!71 raise an exception instead of returning an empty list for pkcs7 cert loading

From: @li_ning_jie 
Reviewed-by: @gaoruoshu 
Signed-off-by: @gaoruoshu

backport-CVE-2023-23931.patch

@@ -0,0 +1,45 @@
+From 9fbf84efc861668755ab645530ec7be9cf3c6696 Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Tue, 7 Feb 2023 11:34:18 -0500
+Subject: [PATCH] Don't allow update_into to mutate immutable objects (#8230)
+
+---
+ src/cryptography/hazmat/backends/openssl/ciphers.py | 2 +-
+ tests/hazmat/primitives/test_ciphers.py             | 8 ++++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
+index ad5dad3..020ca25 100644
+--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
++++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
+@@ -135,7 +135,7 @@ class _CipherContext(object):
+         data_processed = 0
+         total_out = 0
+         outlen = self._backend._ffi.new("int *")
+-        baseoutbuf = self._backend._ffi.from_buffer(buf)
++        baseoutbuf = self._backend._ffi.from_buffer(buf, require_writable=True)
+         baseinbuf = self._backend._ffi.from_buffer(data)
+ 
+         while data_processed != total_data_len:
+diff --git a/tests/hazmat/primitives/test_ciphers.py b/tests/hazmat/primitives/test_ciphers.py
+index a9219fe..d5410a6 100644
+--- a/tests/hazmat/primitives/test_ciphers.py
++++ b/tests/hazmat/primitives/test_ciphers.py
+@@ -310,6 +310,14 @@ class TestCipherUpdateInto(object):
+         with pytest.raises(ValueError):
+             encryptor.update_into(b"testing", buf)
+ 
++    def test_update_into_immutable(self, backend):
++        key = b"\x00" * 16
++        c = ciphers.Cipher(AES(key), modes.ECB(), backend)
++        encryptor = c.encryptor()
++        buf = b"\x00" * 32
++        with pytest.raises((TypeError, BufferError)):
++            encryptor.update_into(b"testing", buf)
++
+     @pytest.mark.supported(
+         only_if=lambda backend: backend.cipher_supported(
+             AES(b"\x00" * 16), modes.GCM(b"\x00" * 12)
+-- 
+2.33.0
+

backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch

@@ -0,0 +1,49 @@
+From d91a2bfac268db6093ee1f02443bb1f2e78c74ff Mon Sep 17 00:00:00 2001
+From: Alex Gaynor <alex.gaynor@gmail.com>
+Date: Wed, 29 Nov 2023 10:56:37 +0800
+Subject: [PATCH] Fixed crash when loading a PKCS#7 bundle with no certificates
+ #9926
+
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 5 ++++-
+ tests/hazmat/primitives/test_pkcs7.py               | 6 ++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index ff9c23c..ba0fad0 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2669,9 +2669,12 @@ class Backend(object):
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+ 
++        certs = []
++        if p7.d.sign == self._ffi.NULL:
++            return certs
++
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
+-        certs = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 8b93cb6..0145a24 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -80,6 +80,12 @@ class TestPKCS7Loading(object):
+                 mode="rb",
+             )
+ 
++    def test_load_pkcs7_empty_certificates(self, backend):
++        der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
++
++        certificates = pkcs7.load_der_pkcs7_certificates(der)
++        assert certificates == []
++
+ 
+ # We have no public verification API and won't be adding one until we get
+ # some requirements from users so this function exists to give us basic
+-- 
+2.33.0
+

backport-add-SM4-symmetric-block-cipher-5834.patch

@@ -0,0 +1,366 @@
+From 1a0c76566944ed09e48f51ce17ff9968cf40c886 Mon Sep 17 00:00:00 2001
+From: tobyp <tobyp@tobyp.net>
+Date: Sun, 28 Feb 2021 20:57:50 +0100
+Subject: [PATCH] Add SM4 symmetric block cipher (#5834)
+
+Reference:https://github.com/pyca/cryptography/commit/f69f27b1dd20ad2d24f48053a72545527e808104
+Conflict:The content of hazmat/primitives/ciphers/algorithms.py and tests/utils.py are adapted.
+hazmat/primitives/ciphers/algorithms.py:
+Community patch:
+    +class SM4(CipherAlgorithm, BlockCipherAlgorithm):
+Adaptation patch:
+    +@utils.register_interface(BlockCipherAlgorithm)
+    +@utils.register_interface(CipherAlgorithm)
+    +class SM4(object):
+tests/utils.py:
+Adaptation patch:
+    +filepath = os.path.join(os.path.dirname(__file__), "../vectors/cryptography_vectors", filename)
+    +if os.path.exists(filepath):
+    +    with open(filepath, mode) as vector_file:
+    +        return loader(vector_file)
+
+Co-authored-by: Tobias Peter <tobias.peter@infineon.com>
+Signed-off-by: hanxinke <hanxinke@huawei.com>
+---
+ .../primitives/symmetric-encryption.rst       | 15 +++
+ .../hazmat/backends/openssl/backend.py        |  5 +
+ .../hazmat/primitives/ciphers/algorithms.py   | 14 +++
+ tests/hazmat/primitives/test_sm4.py           | 99 +++++++++++++++++++
+ tests/utils.py                                |  4 +
+ .../SM4/draft-ribose-cfrg-sm4-10-cbc.txt      | 17 ++++
+ .../SM4/draft-ribose-cfrg-sm4-10-cfb.txt      | 17 ++++
+ .../SM4/draft-ribose-cfrg-sm4-10-ctr.txt      | 17 ++++
+ .../SM4/draft-ribose-cfrg-sm4-10-ecb.txt      | 28 ++++++
+ .../SM4/draft-ribose-cfrg-sm4-10-ofb.txt      | 17 ++++
+ 10 files changed, 233 insertions(+)
+ create mode 100644 tests/hazmat/primitives/test_sm4.py
+ create mode 100644 vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-cbc.txt
+ create mode 100644 vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-cfb.txt
+ create mode 100644 vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-ctr.txt
+ create mode 100644 vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-ecb.txt
+ create mode 100644 vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-ofb.txt
+
+diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
+index 8551acb..6e10d67 100644
+--- a/docs/hazmat/primitives/symmetric-encryption.rst
++++ b/docs/hazmat/primitives/symmetric-encryption.rst
+@@ -196,6 +196,19 @@ Algorithms
+         :term:`bits` in length.
+     :type key: :term:`bytes-like`
+ 
++.. class:: SM4(key)
++
++    .. versionadded:: 35.0.0
++
++    SM4 is a block cipher developed by the Chinese Government and standardized
++    in the `GB/T 32907-2016`_. It is used in the Chinese WAPI
++    (Wired Authentication and Privacy Infrastructure) standard. (An English
++    description is available at `draft-ribose-cfrg-sm4-10`_.)
++
++    :param key: The secret key. This must be kept secret. ``128``
++        :term:`bits` in length.
++    :type key: :term:`bytes-like`
++
+ Weak ciphers
+ ------------
+ 
+@@ -815,3 +828,5 @@ Exceptions
+ .. _`International Data Encryption Algorithm`: https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
+ .. _`OpenPGP`: https://www.openpgp.org/
+ .. _`disk encryption`: https://en.wikipedia.org/wiki/Disk_encryption_theory#XTS
++.. _`GB/T 32907-2016`: http://www.cnnic.cn/gcjsyj/qyjsyj/mmsfbz/sm4/201312/t20131204_43341.htm
++.. _`draft-ribose-cfrg-sm4-10`: https://tools.ietf.org/html/draft-ribose-cfrg-sm4-10
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index 45d4a1a..ff9c23c 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -139,6 +139,7 @@ from cryptography.hazmat.primitives.ciphers.algorithms import (
+     ChaCha20,
+     IDEA,
+     SEED,
++    SM4,
+     TripleDES,
+ )
+ from cryptography.hazmat.primitives.ciphers.modes import (
+@@ -415,6 +416,10 @@ class Backend(object):
+             ChaCha20, type(None), GetCipherByName("chacha20")
+         )
+         self.register_cipher_adapter(AES, XTS, _get_xts_cipher)
++        for mode_cls in [ECB, CBC, OFB, CFB, CTR]:
++            self.register_cipher_adapter(
++                SM4, mode_cls, GetCipherByName("sm4-{mode.name}")
++            )
+ 
+     def _register_x509_ext_parsers(self):
+         ext_handlers = _EXTENSION_HANDLERS_BASE.copy()
+diff --git a/src/cryptography/hazmat/primitives/ciphers/algorithms.py b/src/cryptography/hazmat/primitives/ciphers/algorithms.py
+index 8072ced..a1db984 100644
+--- a/src/cryptography/hazmat/primitives/ciphers/algorithms.py
++++ b/src/cryptography/hazmat/primitives/ciphers/algorithms.py
+@@ -168,3 +168,17 @@ class ChaCha20(object):
+     @property
+     def key_size(self):
+         return len(self.key) * 8
++
++@utils.register_interface(BlockCipherAlgorithm)
++@utils.register_interface(CipherAlgorithm)
++class SM4(object):
++    name = "SM4"
++    block_size = 128
++    key_sizes = frozenset([128])
++
++    def __init__(self, key):
++        self.key = _verify_key_size(self, key)
++
++    @property
++    def key_size(self):
++        return len(self.key) * 8
+diff --git a/tests/hazmat/primitives/test_sm4.py b/tests/hazmat/primitives/test_sm4.py
+new file mode 100644
+index 0000000..b757344
+--- /dev/null
++++ b/tests/hazmat/primitives/test_sm4.py
+@@ -0,0 +1,99 @@
++# This file is dual licensed under the terms of the Apache License, Version
++# 2.0, and the BSD License. See the LICENSE file in the root of this repository
++# for complete details.
++
++import binascii
++import os
++
++import pytest
++
++from cryptography.hazmat.backends.interfaces import CipherBackend
++from cryptography.hazmat.primitives.ciphers import algorithms, modes
++
++from .utils import generate_encrypt_test
++from ...utils import load_nist_vectors
++
++
++@pytest.mark.supported(
++    only_if=lambda backend: backend.cipher_supported(
++        algorithms.SM4(b"\x00" * 16), modes.ECB()
++    ),
++    skip_message="Does not support SM4 ECB",
++)
++@pytest.mark.requires_backend_interface(interface=CipherBackend)
++class TestSM4ModeECB(object):
++    test_ecb = generate_encrypt_test(
++        load_nist_vectors,
++        os.path.join("ciphers", "SM4"),
++        ["draft-ribose-cfrg-sm4-10-ecb.txt"],
++        lambda key, **kwargs: algorithms.SM4(binascii.unhexlify((key))),
++        lambda **kwargs: modes.ECB(),
++    )
++
++
++@pytest.mark.supported(
++    only_if=lambda backend: backend.cipher_supported(
++        algorithms.SM4(b"\x00" * 16), modes.CBC(b"\x00" * 16)
++    ),
++    skip_message="Does not support SM4 CBC",
++)
++@pytest.mark.requires_backend_interface(interface=CipherBackend)
++class TestSM4ModeCBC(object):
++    test_cbc = generate_encrypt_test(
++        load_nist_vectors,
++        os.path.join("ciphers", "SM4"),
++        ["draft-ribose-cfrg-sm4-10-cbc.txt"],
++        lambda key, **kwargs: algorithms.SM4(binascii.unhexlify((key))),
++        lambda iv, **kwargs: modes.CBC(binascii.unhexlify(iv)),
++    )
++
++
++@pytest.mark.supported(
++    only_if=lambda backend: backend.cipher_supported(
++        algorithms.SM4(b"\x00" * 16), modes.OFB(b"\x00" * 16)
++    ),
++    skip_message="Does not support SM4 OFB",
++)
++@pytest.mark.requires_backend_interface(interface=CipherBackend)
++class TestSM4ModeOFB(object):
++    test_ofb = generate_encrypt_test(
++        load_nist_vectors,
++        os.path.join("ciphers", "SM4"),
++        ["draft-ribose-cfrg-sm4-10-ofb.txt"],
++        lambda key, **kwargs: algorithms.SM4(binascii.unhexlify((key))),
++        lambda iv, **kwargs: modes.OFB(binascii.unhexlify(iv)),
++    )
++
++
++@pytest.mark.supported(
++    only_if=lambda backend: backend.cipher_supported(
++        algorithms.SM4(b"\x00" * 16), modes.CFB(b"\x00" * 16)
++    ),
++    skip_message="Does not support SM4 CFB",
++)
++@pytest.mark.requires_backend_interface(interface=CipherBackend)
++class TestSM4ModeCFB(object):
++    test_cfb = generate_encrypt_test(
++        load_nist_vectors,
++        os.path.join("ciphers", "SM4"),
++        ["draft-ribose-cfrg-sm4-10-cfb.txt"],
++        lambda key, **kwargs: algorithms.SM4(binascii.unhexlify((key))),
++        lambda iv, **kwargs: modes.CFB(binascii.unhexlify(iv)),
++    )
++
++
++@pytest.mark.supported(
++    only_if=lambda backend: backend.cipher_supported(
++        algorithms.SM4(b"\x00" * 16), modes.CTR(b"\x00" * 16)
++    ),
++    skip_message="Does not support SM4 CTR",
++)
++@pytest.mark.requires_backend_interface(interface=CipherBackend)
++class TestSM4ModeCTR(object):
++    test_cfb = generate_encrypt_test(
++        load_nist_vectors,
++        os.path.join("ciphers", "SM4"),
++        ["draft-ribose-cfrg-sm4-10-ctr.txt"],
++        lambda key, **kwargs: algorithms.SM4(binascii.unhexlify((key))),
++        lambda iv, **kwargs: modes.CTR(binascii.unhexlify(iv)),
++    )
+diff --git a/tests/utils.py b/tests/utils.py
+index 497fde8..053ca50 100644
+--- a/tests/utils.py
++++ b/tests/utils.py
+@@ -41,6 +41,10 @@ def raises_unsupported_algorithm(reason):
+ 
+ 
+ def load_vectors_from_file(filename, loader, mode="r"):
++    filepath = os.path.join(os.path.dirname(__file__), "../vectors/cryptography_vectors", filename)
++    if os.path.exists(filepath):
++        with open(filepath, mode) as vector_file:
++            return loader(vector_file)
+     with cryptography_vectors.open_vector_file(filename, mode) as vector_file:
+         return loader(vector_file)
+ 
+diff --git a/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-cbc.txt b/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-cbc.txt
+new file mode 100644
+index 0000000..49c5f85
+--- /dev/null
++++ b/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-cbc.txt
+@@ -0,0 +1,17 @@
++# Vectors from draft-ribose-cfrg-sm4-10.txt. Reformatted to work with the NIST loader
++# SM4 CBC
++[ENCRYPT]
++
++# A.2.2.1
++COUNT = 0
++KEY = 0123456789abcdeffedcba9876543210
++PLAINTEXT = aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffaaaaaaaabbbbbbbb
++IV = 000102030405060708090a0b0c0d0e0f
++CIPHERTEXT = 78ebb11cc40b0a48312aaeb2040244cb4cb7016951909226979b0d15dc6a8f6d
++
++# A.2.2.2
++COUNT = 1
++KEY = fedcba98765432100123456789abcdef
++PLAINTEXT = aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffaaaaaaaabbbbbbbb
++IV = 000102030405060708090a0b0c0d0e0f
++CIPHERTEXT = 0d3a6ddc2d21c698857215587b7bb59a91f2c147911a4144665e1fa1d40bae38
+diff --git a/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-cfb.txt b/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-cfb.txt
+new file mode 100644
+index 0000000..4c2e4ab
+--- /dev/null
++++ b/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-cfb.txt
+@@ -0,0 +1,17 @@
++# Vectors from draft-ribose-cfrg-sm4-10.txt. Reformatted to work with the NIST loader
++# SM4 CFB
++[ENCRYPT]
++
++# A.2.4.1
++COUNT = 0
++KEY = 0123456789abcdeffedcba9876543210
++PLAINTEXT = aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffaaaaaaaabbbbbbbb
++IV = 000102030405060708090a0b0c0d0e0f
++CIPHERTEXT = ac3236cb861dd316e6413b4e3c7524b769d4c54ed433b9a0346009beb37b2b3f
++
++# A.2.4.2
++COUNT = 1
++KEY = fedcba98765432100123456789abcdef
++PLAINTEXT = aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffaaaaaaaabbbbbbbb
++IV = 000102030405060708090a0b0c0d0e0f
++CIPHERTEXT = 5dcccd25a84ba16560d7f265887068490d9b86ff20c3bfe115ffa02ca6192cc5
+diff --git a/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-ctr.txt b/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-ctr.txt
+new file mode 100644
+index 0000000..0aea157
+--- /dev/null
++++ b/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-ctr.txt
+@@ -0,0 +1,17 @@
++# Vectors from draft-ribose-cfrg-sm4-10.txt. Reformatted to work with the NIST loader
++# SM4 CTR
++[ENCRYPT]
++
++# A.2.5.1
++COUNT = 0
++KEY = 0123456789abcdeffedcba9876543210
++PLAINTEXT = aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccddddddddddddddddeeeeeeeeeeeeeeeeffffffffffffffffaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb
++IV = 000102030405060708090a0b0c0d0e0f
++CIPHERTEXT = ac3236cb970cc20791364c395a1342d1a3cbc1878c6f30cd074cce385cdd70c7f234bc0e24c11980fd1286310ce37b926e02fcd0faa0baf38b2933851d824514
++
++# A.2.5.2
++COUNT = 1
++KEY = fedcba98765432100123456789abcdef
++PLAINTEXT = aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccddddddddddddddddeeeeeeeeeeeeeeeeffffffffffffffffaaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb
++IV = 000102030405060708090a0b0c0d0e0f
++CIPHERTEXT = 5dcccd25b95ab07417a08512ee160e2f8f661521cbbab44cc87138445bc29e5c0ae0297205d62704173b21239b887f6c8cb5b800917a2488284bde9e16ea2906
+diff --git a/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-ecb.txt b/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-ecb.txt
+new file mode 100644
+index 0000000..c9a6874
+--- /dev/null
++++ b/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-ecb.txt
+@@ -0,0 +1,28 @@
++# Vectors from draft-ribose-cfrg-sm4-10.txt. Reformatted to work with the NIST loader
++# Originally from GB/T 32907-2016 Example 1
++# SM4 ECB
++[ENCRYPT]
++
++# A.1.1/A.1.2
++COUNT = 0
++KEY = 0123456789abcdeffedcba9876543210
++PLAINTEXT = 0123456789abcdeffedcba9876543210
++CIPHERTEXT = 681edf34d206965e86b3e94f536e4246
++
++# A.1.4/A.1.5
++COUNT = 1
++KEY = fedcba98765432100123456789abcdef
++PLAINTEXT = 000102030405060708090a0b0c0d0e0f
++CIPHERTEXT = f766678f13f01adeac1b3ea955adb594
++
++# A.2.1.1
++COUNT = 2
++KEY = 0123456789abcdeffedcba9876543210
++PLAINTEXT = aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffaaaaaaaabbbbbbbb
++CIPHERTEXT = 5ec8143de509cff7b5179f8f474b86192f1d305a7fb17df985f81c8482192304
++
++# A.2.1.2
++COUNT = 3
++KEY = fedcba98765432100123456789abcdef
++PLAINTEXT = aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffaaaaaaaabbbbbbbb
++CIPHERTEXT = c5876897e4a59bbba72a10c83872245b12dd90bc2d200692b529a4155ac9e600
+diff --git a/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-ofb.txt b/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-ofb.txt
+new file mode 100644
+index 0000000..27c611d
+--- /dev/null
++++ b/vectors/cryptography_vectors/ciphers/SM4/draft-ribose-cfrg-sm4-10-ofb.txt
+@@ -0,0 +1,17 @@
++# Vectors from draft-ribose-cfrg-sm4-10.txt. Reformatted to work with the NIST loader
++# SM4 OFB
++[ENCRYPT]
++
++# A.2.3.1
++COUNT = 0
++KEY = 0123456789abcdeffedcba9876543210
++PLAINTEXT = aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffaaaaaaaabbbbbbbb
++IV = 000102030405060708090a0b0c0d0e0f
++CIPHERTEXT = ac3236cb861dd316e6413b4e3c7524b71d01aca2487ca582cbf5463e6698539b
++
++# A.2.3.2
++COUNT = 1
++KEY = fedcba98765432100123456789abcdef
++PLAINTEXT = aaaaaaaabbbbbbbbccccccccddddddddeeeeeeeeffffffffaaaaaaaabbbbbbbb
++IV = 000102030405060708090a0b0c0d0e0f
++CIPHERTEXT = 5dcccd25a84ba16560d7f2658870684933fa16bd5cd9c856cacaa1e101897a97
+-- 
+2.27.0
+

backport-provide-openssl-apis-related-to-SM-for-python.patch

@@ -0,0 +1,45 @@
+From 52325495900f1bd9e1f228f24c81c0746520dc85 Mon Sep 17 00:00:00 2001
+From: hanxinke <hanxinke@huawei.com>
+Date: Tue, 3 Aug 2021 10:45:22 +0800
+Subject: [PATCH] provide openssl apis related to SM for python
+
+Signed-off-by: hanxinke <hanxinke@huawei.com>
+---
+ src/_cffi_src/openssl/evp.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py
+index ab7cfeb..0fa817d 100644
+--- a/src/_cffi_src/openssl/evp.py
++++ b/src/_cffi_src/openssl/evp.py
+@@ -37,6 +37,7 @@ static const int Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint;
+ static const int Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY;
+ static const long Cryptography_HAS_RAW_KEY;
+ static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF;
++static const int EVP_PKEY_SM2;
+ """
+ 
+ FUNCTIONS = """
+@@ -89,6 +90,9 @@ int EVP_DigestSignFinal(EVP_MD_CTX *, unsigned char *, size_t *);
+ int EVP_DigestVerifyInit(EVP_MD_CTX *, EVP_PKEY_CTX **, const EVP_MD *,
+                          ENGINE *, EVP_PKEY *);
+ 
++int EVP_DigestVerifyUpdate(EVP_MD_CTX *, const void *, size_t);
++int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
++                                 size_t siglen);
+ 
+ 
+ EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *, ENGINE *);
+@@ -165,6 +169,9 @@ EVP_PKEY *EVP_PKEY_new_raw_public_key(int, ENGINE *, const unsigned char *,
+                                       size_t);
+ int EVP_PKEY_get_raw_private_key(const EVP_PKEY *, unsigned char *, size_t *);
+ int EVP_PKEY_get_raw_public_key(const EVP_PKEY *, unsigned char *, size_t *);
++int EVP_PKEY_set_alias_type(EVP_PKEY *pkey, int type);
++void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx);
++const EVP_MD *EVP_sm3(void);
+ """
+ 
+ CUSTOMIZATIONS = """
+-- 
+2.27.0
+

backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch

@@ -0,0 +1,70 @@
+From 7ef48ec44ac59fb70180955a9e05312571c923de Mon Sep 17 00:00:00 2001
+From: Paul Kehrer <paul.l.kehrer@gmail.com>
+Date: Sun, 5 Nov 2023 18:47:12 +0800
+Subject: [PATCH] raise an exception instead of returning an empty list for
+ pkcs7 cert loading (#9947)
+
+* raise an exception instead of returning an empty list
+
+as davidben points out in #9926 we are calling a specific load
+certificates function and an empty value doesn't necessarily mean empty
+because PKCS7 contains multitudes. erroring is more correct.
+
+* changelog
+
+* Update CHANGELOG.rst
+
+Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
+
+---------
+
+Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
+---
+ src/cryptography/hazmat/backends/openssl/backend.py | 7 +++++--
+ tests/hazmat/primitives/test_pkcs7.py               | 6 +++---
+ 2 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
+index ba0fad0..0b5b215 100644
+--- a/src/cryptography/hazmat/backends/openssl/backend.py
++++ b/src/cryptography/hazmat/backends/openssl/backend.py
+@@ -2669,12 +2669,15 @@ class Backend(object):
+                 _Reasons.UNSUPPORTED_SERIALIZATION,
+             )
+ 
+-        certs = []
+         if p7.d.sign == self._ffi.NULL:
+-            return certs
++            raise ValueError(
++                "The provided PKCS7 has no certificate data, but a cert "
++                "loading method was called."
++            )
+ 
+         sk_x509 = p7.d.sign.cert
+         num = self._lib.sk_X509_num(sk_x509)
++        certs = []
+         for i in range(num):
+             x509 = self._lib.sk_X509_value(sk_x509, i)
+             self.openssl_assert(x509 != self._ffi.NULL)
+diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
+index 0145a24..34cbb16 100644
+--- a/tests/hazmat/primitives/test_pkcs7.py
++++ b/tests/hazmat/primitives/test_pkcs7.py
+@@ -80,11 +80,11 @@ class TestPKCS7Loading(object):
+                 mode="rb",
+             )
+ 
+-    def test_load_pkcs7_empty_certificates(self, backend):
++    def test_load_pkcs7_empty_certificates(self):
+         der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+ 
+-        certificates = pkcs7.load_der_pkcs7_certificates(der)
+-        assert certificates == []
++        with pytest.raises(ValueError):
++            pkcs7.load_der_pkcs7_certificates(der)
+ 
+ 
+ # We have no public verification API and won't be adding one until we get
+-- 
+2.33.0
+

python-cryptography.spec

@@ -3,13 +3,19 @@
 %global srcname cryptography
 Name:           python-%{srcname}
 Version:        3.3.1
-Release:        1
+Release:        5
 Summary:        PyCA's cryptography library
 License:        ASL 2.0 or BSD
 URL:            https://cryptography.io/en/latest/  
-Source0:        %{pypi_source}
+Source0:        https://pypi.io/packages/source/c/cryptography/cryptography-%{version}.tar.gz
 
 Patch6000:      backport-CVE-2020-36242.patch
+Patch6001:      backport-add-SM4-symmetric-block-cipher-5834.patch
+Patch6002:      backport-provide-openssl-apis-related-to-SM-for-python.patch
+Patch6003:      backport-CVE-2023-23931.patch
+# CVE-2023-49083
+Patch6004:      backport-Fixed-crash-when-loading-a-PKCS-7-bundle-with-no-certificates.patch
+Patch6005:      backport-raise-an-exception-instead-of-returning-an-empty-list-for-pkcs7-cert-loading.patch
 
 BuildRequires:  openssl-devel
 BuildRequires:  gcc
@@ -119,6 +125,21 @@ PYTHONPATH=%{buildroot}%{python3_sitearch} %{__python3} -m pytest -k "not (test_
 %doc README.rst docs
 
 %changelog
+* Sat Dec 2 2023 liningjie <liningjie@xfusion.com> - 3.3.1-5
+- raise an exception instead of returning an empty list for pkcs7 cert loading
+
+* Wed Nov 29 2023 liningjie <liningjie@xfusion.com> - 3.3.1-4
+- Fixed crash when loading a PKCS#7 bundle with no certificates
+
+* Tue Feb 14 2023 zhuofeng<zhuofeng2@huawei.com> - 3.3.1-3
+- Type:CVE
+- CVE:CVE-2023-23931
+- SUG:NA
+- DESC:fix CVE-2023-23931
+
+* Thu Sep 1 2022 dongyuzhen <dongyuzhen@h-partners.com> - 3.3.1-2
+- add SM4 symmetric block cipher and provide openssl apis related to SM for python
+
 * Thu Aug 12 2021 liyanan <liyanan32@huawei.com> - 3.3.1-1
 - update to 3.3.1