diff --git a/Revert-Another-sweep-removing-unused-bindings-9671.patch b/Revert-Another-sweep-removing-unused-bindings-9671.patch deleted file mode 100644 index b4ba76ec40cd50a2f4bb5d831a83e991219dc197..0000000000000000000000000000000000000000 --- a/Revert-Another-sweep-removing-unused-bindings-9671.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 0b350a4d2d97cbb0ae52e929cfaed1e25bc79845 Mon Sep 17 00:00:00 2001 -From: sxt1001 -Date: Sun, 25 May 2025 05:52:26 +0800 -Subject: [PATCH 3/5] Revert 'Another sweep removing unused bindings (#9671)' - -https://github.com/pyca/cryptography/commit/057241cd302271467a11dd796c41328b50460b0f ---- - src/_cffi_src/openssl/evp.py | 23 +++++++++++++++++++++++ - 1 file changed, 23 insertions(+) - -diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py -index c304684..f1bf36d 100644 ---- a/src/_cffi_src/openssl/evp.py -+++ b/src/_cffi_src/openssl/evp.py -@@ -61,6 +61,11 @@ int EVP_PKEY_type(int); - int EVP_PKEY_size(EVP_PKEY *); - RSA *EVP_PKEY_get1_RSA(EVP_PKEY *); - -+int EVP_PKEY_encrypt(EVP_PKEY_CTX *, unsigned char *, size_t *, -+ const unsigned char *, size_t); -+int EVP_PKEY_decrypt(EVP_PKEY_CTX *, unsigned char *, size_t *, -+ const unsigned char *, size_t); -+ - int EVP_SignInit(EVP_MD_CTX *, const EVP_MD *); - int EVP_SignUpdate(EVP_MD_CTX *, const void *, size_t); - int EVP_SignFinal(EVP_MD_CTX *, unsigned char *, unsigned int *, EVP_PKEY *); -@@ -74,9 +79,25 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *, const void *, size_t); - int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, - size_t siglen); - -+EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *, ENGINE *); -+void EVP_PKEY_CTX_free(EVP_PKEY_CTX *); -+int EVP_PKEY_sign_init(EVP_PKEY_CTX *); -+int EVP_PKEY_sign(EVP_PKEY_CTX *, unsigned char *, size_t *, -+ const unsigned char *, size_t); -+int EVP_PKEY_verify_init(EVP_PKEY_CTX *); -+int EVP_PKEY_verify(EVP_PKEY_CTX *, const unsigned char *, size_t, -+ const unsigned char *, size_t); -+int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *); -+int EVP_PKEY_verify_recover(EVP_PKEY_CTX *, unsigned char *, -+ size_t *, const unsigned char *, size_t); -+int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *); -+int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *); -+ - int EVP_PKEY_set1_RSA(EVP_PKEY *, RSA *); - int EVP_PKEY_set1_DSA(EVP_PKEY *, DSA *); - -+int EVP_PKEY_cmp(const EVP_PKEY *, const EVP_PKEY *); -+ - int EVP_PKEY_id(const EVP_PKEY *); - - EVP_MD_CTX *EVP_MD_CTX_new(void); -@@ -91,6 +112,8 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); - void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx); - const EVP_MD *EVP_sm3(void); - -+int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *, const EVP_MD *); -+ - int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int); - """ - --- -2.43.0 - diff --git a/Revert-Remove-now-unused-OpenSSL-password-callback-1.patch b/Revert-Remove-now-unused-OpenSSL-password-callback-1.patch deleted file mode 100644 index 9093bdc5d605aa56327086e9146d048850d4d32e..0000000000000000000000000000000000000000 --- a/Revert-Remove-now-unused-OpenSSL-password-callback-1.patch +++ /dev/null @@ -1,125 +0,0 @@ -From ef16eb7f84e5cdc9e0574092003d7227a9e2a8a5 Mon Sep 17 00:00:00 2001 -From: sxt1001 -Date: Sun, 25 May 2025 05:49:10 +0800 -Subject: [PATCH 2/5] Revert 'Remove now unused OpenSSL password callback - (#10145)' - -https://github.com/pyca/cryptography/commit/efb98b43f89466ff8034b5fe7667980e6cba31fb ---- - src/_cffi_src/build_openssl.py | 1 + - src/_cffi_src/openssl/callbacks.py | 52 +++++++++++++++++++++++++++ - tests/hazmat/backends/test_openssl.py | 27 ++++++++++++++ - 3 files changed, 80 insertions(+) - create mode 100644 src/_cffi_src/openssl/callbacks.py - -diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py -index 6065e7a..5af6762 100644 ---- a/src/_cffi_src/build_openssl.py -+++ b/src/_cffi_src/build_openssl.py -@@ -46,6 +46,7 @@ ffi = build_ffi_for_binding( - "x509v3", - "x509_vfy", - "pkcs7", -+ "callbacks", - ], - ) - -diff --git a/src/_cffi_src/openssl/callbacks.py b/src/_cffi_src/openssl/callbacks.py -new file mode 100644 -index 0000000..ddb7642 ---- /dev/null -+++ b/src/_cffi_src/openssl/callbacks.py -@@ -0,0 +1,52 @@ -+# This file is dual licensed under the terms of the Apache License, Version -+# 2.0, and the BSD License. See the LICENSE file in the root of this repository -+# for complete details. -+ -+from __future__ import annotations -+ -+INCLUDES = """ -+#include -+""" -+ -+TYPES = """ -+typedef struct { -+ char *password; -+ int length; -+ int called; -+ int error; -+ int maxsize; -+} CRYPTOGRAPHY_PASSWORD_DATA; -+""" -+ -+FUNCTIONS = """ -+int Cryptography_pem_password_cb(char *, int, int, void *); -+""" -+ -+CUSTOMIZATIONS = """ -+typedef struct { -+ char *password; -+ int length; -+ int called; -+ int error; -+ int maxsize; -+} CRYPTOGRAPHY_PASSWORD_DATA; -+ -+int Cryptography_pem_password_cb(char *buf, int size, -+ int rwflag, void *userdata) { -+ /* The password cb is only invoked if OpenSSL decides the private -+ key is encrypted. So this path only occurs if it needs a password */ -+ CRYPTOGRAPHY_PASSWORD_DATA *st = (CRYPTOGRAPHY_PASSWORD_DATA *)userdata; -+ st->called += 1; -+ st->maxsize = size; -+ if (st->length == 0) { -+ st->error = -1; -+ return 0; -+ } else if (st->length < size) { -+ memcpy(buf, st->password, (size_t)st->length); -+ return st->length; -+ } else { -+ st->error = -2; -+ return 0; -+ } -+} -+""" -diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py -index a289c5b..5c86731 100644 ---- a/tests/hazmat/backends/test_openssl.py -+++ b/tests/hazmat/backends/test_openssl.py -@@ -238,6 +238,33 @@ class TestOpenSSLRSA: - - - class TestOpenSSLSerializationWithOpenSSL: -+ def test_pem_password_cb(self): -+ userdata = backend._ffi.new("CRYPTOGRAPHY_PASSWORD_DATA *") -+ pw = b"abcdefg" -+ password = backend._ffi.new("char []", pw) -+ userdata.password = password -+ userdata.length = len(pw) -+ buflen = 10 -+ buf = backend._ffi.new("char []", buflen) -+ res = backend._lib.Cryptography_pem_password_cb( -+ buf, buflen, 0, userdata -+ ) -+ assert res == len(pw) -+ assert userdata.called == 1 -+ assert backend._ffi.buffer(buf, len(pw))[:] == pw -+ assert userdata.maxsize == buflen -+ assert userdata.error == 0 -+ -+ def test_pem_password_cb_no_password(self): -+ userdata = backend._ffi.new("CRYPTOGRAPHY_PASSWORD_DATA *") -+ buflen = 10 -+ buf = backend._ffi.new("char []", buflen) -+ res = backend._lib.Cryptography_pem_password_cb( -+ buf, buflen, 0, userdata -+ ) -+ assert res == 0 -+ assert userdata.error == -1 -+ - def test_unsupported_evp_pkey_type(self): - key = backend._lib.EVP_PKEY_new() - key = backend._ffi.gc(key, backend._lib.EVP_PKEY_free) --- -2.43.0 - diff --git a/Revert-Remove-now-unused-bindings-8778.patch b/Revert-Remove-now-unused-bindings-8778.patch deleted file mode 100644 index 85e3a047e6c0448648ad6a1ee0cb04237674c1c7..0000000000000000000000000000000000000000 --- a/Revert-Remove-now-unused-bindings-8778.patch +++ /dev/null @@ -1,59 +0,0 @@ -From d07a36b452c23ed3b773bda49ebb811aab730718 Mon Sep 17 00:00:00 2001 -From: sxt1001 -Date: Sun, 25 May 2025 06:05:42 +0800 -Subject: [PATCH 5/5] Revert 'Remove now unused bindings (#8778)' - -https://github.com/pyca/cryptography/commit/c7cbfeccac42e434a5c67578054b9b5df50659bb ---- - src/_cffi_src/openssl/evp.py | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py -index e01b22f..7306e73 100644 ---- a/src/_cffi_src/openssl/evp.py -+++ b/src/_cffi_src/openssl/evp.py -@@ -53,6 +53,10 @@ EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); - void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *); - int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *, int); - -+int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *); -+int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, ENGINE *); -+int EVP_DigestUpdate(EVP_MD_CTX *, const void *, size_t); -+int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *); - const EVP_MD *EVP_get_digestbyname(const char *); - - EVP_PKEY *EVP_PKEY_new(void); -@@ -83,8 +87,11 @@ int EVP_DigestSignFinal(EVP_MD_CTX *, unsigned char *, size_t *); - int EVP_DigestVerifyUpdate(EVP_MD_CTX *, const void *, size_t); - int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, - size_t siglen); -+int EVP_DigestVerifyInit(EVP_MD_CTX *, EVP_PKEY_CTX **, const EVP_MD *, -+ ENGINE *, EVP_PKEY *); - - EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *, ENGINE *); -+EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int, ENGINE *); - void EVP_PKEY_CTX_free(EVP_PKEY_CTX *); - int EVP_PKEY_sign_init(EVP_PKEY_CTX *); - int EVP_PKEY_sign(EVP_PKEY_CTX *, unsigned char *, size_t *, -@@ -103,6 +110,9 @@ int EVP_PKEY_set1_DSA(EVP_PKEY *, DSA *); - - int EVP_PKEY_cmp(const EVP_PKEY *, const EVP_PKEY *); - -+int EVP_PKEY_keygen_init(EVP_PKEY_CTX *); -+int EVP_PKEY_keygen(EVP_PKEY_CTX *, EVP_PKEY **); -+ - int EVP_PKEY_id(const EVP_PKEY *); - - EVP_MD_CTX *EVP_MD_CTX_new(void); -@@ -110,6 +120,8 @@ void EVP_MD_CTX_free(EVP_MD_CTX *); - - int EVP_DigestSign(EVP_MD_CTX *, unsigned char *, size_t *, - const unsigned char *, size_t); -+int EVP_DigestVerify(EVP_MD_CTX *, const unsigned char *, size_t, -+ const unsigned char *, size_t); - - int EVP_PKEY_bits(const EVP_PKEY *); - --- -2.27.0 - diff --git a/Revert-Remove-unused-bindings-8972.patch b/Revert-Remove-unused-bindings-8972.patch deleted file mode 100644 index 817403bdcb0e1230b03e8003882baabce0a36d9a..0000000000000000000000000000000000000000 --- a/Revert-Remove-unused-bindings-8972.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 985b1b01dfa9976d1b845cd5b24a932c0a30ec48 Mon Sep 17 00:00:00 2001 -From: sxt1001 -Date: Sun, 25 May 2025 06:01:19 +0800 -Subject: [PATCH 4/5] Revert 'Remove unused bindings (#8972)' - -https://github.com/pyca/cryptography/commit/288c302b5041c45dbdb1a567885f50cf953519a7 ---- - src/_cffi_src/openssl/evp.py | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py -index f1bf36d..e01b22f 100644 ---- a/src/_cffi_src/openssl/evp.py -+++ b/src/_cffi_src/openssl/evp.py -@@ -75,6 +75,11 @@ int EVP_VerifyUpdate(EVP_MD_CTX *, const void *, size_t); - int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int, - EVP_PKEY *); - -+int EVP_DigestSignInit(EVP_MD_CTX *, EVP_PKEY_CTX **, const EVP_MD *, -+ ENGINE *, EVP_PKEY *); -+int EVP_DigestSignUpdate(EVP_MD_CTX *, const void *, size_t); -+int EVP_DigestSignFinal(EVP_MD_CTX *, unsigned char *, size_t *); -+ - int EVP_DigestVerifyUpdate(EVP_MD_CTX *, const void *, size_t); - int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, - size_t siglen); -@@ -103,6 +108,9 @@ int EVP_PKEY_id(const EVP_PKEY *); - EVP_MD_CTX *EVP_MD_CTX_new(void); - void EVP_MD_CTX_free(EVP_MD_CTX *); - -+int EVP_DigestSign(EVP_MD_CTX *, unsigned char *, size_t *, -+ const unsigned char *, size_t); -+ - int EVP_PKEY_bits(const EVP_PKEY *); - - int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *); --- -2.43.0 - diff --git a/add-_load_key-function.patch b/add-_load_key-function.patch deleted file mode 100644 index 744e926e15a5d9220f1cc534bc42cdffdaba4728..0000000000000000000000000000000000000000 --- a/add-_load_key-function.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 7dfaeee7c960f1f9ef87219ab1512d9feaa32d4a Mon Sep 17 00:00:00 2001 -From: sxt1001 -Date: Sun, 25 May 2025 04:34:13 +0800 -Subject: [PATCH 1/5] add _load_key() function - -Migrate private key parsing to Rust: -https://github.com/pyca/cryptography/commit/35dce91babab3e3e7553be2bbd10f87e06f25893#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5 (delete _load_key() function) - -add unsafe_skip_rsa_key_validation: -https://github.com/pyca/cryptography/commit/01687d63a5cb4475d84feae959bec6dea5fce3f1#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5 ---- - .../hazmat/backends/openssl/backend.py | 53 +++++++++++++++++++ - 1 file changed, 53 insertions(+) - -diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py -index 12fbebe..7d0769d 100644 ---- a/src/cryptography/hazmat/backends/openssl/backend.py -+++ b/src/cryptography/hazmat/backends/openssl/backend.py -@@ -453,6 +453,59 @@ class Backend: - self.openssl_assert(evp_pkey != self._ffi.NULL) - return self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) - -+ def _load_key(self, openssl_read_func, convert_func, data, password): -+ mem_bio = self._bytes_to_bio(data) -+ -+ userdata = self._ffi.new("CRYPTOGRAPHY_PASSWORD_DATA *") -+ if password is not None: -+ utils._check_byteslike("password", password) -+ password_ptr = self._ffi.from_buffer(password) -+ userdata.password = password_ptr -+ userdata.length = len(password) -+ -+ evp_pkey = openssl_read_func( -+ mem_bio.bio, -+ self._ffi.NULL, -+ self._ffi.addressof( -+ self._lib._original_lib, "Cryptography_pem_password_cb" -+ ), -+ userdata, -+ ) -+ -+ if evp_pkey == self._ffi.NULL: -+ if userdata.error != 0: -+ self._consume_errors() -+ if userdata.error == -1: -+ raise TypeError( -+ "Password was not given but private key is encrypted" -+ ) -+ else: -+ assert userdata.error == -2 -+ raise ValueError( -+ "Passwords longer than {} bytes are not supported " -+ "by this backend.".format(userdata.maxsize - 1) -+ ) -+ else: -+ self._handle_key_loading_error() -+ -+ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will -+ # successfully load but errors are still put on the stack. Tracked -+ # as https://github.com/openssl/openssl/issues/14996 -+ self._consume_errors() -+ -+ evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free) -+ -+ if password is not None and userdata.called == 0: -+ raise TypeError( -+ "Password was given but private key is not encrypted." -+ ) -+ -+ assert ( -+ password is not None and userdata.called == 1 -+ ) or password is None -+ -+ return convert_func(evp_pkey) -+ - def _handle_key_loading_error( - self, errors: list[rust_openssl.OpenSSLError] - ) -> typing.NoReturn: --- -2.43.0 - diff --git a/backport-CVE-2024-26130.patch b/backport-CVE-2024-26130.patch deleted file mode 100644 index 9b0d27961d09f02c9255a7d09ae2ecf0eca571f1..0000000000000000000000000000000000000000 --- a/backport-CVE-2024-26130.patch +++ /dev/null @@ -1,63 +0,0 @@ -From fc9611c3260f4d38a87227febf43d758938a8a75 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor -Date: Mon, 19 Feb 2024 11:50:28 -0500 -Subject: [PATCH] Fixes #10422 -- don't crash when a PKCS#12 key and cert don't - match (#10423) - ---- - .../hazmat/backends/openssl/backend.py | 9 +++++++++ - tests/hazmat/primitives/test_pkcs12.py | 18 ++++++++++++++++++ - 2 files changed, 27 insertions(+) - -diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py -index 5d9eb27..12fbebe 100644 ---- a/src/cryptography/hazmat/backends/openssl/backend.py -+++ b/src/cryptography/hazmat/backends/openssl/backend.py -@@ -826,6 +826,15 @@ class Backend: - mac_iter, - 0, - ) -+ if p12 == self._ffi.NULL: -+ errors = self._consume_errors() -+ raise ValueError( -+ ( -+ "Failed to create PKCS12 (does the key match the " -+ "certificate?)" -+ ), -+ errors, -+ ) - - if ( - self._lib.Cryptography_HAS_PKCS12_SET_MAC -diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py -index cd9c279..cd7bcaf 100644 ---- a/tests/hazmat/primitives/test_pkcs12.py -+++ b/tests/hazmat/primitives/test_pkcs12.py -@@ -657,6 +657,24 @@ class TestPKCS12Creation: - b"name", cakey, cacert, [], algorithm - ) - -+ @pytest.mark.supported( -+ only_if=lambda backend: backend._lib.Cryptography_HAS_PKCS12_SET_MAC, -+ skip_message="Requires OpenSSL with PKCS12_set_mac", -+ ) -+ def test_set_mac_key_certificate_mismatch(self, backend): -+ cacert, _ = _load_ca(backend) -+ key = ec.generate_private_key(ec.SECP256R1()) -+ encryption = ( -+ serialization.PrivateFormat.PKCS12.encryption_builder() -+ .hmac_hash(hashes.SHA256()) -+ .build(b"password") -+ ) -+ -+ with pytest.raises(ValueError): -+ serialize_key_and_certificates( -+ b"name", key, cacert, [], encryption -+ ) -+ - - @pytest.mark.skip_fips( - reason="PKCS12 unsupported in FIPS mode. So much bad crypto in it." --- -2.27.0 - diff --git a/backport-provide-openssl-apis-related-to-SM-for-python.patch b/backport-provide-openssl-apis-related-to-SM-for-python.patch deleted file mode 100644 index 68f469a5e2265c599a56e0e4e1116bcecae6cdca..0000000000000000000000000000000000000000 --- a/backport-provide-openssl-apis-related-to-SM-for-python.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 52325495900f1bd9e1f228f24c81c0746520dc85 Mon Sep 17 00:00:00 2001 -From: hanxinke -Date: Tue, 3 Aug 2021 10:45:22 +0800 -Subject: [PATCH] provide openssl apis related to SM for python - -Signed-off-by: hanxinke ---- - src/_cffi_src/openssl/evp.py | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py -index 54f5388..c304684 100644 ---- a/src/_cffi_src/openssl/evp.py -+++ b/src/_cffi_src/openssl/evp.py -@@ -32,6 +32,7 @@ static const int EVP_CTRL_AEAD_SET_TAG; - - static const int Cryptography_HAS_SCRYPT; - static const int Cryptography_HAS_EVP_PKEY_DHX; -+static const int EVP_PKEY_SM2; - static const long Cryptography_HAS_300_FIPS; - static const long Cryptography_HAS_300_EVP_CIPHER; - """ -@@ -69,6 +70,9 @@ int EVP_VerifyUpdate(EVP_MD_CTX *, const void *, size_t); - int EVP_VerifyFinal(EVP_MD_CTX *, const unsigned char *, unsigned int, - EVP_PKEY *); - -+int EVP_DigestVerifyUpdate(EVP_MD_CTX *, const void *, size_t); -+int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, -+ size_t siglen); - - int EVP_PKEY_set1_RSA(EVP_PKEY *, RSA *); - int EVP_PKEY_set1_DSA(EVP_PKEY *, DSA *); -@@ -84,6 +88,9 @@ int EVP_PKEY_assign_RSA(EVP_PKEY *, RSA *); - - int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *, int, int, void *); - -+void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx); -+const EVP_MD *EVP_sm3(void); -+ - int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int); - """ - --- -2.27.0 - diff --git a/cargo-vendor-cache b/cargo-vendor-cache new file mode 100644 index 0000000000000000000000000000000000000000..b79753d6f725d7a7cbe48fdf7b80fd6ed3c8433c Binary files /dev/null and b/cargo-vendor-cache differ diff --git a/cargo-vendor-cache.tar.gz b/cargo-vendor-cache.tar.gz deleted file mode 100644 index f1876f8d92316969e6b445be4322040bbd070b57..0000000000000000000000000000000000000000 Binary files a/cargo-vendor-cache.tar.gz and /dev/null differ diff --git a/cryptography-42.0.2.tar.gz b/cryptography-42.0.2.tar.gz deleted file mode 100644 index b68881182ef1eede839a433ca3a3999b3f8366d2..0000000000000000000000000000000000000000 Binary files a/cryptography-42.0.2.tar.gz and /dev/null differ diff --git a/cryptography-45.0.5.tar.gz b/cryptography-45.0.5.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..57554c75628f3488f26ecb9477c1be310e001ae2 Binary files /dev/null and b/cryptography-45.0.5.tar.gz differ diff --git a/disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch b/disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch new file mode 100644 index 0000000000000000000000000000000000000000..91953fd86353384cb17deb51145070e327f3702a --- /dev/null +++ b/disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch @@ -0,0 +1,479 @@ +From fe6fe6fac2671a37eba40b4c6b2e8f356605761d Mon Sep 17 00:00:00 2001 +From: shixuantong +Date: Tue, 29 Jul 2025 09:55:25 +0800 +Subject: [PATCH] disable RSA PKCS#1v1.5 padding to fix CVE-2023-50782 + +--- + src/rust/src/backend/rsa.rs | 6 +- + tests/hazmat/primitives/test_pkcs7.py | 304 +++++++++++++------------- + tests/hazmat/primitives/test_rsa.py | 16 +- + 3 files changed, 172 insertions(+), 154 deletions(-) + +diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs +index b490e1c..7e65ca2 100644 +--- a/src/rust/src/backend/rsa.rs ++++ b/src/rust/src/backend/rsa.rs +@@ -92,7 +92,11 @@ fn setup_encryption_ctx( + } + + let padding_enum = if padding.is_instance(&types::PKCS1V15.get(py)?)? { +- openssl::rsa::Padding::PKCS1 ++ return Err(CryptographyError::from( ++ pyo3::exceptions::PyValueError::new_err( ++ "RSA PKCS#1v1.5 has security problems and it has been banned.", ++ ), ++ )); + } else if padding.is_instance(&types::OAEP.get(py)?)? { + if !padding + .getattr(pyo3::intern!(py, "_mgf"))? +diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py +index 1496a23..ec691de 100644 +--- a/tests/hazmat/primitives/test_pkcs7.py ++++ b/tests/hazmat/primitives/test_pkcs7.py +@@ -982,45 +982,46 @@ class TestPKCS7EnvelopeBuilder: + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) +- enveloped = builder.encrypt(serialization.Encoding.SMIME, options) +- assert b"MIME-Version: 1.0\n" in enveloped +- assert b"Content-Transfer-Encoding: base64\n" in enveloped +- message = email.parser.BytesParser().parsebytes(enveloped) +- assert message.get_content_disposition() == "attachment" +- assert message.get_filename() == "smime.p7m" +- assert message.get_content_type() == "application/pkcs7-mime" +- assert message.get_param("smime-type") == "enveloped-data" +- assert message.get_param("name") == "smime.p7m" +- +- payload = message.get_payload(decode=True) +- assert isinstance(payload, bytes) +- +- # We want to know if we've serialized something that has the parameters +- # we expect, so we match on specific byte strings of OIDs & DER values. +- # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) +- assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in payload +- # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) +- assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in payload +- # cryptography CA (the recipient's Common Name) +- assert ( +- b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" +- b"\x20\x43\x41" +- ) in payload ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.SMIME, options) ++ assert b"MIME-Version: 1.0\n" in enveloped ++ assert b"Content-Transfer-Encoding: base64\n" in enveloped ++ message = email.parser.BytesParser().parsebytes(enveloped) ++ assert message.get_content_disposition() == "attachment" ++ assert message.get_filename() == "smime.p7m" ++ assert message.get_content_type() == "application/pkcs7-mime" ++ assert message.get_param("smime-type") == "enveloped-data" ++ assert message.get_param("name") == "smime.p7m" ++ ++ payload = message.get_payload(decode=True) ++ assert isinstance(payload, bytes) ++ ++ # We want to know if we've serialized something that has the parameters ++ # we expect, so we match on specific byte strings of OIDs & DER values. ++ # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) ++ assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in payload ++ # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) ++ assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in payload ++ # cryptography CA (the recipient's Common Name) ++ assert ( ++ b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" ++ b"\x20\x43\x41" ++ ) in payload + +- decrypted_bytes = pkcs7.pkcs7_decrypt_smime( +- enveloped, +- cert, +- private_key, +- [o for o in options if o != pkcs7.PKCS7Options.Binary], +- ) ++ decrypted_bytes = pkcs7.pkcs7_decrypt_smime( ++ enveloped, ++ cert, ++ private_key, ++ [o for o in options if o != pkcs7.PKCS7Options.Binary], ++ ) + +- # New lines are canonicalized to '\r\n' when not using Binary +- expected_data = ( +- data +- if pkcs7.PKCS7Options.Binary in options +- else data.replace(b"\n", b"\r\n") +- ) +- assert decrypted_bytes == expected_data ++ # New lines are canonicalized to '\r\n' when not using Binary ++ expected_data = ( ++ data ++ if pkcs7.PKCS7Options.Binary in options ++ else data.replace(b"\n", b"\r\n") ++ ) ++ assert decrypted_bytes == expected_data + + @pytest.mark.parametrize( + "options", +@@ -1035,33 +1036,34 @@ class TestPKCS7EnvelopeBuilder: + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, options) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, options) + +- # We want to know if we've serialized something that has the parameters +- # we expect, so we match on specific byte strings of OIDs & DER values. +- # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) +- assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in enveloped +- # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) +- assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in enveloped +- # cryptography CA (the recipient's Common Name) +- assert ( +- b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" +- b"\x20\x43\x41" +- ) in enveloped ++ # We want to know if we've serialized something that has the parameters ++ # we expect, so we match on specific byte strings of OIDs & DER values. ++ # OID 2.16.840.1.101.3.4.1.2 (aes128-CBC) ++ assert b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x02" in enveloped ++ # OID 1.2.840.113549.1.1.1 (rsaEncryption (PKCS #1)) ++ assert b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01" in enveloped ++ # cryptography CA (the recipient's Common Name) ++ assert ( ++ b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61\x70\x68\x79" ++ b"\x20\x43\x41" ++ ) in enveloped + +- decrypted_bytes = pkcs7.pkcs7_decrypt_der( +- enveloped, +- cert, +- private_key, +- [o for o in options if o != pkcs7.PKCS7Options.Binary], +- ) +- # New lines are canonicalized to '\r\n' when not using Binary +- expected_data = ( +- data +- if pkcs7.PKCS7Options.Binary in options +- else data.replace(b"\n", b"\r\n") +- ) +- assert decrypted_bytes == expected_data ++ decrypted_bytes = pkcs7.pkcs7_decrypt_der( ++ enveloped, ++ cert, ++ private_key, ++ [o for o in options if o != pkcs7.PKCS7Options.Binary], ++ ) ++ # New lines are canonicalized to '\r\n' when not using Binary ++ expected_data = ( ++ data ++ if pkcs7.PKCS7Options.Binary in options ++ else data.replace(b"\n", b"\r\n") ++ ) ++ assert decrypted_bytes == expected_data + + @pytest.mark.parametrize( + "options", +@@ -1076,21 +1078,22 @@ class TestPKCS7EnvelopeBuilder: + builder = ( + pkcs7.PKCS7EnvelopeBuilder().set_data(data).add_recipient(cert) + ) +- enveloped = builder.encrypt(serialization.Encoding.PEM, options) +- decrypted_bytes = pkcs7.pkcs7_decrypt_pem( +- enveloped, +- cert, +- private_key, +- [o for o in options if o != pkcs7.PKCS7Options.Binary], +- ) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.PEM, options) ++ decrypted_bytes = pkcs7.pkcs7_decrypt_pem( ++ enveloped, ++ cert, ++ private_key, ++ [o for o in options if o != pkcs7.PKCS7Options.Binary], ++ ) + +- # New lines are canonicalized to '\r\n' when not using Binary +- expected_data = ( +- data +- if pkcs7.PKCS7Options.Binary in options +- else data.replace(b"\n", b"\r\n") +- ) +- assert decrypted_bytes == expected_data ++ # New lines are canonicalized to '\r\n' when not using Binary ++ expected_data = ( ++ data ++ if pkcs7.PKCS7Options.Binary in options ++ else data.replace(b"\n", b"\r\n") ++ ) ++ assert decrypted_bytes == expected_data + + def test_smime_encrypt_multiple_recipients(self, backend): + data = b"hello world\n" +@@ -1101,13 +1104,14 @@ class TestPKCS7EnvelopeBuilder: + .add_recipient(cert) + .add_recipient(cert) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, []) +- # cryptography CA (the recipient's Common Name) +- common_name_bytes = ( +- b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61" +- b"\x70\x68\x79\x20\x43\x41" +- ) +- assert enveloped.count(common_name_bytes) == 2 ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, []) ++ # cryptography CA (the recipient's Common Name) ++ common_name_bytes = ( ++ b"\x0c\x0f\x63\x72\x79\x70\x74\x6f\x67\x72\x61" ++ b"\x70\x68\x79\x20\x43\x41" ++ ) ++ assert enveloped.count(common_name_bytes) == 2 + + + @pytest.mark.supported( +@@ -1170,14 +1174,15 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, options) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, options) + +- # Test decryption: new lines are canonicalized to '\r\n' when +- # encryption has no Binary option +- decrypted = pkcs7.pkcs7_decrypt_der( +- enveloped, certificate, private_key, options +- ) +- assert decrypted == data.replace(b"\n", b"\r\n") ++ # Test decryption: new lines are canonicalized to '\r\n' when ++ # encryption has no Binary option ++ decrypted = pkcs7.pkcs7_decrypt_der( ++ enveloped, certificate, private_key, options ++ ) ++ assert decrypted == data.replace(b"\n", b"\r\n") + + def test_pkcs7_decrypt_aes_256_cbc_encrypted_content( + self, backend, data, certificate, private_key +@@ -1189,14 +1194,15 @@ class TestPKCS7Decrypt: + .set_content_encryption_algorithm(algorithms.AES256) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.PEM, []) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.PEM, []) + +- # Test decryption: new lines are canonicalized to '\r\n' when +- # encryption has no Binary option +- decrypted = pkcs7.pkcs7_decrypt_pem( +- enveloped, certificate, private_key, [] +- ) +- assert decrypted == data.replace(b"\n", b"\r\n") ++ # Test decryption: new lines are canonicalized to '\r\n' when ++ # encryption has no Binary option ++ decrypted = pkcs7.pkcs7_decrypt_pem( ++ enveloped, certificate, private_key, [] ++ ) ++ assert decrypted == data.replace(b"\n", b"\r\n") + + @pytest.mark.parametrize( + "header", +@@ -1219,15 +1225,16 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt( +- serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] +- ) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt( ++ serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] ++ ) + +- # Test decryption with text option +- decrypted = pkcs7.pkcs7_decrypt_der( +- enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] +- ) +- assert decrypted == base_data.encode() ++ # Test decryption with text option ++ decrypted = pkcs7.pkcs7_decrypt_der( ++ enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] ++ ) ++ assert decrypted == base_data.encode() + + @pytest.mark.parametrize("options", [[], [pkcs7.PKCS7Options.Text]]) + def test_pkcs7_decrypt_pem( +@@ -1239,14 +1246,15 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.PEM, options) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.PEM, options) + +- # Test decryption: new lines are canonicalized to '\r\n' when +- # encryption has no Binary option +- decrypted = pkcs7.pkcs7_decrypt_pem( +- enveloped, certificate, private_key, options +- ) +- assert decrypted == data.replace(b"\n", b"\r\n") ++ # Test decryption: new lines are canonicalized to '\r\n' when ++ # encryption has no Binary option ++ decrypted = pkcs7.pkcs7_decrypt_pem( ++ enveloped, certificate, private_key, options ++ ) ++ assert decrypted == data.replace(b"\n", b"\r\n") + + def test_pkcs7_decrypt_pem_with_wrong_tag( + self, backend, data, certificate, private_key +@@ -1269,13 +1277,14 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.SMIME, options) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.SMIME, options) + +- # Test decryption +- decrypted = pkcs7.pkcs7_decrypt_smime( +- enveloped, certificate, private_key, options +- ) +- assert decrypted == data.replace(b"\n", b"\r\n") ++ # Test decryption ++ decrypted = pkcs7.pkcs7_decrypt_smime( ++ enveloped, certificate, private_key, options ++ ) ++ assert decrypted == data.replace(b"\n", b"\r\n") + + def test_pkcs7_decrypt_no_encrypted_content( + self, backend, data, certificate, private_key +@@ -1299,13 +1308,14 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, []) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, []) + +- # Test decryption with text option +- with pytest.raises(ValueError): +- pkcs7.pkcs7_decrypt_der( +- enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] +- ) ++ # Test decryption with text option ++ with pytest.raises(ValueError): ++ pkcs7.pkcs7_decrypt_der( ++ enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] ++ ) + + def test_pkcs7_decrypt_text_html_content_type( + self, backend, certificate, private_key +@@ -1317,16 +1327,17 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt( +- serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] +- ) +- +- # Test decryption with text option +- with pytest.raises(ValueError): +- pkcs7.pkcs7_decrypt_der( +- enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt( ++ serialization.Encoding.DER, [pkcs7.PKCS7Options.Binary] + ) + ++ # Test decryption with text option ++ with pytest.raises(ValueError): ++ pkcs7.pkcs7_decrypt_der( ++ enveloped, certificate, private_key, [pkcs7.PKCS7Options.Text] ++ ) ++ + def test_smime_decrypt_no_recipient_match( + self, backend, data, certificate, rsa_key_2048: rsa.RSAPrivateKey + ): +@@ -1336,21 +1347,22 @@ class TestPKCS7Decrypt: + .set_data(data) + .add_recipient(certificate) + ) +- enveloped = builder.encrypt(serialization.Encoding.DER, []) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ enveloped = builder.encrypt(serialization.Encoding.DER, []) + +- # Prepare another RSA chain +- another_private_key = RSA_KEY_2048_ALT.private_key( +- unsafe_skip_rsa_key_validation=True +- ) +- _, another_cert = _generate_ca_and_leaf( +- rsa_key_2048, another_private_key +- ) +- +- # Test decryption with another RSA chain +- with pytest.raises(ValueError): +- pkcs7.pkcs7_decrypt_der( +- enveloped, another_cert, another_private_key, [] ++ # Prepare another RSA chain ++ another_private_key = RSA_KEY_2048_ALT.private_key( ++ unsafe_skip_rsa_key_validation=True + ) ++ _, another_cert = _generate_ca_and_leaf( ++ rsa_key_2048, another_private_key ++ ) ++ ++ # Test decryption with another RSA chain ++ with pytest.raises(ValueError): ++ pkcs7.pkcs7_decrypt_der( ++ enveloped, another_cert, another_private_key, [] ++ ) + + def test_smime_decrypt_unsupported_key_encryption_algorithm( + self, backend, data, certificate, private_key +@@ -1373,7 +1385,7 @@ class TestPKCS7Decrypt: + mode="rb", + ) + +- with pytest.raises(exceptions.UnsupportedAlgorithm): ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): + pkcs7.pkcs7_decrypt_pem(enveloped, certificate, private_key, []) + + def test_smime_decrypt_not_enveloped( +diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py +index 17c8c7c..7af9899 100644 +--- a/tests/hazmat/primitives/test_rsa.py ++++ b/tests/hazmat/primitives/test_rsa.py +@@ -1710,8 +1710,9 @@ class TestRSADecryption: + ).private_key(backend, unsafe_skip_rsa_key_validation=True) + ciphertext = binascii.unhexlify(example["encryption"]) + assert len(ciphertext) == (skey.key_size + 7) // 8 +- message = skey.decrypt(ciphertext, padding.PKCS1v15()) +- assert message == binascii.unhexlify(example["message"]) ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ message = skey.decrypt(ciphertext, padding.PKCS1v15()) ++ assert message == binascii.unhexlify(example["message"]) + + def test_unsupported_padding( + self, rsa_key_2048: rsa.RSAPrivateKey, backend +@@ -2069,11 +2070,12 @@ class TestRSAEncryption: + _check_fips_key_length(backend, private_key) + pt = b"encrypt me!" + public_key = private_key.public_key() +- ct = public_key.encrypt(pt, pad) +- assert ct != pt +- assert len(ct) == (public_key.key_size + 7) // 8 +- recovered_pt = private_key.decrypt(ct, pad) +- assert recovered_pt == pt ++ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): ++ ct = public_key.encrypt(pt, pad) ++ assert ct != pt ++ assert len(ct) == (public_key.key_size + 7) // 8 ++ recovered_pt = private_key.decrypt(ct, pad) ++ assert recovered_pt == pt + + @pytest.mark.parametrize( + ("key_data", "pad"), +-- +2.27.0 + diff --git a/disable-RSA-PKCS-1v1.5-padding.patch b/disable-RSA-PKCS-1v1.5-padding.patch deleted file mode 100644 index eefceb6e8295af1d21bde700c8641789b4a69c13..0000000000000000000000000000000000000000 --- a/disable-RSA-PKCS-1v1.5-padding.patch +++ /dev/null @@ -1,80 +0,0 @@ -From edf2c74db67eb0f2e0d4cf02bba429d9f398c676 Mon Sep 17 00:00:00 2001 -From: shixuantong -Date: Wed, 2 Jul 2025 10:08:40 +0800 -Subject: [PATCH] disable RSA PKCS#1v1.5 padding - ---- - src/rust/src/backend/rsa.rs | 15 +++++++++++++++ - tests/hazmat/primitives/test_rsa.py | 16 +++++++++------- - 2 files changed, 24 insertions(+), 7 deletions(-) - -diff --git a/src/rust/src/backend/rsa.rs b/src/rust/src/backend/rsa.rs -index 662f30a..dddd08d 100644 ---- a/src/rust/src/backend/rsa.rs -+++ b/src/rust/src/backend/rsa.rs -@@ -326,6 +326,13 @@ impl RsaPrivateKey { - let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; - ctx.decrypt_init()?; - -+ if padding.is_instance(types::PKCS1V15.get(py)?)? { -+ return Err(CryptographyError::from( -+ pyo3::exceptions::PyValueError::new_err( -+ "RSA PKCS#1v1.5 has security problems and it has been banned.", -+ ), -+ )); -+ } - setup_encryption_ctx(py, &mut ctx, padding)?; - - // Everything from this line onwards is written with the goal of being -@@ -452,6 +459,14 @@ impl RsaPublicKey { - let mut ctx = openssl::pkey_ctx::PkeyCtx::new(&self.pkey)?; - ctx.encrypt_init()?; - -+ if padding.is_instance(types::PKCS1V15.get(py)?)? { -+ return Err(CryptographyError::from( -+ pyo3::exceptions::PyValueError::new_err( -+ "RSA PKCS#1v1.5 has security problems and it has been banned.", -+ ), -+ )); -+ } -+ - setup_encryption_ctx(py, &mut ctx, padding)?; - - let length = ctx.encrypt(plaintext, None)?; -diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py -index 8810f0f..0261542 100644 ---- a/tests/hazmat/primitives/test_rsa.py -+++ b/tests/hazmat/primitives/test_rsa.py -@@ -1771,8 +1771,9 @@ class TestRSADecryption: - ).private_key(backend, unsafe_skip_rsa_key_validation=True) - ciphertext = binascii.unhexlify(example["encryption"]) - assert len(ciphertext) == (skey.key_size + 7) // 8 -- message = skey.decrypt(ciphertext, padding.PKCS1v15()) -- assert message == binascii.unhexlify(example["message"]) -+ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): -+ message = skey.decrypt(ciphertext, padding.PKCS1v15()) -+ assert message == binascii.unhexlify(example["message"]) - - def test_unsupported_padding( - self, rsa_key_2048: rsa.RSAPrivateKey, backend -@@ -2130,11 +2131,12 @@ class TestRSAEncryption: - _check_fips_key_length(backend, private_key) - pt = b"encrypt me!" - public_key = private_key.public_key() -- ct = public_key.encrypt(pt, pad) -- assert ct != pt -- assert len(ct) == (public_key.key_size + 7) // 8 -- recovered_pt = private_key.decrypt(ct, pad) -- assert recovered_pt == pt -+ with pytest.raises(ValueError, match="RSA PKCS#1v1.5 has security problems and it has been banned."): -+ ct = public_key.encrypt(pt, pad) -+ assert ct != pt -+ assert len(ct) == (public_key.key_size + 7) // 8 -+ recovered_pt = private_key.decrypt(ct, pad) -+ assert recovered_pt == pt - - @pytest.mark.parametrize( - ("key_data", "pad"), --- -2.27.0 - diff --git a/python-cryptography.spec b/python-cryptography.spec index 3d7e60eac5278c0454577bcc3dfb5b128c73f74c..d831bbc2150aeec8dac6116776986f4f4c62ae85 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -1,28 +1,19 @@ %global pypi_name cryptography Name: python-%{pypi_name} -Version: 42.0.2 -Release: 8 +Version: 45.0.5 +Release: 2 Summary: PyCA's cryptography library -License: ASL 2.0 or BSD -URL: https://cryptography.io/en/latest/ -Source0: %{pypi_source %{pypi_name}} +License: (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0 +URL: https://cryptography.io/en/latest/ +Source0: %{pypi_source %{pypi_name}} # For Rust offline compile # Decompress the source code of cryptography, then enter ./src/rust directory, # execute "cargo vendor" to obtain "vendor" directory (Internet connection required), -# finally, tar -czvf cargo-vendor-cache.tar.gz vendor +# finally, tar -czvf cargo-vendor-cache vendor # Note: Cargo needs to be consistent with the cargo version in the compile environment. -Source1: cargo-vendor-cache.tar.gz -Source2: sw64-vendor.tar.gz +Source1: cargo-vendor-cache -Patch6002: backport-provide-openssl-apis-related-to-SM-for-python.patch -Patch6003: backport-CVE-2024-26130.patch - -Patch9000: add-_load_key-function.patch -Patch9001: Revert-Remove-now-unused-OpenSSL-password-callback-1.patch -Patch9002: Revert-Another-sweep-removing-unused-bindings-9671.patch -Patch9003: Revert-Remove-unused-bindings-8972.patch -Patch9004: Revert-Remove-now-unused-bindings-8778.patch -Patch9005: disable-RSA-PKCS-1v1.5-padding.patch +Patch9000: disable-RSA-PKCS-1v1.5-padding-to-fix-CVE-2023-50782.patch BuildRequires: openssl-devel cargo BuildRequires: gcc @@ -39,6 +30,7 @@ BuildRequires: python%{python3_pkgversion}-pytz BuildRequires: python%{python3_pkgversion}-cffi >= 1.12 BuildRequires: python%{python3_pkgversion}-setuptools-rust >= 1.7.0 BuildRequires: python%{python3_pkgversion}-wheel +BuildRequires: python%{python3_pkgversion}-maturin BuildRequires: python3-pip BuildRequires: python3-pytest-subtests BuildRequires: python3-pytest-benchmark @@ -101,27 +93,29 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest --ignore vendo %license LICENSE LICENSE.APACHE LICENSE.BSD %{python3_sitearch}/%{pypi_name} %{python3_sitearch}/%{pypi_name}-%{version}.dist-info +%exclude %{python3_sitearch}/rust/* %files help %defattr(-,root,root) %doc README.rst docs %changelog -* Wed Jul 02 2025 shixuantong - 42.0.2-8 +* Thu Jul 24 2025 shixuantong - 45.0.5-2 - disable RSA PKCS#1v1.5 padding to fix CVE-2023-50782 -* Wed Jun 11 2025 shixuantong - 42.0.2-7 -- add EVP_PKEY_keygen_init and EVP_PKEY_keygen - -* Tue Jun 10 2025 shixuantong - 42.0.2-6 -- Revert bound openssl symbols to support sm2 for python +* Wed Jul 16 2025 Dongxing Wang - 45.0.5-1 +- Upgrade package to 45.0.5 -* Mon May 12 2025 mahailiang - 42.0.2-5 -- add sw_64 support +* Thu Jan 16 2025 Ge Wang - 44.0.0-1 +- update to version 44.0.0 -* Fri Jul 26 2024 shixuantong - 42.0.2-4 +* Fri Jul 26 2024 shixuantong - 42.0.7-2 - enable check +* Fri Jul 19 2024 liweigang - 42.0.7-1 +- update to version 42.0.7 +- license compliance rectification + * Thu Apr 18 2024 shixuantong - 42.0.2-3 - set debug is true for build debug package - add rust to BuildRequires diff --git a/sw64-vendor.tar.gz b/sw64-vendor.tar.gz deleted file mode 100644 index bf68af311efa70d307cc5fc0bb57cf9fded9f3fa..0000000000000000000000000000000000000000 Binary files a/sw64-vendor.tar.gz and /dev/null differ