMIME, options) +- assert b"MIME-Version: 1.0\n" in enveloped +- assert b"Content-Transfer-Encoding: base64\n" in enveloped +- message = email.parser.BytesParser().parsebytes(enveloped) +- assert message.get_content_disposition() == "attachment" +- assert message.get_filename() == "smime.p7m" +- assert message.get_content_type() == "application/pkcs7-mime" +- assert message.get_param("smime-type") == "enveloped-data" +- assert message.get_param("name") == "smime.p7m" +- +- payload = message.get_payload(decode=True) +- assert isinstance(payload, bytes) +- +- # We want to know if we've serialized something that has the parameters +- # we expect, so we match on specific byte strings of OIDs & DER values. +- # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) +- assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in payload +- # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) +- assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in payload +- # cryptography CA (the recipient's Common Name) +- assert ( +- b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" +- b"\x20\x43\x41" +- ) in payload ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.SMIME, options) ++ assert b"MIME-Version: 1.0\n" in enveloped ++ assert b"Content-Transfer-Encoding: base64\n" in enveloped ++ message = email.parser.BytesParser().parsebytes(enveloped) ++ assert message.get_content_disposition() == "attachment" ++ assert message.get_filename() == "smime.p7m" ++ assert message.get_content_type() == "application/pkcs7-mime" ++ assert message.get_param("smime-type") == "enveloped-data" ++ assert message.get_param("name") == "smime.p7m" ++ ++ payload = message.get_payload(decode=True) ++ assert isinstance(payload, bytes) ++ ++ # We want to know if we've serialized something that has the parameters ++ # we expect, so we match on specific byte strings of OIDs & DER values. ++ # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) ++ assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in payload ++ # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) ++ assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in payload ++ # cryptography CA (the recipient's Common Name) ++ assert ( ++ b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" ++ b"\x20\x43\x41" ++ ) in payload + +- decrypted_bytes = pkcs7.pkcs7_decrypt_smime( +- enveloped, +- cert, +- private_key, +- [o for o in options if o != pkcs7.PKCS7Options.Binary], +- ) ++ decrypted_bytes = pkcs7.pkcs7_decrypt_smime( ++ enveloped, ++ cert, ++ private_key, ++ [o for o in options if o != pkcs7.PKCS7Options.Binary], ++ ) + +- # New lines are canonicalized to '\r\n' when not using Binary +- expected_data = ( +- data +- if pkcs7.PKCS7Options.Binary in options +- else data.replace(b"\n", b"\r\n") +- ) +- assert decrypted_bytes == expected_data ++ # New lines are canonicalized to '\r\n' when not using Binary ++ expected_data = ( ++ data ++ if pkcs7.PKCS7Options.Binary in options ++ else data.replace(b"\n", b"\r\n") ++ ) ++ assert decrypted_bytes == expected_data + + @pytest.mark.parametrize( + "options", +@@ -1035,33 +1036,34 @@ class TestPKCS7EnvelopeBuilder: + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, options) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, options) + +- # We want to know if we've serialized something that has the parameters +- # we expect, so we match on specific byte strings of OIDs & DER values. +- # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) +- assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in enveloped +- # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) +- assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in enveloped +- # cryptography CA (the recipient's Common Name) +- assert ( +- b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" +- b"\x20\x43\x41" +- ) in enveloped ++ # We want to know if we've serialized something that has the parameters ++ # we expect, so we match on specific byte strings of OIDs & DER values. ++ # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) ++ assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in enveloped ++ # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) ++ assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in enveloped ++ # cryptography CA (the recipient's Common Name) ++ assert ( ++ b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" ++ b"\x20\x43\x41" ++ ) in enveloped + +- decrypted_bytes = pkcs7.pkcs7_decrypt_der( +- enveloped, +- cert, +- private_key, +- [o for o in options if o != pkcs7.PKCS7Options.Binary], +- ) +- # New lines are canonicalized to '\r\n' when not using Binary +- expected_data = ( +- data +- if pkcs7.PKCS7Options.Binary in options +- else data.replace(b"\n", b"\r\n") +- ) +- assert decrypted_bytes == expected_data ++ decrypted_bytes = pkcs7.pkcs7_decrypt_der( ++ enveloped, ++ cert, ++ private_key, ++ [o for o in options if o != pkcs7.PKCS7Options.Binary], ++ ) ++ # New lines are canonicalized to '\r\n' when not using Binary ++ expected_data = ( ++ data ++ if pkcs7.PKCS7Options.Binary in options ++ else data.replace(b"\n", b"\r\n") ++ ) ++ assert decrypted_bytes == expected_data + + @pytest.mark.parametrize( + "options", +@@ -1076,21 +1078,22 @@ class TestPKCS7EnvelopeBuilder: + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) +- enveloped = builder.encrypt(serialization.Encoding.PEM, options) +- decrypted_bytes = pkcs7.pkcs7_decrypt_pem( +- enveloped, +- cert, +- private_key, +- [o for o in options if o != pkcs7.PKCS7Options.Binary], +- ) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.PEM, options) ++ decrypted_bytes = pkcs7.pkcs7_decrypt_pem( ++ enveloped, ++ cert, ++ private_key, ++ [o for o in options if o != pkcs7.PKCS7Options.Binary], ++ ) + +- # New lines are canonicalized to '\r\n' when not using Binary +- expected_data = ( +- data +- if pkcs7.PKCS7Options.Binary in options +- else data.replace(b"\n", b"\r\n") +- ) +- assert decrypted_bytes == expected_data ++ # New lines are canonicalized to '\r\n' when not using Binary ++ expected_data = ( ++ data ++ if pkcs7.PKCS7Options.Binary in options ++ else data.replace(b"\n", b"\r\n") ++ ) ++ assert decrypted_bytes == expected_data + + def test_smime_encrypt_multiple_recipients(self, backend): + data = b"hello world\n" +@@ -1101,13 +1104,14 @@ class TestPKCS7EnvelopeBuilder: + .add_recipient(cert) + .add_recipient(cert) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, []) +- # cryptography CA (the recipient's Common Name) +- common_name_bytes = ( +- b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61" +- b"\x70\x68\x79\x20\x43\x41" +- ) +- assert enveloped.count(common_name_bytes) == 2 ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, []) ++ # cryptography CA (the recipient's Common Name) ++ common_name_bytes = ( ++ b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61" ++ b"\x70\x68\x79\x20\x43\x41" ++ ) ++ assert enveloped.count(common_name_bytes) == 2 + + + @pytest.mark.supported( +@@ -1170,14 +1174,15 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, options) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, options) + +- # Test decryption: new lines are canonicalized to '\r\n' when +- # encryption has no Binary option +- decrypted = pkcs7.pkcs7_decrypt_der( +- enveloped, certificate, private_key, options +- ) +- assert decrypted == data.replace(b"\n", b"\r\n") ++ # Test decryption: new lines are canonicalized to '\r\n' when ++ # encryption has no Binary option ++ decrypted = pkcs7.pkcs7_decrypt_der( ++ enveloped, certificate, private_key, options ++ ) ++ assert decrypted == data.replace(b"\n", b"\r\n") + + def test_pkcs7_decrypt_aes_256_cbc_encrypted_content( + self, backend, data, certificate, private_key +@@ -1189,14 +1194,15 @@ class TestPKCS7Decrypt: + .set_content_encryption_algorithm(algorithms.AES256) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.PEM, []) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.PEM, []) + +- # Test decryption: new lines are canonicalized to '\r\n' when +- # encryption has no Binary option +- decrypted = pkcs7.pkcs7_decrypt_pem( +- enveloped, certificate, private_key, [] +- ) +- assert decrypted == data.replace(b"\n", b"\r\n") ++ # Test decryption: new lines are canonicalized to '\r\n' when ++ # encryption has no Binary option ++ decrypted = pkcs7.pkcs7_decrypt_pem( ++ enveloped, certificate, private_key, [] ++ ) ++ assert decrypted == data.replace(b"\n", b"\r\n") + + @pytest.mark.parametrize( + "header", +@@ -1219,15 +1225,16 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt( +- serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] +- ) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt( ++ serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] ++ ) + +- # Test decryption with text option +- decrypted = pkcs7.pkcs7_decrypt_der( +- enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] +- ) +- assert decrypted == base_data.encode() ++ # Test decryption with text option ++ decrypted = pkcs7.pkcs7_decrypt_der( ++ enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] ++ ) ++ assert decrypted == base_data.encode() + + @pytest.mark.parametrize("options", [[], [pkcs7.PKCS7Options.Text]]) + def test_pkcs7_decrypt_pem( +@@ -1239,14 +1246,15 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.PEM, options) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.PEM, options) + +- # Test decryption: new lines are canonicalized to '\r\n' when +- # encryption has no Binary option +- decrypted = pkcs7.pkcs7_decrypt_pem( +- enveloped, certificate, private_key, options +- ) +- assert decrypted == data.replace(b"\n", b"\r\n") ++ # Test decryption: new lines are canonicalized to '\r\n' when ++ # encryption has no Binary option ++ decrypted = pkcs7.pkcs7_decrypt_pem( ++ enveloped, certificate, private_key, options ++ ) ++ assert decrypted == data.replace(b"\n", b"\r\n") + + def test_pkcs7_decrypt_pem_with_wrong_tag( + self, backend, data, certificate, private_key +@@ -1269,13 +1277,14 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.SMIME, options) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.SMIME, options) + +- # Test decryption +- decrypted = pkcs7.pkcs7_decrypt_smime( +- enveloped, certificate, private_key, options +- ) +- assert decrypted == data.replace(b"\n", b"\r\n") ++ # Test decryption ++ decrypted = pkcs7.pkcs7_decrypt_smime( ++ enveloped, certificate, private_key, options ++ ) ++ assert decrypted == data.replace(b"\n", b"\r\n") + + def test_pkcs7_decrypt_no_encrypted_content( + self, backend, data, certificate, private_key +@@ -1299,13 +1308,14 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, []) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, []) + +- # Test decryption with text option +- with pytest.raises(ValueError): +- pkcs7.pkcs7_decrypt_der( +- enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] +- ) ++ # Test decryption with text option ++ with pytest.raises(ValueError): ++ pkcs7.pkcs7_decrypt_der( ++ enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] ++ ) + + def test_pkcs7_decrypt_text_html_content_type( + self, backend, certificate, private_key +@@ -1317,16 +1327,17 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt( +- serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] +- ) +- +- # Test decryption with text option +- with pytest.raises(ValueError): +- pkcs7.pkcs7_decrypt_der( +- enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt( ++ serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] + ) + ++ # Test decryption with text option ++ with pytest.raises(ValueError): ++ pkcs7.pkcs7_decrypt_der( ++ enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] ++ ) ++ + def test_smime_decrypt_no_recipient_match( + self, backend, data, certificate, rsa_key_2048: rsa.RSAPrivateKey + ): +@@ -1336,21 +1347,22 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, []) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, []) + +- # Prepare another RSA chain +- another_private_key = RSA_KEY_2048_ALT.private_key( +- unsafe_skip_rsa_key_validation=True +- ) +- _, another_cert = _generate_ca_and_leaf( +- rsa_key_2048, another_private_key +- ) +- +- # Test decryption with another RSA chain +- with pytest.raises(ValueError): +- pkcs7.pkcs7_decrypt_der( +- enveloped, another_cert, another_private_key, [] ++ # Prepare another RSA chain ++ another_private_key = RSA_KEY_2048_ALT.private_key( ++ unsafe_skip_rsa_key_validation=True + ) ++ _, another_cert = _generate_ca_and_leaf( ++ rsa_key_2048, another_private_key ++ ) ++ ++ # Test decryption with another RSA chain ++ with pytest.raises(ValueError): ++ pkcs7.pkcs7_decrypt_der( ++ enveloped, another_cert, another_private_key, [] ++ ) + + def test_smime_decrypt_unsupported_key_encryption_algorithm( + self, backend, data, certificate, private_key +@@ -1373,7 +1385,7 @@ class TestPKCS7Decrypt: + mode="rb", + ) + +- with pytest.raises(exceptions.UnsupportedAlgorithm): ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): + pkcs7.pkcs7_decrypt_pem(enveloped, certificate, private_key, []) + + def test_smime_decrypt_not_enveloped( +diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py +index 17c8c7c..7af9899 100644 +--- a/tests/hazmat/primitives/test_rsa.py ++++ b/tests/hazmat/primitives/test_rsa.py +@@ -1710,8 +1710,9 @@ class TestRSADecryption: + ).private_key(backend, unsafe_skip_rsa_key_validation=True) + ciphertext = binascii.unhexlify(example["encryption"]) + assert len(ciphertext) == (skey.key_size + 7) // 8 +- message = skey.decrypt(ciphertext, padding.PKCS1v15()) +- assert message == binascii.unhexlify(example["message"]) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ message = skey.decrypt(ciphertext, padding.PKCS1v15()) ++ assert message == binascii.unhexlify(example["message"]) + + def test_unsupported_padding( + self, rsa_key_2048: rsa.RSAPrivateKey, backend +@@ -2069,11 +2070,12 @@ class TestRSAEncryption: + _check_fips_key_length(backend, private_key) + pt = b"encrypt me!" + public_key = private_key.public_key() +- ct = public_key.encrypt(pt, pad) +- assert ct != pt +- assert len(ct) == (public_key.key_size + 7) // 8 +- recovered_pt = private_key.decrypt(ct, pad) +- assert recovered_pt == pt ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ ct = public_key.encrypt(pt, pad) ++ assert ct != pt ++ assert len(ct) == (public_key.key_size + 7) // 8 ++ recovered_pt = private_key.decrypt(ct, pad) ++ assert recovered_pt == pt + + @pytest.mark.parametrize( + ("key_data", "pad"), +-- +2.27.0 + diff --git a/python-cryptography.spec b/python-cryptography.spec index 07ba4223073f1f22d90532b8bb9d0f7c76ed152d..33cc3d181af6d7bafa7abf76efd4cb6c1576c6e3 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,16 +1,23 @@ -%global srcname cryptography -Name: python-%{srcname} -Version: 3.3.1 -Release: 2 +%global pypi_name cryptography +Name: python-%{pypi_name} +Version: 45.0.5 +Release: 3 Summary: PyCA's cryptography library -License: ASL 2.0 or BSD -URL: https://cryptography.io/en/latest/ -Source0: %{pypi_source} - -Patch6000: backport-CVE-2020-36242.patch - -BuildRequires: openssl-devel +License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 +URL: https://cryptography.io/en/latest/ +Source0: %{pypi_source %{pypi_name}} +# For Rust offline compile +# Decompress the source code of cryptography, then enter ./src/rust directory, +# execute "cargo vendor" to obtain "vendor" directory (Internet connection required), +# finally, tar -czvf cargo-vendor-cache vendor +# Note: Cargo needs to be consistent with the cargo version in the compile environment. +Source1: cargo-vendor-cache + +Patch9000: disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch + +BuildRequires: openssl-devel cargo BuildRequires: gcc +BuildRequires: rust-packaging rust BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-pytest >= 3.2.1 @@ -18,59 +25,143 @@ BuildRequires: python%{python3_pkgversion}-setuptools BuildRequires: python%{python3_pkgversion}-pretend BuildRequires: python%{python3_pkgversion}-iso8601 BuildRequires: python%{python3_pkgversion}-cryptography-vectors = %{version} -BuildRequires: python%{python3_pkgversion}-asn1crypto >= 0.21 BuildRequires: python%{python3_pkgversion}-hypothesis >= 1.11.4 BuildRequires: python%{python3_pkgversion}-pytz -BuildRequires: python%{python3_pkgversion}-idna >= 2.1 -BuildRequires: python%{python3_pkgversion}-six >= 1.4.1 -BuildRequires: python%{python3_pkgversion}-cffi >= 1.7 +BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 +BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 1.7.0 +BuildRequires: python%{python3_pkgversion}-wheel +BuildRequires: python%{python3_pkgversion}-maturin +BuildRequires: python3-pip +BuildRequires: python3-pytest-subtests +BuildRequires: python3-pytest-benchmark +BuildRequires: python3-certifi +BuildRequires: python3-bcrypt %description cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. -%package -n python%{python3_pkgversion}-cryptography +%package -n python%{python3_pkgversion}-%{pypi_name} Summary: PyCA's cryptography library Requires: openssl-libs -Requires: python%{python3_pkgversion}-idna >= 2.1 -Requires: python%{python3_pkgversion}-asn1crypto >= 0.21 -Requires: python%{python3_pkgversion}-six >= 1.4.1 -Requires: python%{python3_pkgversion}-cffi >= 1.7 +Requires: python%{python3_pkgversion}-cffi >= 1.12 -%{?python_provide:%python_provide python%{python3_pkgversion}-cryptography} +%{?python_provide:%python_provide python%{python3_pkgversion}-%{pypi_name}} -%description -n python%{python3_pkgversion}-cryptography +%description -n python%{python3_pkgversion}-%{pypi_name} cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %package_help %prep -%autosetup -n cryptography-%{version} -p1 +%autosetup -n %{pypi_name}-%{version} -p1 +tar xzvf %{SOURCE1} -C ./src/rust/ +mkdir .cargo +cat >> .cargo/config.toml << EOF +[source.crates-io] +replace-with = "vendored-sources" + +[source.vendored-sources] +directory = "src/rust/vendor" + +[profile.release] +debug = true # https://doc.rust-lang.org/rustc/codegen-options/index.html#debuginfo +EOF + %build -%py3_build +%pyproject_build %install -%py3_install +%pyproject_install %check -PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_buffer_protocol_alternate_modes or test_dh_parameters_supported or test_load_ecdsa_no_named_curve)" +PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest --ignore vendor -%files -n python%{python3_pkgversion}-cryptography +%files -n python%{python3_pkgversion}-%{pypi_name} %defattr(-,root,root) -%doc AUTHORS.rst +#%doc AUTHORS.rst %license LICENSE LICENSE.APACHE LICENSE.BSD -%{python3_sitearch}/* -%{python3_sitearch}/cryptography-%{version}-py*.egg-info +%{python3_sitearch}/%{pypi_name} +%{python3_sitearch}/%{pypi_name}-%{version}.dist-info +%exclude %{python3_sitearch}/rust/* %files help %defattr(-,root,root) %doc README.rst docs %changelog +*Mon Nov 03 2025 Liu Wang <1823363429@qq.com> - 45.0.5-3 +- Update release to 45.0.5 + +* Thu Jul 24 2025 shixuantong - 45.0.5-2 +- disable RSA PKCS#1v1.5 padding to fix CVE-2023-50782 + +* Wed Jul 16 2025 Dongxing Wang - 45.0.5-1 +- Upgrade package to 45.0.5 + +* Thu Jan 16 2025 Ge Wang - 44.0.0-1 +- update to version 44.0.0 + +* Fri Jul 26 2024 shixuantong - 42.0.7-2 +- enable check + +* Fri Jul 19 2024 liweigang - 42.0.7-1 +- update to version 42.0.7 +- license compliance rectification + +* Thu Apr 18 2024 shixuantong - 42.0.2-3 +- set debug is true for build debug package +- add rust to BuildRequires + +* Tue Feb 27 2024 shixuantong - 42.0.2-2 +- fix CVE-2024-26130 + +* Thu Feb 01 2024 shixuantong - 42.0.2-1 +- upgrade version to 42.0.2 + +* Sat Dec 23 2023 shixuanttong - 40.0.2-5 +- update author info for Patch6002 + +* Sat Dec 2 2023 liningjie - 40.0.2-4 +- raise an exception instead of returning an empty list for pkcs7 cert loading + +* Wed Nov 29 2023 liningjie - 40.0.2-3 +- Fixed crash when loading a PKCS#7 bundle with no certificates + +* Tue Jul 25 2023 shixuantong - 40.0.2-2 +- fix CVE-2023-38325 + +* Fri May 19 2023 Dongxing Wang - 40.0.2-1 +- Upgrade package to 40.0.2 + +* Tue Feb 14 2023 zhuofeng - 39.0.0-2 +- Type:CVE +- CVE:CVE-2023-23931 +- SUG:NA +- DESC:fix CVE-2023-23931 + +* Fri Feb 3 2023 huangduirong - 39.0.0-1 +- Upgrade package to 39.0.0 + +* Tue Jul 19 2022 huangtianhua - 36.0.1-1 +- Upgrade package to 36.0.1 + +* Fri Jul 01 2022 tianwei -3.3.1-4 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC: provide openssl apis related to SM for python + +* Thu Jun 30 2022 tianwei -3.3.1-3 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC: add SM4 symmetric block cipher + * Tue Feb 23 2021 shixuantong - 3.3.1-2 - fix CVE-2020-36242