authorgithub-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>2020-12-14 18:14:34 +0000
committerGitHub <noreply@github.com>2020-12-14 18:14:34 +0000
commitce7773fcf77d36bcc27c58ba63650b4d0edd0351 (patch)
tree8cd37e7eb6332045b4ef92d1e454231d2cc8c19e /pkgs/development/python-modules/cryptography
parentec2fa1cee81d06d90b88b8e298d1561125df6949 (diff)
parentf91f2c257f12d42b8d59961bd81003b3d471706d (diff)
Merge staging-next into staging
Diffstat (limited to 'pkgs/development/python-modules/cryptography')
-rw-r--r--pkgs/development/python-modules/cryptography/3.3.nix (renamed from pkgs/development/python-modules/cryptography/2.9.nix)17
-rw-r--r--pkgs/development/python-modules/cryptography/CVE-2020-25659.patch76
-rw-r--r--pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch14
-rw-r--r--pkgs/development/python-modules/cryptography/vectors-3.3.nix (renamed from pkgs/development/python-modules/cryptography/vectors-2.9.nix)2
4 files changed, 27 insertions, 82 deletions
diff --git a/pkgs/development/python-modules/cryptography/2.9.nix b/pkgs/development/python-modules/cryptography/3.3.nix
index 3cde505428735..a76e62dd4ddbb 100644
--- a/pkgs/development/python-modules/cryptography/2.9.nix
+++ b/pkgs/development/python-modules/cryptography/3.3.nix
@@ -22,24 +22,31 @@
 
 buildPythonPackage rec {
   pname = "cryptography";
-  version = "2.9.2"; # Also update the hash in vectors.nix
+  version = "3.3.1"; # Also update the hash in vectors-3.3.nix
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "0af25w5mkd6vwns3r6ai1w5ip9xp0ms9s261zzssbpadzdr05hx0";
+    sha256 = "1ribd1vxq9wwz564mg60dzcy699gng54admihjjkgs9dx95pw5vy";
   };
 
-  patches = [ ./CVE-2020-25659.patch ];
+  patches = [ ./cryptography-py27-warning.patch ];
 
   outputs = [ "out" "dev" ];
 
+  nativeBuildInputs = stdenv.lib.optionals (!isPyPy) [
+    cffi
+  ];
+
   buildInputs = [ openssl ]
              ++ stdenv.lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.Security;
   propagatedBuildInputs = [
     packaging
     six
-  ] ++ stdenv.lib.optional (!isPyPy) cffi
-  ++ stdenv.lib.optionals isPy27 [ ipaddress enum34 ];
+  ] ++ stdenv.lib.optionals (!isPyPy) [
+    cffi
+  ] ++ stdenv.lib.optionals isPy27 [
+    ipaddress enum34
+  ];
 
   checkInputs = [
     cryptography_vectors
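Review bot: Dropping `./CVE-2020-25659.patch` from `patches` leaves nothing in the derivation recording that the Bleichenbacher mitigation for RSA decryption is now expected from upstream 3.3.1 rather than from a local backport, so a later reader cannot tell whether the removal was deliberate or an oversight. Add a comment above the `patches` line such as `# CVE-2020-25659 (RSA decryption timing oracle) is fixed upstream (commit 58494b41) as of this version; the local backport was dropped.` — the deleted patch's own header names that upstream commit, so the claim is traceable, but the maintainer should confirm it is in 3.3.1 before asserting it. cffi now appears in both `nativeBuildInputs` and `propagatedBuildInputs`, presumably to support cross-compilation; a one-line `# needed at build time (cross) and at run time` comment would make that intent explicit rather than looking like a duplicate. The `buildPythonPackage` attribute set continues past the end of this hunk.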
diff --git a/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch b/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch
deleted file mode 100644
index a353757be11fe..0000000000000
--- a/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-Backported of:
-
-From 58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor <alex.gaynor@gmail.com>
-Date: Sun, 25 Oct 2020 21:16:42 -0400
-Subject: [PATCH] Attempt to mitigate Bleichenbacher attacks on RSA decryption
- (#5507)
-
-diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
-index 6e4675d..ce66c28 100644
---- a/docs/spelling_wordlist.txt
-+++ b/docs/spelling_wordlist.txt
-@@ -6,6 +6,7 @@ backend
- Backends
- backends
- bcrypt
-+Bleichenbacher
- Blowfish
- boolean
- Botan
-diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
-index 3e4c2fd..6303f95 100644
---- a/src/cryptography/hazmat/backends/openssl/rsa.py
-+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
-@@ -117,40 +117,19 @@ def _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding):
- 
-     outlen = backend._ffi.new("size_t *", buf_size)
-     buf = backend._ffi.new("unsigned char[]", buf_size)
-+    # Everything from this line onwards is written with the goal of being as
-+    # constant-time as is practical given the constraints of Python and our
-+    # API. See Bleichenbacher's '98 attack on RSA, and its many many variants.
-+    # As such, you should not attempt to change this (particularly to "clean it
-+    # up") without understanding why it was written this way (see
-+    # Chesterton's Fence), and without measuring to verify you have not
-+    # introduced observable time differences.
-     res = crypt(pkey_ctx, buf, outlen, data, len(data))
-+    resbuf = backend._ffi.buffer(buf)[: outlen[0]]
-+    backend._lib.ERR_clear_error()
-     if res <= 0:
--        _handle_rsa_enc_dec_error(backend, key)
--
--    return backend._ffi.buffer(buf)[:outlen[0]]
--
--
--def _handle_rsa_enc_dec_error(backend, key):
--    errors = backend._consume_errors()
--    backend.openssl_assert(errors)
--    backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA)
--    if isinstance(key, _RSAPublicKey):
--        backend.openssl_assert(
--            errors[0].reason == backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
--        )
--        raise ValueError(
--            "Data too long for key size. Encrypt less data or use a "
--            "larger key size."
--        )
--    else:
--        decoding_errors = [
--            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01,
--            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02,
--            backend._lib.RSA_R_OAEP_DECODING_ERROR,
--            # Though this error looks similar to the
--            # RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE, this occurs on decrypts,
--            # rather than on encrypts
--            backend._lib.RSA_R_DATA_TOO_LARGE_FOR_MODULUS,
--        ]
--        if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
--            decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
--
--        backend.openssl_assert(errors[0].reason in decoding_errors)
--        raise ValueError("Decryption failed.")
-+        raise ValueError("Encryption/decryption failed.")
-+    return resbuf
- 
- 
- def _rsa_sig_determine_padding(backend, key, padding, algorithm):
diff --git a/pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch b/pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch
new file mode 100644
index 0000000000000..8233af78a9de3
--- /dev/null
+++ b/pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch
@@ -0,0 +1,14 @@
+Delete the warning that breaks tests of dependent projects.
+
+--- a/src/cryptography/__init__.py
++++ b/src/cryptography/__init__.py
+@@ -33,9 +32,0 @@ __all__ = [
+-
+-if sys.version_info[0] == 2:
+-    warnings.warn(
+-        "Python 2 is no longer supported by the Python core team. Support for "
+-        "it is now deprecated in cryptography, and will be removed in the "
+-        "next release.",
+-        CryptographyDeprecationWarning,
+-        stacklevel=2,
+-    )
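Review bot: The new patch silences the Python 2 deprecation warning for every consumer of this package, not just the dependents whose test suites it breaks, which also removes the only runtime signal that upstream intends to drop Python 2 in the next release. The header line `Delete the warning that breaks tests of dependent projects.` should name those projects and state the patch's lifetime, e.g. `Only needed while Python 2 builds are kept; drop at the next cryptography bump, which is expected to remove py2 support.` A narrower alternative is to filter the warning in the affected dependents' check phase with a `-W ignore::...` filter on the `CryptographyDeprecationWarning` class rather than patching the library for all users; which class path to use is not visible here and would need confirming. The hunk header `@@ -33,9 +32,0 @@` removes the preceding blank line as well, which is presumably intentional to avoid a double blank at the end of the file.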
diff --git a/pkgs/development/python-modules/cryptography/vectors-2.9.nix b/pkgs/development/python-modules/cryptography/vectors-3.3.nix
index 096eab77bec3b..94526c8268ef5 100644
--- a/pkgs/development/python-modules/cryptography/vectors-2.9.nix
+++ b/pkgs/development/python-modules/cryptography/vectors-3.3.nix
@@ -7,7 +7,7 @@ buildPythonPackage rec {
 
   src = fetchPypi {
     inherit pname version;
-    sha256 = "1d4iykcv7cn9j399hczlxm5pzxmqy6d80h3j16dkjwlmv3293b4r";
+    sha256 = "192wix3sr678x21brav5hgc6j93l7ab1kh69p2scr3fsblq9qy03";
   };
 
   # No tests included