6 changed files with 2 additions and 1435 deletions
--- a/1000-add-loongarch64-support-not-upstream-modified-files.patch
+++ b/1000-add-loongarch64-support-not-upstream-modified-files.patch
--- a/backport-CVE-2023-23931.patch
+++ b/backport-CVE-2023-23931.patch
@ -1,45 +0,0 @@
-From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor <alex.gaynor@gmail.com>
-Date: Tue, 7 Feb 2023 11:34:18 -0500
-Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230)
-
---
- src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
- tests/hazmat/primitives/test_ciphers.py             | 8 ++++++++
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
-index d5b6010..a5737dc 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
-+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
-@@ -155,7 +155,7 @@ class _CipherContext(object):
-         data_processed = 0
-         total_out = 0
-         outlen = self._backend._ffi.new("int *")
-        baseoutbuf = self._backend._ffi.from_buffer(buf)
-+        baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
-         baseinbuf = self._backend._ffi.from_buffer(data)
- 
-         while data_processed != total_data_len:
-diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
-index ef57790..977f148 100644
--- a/tests/hazmat/primitives/test_ciphers.py
-+++ b/tests/hazmat/primitives/test_ciphers.py
-@@ -306,6 +306,14 @@ class TestCipherUpdateInto(object):
-         with pytest.raises(ValueError):
-             encryptor.update_into(b"testing", buf)
- 
-+    def test_update_into_immutable(self, backend):
-+        key = b"\x00" * 16
-+        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
-+        encryptor = c.encryptor()
-+        buf = b"\x00" * 32
-+        with pytest.raises((TypeError, BufferError)):
-+            encryptor.update_into(b"testing", buf)
-+
-     @pytest.mark.supported(
-         only_if=lambda backend: backend.cipher_supported(
-             AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
-- 
-2.33.0
-
--- a/backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch
+++ b/backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch
@ -1,49 +0,0 @@
-From a739c81fed3f87effec5bc78400658b666568a3a Mon Sep 17 00:00:00 2001
-From: Alex Gaynor <alex.gaynor@gmail.com>
-Date: Wed, 29 Nov 2023 10:05:44 +0800
-Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
- (#9926)
-
---
- src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
- tests/hazmat/primitives/test_pkcs7.py               | 6 ++++++
- 2 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
-index 7364523..1a1a6d1 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
-+++ b/src/cryptography/hazmat/backends/openssl/backend.py
-@@ -2189,9 +2189,12 @@ class Backend(BackendInterface):
-                 _Reasons.UNSUPPORTED_SERIALIZATION,
-             )
- 
-+        certs: list[x509.Certificate] = []
-+        if p7.d.sign == self._ffi.NULL:
-+            return certs
-+
-         sk_x509 = p7.d.sign.cert
-         num = self._lib.sk_X509_num(sk_x509)
-        certs = []
-         for i in range(num):
-             x509 = self._lib.sk_X509_value(sk_x509, i)
-             self.openssl_assert(x509 != self._ffi.NULL)
-diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
-index 91ac842..e6dcd8e 100644
--- a/tests/hazmat/primitives/test_pkcs7.py
-+++ b/tests/hazmat/primitives/test_pkcs7.py
-@@ -81,6 +81,12 @@ class TestPKCS7Loading(object):
-                 mode="rb",
-             )
- 
-+    def test_load_pkcs7_empty_certificates(self, backend):
-+        der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
-+
-+        certificates = pkcs7.load_der_pkcs7_certificates(der)
-+        assert certificates == []
-+
- 
- # We have no public verification API and won't be adding one until we get
- # some requirements from users so this function exists to give us basic
-- 
-2.33.0
-
--- a/backport-provide-openssl-apis-related-to-SM-for-python.patch
+++ b/backport-provide-openssl-apis-related-to-SM-for-python.patch
@ -1,13 +1,3 @@
-From 52325495900f1bd9e1f228f24c81c0746520dc85 Mon Sep 17 00:00:00 2001
-From: hanxinke <hanxinke@huawei.com>
-Date: Tue, 3 Aug 2021 10:45:22 +0800
-Subject: [PATCH] provide openssl apis related to SM for python
-
-Signed-off-by: hanxinke <hanxinke@huawei.com>
---
- src/_cffi_src/openssl/evp.py | 7 +++++++
- 1 file changed, 7 insertions(+)
-
 diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py
 index ad7a0e7..13069dc 100644
 --- a/src/_cffi_src/openssl/evp.py
--- a/backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch
+++ b/backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch
@ -1,70 +0,0 @@
-From e42162a7f730481642bb063cf72274d002dc8c0b Mon Sep 17 00:00:00 2001
-From: Paul Kehrer <paul.l.kehrer@gmail.com>
-Date: Sun, 5 Nov 2023 19:18:50 +0800
-Subject: [PATCH] raise an exception instead of returning an empty list for
- pkcs7 cert loading (#9947)
-
-* raise an exception instead of returning an empty list
-
-as davidben points out in #9926 we are calling a specific load
-certificates function and an empty value doesn't necessarily mean empty
-because PKCS7 contains multitudes. erroring is more correct.
-
-* changelog
-
-* Update CHANGELOG.rst
-
-Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
-
---------
-
-Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
---
- src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
- tests/hazmat/primitives/test_pkcs7.py               | 6 +++---
- 2 files changed, 8 insertions(+), 5 deletions(-)
-
-diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
-index 1a1a6d1..485cf89 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
-+++ b/src/cryptography/hazmat/backends/openssl/backend.py
-@@ -2189,12 +2189,15 @@ class Backend(BackendInterface):
-                 _Reasons.UNSUPPORTED_SERIALIZATION,
-             )
- 
-        certs: list[x509.Certificate] = []
-         if p7.d.sign == self._ffi.NULL:
-            return certs
-+            raise ValueError(
-+                "The provided PKCS7 has no certificate data, but a cert "
-+                "loading method was called."
-+            )
- 
-         sk_x509 = p7.d.sign.cert
-         num = self._lib.sk_X509_num(sk_x509)
-+        certs: list[x509.Certificate] = []
-         for i in range(num):
-             x509 = self._lib.sk_X509_value(sk_x509, i)
-             self.openssl_assert(x509 != self._ffi.NULL)
-diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
-index e6dcd8e..96aa2f2 100644
--- a/tests/hazmat/primitives/test_pkcs7.py
-+++ b/tests/hazmat/primitives/test_pkcs7.py
-@@ -81,11 +81,11 @@ class TestPKCS7Loading(object):
-                 mode="rb",
-             )
- 
-    def test_load_pkcs7_empty_certificates(self, backend):
-+    def test_load_pkcs7_empty_certificates(self):
-         der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
- 
-        certificates = pkcs7.load_der_pkcs7_certificates(der)
-        assert certificates == []
-+        with pytest.raises(ValueError):
-+            pkcs7.load_der_pkcs7_certificates(der)
- 
- 
- # We have no public verification API and won't be adding one until we get
-- 
-2.33.0
-
--- a/python-cryptography.spec
+++ b/python-cryptography.spec
@ -1,18 +1,13 @@
 %global srcname cryptography
 Name:           python-%{srcname}
 Version:        36.0.1
-Release:        7
+Release:        1
 Summary:        PyCA's cryptography library
 License:        ASL 2.0 or BSD
 URL:            https://cryptography.io/en/latest/  
 Source0:        %{srcname}-%{version}.tar.gz

-Patch1000:      1000-add-loongarch64-support-not-upstream-modified-files.patch
 Patch6002:      backport-provide-openssl-apis-related-to-SM-for-python.patch
-Patch6003:      backport-CVE-2023-23931.patch
-# CVE-2023-49083
-Patch6004:      backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch
-Patch6005:      backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch

 BuildRequires:  openssl-devel cargo
 BuildRequires:  gcc
@ -86,28 +81,7 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %doc README.rst docs

 %changelog
-* Sat Dec 23 shixuantong <shixuantong1@huawei.com> - 36.0.1-7
- update author info for Patch6002
-
-* Mon Dec 4 2023 liningjie <liningjie@xfusion.com> - 36.0.1-6
- raise an exception instead of returning an empty list for pkcs7 cert loading
-
-* Wed Nov 29 2023 liningjie <liningjie@xfusion.com> - 36.0.1-5
- Fixed crash when loading a PKCS#7 bundle with no certificates
-
-* Sat Aug 12 2023 panchenbo <panchenbo@kylinsec.com.cn> - 36.0.1-4
- add loongarch64 support
-
-* Thu Apr 06 2023 jichengke<jichengke2011@gmail.com> - 36.0.1-3
- fix bogus date in changelog
-
-* Tue Feb 14 2023 zhuofeng<zhuofeng2@huawei.com> - 36.0.1-2
- Type:CVE
- CVE:CVE-2023-23931
- SUG:NA
- DESC:fix CVE-2023-23931
-
-* Tue Nov 01 2022 Ge Wang <wangge20@h-partners.com> 36.0.1-1
+* Feb Nov 01 2022 Ge Wang <wangge20@h-partners.com> 36.0.1-1
 - Update to version 36.0.1

 * Fri Jul 01 2022 tianwei<tianwei12@h-partners.com> -3.3.1-4