- From 061a06b4ec5aa942db5b5bdbfe392911d9b949e6 Mon Sep 17 00:00:00 2001

- From: Christian Heimes <cheimes@redhat.com>

- Date: Mon, 14 Aug 2017 13:33:23 +0200

- Subject: [PATCH 1/4] Drop minimal setuptools and pytest version fron setup.py

- 

- ---

-  setup.py | 4 ++--

-  1 file changed, 2 insertions(+), 2 deletions(-)

- 

- diff --git a/setup.py b/setup.py

- index c5a99be5..0d951bb8 100644

- --- a/setup.py

- +++ b/setup.py

- @@ -37,7 +37,7 @@ requirements = [

-      "idna>=2.0",

-      "pyasn1>=0.1.8",

-      "six>=1.4.1",

- -    "setuptools>=11.3",

- +    "setuptools",

-  ]

-  setup_requirements = []

-  

- @@ -58,7 +58,7 @@ else:

-      setup_requirements.append("cffi>=1.4.1")

-  

-  test_requirements = [

- -    "pytest>=2.9.0",

- +    "pytest",

-      "pretend",

-      "iso8601",

-      "pyasn1_modules",

- -- 

- 2.13.5

- 

- From da48b31f7d1e247ed6e00ee09b8c80ca0231e507 Mon Sep 17 00:00:00 2001

- From: Christian Heimes <cheimes@redhat.com>

- Date: Mon, 14 Aug 2017 13:34:17 +0200

- Subject: [PATCH 2/4] Disable unsupported tests

- pytest 2.7 does not support context manager for deprecated_call().

-  tests/test_x509.py     | 3 ++-

-  tests/test_x509_ext.py | 3 ++-

-  2 files changed, 4 insertions(+), 2 deletions(-)

- index 966cba6f..fce617cc 100644

- @@ -527,7 +527,8 @@ class TestRSACertificate(object):

- +        # pytest 2.7 does not support context manager for deprecated_call()

- diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py

- index 7104121d..00cf0a6f 100644

- --- a/tests/test_x509_ext.py

- +++ b/tests/test_x509_ext.py

- @@ -3003,7 +3003,8 @@ class TestDistributionPoint(object):

-          with pytest.raises(ValueError):

-              x509.DistributionPoint("data", "notname", None, None)

-  

- -    def test_relative_name_name_value_deprecated(self):

- +    def DISABLED_test_relative_name_name_value_deprecated(self):

- +        # pytest 2.7 does not support context manager for deprecated_call()

-          with pytest.deprecated_call():

-              x509.DistributionPoint(

-                  None,

- 2.13.5

- From 53e182c619774669ad4e54d3ed9fc03155cd2741 Mon Sep 17 00:00:00 2001

- From: Christian Heimes <cheimes@redhat.com>

- Date: Mon, 13 Feb 2017 21:28:02 -0600

- Subject: [PATCH 3/4] Refactor binding initialization to allow specified errors

-  (#3278)

- 

- If pyca/cryptography sees any errors on the error stack during its own

- initialization it immediately raises InternalError and refuses to

- proceed. This was a safety measure since we weren't sure if it was

- safe to proceed. However, reality has intervened and we have to

- bow to the god of pragmatism and just clear the error queue. In

- practice this is safe since we religiously check the error queue

- in operation.

- 

- Fixes RHBZ #1402235

- ---

-  src/cryptography/hazmat/bindings/openssl/binding.py |  7 ++++++-

-  tests/hazmat/bindings/test_openssl.py               | 16 +++++++++++++++-

-  2 files changed, 21 insertions(+), 2 deletions(-)

- 

- diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py

- index 39750abc..096faf5c 100644

- --- a/src/cryptography/hazmat/bindings/openssl/binding.py

- +++ b/src/cryptography/hazmat/bindings/openssl/binding.py

- @@ -111,7 +111,12 @@ class Binding(object):

-  

-      @classmethod

-      def _register_osrandom_engine(cls):

- -        _openssl_assert(cls.lib, cls.lib.ERR_peek_error() == 0)

- +        # Clear any errors extant in the queue before we start. In many

- +        # scenarios other things may be interacting with OpenSSL in the same

- +        # process space and it has proven untenable to assume that they will

- +        # reliably clear the error queue. Once we clear it here we will

- +        # error on any subsequent unexpected item in the stack.

- +        cls.lib.ERR_clear_error()

-          cls._osrandom_engine_id = cls.lib.Cryptography_osrandom_engine_id

-          cls._osrandom_engine_name = cls.lib.Cryptography_osrandom_engine_name

-          result = cls.lib.Cryptography_add_osrandom_engine()

- diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py

- index 3e01717c..854615f1 100644

- --- a/tests/hazmat/bindings/test_openssl.py

- +++ b/tests/hazmat/bindings/test_openssl.py

- @@ -8,7 +8,8 @@ import pytest

-  

-  from cryptography.exceptions import InternalError

-  from cryptography.hazmat.bindings.openssl.binding import (

- -    Binding, _OpenSSLErrorWithText, _openssl_assert, _verify_openssl_version

- +    Binding, _OpenSSLErrorWithText, _consume_errors, _openssl_assert,

- +    _verify_openssl_version

-  )

-  

-  

- @@ -108,8 +109,21 @@ class TestOpenSSL(object):

-              )

-          )]

-  

- +

-      def test_verify_openssl_version(self, monkeypatch):

-          monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_100", raising=False)

-          with pytest.raises(RuntimeError):

-              # OpenSSL 1.0.0

-              _verify_openssl_version(0x100000F)

- +

- +    def test_check_startup_errors_are_allowed(self):

- +        b = Binding()

- +        b.lib.ERR_put_error(

- +            b.lib.ERR_LIB_EVP,

- +            b.lib.EVP_F_EVP_ENCRYPTFINAL_EX,

- +            b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH,

- +            b"",

- +            -1

- +        )

- +        b._register_osrandom_engine()

- +        assert _consume_errors(b.lib) == []

- -- 

- 2.13.5

- 

- From fb637b7c58e42d7c99558276ffaabec1878bf97d Mon Sep 17 00:00:00 2001

- From: Christian Heimes <cheimes@redhat.com>

- Date: Mon, 29 May 2017 16:33:20 -0500

- Subject: [PATCH 4/4] Enlarge _oid2txt buffer to handle larger OIDs (#3612)

- 

- The OpenSSL manual recommends a buffer size of 80 for OBJ_oid2txt:

- https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values.

- But OIDs longer than this occur in real life (e.g. Active Directory

- makes some very long OIDs).  If the length of the stringified OID

- exceeds the buffer size, allocate a new buffer that is big enough to

- hold the stringified OID, and re-do the conversion into the new

- buffer.

- 

- NOTE: bigoid.pem has been moved to tests/.

- 

- Fixes RHBZ #1455755

- ---

-  docs/development/test-vectors.rst                  |  3 ++

-  .../hazmat/backends/openssl/decode_asn1.py         | 14 ++++++++++

-  tests/bigoid.pem                                   | 32 ++++++++++++++++++++++

-  tests/test_x509_ext.py                             | 19 +++++++++++++

-  4 files changed, 68 insertions(+)

-  create mode 100644 tests/bigoid.pem

- 

- diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst

- index fb72240d..bc72a470 100644

- --- a/docs/development/test-vectors.rst

- +++ b/docs/development/test-vectors.rst

- @@ -127,6 +127,9 @@ X.509

-  * ``alternate-rsa-sha1-oid.pem`` - A certificate from an

-    `unknown signature OID`_ Mozilla bug that uses an alternate signature OID for

-    RSA with SHA1.

- +* ``bigoid.pem`` - A certificate with a rather long OID in the

- +  Certificate Policies extension.  We need to make sure we can parse

- +  long OIDs.

-  

-  Custom X.509 Vectors

-  ~~~~~~~~~~~~~~~~~~~~

- diff --git a/src/cryptography/hazmat/backends/openssl/decode_asn1.py b/src/cryptography/hazmat/backends/openssl/decode_asn1.py

- index 2cbc349e..5a23da25 100644

- --- a/src/cryptography/hazmat/backends/openssl/decode_asn1.py

- +++ b/src/cryptography/hazmat/backends/openssl/decode_asn1.py

- @@ -24,9 +24,23 @@ from cryptography.x509.oid import (

-  def _obj2txt(backend, obj):

-      # Set to 80 on the recommendation of

-      # https://www.openssl.org/docs/crypto/OBJ_nid2ln.html#return_values

- +    #

- +    # But OIDs longer than this occur in real life (e.g. Active

- +    # Directory makes some very long OIDs).  So we need to detect

- +    # and properly handle the case where the default buffer is not

- +    # big enough.

- +    #

-      buf_len = 80

-      buf = backend._ffi.new("char[]", buf_len)

- +

- +    # 'res' is the number of bytes that *would* be written if the

- +    # buffer is large enough.  If 'res' > buf_len - 1, we need to

- +    # alloc a big-enough buffer and go again.

-      res = backend._lib.OBJ_obj2txt(buf, buf_len, obj, 1)

- +    if res > buf_len - 1:  # account for terminating null byte

- +        buf_len = res + 1

- +        buf = backend._ffi.new("char[]", buf_len)

- +        res = backend._lib.OBJ_obj2txt(buf, buf_len, obj, 1)

-      backend.openssl_assert(res > 0)

-      return backend._ffi.buffer(buf, res)[:].decode()

-  

- diff --git a/tests/bigoid.pem b/tests/bigoid.pem

- new file mode 100644

- index 00000000..7bf865bf

- --- /dev/null

- +++ b/tests/bigoid.pem

- @@ -0,0 +1,32 @@

- +-----BEGIN CERTIFICATE-----

- +MIIFiTCCBHGgAwIBAgITSAAAAAd1bEC5lsOdnQAAAAAABzANBgkqhkiG9w0BAQsF

- +ADBLMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEjAQBgoJkiaJk/IsZAEZFgJhZDEe

- +MBwGA1UEAxMVYWQtV0lOLVBQSzAxNUY5TURRLUNBMB4XDTE3MDUyNTIzNDg0NVoX

- +DTE5MDUyNTIzNTg0NVowNDESMBAGA1UEChMJSVBBLkxPQ0FMMR4wHAYDVQQDExVD

- +ZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK

- +AoIBAQDyyuty6irlL89hdaSW0UyAGLsOOMgAuJwBAeuRUorR159rsSnUXLcTHIsm

- +EszKhwxp3NkkawRWx/s0UN1m2+RUwMl6gvlw+G80Mz0S77C77M+2lO8HRmZGm+Wu

- +zBNcc9SANHuDQ1NISfZgLiscMS0+l0T3g6/Iqtg1kPWrq/tMevfh6tJEIedSBGo4

- +3xKEMSDkrvaeTuSVrgn/QT0m+WNccZa0c7X35L/hgR22/l5sr057Ef8F9vL8zUH5

- +TttFBIuiWJo8A8XX9I1zYIFhWjW3OVDZPBUnhGHH6yNyXGxXMRfcrrc74eTw8ivC

- +080AQuRtgwvDErB/JPDJ5w5t/ielAgMBAAGjggJ7MIICdzA9BgkrBgEEAYI3FQcE

- +MDAuBiYrBgEEAYI3FQiEoqJGhYq1PoGllQqGi+F4nacAgRODs5gfgozzAAIBZAIB

- +BTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUnSrC

- +yW3CR0e3ilJdN6kL06P3KHMwHwYDVR0jBBgwFoAUj69xtyUNwp8on+NWO+HlxKyg

- +X7AwgdgGA1UdHwSB0DCBzTCByqCBx6CBxIaBwWxkYXA6Ly8vQ049YWQtV0lOLVBQ

- +SzAxNUY5TURRLUNBLENOPVdJTi1QUEswMTVGOU1EUSxDTj1DRFAsQ049UHVibGlj

- +JTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixE

- +Qz1hZCxEQz1sb2NhbD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2Jq

- +ZWN0Q2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgcQGCCsGAQUFBwEBBIG3MIG0

- +MIGxBggrBgEFBQcwAoaBpGxkYXA6Ly8vQ049YWQtV0lOLVBQSzAxNUY5TURRLUNB

- +LENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxD

- +Tj1Db25maWd1cmF0aW9uLERDPWFkLERDPWxvY2FsP2NBQ2VydGlmaWNhdGU/YmFz

- +ZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MDMGA1UdIAQsMCow

- +KAYmKwYBBAGCNxUIhKKiRoWKtT6BpZUKhovheJ2nAIEThrXzUYabpA4wDQYJKoZI

- +hvcNAQELBQADggEBAIsFS+Qc/ufTrkuHbMmzksOpxq+OIi9rot8zy9/1Vmj6d+iP

- +kB+vQ1u4/IhdQArJFNhsBzWSY9Pi8ZclovpepFeEZfXPUenyeRCU43HdMXcHXnlP

- +YZfyLQWOugdo1WxK6S9qQSOSlC7BSGZWvKkiAPAwr4zNbbS+ROA2w0xaYMv0rr5W

- +A4UAyzZAdqaGRJBRvCZ/uFHM5wMw0LzNCL4CqKW9jfZX0Fc2tdGx8zbTYxIdgr2D

- +PL25as32r3S/m4uWqoQaK0lxK5Y97eusK2rrmidy32Jctzwl29UWq8kpjRAuD8iR

- +CSc7sKqOf+fn3+fKITR2/DcSVvb0SGCr5fVVnjQ=

- +-----END CERTIFICATE-----

- diff --git a/tests/test_x509_ext.py b/tests/test_x509_ext.py

- index 00cf0a6f..91df35db 100644

- --- a/tests/test_x509_ext.py

- +++ b/tests/test_x509_ext.py

- @@ -409,6 +409,7 @@ class TestPolicyInformation(object):

-          assert pi != object()

-  

-  

- +@pytest.mark.requires_backend_interface(interface=X509Backend)

-  class TestCertificatePolicies(object):

-      def test_invalid_policies(self):

-          pq = [u"string"]

- @@ -481,6 +482,24 @@ class TestCertificatePolicies(object):

-          assert cp[-1] == cp[4]

-          assert cp[2:6:2] == [cp[2], cp[4]]

-  

- +    def test_long_oid(self, backend):

- +        """

- +        Test that parsing a CertificatePolicies ext with

- +        a very long OID succeeds.

- +        """

- +        here = os.path.dirname(os.path.abspath(__file__))

- +        with open(os.path.join(here, "bigoid.pem"), 'rb') as f:

- +            cert = x509.load_pem_x509_certificate(f.read(), backend)

- +        ext = cert.extensions.get_extension_for_class(

- +            x509.CertificatePolicies)

- +

- +        oid = x509.ObjectIdentifier(

- +            "1.3.6.1.4.1.311.21.8.8950086.10656446.2706058"

- +            ".12775672.480128.147.13466065.13029902"

- +        )

- +

- +        assert ext.value[0].policy_identifier == oid

- +

-  

-  @pytest.mark.requires_backend_interface(interface=RSABackend)

-  @pytest.mark.requires_backend_interface(interface=X509Backend)

- -- 

- 2.13.5

- 

- --- a/src/cryptography/hazmat/backends/openssl/backend.py

- +++ b/src/cryptography/hazmat/backends/openssl/backend.py

- @@ -9,7 +9,6 @@ import calendar

-  import collections

-  import contextlib

-  import itertools

- -import sys

-  from contextlib import contextmanager

-  

-  import six

- @@ -61,6 +60,7 @@ from cryptography.hazmat.primitives.ciph

-  from cryptography.hazmat.primitives.ciphers.modes import (

-      CBC, CFB, CFB8, CTR, ECB, GCM, OFB

-  )

- +from cryptography.hazmat.primitives.kdf import scrypt

-  

-  

-  _MemoryBIO = collections.namedtuple("_MemoryBIO", ["bio", "char_ptr"])

- @@ -1894,9 +1894,10 @@ class Backend(object):

-  

-      def derive_scrypt(self, key_material, salt, length, n, r, p):

-          buf = self._ffi.new("unsigned char[]", length)

- -        res = self._lib.EVP_PBE_scrypt(key_material, len(key_material), salt,

- -                                       len(salt), n, r, p, sys.maxsize // 2,

- -                                       buf, length)

- +        res = self._lib.EVP_PBE_scrypt(

- +            key_material, len(key_material), salt, len(salt), n, r, p,

- +            scrypt._MEM_LIMIT, buf, length

- +        )

-          self.openssl_assert(res == 1)

-          return self._ffi.buffer(buf)[:]

-  

- --- a/src/cryptography/hazmat/primitives/kdf/scrypt.py

- +++ b/src/cryptography/hazmat/primitives/kdf/scrypt.py

- @@ -4,6 +4,8 @@

-  

-  from __future__ import absolute_import, division, print_function

-  

- +import sys

- +

-  from cryptography import utils

-  from cryptography.exceptions import (

-      AlreadyFinalized, InvalidKey, UnsupportedAlgorithm, _Reasons

- @@ -13,6 +15,11 @@ from cryptography.hazmat.primitives impo

-  from cryptography.hazmat.primitives.kdf import KeyDerivationFunction

-  

-  

- +# This is used by the scrypt tests to skip tests that require more memory

- +# than the MEM_LIMIT

- +_MEM_LIMIT = sys.maxsize // 2

- +

- +

-  @utils.register_interface(KeyDerivationFunction)

-  class Scrypt(object):

-      def __init__(self, salt, length, n, r, p, backend):

- --- a/tests/hazmat/primitives/test_scrypt.py

- +++ b/tests/hazmat/primitives/test_scrypt.py

- @@ -14,7 +14,7 @@ from cryptography.exceptions import (

-      AlreadyFinalized, InvalidKey, UnsupportedAlgorithm

-  )

-  from cryptography.hazmat.backends.interfaces import ScryptBackend

- -from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

- +from cryptography.hazmat.primitives.kdf.scrypt import Scrypt, _MEM_LIMIT

-  

-  from tests.utils import load_nist_vectors, load_vectors_from_file

-  

- @@ -22,10 +22,30 @@ vectors = load_vectors_from_file(

-      os.path.join("KDF", "scrypt.txt"), load_nist_vectors)

-  

-  

- +def _skip_if_memory_limited(memory_limit, params):

- +    # Memory calc adapted from OpenSSL (URL split over 2 lines, thanks PEP8)

- +    # https://github.com/openssl/openssl/blob/6286757141a8c6e14d647ec733634a

- +    # e0c83d9887/crypto/evp/scrypt.c#L189-L221

- +    blen = int(params["p"]) * 128 * int(params["r"])

- +    vlen = 32 * int(params["r"]) * (int(params["n"]) + 2) * 4

- +    memory_required = blen + vlen

- +    if memory_limit < memory_required:

- +        pytest.skip("Test exceeds Scrypt memory limit. "

- +                    "This is likely a 32-bit platform.")

- +

- +

- +def test_memory_limit_skip():

- +    with pytest.raises(pytest.skip.Exception):

- +        _skip_if_memory_limited(1000, {"p": 16, "r": 64, "n": 1024})

- +

- +    _skip_if_memory_limited(2 ** 31, {"p": 16, "r": 64, "n": 1024})

- +

- +

-  @pytest.mark.requires_backend_interface(interface=ScryptBackend)

-  class TestScrypt(object):

-      @pytest.mark.parametrize("params", vectors)

-      def test_derive(self, backend, params):

- +        _skip_if_memory_limited(_MEM_LIMIT, params)

-          password = params["password"]

-          work_factor = int(params["n"])

-          block_size = int(params["r"])

- @@ -77,6 +97,7 @@ class TestScrypt(object):

-  

-      @pytest.mark.parametrize("params", vectors)

-      def test_verify(self, backend, params):

- +        _skip_if_memory_limited(_MEM_LIMIT, params)

-          password = params["password"]

-          work_factor = int(params["n"])

-          block_size = int(params["r"])

- Version:        1.7.2

- Release:        4%{?dist}

- Patch0:         0001-Drop-minimal-setuptools-and-pytest-version-fron-setu.patch

- Patch2:         0003-Refactor-binding-initialization-to-allow-specified-e.patch

- Patch3:         0004-Enlarge-_oid2txt-buffer-to-handle-larger-OIDs-3612.patch

- 

- # Patch from https://github.com/pyca/cryptography/pull/3328

- Patch10:        add_memory_limit.patch

- BuildRequires:  python%{python3_pkgversion}-pyasn1-modules >= 0.1.8

- BuildRequires:  python%{python3_pkgversion}-pyasn1 >= 0.1.8

- Requires:       python%{python3_pkgversion}-pyasn1 >= 0.1.8

- BuildRequires:  python%{python3_other_pkgversion}-pyasn1-modules >= 0.1.8

- BuildRequires:  python%{python3_other_pkgversion}-pyasn1 >= 0.1.8

- Requires:       python%{python3_other_pkgversion}-pyasn1 >= 0.1.8

- SHA512 (cryptography-1.7.2.tar.gz) = 8ddd119385064e1f8288ff318ec16f500b5c125a3811ccb306aeb2664fac495fcdd3cb5a7cbacd10156505c9526b9cdbd66860b35bbcd2f9a6bb285dd6cba8c5