python2Packages.cryptography: 2.9.2 -> 3.3.1 (#106792)

Fixes py2 build of pyOpenSSL: https://github.com/NixOS/nixpkgs/issues/106275#issuecomment-743790876
2020-12-14 16:31:26 +00:00 · 2020-12-14 16:31:26 +00:00 · 6fa76f018b
commit 6fa76f018b
parent b37c00ab90
6 changed files with 29 additions and 87 deletions
--- a/pkgs/development/python-modules/cryptography/3.3.nix
+++ b/pkgs/development/python-modules/cryptography/3.3.nix
@ -22,24 +22,31 @@

 buildPythonPackage rec {
  pname = "cryptography";
-  version = "2.9.2"; # Also update the hash in vectors.nix
+  version = "3.3.1"; # Also update the hash in vectors-3.3.nix

  src = fetchPypi {
    inherit pname version;
-    sha256 = "0af25w5mkd6vwns3r6ai1w5ip9xp0ms9s261zzssbpadzdr05hx0";
+    sha256 = "1ribd1vxq9wwz564mg60dzcy699gng54admihjjkgs9dx95pw5vy";
  };

-  patches = [ ./CVE-2020-25659.patch ];
+  patches = [ ./cryptography-py27-warning.patch ];

  outputs = [ "out" "dev" ];

+  nativeBuildInputs = stdenv.lib.optionals (!isPyPy) [
+    cffi
+  ];
+
  buildInputs = [ openssl ]
             ++ stdenv.lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.Security;
  propagatedBuildInputs = [
    packaging
    six
-  ] ++ stdenv.lib.optional (!isPyPy) cffi
-  ++ stdenv.lib.optionals isPy27 [ ipaddress enum34 ];
+  ] ++ stdenv.lib.optionals (!isPyPy) [
+    cffi
+  ] ++ stdenv.lib.optionals isPy27 [
+    ipaddress enum34
+  ];

  checkInputs = [
    cryptography_vectors
--- a/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch
+++ b/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch
@ -1,76 +0,0 @@
-Backported of:
-
-From 58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor <alex.gaynor@gmail.com>
-Date: Sun, 25 Oct 2020 21:16:42 -0400
-Subject: [PATCH] Attempt to mitigate Bleichenbacher attacks on RSA decryption
- (#5507)
-
-diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
-index 6e4675d..ce66c28 100644
--- a/docs/spelling_wordlist.txt
-+++ b/docs/spelling_wordlist.txt
-@@ -6,6 +6,7 @@ backend
- Backends
- backends
- bcrypt
-+Bleichenbacher
- Blowfish
- boolean
- Botan
-diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
-index 3e4c2fd..6303f95 100644
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
-+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
-@@ -117,40 +117,19 @@ def _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding):
- 
-     outlen = backend._ffi.new("size_t *", buf_size)
-     buf = backend._ffi.new("unsigned char[]", buf_size)
-+    # Everything from this line onwards is written with the goal of being as
-+    # constant-time as is practical given the constraints of Python and our
-+    # API. See Bleichenbacher's '98 attack on RSA, and its many many variants.
-+    # As such, you should not attempt to change this (particularly to "clean it
-+    # up") without understanding why it was written this way (see
-+    # Chesterton's Fence), and without measuring to verify you have not
-+    # introduced observable time differences.
-     res = crypt(pkey_ctx, buf, outlen, data, len(data))
-+    resbuf = backend._ffi.buffer(buf)[: outlen[0]]
-+    backend._lib.ERR_clear_error()
-     if res <= 0:
-        _handle_rsa_enc_dec_error(backend, key)
-
-    return backend._ffi.buffer(buf)[:outlen[0]]
-
-
-def _handle_rsa_enc_dec_error(backend, key):
-    errors = backend._consume_errors()
-    backend.openssl_assert(errors)
-    backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA)
-    if isinstance(key, _RSAPublicKey):
-        backend.openssl_assert(
-            errors[0].reason == backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
-        )
-        raise ValueError(
-            "Data too long for key size. Encrypt less data or use a "
-            "larger key size."
-        )
-    else:
-        decoding_errors = [
-            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01,
-            backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02,
-            backend._lib.RSA_R_OAEP_DECODING_ERROR,
-            # Though this error looks similar to the
-            # RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE, this occurs on decrypts,
-            # rather than on encrypts
-            backend._lib.RSA_R_DATA_TOO_LARGE_FOR_MODULUS,
-        ]
-        if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
-            decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
-
-        backend.openssl_assert(errors[0].reason in decoding_errors)
-        raise ValueError("Decryption failed.")
-+        raise ValueError("Encryption/decryption failed.")
-+    return resbuf
- 
- 
- def _rsa_sig_determine_padding(backend, key, padding, algorithm):
--- a/pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch
+++ b/pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch
@ -0,0 +1,14 @@
+Delete the warning that breaks tests of dependent projects.
+
+--- a/src/cryptography/__init__.py
+++ b/src/cryptography/__init__.py
+@@ -33,9 +32,0 @@ __all__ = [
+-
+-if sys.version_info[0] == 2:
+-    warnings.warn(
+-        "Python 2 is no longer supported by the Python core team. Support for "
+-        "it is now deprecated in cryptography, and will be removed in the "
+-        "next release.",
+-        CryptographyDeprecationWarning,
+-        stacklevel=2,
+-    )
--- a/pkgs/development/python-modules/cryptography/vectors-3.3.nix
+++ b/pkgs/development/python-modules/cryptography/vectors-3.3.nix
@ -7,7 +7,7 @@ buildPythonPackage rec {

  src = fetchPypi {
    inherit pname version;
-    sha256 = "1d4iykcv7cn9j399hczlxm5pzxmqy6d80h3j16dkjwlmv3293b4r";
+    sha256 = "192wix3sr678x21brav5hgc6j93l7ab1kh69p2scr3fsblq9qy03";
  };

  # No tests included
--- a/pkgs/development/python-modules/werkzeug/default.nix
+++ b/pkgs/development/python-modules/werkzeug/default.nix
@ -21,9 +21,6 @@ buildPythonPackage rec {
    "test_get_machine_id"
  ];

-  # Python 2 pytest fails with INTERNALERROR due to a deprecation warning.
-  doCheck = isPy3k;
-
  meta = with stdenv.lib; {
    homepage = "https://palletsprojects.com/p/werkzeug/";
    description = "A WSGI utility library for Python";
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@ -1389,12 +1389,12 @@ in {
  cryptacular = callPackage ../development/python-modules/cryptacular { };

  cryptography = if isPy27 then
-    callPackage ../development/python-modules/cryptography/2.9.nix { }
+    callPackage ../development/python-modules/cryptography/3.3.nix { }
  else
    callPackage ../development/python-modules/cryptography { };

  cryptography_vectors = if isPy27 then
-    callPackage ../development/python-modules/cryptography/vectors-2.9.nix { }
+    callPackage ../development/python-modules/cryptography/vectors-3.3.nix { }
  else
    callPackage ../development/python-modules/cryptography/vectors.nix { };