From eb54b1a6ae97370a4370cb1bffdc5e92fb8b09b8d957dadba530634cce36539e Mon Sep 17 00:00:00 2001 From: Todd R Date: Wed, 11 Nov 2015 10:35:45 +0000 Subject: [PATCH] Accepting request 343324 from home:tbechtold:branches:devel:languages:python MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - update to 1.1: * Added support for Elliptic Curve Diffie-Hellman with :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDH`. * Added :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`. * Added support for parsing certificate revocation lists (CRLs) using :func:`~cryptography.x509.load_pem_x509_crl` and :func:`~cryptography.x509.load_der_x509_crl`. * Add support for AES key wrapping with :func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap` and :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap`. * Added a ``__hash__`` method to :class:`~cryptography.x509.Name`. * Add support for encoding and decoding elliptic curve points to a byte string form using :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point` and :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`. * Added :meth:`~cryptography.x509.Extensions.get_extension_for_class`. * :class:`~cryptography.x509.CertificatePolicies` are now supported in the :class:`~cryptography.x509.CertificateBuilder`. * ``countryName`` is now encoded as a ``PrintableString`` when creating subject and issuer distinguished names with the Certificate and CSR builder classes. * **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use of assertions to check response codes where our tests could not trigger a failure. However, when Python is run with ``-O`` these asserts are optimized away. If a user ran Python with this flag and got an invalid response code this could result in undefined behavior or worse. Accordingly, all response checks from the OpenSSL backend have been converted from ``assert`` to a true function call. Credit **Emilia Käsper (Google Security Team)** for the report. * We now ship OS X wheels that statically link OpenSSL by default. When OBS-URL: https://build.opensuse.org/request/show/343324 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-cryptography?expand=0&rev=23 --- 2293.patch | 72 ----------------------------- cryptography-1.0.tar.gz | 3 -- cryptography-1.0.tar.gz.asc | 11 ----- cryptography-1.1.tar.gz | 3 ++ cryptography-1.1.tar.gz.asc | 11 +++++ cryptography_vectors-1.0.tar.gz | 3 -- cryptography_vectors-1.0.tar.gz.asc | 11 ----- cryptography_vectors-1.1.tar.gz | 3 ++ cryptography_vectors-1.1.tar.gz.asc | 11 +++++ python-cryptography.changes | 45 ++++++++++++++++++ python-cryptography.spec | 7 ++- 11 files changed, 76 insertions(+), 104 deletions(-) delete mode 100644 2293.patch delete mode 100644 cryptography-1.0.tar.gz delete mode 100644 cryptography-1.0.tar.gz.asc create mode 100644 cryptography-1.1.tar.gz create mode 100644 cryptography-1.1.tar.gz.asc delete mode 100644 cryptography_vectors-1.0.tar.gz delete mode 100644 cryptography_vectors-1.0.tar.gz.asc create mode 100644 cryptography_vectors-1.1.tar.gz create mode 100644 cryptography_vectors-1.1.tar.gz.asc diff --git a/2293.patch b/2293.patch deleted file mode 100644 index 891c83f..0000000 --- a/2293.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 9578e4cadb09f4bca86d66c8f5d7a9370f5bf41e Mon Sep 17 00:00:00 2001 -From: Paul Kehrer -Date: Mon, 24 Aug 2015 08:00:10 -0500 -Subject: [PATCH 1/2] make engine addition idempotent - -Weird threading issues keep cropping up. ENGINE_add already -acquires a lock at the C layer via CRYPTO_w_lock (provided you -have registered the locking callbacks) so let's just use that ---- - src/cryptography/hazmat/bindings/openssl/binding.py | 19 ++++++++++++++----- - tests/hazmat/bindings/test_openssl.py | 4 ++-- - 2 files changed, 16 insertions(+), 7 deletions(-) - -Index: cryptography-1.0/src/cryptography/hazmat/bindings/openssl/binding.py -=================================================================== ---- cryptography-1.0.orig/src/cryptography/hazmat/bindings/openssl/binding.py -+++ cryptography-1.0/src/cryptography/hazmat/bindings/openssl/binding.py -@@ -65,10 +65,6 @@ class Binding(object): - @classmethod - def _register_osrandom_engine(cls): - assert cls.lib.ERR_peek_error() == 0 -- looked_up_engine = cls.lib.ENGINE_by_id(cls._osrandom_engine_id) -- if looked_up_engine != ffi.NULL: -- raise RuntimeError("osrandom engine already registered") -- - cls.lib.ERR_clear_error() - - engine = cls.lib.ENGINE_new() -@@ -81,7 +77,20 @@ class Binding(object): - result = cls.lib.ENGINE_set_RAND(engine, cls._osrandom_method) - assert result == 1 - result = cls.lib.ENGINE_add(engine) -- assert result == 1 -+ if result != 1: -+ # Engine already added. Clear the error stack. -+ errors = [] -+ while True: -+ code = cls.lib.ERR_get_error() -+ if code == 0: -+ break -+ -+ errors.append(code) -+ -+ # the following error code corresponds to "conflicting engine -+ # id" in ENGINE_LIST_ADD -+ assert 638025831 in errors -+ - finally: - result = cls.lib.ENGINE_free(engine) - assert result == 1 -@@ -133,3 +142,6 @@ class Binding(object): - mode, n, file, line - ) - ) -+ -+# init the static locks so we have a locking callback in C for engine init -+Binding.init_static_locks() -Index: cryptography-1.0/tests/hazmat/bindings/test_openssl.py -=================================================================== ---- cryptography-1.0.orig/tests/hazmat/bindings/test_openssl.py -+++ cryptography-1.0/tests/hazmat/bindings/test_openssl.py -@@ -89,8 +89,8 @@ class TestOpenSSL(object): - - def test_add_engine_more_than_once(self): - b = Binding() -- with pytest.raises(RuntimeError): -- b._register_osrandom_engine() -+ b._register_osrandom_engine() -+ assert b.lib.ERR_get_error() == 0 - - def test_ssl_ctx_options(self): - # Test that we're properly handling 32-bit unsigned on all platforms. diff --git a/cryptography-1.0.tar.gz b/cryptography-1.0.tar.gz deleted file mode 100644 index 768c5b6..0000000 --- a/cryptography-1.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:211c02fe77d791d7fc437227ba1c046268d5da665e05d8a53fc19f4f74c21001 -size 331438 diff --git a/cryptography-1.0.tar.gz.asc b/cryptography-1.0.tar.gz.asc deleted file mode 100644 index 546e7fc..0000000 --- a/cryptography-1.0.tar.gz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQEcBAABAgAGBQJVy0xcAAoJECNa5fEp+e2Y6KsH/iitT57ksgfW8vZCy1pWHRCY -WtETpHyJ3KHS/mCcFnzB0hKVdylk7FHcM/hR3p2B46mnwjOq2H+aHyrVShWjn8nS -Z9YVNp4HFgQxV4njh7A6eyOqLe+F5GyQGiaI4wJxUtD/922JoKRavM0QzVMJ48m7 -TC2fI5VHpxlNsmmQlYogKPbr1D6C+mNZ+aPWEePZyHd9nfF4qRtSGl+DpsirQdRG -4HAxTsZLzT9Cqpjdfw71eE0CquY1SiSLP+s3KDiuTU2QsElBjDrYjhrBWl1N7TJb -occigR6GXSl1hw7vXH+6LUZAU0PaQYUS9ac/NFBIJXcvVzdUvVQoGAJjZ2zKz+c= -=m8N9 ------END PGP SIGNATURE----- diff --git a/cryptography-1.1.tar.gz b/cryptography-1.1.tar.gz new file mode 100644 index 0000000..fe1dcfd --- /dev/null +++ b/cryptography-1.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:059bc6428b1d0e2317f505698602642f1d8dda5b120ec573a59a430d8cb7a32d +size 348676 diff --git a/cryptography-1.1.tar.gz.asc b/cryptography-1.1.tar.gz.asc new file mode 100644 index 0000000..a1739ff --- /dev/null +++ b/cryptography-1.1.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQEcBAABAgAGBQJWMUuqAAoJECNa5fEp+e2YzQsIAIHOe9MUZP3X7rm5GH+hxrHI +RSFOXyXdDC7lxGjkPc1MhXOMwFqABWGe6o6y4yjJKewDGyNpFevX2c+7Zi00O8Ka +BtDWTLcuvtS0ycv99gorSsQv1PQohagxO/TTWRO7TgqVHRzChx0rw50rkJuR+bgL +F19lpVm2OfzN0qcPNNo4ED14shPr2OQrQUNZtoGk5dFbarYufOdl4E13MXKGU2iu +H3GznT3tIgpVvkLcfJF/LT+j/QlSVpzxd6hbPob06keBYNoYcbOYvjZ5B1NgmIiC ++LBfE9tfRB1HP/bpW9Cko7Y29Fm0FbHNkr7F5k73axnUnabVmJiRMm09JbqpALU= +=fvVi +-----END PGP SIGNATURE----- diff --git a/cryptography_vectors-1.0.tar.gz b/cryptography_vectors-1.0.tar.gz deleted file mode 100644 index 037004d..0000000 --- a/cryptography_vectors-1.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e7277818b7bd99b502ee79d37cf5b9405577c39171919014756181b947ea0234 -size 25003925 diff --git a/cryptography_vectors-1.0.tar.gz.asc b/cryptography_vectors-1.0.tar.gz.asc deleted file mode 100644 index 22696cd..0000000 --- a/cryptography_vectors-1.0.tar.gz.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQEcBAABAgAGBQJVy0yBAAoJECNa5fEp+e2YeGYH/jGBWd6v/+iiaNHCZsrG/H+c -HVH1c0Z+cx6XcSbLwz/VZ2ioGHqwESMKVS1ArHiv/OkoaSL8ZNeO3Af8Fao/aJb1 -+NcJBCjJNSRT3iTdu2hDis+H5sQdfjthQodcpNp2BYRNCsjHVi7KX8CdK3cu8jED -w1yuTJA3hlICqMxUMl2TC/XbYgh3qXIEIAGoY59aAkDujO7ceD73jrHeFYD/KqnI -News1nPfC2AjlX50sSR4X8e6aoR1EMwl0O5nUt/0d8owxR45iR2s62mGwzplDi/t -3XWAnUd1OEgeN9GGS7w82RdtCo45udJ6N7CY+ggxbSNyC6uDuxVfYEmU2VUSHiw= -=a+rm ------END PGP SIGNATURE----- diff --git a/cryptography_vectors-1.1.tar.gz b/cryptography_vectors-1.1.tar.gz new file mode 100644 index 0000000..2600fce --- /dev/null +++ b/cryptography_vectors-1.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a929fbb0eac391c93c5745451a4d4157a8bc18eb2e69faf3af1d825ceacbf32c +size 25026549 diff --git a/cryptography_vectors-1.1.tar.gz.asc b/cryptography_vectors-1.1.tar.gz.asc new file mode 100644 index 0000000..d507cf8 --- /dev/null +++ b/cryptography_vectors-1.1.tar.gz.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQEcBAABAgAGBQJWMUylAAoJECNa5fEp+e2Y0NQH/12rUn4ppMIkwf7573iBiX2H +1yieY5/gBAzcBHTodxZixw6sJNfJjw0DagP9zHOa2YFKjvkz2KmAUTK2rNBfgsG9 +34Tp/DGaH+q270/jeZG3PXPBi6lqK7JWsL3lS9Pi7gvx5nS+qywZnO7Xxsks0kDD +bi+1SCZuy8igXnteTfYO2isH7ziwKaIf8zGldK4c/8ri1HZ4+zMby6nN3ymMe1SU +6KoYiNteNzE1FXTftOJNr9l7zJNMkTdcQ1I1IvxUfdcXG/QWg4fFrSB40mzIhR20 +XJrGf77uo3HXKIHoIEWT57qU5kWciklUSwR4cgPs4JT1YCs7q/ngAetAVa7Y0cY= +=BrnC +-----END PGP SIGNATURE----- diff --git a/python-cryptography.changes b/python-cryptography.changes index ab9b2b1..c4b7bc7 100644 --- a/python-cryptography.changes +++ b/python-cryptography.changes @@ -1,3 +1,48 @@ +------------------------------------------------------------------- +Tue Nov 10 04:16:13 UTC 2015 - tbechtold@suse.com + +- update to 1.1: + * Added support for Elliptic Curve Diffie-Hellman with + :class:`~cryptography.hazmat.primitives.asymmetric.ec.ECDH`. + * Added :class:`~cryptography.hazmat.primitives.kdf.x963kdf.X963KDF`. + * Added support for parsing certificate revocation lists (CRLs) using + :func:`~cryptography.x509.load_pem_x509_crl` and + :func:`~cryptography.x509.load_der_x509_crl`. + * Add support for AES key wrapping with + :func:`~cryptography.hazmat.primitives.keywrap.aes_key_wrap` and + :func:`~cryptography.hazmat.primitives.keywrap.aes_key_unwrap`. + * Added a ``__hash__`` method to :class:`~cryptography.x509.Name`. + * Add support for encoding and decoding elliptic curve points to a byte string + form using + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.encode_point` + and + :meth:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers.from_encoded_point`. + * Added :meth:`~cryptography.x509.Extensions.get_extension_for_class`. + * :class:`~cryptography.x509.CertificatePolicies` are now supported in the + :class:`~cryptography.x509.CertificateBuilder`. + * ``countryName`` is now encoded as a ``PrintableString`` when creating subject + and issuer distinguished names with the Certificate and CSR builder classes. + * **SECURITY ISSUE**: The OpenSSL backend prior to 1.0.2 made extensive use + of assertions to check response codes where our tests could not trigger a + failure. However, when Python is run with ``-O`` these asserts are optimized + away. If a user ran Python with this flag and got an invalid response code + this could result in undefined behavior or worse. Accordingly, all response + checks from the OpenSSL backend have been converted from ``assert`` + to a true function call. Credit **Emilia Käsper (Google Security Team)** + for the report. + * We now ship OS X wheels that statically link OpenSSL by default. When + installing a wheel on OS X 10.10+ (and using a Python compiled against the + 10.10 SDK) users will no longer need to compile. See :doc:`/installation` for + alternate installation methods if required. + * Set the default string mask to UTF-8 in the OpenSSL backend to resolve + character encoding issues with older versions of OpenSSL. + * Several new OpenSSL bindings have been added to support a future pyOpenSSL + release. + * Raise an error during install on PyPy < 2.6. 1.0+ requires PyPy 2.6+. +- Remove 2293.patch . Applied in a different way upstream. +- Add BuildRequires for python-hypothesis and python-pyasn1-modules for running + unittests + ------------------------------------------------------------------- Wed Sep 30 12:01:27 UTC 2015 - dmueller@suse.com diff --git a/python-cryptography.spec b/python-cryptography.spec index 8616064..ac4b366 100644 --- a/python-cryptography.spec +++ b/python-cryptography.spec @@ -17,7 +17,7 @@ Name: python-cryptography -Version: 1.0 +Version: 1.1 Release: 0 Summary: Python library which exposes cryptographic recipes and primitives License: Apache-2.0 @@ -30,14 +30,14 @@ Source3: https://pypi.python.org/packages/source/c/cryptography-vectors/c Source4: https://pypi.python.org/packages/source/c/cryptography-vectors/cryptography_vectors-%{version}.tar.gz.asc # PATCH-FIX-SLE disable-uneven-sizes-tests.patch bnc#944204 Patch1: disable-uneven-sizes-tests.patch -# PATCH-FIX-UPSTREAM 2293.patch bnc#947679 -- https://github.com/pyca/cryptography/pull/2293 -Patch2: 2293.patch BuildRequires: libopenssl-devel BuildRequires: python-cffi >= 1.1.0 BuildRequires: python-devel BuildRequires: python-enum34 +BuildRequires: python-hypothesis BuildRequires: python-idna >= 2.0 BuildRequires: python-ipaddress +BuildRequires: python-pyasn1-modules BuildRequires: python-setuptools BuildRequires: python-six >= 1.4.1 BuildRequires: pkgconfig(libffi) @@ -73,7 +73,6 @@ functions. tar xvzf %{SOURCE3} %patch1 -p1 -%patch2 -p1 %build CFLAGS="%{optflags} -fno-strict-aliasing" python setup.py build