diff options
author | Orivej Desh <orivej@gmx.fr> | 2020-12-14 16:31:26 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-14 16:31:26 +0000 |
commit | 6fa76f018b287f017f6d0e8b611bd173c490852c (patch) | |
tree | 2777d64cd5e5a39aadb3f63854b0e7d538e8c2fa /pkgs/development/python-modules/cryptography | |
parent | b37c00ab90d9f3216df7990d85ab863e2946a129 (diff) |
python2Packages.cryptography: 2.9.2 -> 3.3.1 (#106792)
Fixes py2 build of pyOpenSSL: https://github.com/NixOS/nixpkgs/issues/106275#issuecomment-743790876
Diffstat (limited to 'pkgs/development/python-modules/cryptography')
-rw-r--r-- | pkgs/development/python-modules/cryptography/3.3.nix (renamed from pkgs/development/python-modules/cryptography/2.9.nix) | 17 | ||||
-rw-r--r-- | pkgs/development/python-modules/cryptography/CVE-2020-25659.patch | 76 | ||||
-rw-r--r-- | pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch | 14 | ||||
-rw-r--r-- | pkgs/development/python-modules/cryptography/vectors-3.3.nix (renamed from pkgs/development/python-modules/cryptography/vectors-2.9.nix) | 2 |
4 files changed, 27 insertions, 82 deletions
diff --git a/pkgs/development/python-modules/cryptography/2.9.nix b/pkgs/development/python-modules/cryptography/3.3.nix index 3cde505428735..a76e62dd4ddbb 100644 --- a/pkgs/development/python-modules/cryptography/2.9.nix +++ b/pkgs/development/python-modules/cryptography/3.3.nix @@ -22,24 +22,31 @@ buildPythonPackage rec { pname = "cryptography"; - version = "2.9.2"; # Also update the hash in vectors.nix + version = "3.3.1"; # Also update the hash in vectors-3.3.nix src = fetchPypi { inherit pname version; - sha256 = "0af25w5mkd6vwns3r6ai1w5ip9xp0ms9s261zzssbpadzdr05hx0"; + sha256 = "1ribd1vxq9wwz564mg60dzcy699gng54admihjjkgs9dx95pw5vy"; }; - patches = [ ./CVE-2020-25659.patch ]; + patches = [ ./cryptography-py27-warning.patch ]; outputs = [ "out" "dev" ]; + nativeBuildInputs = stdenv.lib.optionals (!isPyPy) [ + cffi + ]; + buildInputs = [ openssl ] ++ stdenv.lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.Security; propagatedBuildInputs = [ packaging six - ] ++ stdenv.lib.optional (!isPyPy) cffi - ++ stdenv.lib.optionals isPy27 [ ipaddress enum34 ]; + ] ++ stdenv.lib.optionals (!isPyPy) [ + cffi + ] ++ stdenv.lib.optionals isPy27 [ + ipaddress enum34 + ]; checkInputs = [ cryptography_vectors diff --git a/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch b/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch deleted file mode 100644 index a353757be11fe..0000000000000 --- a/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch +++ /dev/null @@ -1,76 +0,0 @@ -Backported of: - -From 58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494 Mon Sep 17 00:00:00 2001 -From: Alex Gaynor <alex.gaynor@gmail.com> -Date: Sun, 25 Oct 2020 21:16:42 -0400 -Subject: [PATCH] Attempt to mitigate Bleichenbacher attacks on RSA decryption - (#5507) - -diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt -index 6e4675d..ce66c28 100644 ---- a/docs/spelling_wordlist.txt -+++ b/docs/spelling_wordlist.txt -@@ -6,6 +6,7 @@ backend - Backends - backends - bcrypt -+Bleichenbacher - Blowfish - boolean - Botan -diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py -index 3e4c2fd..6303f95 100644 ---- a/src/cryptography/hazmat/backends/openssl/rsa.py -+++ b/src/cryptography/hazmat/backends/openssl/rsa.py -@@ -117,40 +117,19 @@ def _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding): - - outlen = backend._ffi.new("size_t *", buf_size) - buf = backend._ffi.new("unsigned char[]", buf_size) -+ # Everything from this line onwards is written with the goal of being as -+ # constant-time as is practical given the constraints of Python and our -+ # API. See Bleichenbacher's '98 attack on RSA, and its many many variants. -+ # As such, you should not attempt to change this (particularly to "clean it -+ # up") without understanding why it was written this way (see -+ # Chesterton's Fence), and without measuring to verify you have not -+ # introduced observable time differences. - res = crypt(pkey_ctx, buf, outlen, data, len(data)) -+ resbuf = backend._ffi.buffer(buf)[: outlen[0]] -+ backend._lib.ERR_clear_error() - if res <= 0: -- _handle_rsa_enc_dec_error(backend, key) -- -- return backend._ffi.buffer(buf)[:outlen[0]] -- -- --def _handle_rsa_enc_dec_error(backend, key): -- errors = backend._consume_errors() -- backend.openssl_assert(errors) -- backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA) -- if isinstance(key, _RSAPublicKey): -- backend.openssl_assert( -- errors[0].reason == backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE -- ) -- raise ValueError( -- "Data too long for key size. Encrypt less data or use a " -- "larger key size." -- ) -- else: -- decoding_errors = [ -- backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01, -- backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02, -- backend._lib.RSA_R_OAEP_DECODING_ERROR, -- # Though this error looks similar to the -- # RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE, this occurs on decrypts, -- # rather than on encrypts -- backend._lib.RSA_R_DATA_TOO_LARGE_FOR_MODULUS, -- ] -- if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR: -- decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR) -- -- backend.openssl_assert(errors[0].reason in decoding_errors) -- raise ValueError("Decryption failed.") -+ raise ValueError("Encryption/decryption failed.") -+ return resbuf - - - def _rsa_sig_determine_padding(backend, key, padding, algorithm): diff --git a/pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch b/pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch new file mode 100644 index 0000000000000..8233af78a9de3 --- /dev/null +++ b/pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch @@ -0,0 +1,14 @@ +Delete the warning that breaks tests of dependent projects. + +--- a/src/cryptography/__init__.py ++++ b/src/cryptography/__init__.py +@@ -33,9 +32,0 @@ __all__ = [ +- +-if sys.version_info[0] == 2: +- warnings.warn( +- "Python 2 is no longer supported by the Python core team. Support for " +- "it is now deprecated in cryptography, and will be removed in the " +- "next release.", +- CryptographyDeprecationWarning, +- stacklevel=2, +- ) diff --git a/pkgs/development/python-modules/cryptography/vectors-2.9.nix b/pkgs/development/python-modules/cryptography/vectors-3.3.nix index 096eab77bec3b..94526c8268ef5 100644 --- a/pkgs/development/python-modules/cryptography/vectors-2.9.nix +++ b/pkgs/development/python-modules/cryptography/vectors-3.3.nix @@ -7,7 +7,7 @@ buildPythonPackage rec { src = fetchPypi { inherit pname version; - sha256 = "1d4iykcv7cn9j399hczlxm5pzxmqy6d80h3j16dkjwlmv3293b4r"; + sha256 = "192wix3sr678x21brav5hgc6j93l7ab1kh69p2scr3fsblq9qy03"; }; # No tests included |