diff --git a/backport-CVE-2023-23931.patch b/backport-CVE-2023-23931.patch
deleted file mode 100644
index d1661defaa32d9827202fcba5e3120cda0847d19..0000000000000000000000000000000000000000
--- a/backport-CVE-2023-23931.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor
-Date: Tue, 7 Feb 2023 11:34:18 -0500
-Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230)
-
----
- src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
- tests/hazmat/primitives/test_ciphers.py | 8 ++++++++
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
-index d5b6010..a5737dc 100644
---- a/src/cryptography/hazmat/backends/openssl/ciphers.py
-+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
-@@ -155,7 +155,7 @@ class _CipherContext(object):
- data_processed = 0
- total_out = 0
- outlen = self._backend._ffi.new("int *")
-- baseoutbuf = self._backend._ffi.from_buffer(buf)
-+ baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
- baseinbuf = self._backend._ffi.from_buffer(data)
-
- while data_processed != total_data_len:
-diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
-index ef57790..977f148 100644
---- a/tests/hazmat/primitives/test_ciphers.py
-+++ b/tests/hazmat/primitives/test_ciphers.py
-@@ -306,6 +306,14 @@ class TestCipherUpdateInto(object):
- with pytest.raises(ValueError):
- encryptor.update_into(b"testing", buf)
-
-+ def test_update_into_immutable(self, backend):
-+ key = b"\x00" * 16
-+ c = ciphers.Cipher(AES(key), modes.ECB(), backend)
-+ encryptor = c.encryptor()
-+ buf = b"\x00" * 32
-+ with pytest.raises((TypeError, BufferError)):
-+ encryptor.update_into(b"testing", buf)
-+
- @pytest.mark.supported(
- only_if=lambda backend: backend.cipher_supported(
- AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
---
-2.33.0
-
diff --git a/backport-provide-openssl-apis-related-to-SM-for-python.patch b/backport-provide-openssl-apis-related-to-SM-for-python.patch index db3c9d798e3020da71aeabc1d51768243e04e88d..6a31547f889164c75c489a4c6093a7128d5a105d 100644 --- a/backport-provide-openssl-apis-related-to-SM-for-python.patch +++ b/backport-provide-openssl-apis-related-to-SM-for-python.patch @@ -1,16 +1,25 @@ +From 71b6df9392d424efcdc422b175e3737f33c36c6e Mon Sep 17 00:00:00 2001 +From: desert-sailor +Date: Mon, 22 May 2023 03:47:32 +0800 +Subject: [PATCH] provide openssl apis related to SM for python + +--- + src/_cffi_src/openssl/evp.py | 7 +++++++ + 1 file changed, 7 insertions(+) + diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py -index ad7a0e7..13069dc 100644 +index b8a3899..0797d59 100644 --- a/src/_cffi_src/openssl/evp.py +++ b/src/_cffi_src/openssl/evp.py -@@ -36,6 +36,7 @@ static const int Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint; - static const int Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY; +@@ -35,6 +35,7 @@ static const int Cryptography_HAS_SCRYPT; + static const int Cryptography_HAS_EVP_PKEY_DHX; static const long Cryptography_HAS_RAW_KEY; static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF; +static const int EVP_PKEY_SM2; static const long Cryptography_HAS_300_FIPS; + static const long Cryptography_HAS_300_EVP_CIPHER; static const long Cryptography_HAS_EVP_PKEY_DH; - """ -@@ -89,6 +90,9 @@ int EVP_DigestSignFinal(EVP_MD_CTX *, unsigned char *, size_t *); +@@ -93,6 +94,9 @@ int EVP_DigestSignFinal(EVP_MD_CTX *, unsigned char *, size_t *); int EVP_DigestVerifyInit(EVP_MD_CTX *, EVP_PKEY_CTX **, const EVP_MD *, ENGINE *, EVP_PKEY *); 
@@ -20,14 +29,16 @@ index ad7a0e7..13069dc 100644 EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *, ENGINE *); -@@ -165,6 +169,10 @@ EVP_PKEY *EVP_PKEY_new_raw_public_key(int, ENGINE *, const unsigned char *, +@@ -158,6 +162,9 @@ EVP_PKEY *EVP_PKEY_new_raw_public_key(int, ENGINE *, const unsigned char *, int EVP_PKEY_get_raw_private_key(const EVP_PKEY *, unsigned char *, size_t *); int EVP_PKEY_get_raw_public_key(const EVP_PKEY *, unsigned char *, size_t *); -+int EVP_PKEY_set_alias_type(EVP_PKEY *pkey, int type); +void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx); +const EVP_MD *EVP_sm3(void); + int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *); int EVP_default_properties_enable_fips(OSSL_LIB_CTX *, int); """ +-- +2.33.0 + diff --git a/cryptography-39.0.0.tar.gz b/cargo-vendor-cache.tar.gz similarity index 38% rename from cryptography-39.0.0.tar.gz rename to cargo-vendor-cache.tar.gz index e743ea76e84b39f1942f7afe125655e54b73b60e..efb208c6b575447eceee5554d10a5b72343403a2 100644 Binary files a/cryptography-39.0.0.tar.gz and b/cargo-vendor-cache.tar.gz differ diff --git a/cryptography-40.0.2.tar.gz b/cryptography-40.0.2.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..bbae52070584452ddd2a2168c9b28219f529fc6f Binary files /dev/null and b/cryptography-40.0.2.tar.gz differ diff --git a/python-cryptography.spec b/python-cryptography.spec index f3fb1edaa74d4d61e502b78626dd4e53fb315d15..835dcb8f21652f67fb572fc7d7ba37ea211ab16f 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec 
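Review bot: The refreshed SM patch no longer declares `int EVP_PKEY_set_alias_type(EVP_PKEY *pkey, int type);` (its inner hunk `@@ -158,6 +162,9 @@` replaces `@@ -165,6 +169,10 @@`), so any caller that reached that function through the cffi `lib` object loses the symbol, and the spec changelog does not record it. If the removal is deliberate, presumably because the targeted OpenSSL no longer offers the function, state that in the patch's commit message and add a changelog line such as `- Drop EVP_PKEY_set_alias_type binding from the SM patch`. The declarations that remain, `static const int EVP_PKEY_SM2;` and `const EVP_MD *EVP_sm3(void);`, carry no `Cryptography_HAS_*` flag like the neighbouring optional features, so the binding presumably builds only against an OpenSSL with SM2 and SM3 enabled; a comment in the patch stating that assumption would help the next rebase.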
@@ -1,16 +1,18 @@ -%global srcname cryptography -Name: python-%{srcname} -Version: 39.0.0 -Release: 2 +%global pypi_name cryptography +Name: python-%{pypi_name} +Version: 40.0.2 +Release: 1 Summary: PyCA's cryptography library License: ASL 2.0 or BSD URL: https://cryptography.io/en/latest/ -Source0: %{srcname}-%{version}.tar.gz +Source0: %{pypi_source %{pypi_name}} +Source1: cargo-vendor-cache.tar.gz -Patch6001: backport-CVE-2023-23931.patch +Patch6002: backport-provide-openssl-apis-related-to-SM-for-python.patch BuildRequires: openssl-devel cargo BuildRequires: gcc +BuildRequires: rust-packaging BuildRequires: python%{python3_pkgversion}-devel BuildRequires: python%{python3_pkgversion}-pytest >= 3.2.1 @@ -32,7 +34,7 @@ cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. -%package -n python%{python3_pkgversion}-cryptography +%package -n python%{python3_pkgversion}-%{pypi_name} Summary: PyCA's cryptography library Requires: openssl-libs @@ -41,16 +43,17 @@ Requires: python%{python3_pkgversion}-asn1crypto >= 0.21 Requires: python%{python3_pkgversion}-six >= 1.4.1 Requires: python%{python3_pkgversion}-cffi >= 1.7 -%{?python_provide:%python_provide python%{python3_pkgversion}-cryptography} +%{?python_provide:%python_provide python%{python3_pkgversion}-%{pypi_name}} -%description -n python%{python3_pkgversion}-cryptography +%description -n python%{python3_pkgversion}-%{pypi_name} cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. %package_help %prep -%autosetup -n cryptography-%{version} -p1 +%autosetup -n %{pypi_name}-%{version} -p1 +tar xzvf %{SOURCE1} -C ./src/rust/ mkdir .cargo cat >> .cargo/config.toml << EOF [source.crates-io] 
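Review bot: `Source1: cargo-vendor-cache.tar.gz` is added as a binary with no recorded origin, and `%prep` unpacks it with `tar xzvf %{SOURCE1} -C ./src/rust/` into the tree the Rust extension is built from, so every vendored crate ships in the package without a reviewable link to what upstream pinned. Add a comment above the `Source1` line that states how the archive was produced and from which lock file, for example `# Source1: output of "cargo vendor" run in src/rust/ of the %%{version} tarball, using its Cargo.lock`, so the archive can be regenerated and compared. The `.cargo/config.toml` heredoc continues past the end of this hunk, so whether it redirects the crates-io source to the vendored directory cannot be checked from here. Using `tar xzf` without `v` would also keep the full crate file list out of the build log.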
@@ -68,20 +71,23 @@ EOF %py3_install %check -#PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest +#PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest --ignore vendor -%files -n python%{python3_pkgversion}-cryptography +%files -n python%{python3_pkgversion}-%{pypi_name} %defattr(-,root,root) #%doc AUTHORS.rst %license LICENSE LICENSE.APACHE LICENSE.BSD -%{python3_sitearch}/* -%{python3_sitearch}/cryptography-%{version}-py*.egg-info +%{python3_sitearch}/%{pypi_name} +%{python3_sitearch}/%{pypi_name}-%{version}-py*.egg-info %files help %defattr(-,root,root) %doc README.rst docs %changelog +* Fri May 19 2023 Dongxing Wang - 40.0.2-1 +- Upgrade package to 40.0.2 + * Tue Feb 14 2023 zhuofeng - 39.0.0-2 - Type:CVE - CVE:CVE-2023-23931
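Review bot: The `%check` line is edited but still commented out (`#PYTHONPATH=... -m pytest --ignore vendor`), so no test runs during the build, while this same commit drops `Patch6001: backport-CVE-2023-23931.patch` on the assumption that 40.0.2 already contains the fix. If the test dependencies are available in the build root, enable the line as `PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest --ignore vendor` so upstream's `test_update_into_immutable` runs against the built package; otherwise confirm by hand that `from_buffer(buf, require_writable=True)` is present in the new tarball's `ciphers.py`. The changelog entry should also record the removal, for example `- Remove backport-CVE-2023-23931.patch, included in the new upstream version`. If the line stays a comment, write the macros as `%%{buildroot}`, because rpm still expands macros inside `#` comments.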