python/python-cryptography
SHA256
14
0
Fork 0
forked from pool/python-cryptography
Code Pull Requests Activity

Accepting request 343324 from home:tbechtold:branches:devel:languages:python

Browse Source 
- update to 1.1:
  * Added support for Elliptic Curve Diffie-Hellman with
    :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDH`.
  * Added :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`.
  * Added support for parsing certificate revocation lists (CRLs) using
    :func:`~cryptography.x509.load_pem_x509_crl` and
    :func:`~cryptography.x509.load_der_x509_crl`.
  * Add support for AES key wrapping with
    :func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap` and
    :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap`.
  * Added a ``__hash__`` method to :class:`~cryptography.x509.Name`.
  * Add support for encoding and decoding elliptic curve points to a byte string
    form using
    :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point`
    and
    :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`.
  * Added :meth:`~cryptography.x509.Extensions.get_extension_for_class`.
  * :class:`~cryptography.x509.CertificatePolicies` are now supported in the
    :class:`~cryptography.x509.CertificateBuilder`.
  * ``countryName`` is now encoded as a ``PrintableString`` when creating subject
    and issuer distinguished names with the Certificate and CSR builder classes.
  * **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use
    of assertions to check response codes where our tests could not trigger a
    failure.  However, when Python is run with ``-O`` these asserts are optimized
    away.  If a user ran Python with this flag and got an invalid response code
    this could result in undefined behavior or worse. Accordingly, all response
    checks from the OpenSSL backend have been converted from ``assert``
    to a true function call. Credit **Emilia Käsper (Google Security Team)**
    for the report.
  * We now ship OS X wheels that statically link OpenSSL by default. When

OBS-URL: https://build.opensuse.org/request/show/343324
OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=23
This commit is contained in:
Todd R
2015-11-11 10:35:45 +00:00
committed by Git OBS Bridge
parent b914a4524b
commit eb54b1a6ae
11 changed files with 76 additions and 104 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
2293.patch
View File

@@ -1,72 +0,0 @@
From 9578e4cadb09f4bca86d66c8f5d7a9370f5bf41e Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Mon, 24 Aug 2015 08:00:10 -0500
Subject: [PATCH 1/2] make engine addition idempotent
Weird threading issues keep cropping up. ENGINE_add already
acquires a lock at the C layer via CRYPTO_w_lock (provided you
have registered the locking callbacks) so let's just use that
---
src/cryptography/hazmat/bindings/openssl/binding.py | 19 ++++++++++++++-----
tests/hazmat/bindings/test_openssl.py | 4 ++--
2 files changed, 16 insertions(+), 7 deletions(-)
Index: cryptography-1.0/src/cryptography/hazmat/bindings/openssl/binding.py
===================================================================
--- cryptography-1.0.orig/src/cryptography/hazmat/bindings/openssl/binding.py
+++ cryptography-1.0/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -65,10 +65,6 @@ class Binding(object):
@classmethod
def _register_osrandom_engine(cls):
assert cls.lib.ERR_peek_error() == 0
- looked_up_engine = cls.lib.ENGINE_by_id(cls._osrandom_engine_id)
- if looked_up_engine != ffi.NULL:
- raise RuntimeError("osrandom engine already registered")
-
cls.lib.ERR_clear_error()
engine = cls.lib.ENGINE_new()
@@ -81,7 +77,20 @@ class Binding(object):
result = cls.lib.ENGINE_set_RAND(engine, cls._osrandom_method)
assert result == 1
result = cls.lib.ENGINE_add(engine)
- assert result == 1
+ if result != 1:
+ # Engine already added. Clear the error stack.
+ errors = []
+ while True:
+ code = cls.lib.ERR_get_error()
+ if code == 0:
+ break
+
+ errors.append(code)
+
+ # the following error code corresponds to "conflicting engine
+ # id" in ENGINE_LIST_ADD
+ assert 638025831 in errors
+
finally:
result = cls.lib.ENGINE_free(engine)
assert result == 1
@@ -133,3 +142,6 @@ class Binding(object):
mode, n, file, line
)
)
+
+# init the static locks so we have a locking callback in C for engine init
+Binding.init_static_locks()
Index: cryptography-1.0/tests/hazmat/bindings/test_openssl.py
===================================================================
--- cryptography-1.0.orig/tests/hazmat/bindings/test_openssl.py
+++ cryptography-1.0/tests/hazmat/bindings/test_openssl.py
@@ -89,8 +89,8 @@ class TestOpenSSL(object):
def test_add_engine_more_than_once(self):
b = Binding()
- with pytest.raises(RuntimeError):
- b._register_osrandom_engine()
+ b._register_osrandom_engine()
+ assert b.lib.ERR_get_error() == 0
def test_ssl_ctx_options(self):
# Test that we're properly handling 32-bit unsigned on all platforms.

3
cryptography-1.0.tar.gz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:211c02fe77d791d7fc437227ba1c046268d5da665e05d8a53fc19f4f74c21001
size 331438

11
cryptography-1.0.tar.gz.asc
View File

@@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJVy0xcAAoJECNa5fEp+e2Y6KsH/iitT57ksgfW8vZCy1pWHRCY
WtETpHyJ3KHS/mCcFnzB0hKVdylk7FHcM/hR3p2B46mnwjOq2H+aHyrVShWjn8nS
Z9YVNp4HFgQxV4njh7A6eyOqLe+F5GyQGiaI4wJxUtD/922JoKRavM0QzVMJ48m7
TC2fI5VHpxlNsmmQlYogKPbr1D6C+mNZ+aPWEePZyHd9nfF4qRtSGl+DpsirQdRG
4HAxTsZLzT9Cqpjdfw71eE0CquY1SiSLP+s3KDiuTU2QsElBjDrYjhrBWl1N7TJb
occigR6GXSl1hw7vXH+6LUZAU0PaQYUS9ac/NFBIJXcvVzdUvVQoGAJjZ2zKz+c=
=m8N9
-----END PGP SIGNATURE-----

3
cryptography-1.1.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:059bc6428b1d0e2317f505698602642f1d8dda5b120ec573a59a430d8cb7a32d
size 348676

11
cryptography-1.1.tar.gz.asc Normal file
View File

@@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJWMUuqAAoJECNa5fEp+e2YzQsIAIHOe9MUZP3X7rm5GH+hxrHI
RSFOXyXdDC7lxGjkPc1MhXOMwFqABWGe6o6y4yjJKewDGyNpFevX2c+7Zi00O8Ka
BtDWTLcuvtS0ycv99gorSsQv1PQohagxO/TTWRO7TgqVHRzChx0rw50rkJuR+bgL
F19lpVm2OfzN0qcPNNo4ED14shPr2OQrQUNZtoGk5dFbarYufOdl4E13MXKGU2iu
H3GznT3tIgpVvkLcfJF/LT+j/QlSVpzxd6hbPob06keBYNoYcbOYvjZ5B1NgmIiC
+LBfE9tfRB1HP/bpW9Cko7Y29Fm0FbHNkr7F5k73axnUnabVmJiRMm09JbqpALU=
=fvVi
-----END PGP SIGNATURE-----

3
cryptography_vectors-1.0.tar.gz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e7277818b7bd99b502ee79d37cf5b9405577c39171919014756181b947ea0234
size 25003925

11
cryptography_vectors-1.0.tar.gz.asc
View File

@@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJVy0yBAAoJECNa5fEp+e2YeGYH/jGBWd6v/+iiaNHCZsrG/H+c
HVH1c0Z+cx6XcSbLwz/VZ2ioGHqwESMKVS1ArHiv/OkoaSL8ZNeO3Af8Fao/aJb1
+NcJBCjJNSRT3iTdu2hDis+H5sQdfjthQodcpNp2BYRNCsjHVi7KX8CdK3cu8jED
w1yuTJA3hlICqMxUMl2TC/XbYgh3qXIEIAGoY59aAkDujO7ceD73jrHeFYD/KqnI
News1nPfC2AjlX50sSR4X8e6aoR1EMwl0O5nUt/0d8owxR45iR2s62mGwzplDi/t
3XWAnUd1OEgeN9GGS7w82RdtCo45udJ6N7CY+ggxbSNyC6uDuxVfYEmU2VUSHiw=
=a+rm
-----END PGP SIGNATURE-----

3
cryptography_vectors-1.1.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a929fbb0eac391c93c5745451a4d4157a8bc18eb2e69faf3af1d825ceacbf32c
size 25026549

11
cryptography_vectors-1.1.tar.gz.asc Normal file
View File

@@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJWMUylAAoJECNa5fEp+e2Y0NQH/12rUn4ppMIkwf7573iBiX2H
1yieY5/gBAzcBHTodxZixw6sJNfJjw0DagP9zHOa2YFKjvkz2KmAUTK2rNBfgsG9
34Tp/DGaH+q270/jeZG3PXPBi6lqK7JWsL3lS9Pi7gvx5nS+qywZnO7Xxsks0kDD
bi+1SCZuy8igXnteTfYO2isH7ziwKaIf8zGldK4c/8ri1HZ4+zMby6nN3ymMe1SU
6KoYiNteNzE1FXTftOJNr9l7zJNMkTdcQ1I1IvxUfdcXG/QWg4fFrSB40mzIhR20
XJrGf77uo3HXKIHoIEWT57qU5kWciklUSwR4cgPs4JT1YCs7q/ngAetAVa7Y0cY=
=BrnC
-----END PGP SIGNATURE-----

45
python-cryptography.changes
View File

@@ -1,3 +1,48 @@
-------------------------------------------------------------------
Tue Nov 10 04:16:13 UTC 2015 - tbechtold@suse.com
- update to 1.1:
* Added support for Elliptic Curve Diffie-Hellman with
:class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDH`.
* Added :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`.
* Added support for parsing certificate revocation lists (CRLs) using
:func:`~cryptography.x509.load_pem_x509_crl` and
:func:`~cryptography.x509.load_der_x509_crl`.
* Add support for AES key wrapping with
:func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap` and
:func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap`.
* Added a ``__hash__`` method to :class:`~cryptography.x509.Name`.
* Add support for encoding and decoding elliptic curve points to a byte string
form using
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point`
and
:meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`.
* Added :meth:`~cryptography.x509.Extensions.get_extension_for_class`.
* :class:`~cryptography.x509.CertificatePolicies` are now supported in the
:class:`~cryptography.x509.CertificateBuilder`.
* ``countryName`` is now encoded as a ``PrintableString`` when creating subject
and issuer distinguished names with the Certificate and CSR builder classes.
* **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use
of assertions to check response codes where our tests could not trigger a
failure. However, when Python is run with ``-O`` these asserts are optimized
away. If a user ran Python with this flag and got an invalid response code
this could result in undefined behavior or worse. Accordingly, all response
checks from the OpenSSL backend have been converted from ``assert``
to a true function call. Credit **Emilia Käsper (Google Security Team)**
for the report.
* We now ship OS X wheels that statically link OpenSSL by default. When
installing a wheel on OS X 10.10+ (and using a Python compiled against the
10.10 SDK) users will no longer need to compile. See :doc:`/installation` for
alternate installation methods if required.
* Set the default string mask to UTF-8 in the OpenSSL backend to resolve
character encoding issues with older versions of OpenSSL.
* Several new OpenSSL bindings have been added to support a future pyOpenSSL
release.
* Raise an error during install on PyPy < 2.6. 1.0+ requires PyPy 2.6+.
- Remove 2293.patch . Applied in a different way upstream.
- Add BuildRequires for python-hypothesis and python-pyasn1-modules for running
unittests
-------------------------------------------------------------------
Wed Sep 30 12:01:27 UTC 2015 - dmueller@suse.com

7
python-cryptography.spec
View File

@@ -17,7 +17,7 @@
Name: python-cryptography
Version: 1.0
Version: 1.1
Release: 0
Summary: Python library which exposes cryptographic recipes and primitives
License: Apache-2.0
@@ -30,14 +30,14 @@ Source3: https://pypi.python.org/packages/source/c/cryptography-vectors/c
Source4: https://pypi.python.org/packages/source/c/cryptography-vectors/cryptography_vectors-%{version}.tar.gz.asc
# PATCH-FIX-SLE disable-uneven-sizes-tests.patch bnc#944204
Patch1: disable-uneven-sizes-tests.patch
# PATCH-FIX-UPSTREAM 2293.patch bnc#947679 -- https://github.com/pyca/cryptography/pull/2293
Patch2: 2293.patch
BuildRequires: libopenssl-devel
BuildRequires: python-cffi >= 1.1.0
BuildRequires: python-devel
BuildRequires: python-enum34
BuildRequires: python-hypothesis
BuildRequires: python-idna >= 2.0
BuildRequires: python-ipaddress
BuildRequires: python-pyasn1-modules
BuildRequires: python-setuptools
BuildRequires: python-six >= 1.4.1
BuildRequires: pkgconfig(libffi)
@@ -73,7 +73,6 @@ functions.
tar xvzf %{SOURCE3}
%patch1 -p1
%patch2 -p1
%build
CFLAGS="%{optflags} -fno-strict-aliasing" python setup.py build