34 Commits

Author SHA1 Message Date
Michael Weiss
af9568fae8
python3Packages.cryptography: 3.3.1 -> 3.3.2 (security, CVE-2020-36242)
SECURITY ISSUE: Fixed a bug where certain sequences of update() calls
when symmetrically encrypting very large payloads (>2GB) could result in
an integer overflow, leading to buffer overflows. CVE-2020-36242

Note: This also updates {,vectors-}3.3.nix (for Python 2 / nixops)
because of the security issue.
2021-02-07 20:09:55 +01:00
Pavol Rusnak
a4bbfba80d
pkgs/development/python-modules: stdenv.lib -> lib 2021-01-24 01:29:22 +01:00
Profpatsch
4a7f99d55d treewide: with stdenv.lib; in meta -> with lib;
Part of: https://github.com/NixOS/nixpkgs/issues/108938

meta = with stdenv.lib;

is a widely used pattern. We want to slowly remove
the `stdenv.lib` indirection and encourage people
to use `lib` directly. Thus let’s start with the meta
field.

This used a rewriting script to mostly automatically
replace all occurrences of this pattern, and add the
`lib` argument to the package header if it doesn’t
exist yet.

The script in its current form is available at
https://cs.tvl.fyi/depot@2f807d7f141068d2d60676a89213eaa5353ca6e0/-/blob/users/Profpatsch/nixpkgs-rewriter/default.nix
2021-01-11 10:38:22 +01:00
Michael Weiss
44b7d77591
python3Packages.cryptography: 3.2.1 -> 3.3.1
Backward incompatible changes:
- Support for Python 3.5 has been removed due to low usage and
  maintenance burden.
- The GCM and AESGCM now require 64-bit to 1024-bit (8 byte to 128 byte)
  initialization vectors. This change is to conform with an upcoming
  OpenSSL release that will no longer support sizes outside this window.
- When deserializing asymmetric keys we now raise ValueError rather than
  UnsupportedAlgorithm when an unsupported cipher is used. This change
  is to conform with an upcoming OpenSSL release that will no longer
  distinguish between error types.
- We no longer allow loading of finite field Diffie-Hellman parameters
  of less than 512 bits in length. This change is to conform with an
  upcoming OpenSSL release that no longer supports smaller sizes. These
  keys were already wildly insecure and should not have been used in any
  application outside of testing.
2020-12-10 13:40:57 +01:00
Frederik Rietdijk
489912ee8b pythonPackages.cffi: cffi is a native build input as well 2020-11-19 20:59:16 +01:00
Michael Weiss
c2694ef30d python3Packages.cryptography: 3.2 -> 3.2.1
Changelog:
- Disable blinding on RSA public keys to address an error with some
  versions of OpenSSL.
2020-10-29 12:20:02 -07:00
Michael Weiss
1083cdd279
python3Packages.cryptography: 3.1.1 -> 3.2 (security, CVE-2020-25659)
SECURITY ISSUE: Attempted to make RSA PKCS#1v1.5 decryption more
constant time, to protect against Bleichenbacher vulnerabilities. Due to
limitations imposed by our API, we cannot completely mitigate this
vulnerability and a future release will contain a new API which is
designed to be resilient to these for contexts where it is required.
Credit to Hubert Kario for reporting the issue. CVE-2020-25659
2020-10-26 12:19:28 +01:00
Michael Weiss
6afb5823e1
python3Packages.cryptography: 3.1 -> 3.1.1 2020-09-22 22:02:38 +02:00
Michael Weiss
16ecb025bd python3Packages.cryptography: 3.0 -> 3.1
Backwards incompatible changes:
- Removed support for idna based U-label parsing in various X.509
  classes. This support was originally deprecated in version 2.1 and
  moved to an extra in 2.5.
2020-08-29 13:35:56 +02:00
Michael Weiss
434a0111f6 python3Packages.cryptography: 2.9.2 -> 3.0
Backwards incompatible changes:
- Removed support for passing an Extension instance to
  from_issuer_subject_key_identifier(), as per our deprecation policy.
- Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has been removed (2.9.1+
  is still supported).
- Dropped support for macOS 10.9, macOS users must upgrade to 10.10 or
  newer.
- RSA generate_private_key() no longer accepts public_exponent values
  except 65537 and 3 (the latter for legacy purposes).
- X.509 certificate parsing now enforces that the version field contains
  a valid value, rather than deferring this check until version is
  accessed.

Deprecations:
- Deprecated support for Python 2. At the time there is no time table
  for actually dropping support, however we strongly encourage all users
  to upgrade their Python, as Python 2 no longer receives support from
  the Python core team.
2020-07-22 16:54:20 +02:00
Frederik Rietdijk
51a4f9d4ca python3Packages.cryptography: 2.9.1 -> 2.9.2 2020-05-11 22:12:10 +02:00
Michael Weiss
c6e3c006b1 python3Packages.cryptography: 2.9 -> 2.9.1
"Updated Windows, macOS, and ``manylinux`` wheels to be compiled with
OpenSSL 1.1.1g."
2020-04-22 17:08:52 +02:00
Vladimír Čunát
312e9037f4
python2.pkgs.cryptography: fixup build of dependants
... most notably fix pyopenssl.  I can't say I really understand this,
but the commit seems safe enough.
2020-04-18 07:39:10 +02:00
Jonathan Ringer
2e6fb22992 python2Packages.cryptography: add missing ipaddress dependency 2020-04-10 12:04:47 +02:00
Michael Weiss
af1cb9f1b5 python3Packages.cryptography: 2.8 -> 2.9
Backwards incompatible changes:
- Support for Python 3.4 has been removed due to low usage and
  maintenance burden.
- Support for OpenSSL 1.0.1 has been removed. Users on older versions of
  OpenSSL will need to upgrade.
- Support for LibreSSL 2.6.x has been removed.
- Reversed the order in which rfc4514_string() returns the RDNs as
  required by RFC 4514.

Note: The first three changes should have no impact on Nixpkgs as we
already removed Python 3.4 and OpenSSL 1.0.1. Additionally we don't
support LibreSSL for this package.
2020-04-05 13:14:45 +02:00
Michael Weiss
baf5494330 python37Packages.cryptography: 2.7 -> 2.8
Changelog:
https://cryptography.io/en/latest/changelog/#v2-8

Important changes:
- Deprecated support for OpenSSL 1.0.1. Support will be removed in
  cryptography 2.9.
- cryptography no longer depends on asn1crypto.
- Added support for Python 3.8.
2019-10-20 11:07:41 +02:00
Robin Gloster
8b34d843c6
python.pkgs.cryptography: fix/ignore broken tests
Broken tests by openssl 1.1.1d, added patch and skipped one test

Issue for skipped test: https://github.com/pyca/cryptography/issues/4998
2019-09-13 20:20:09 +02:00
Michael Weiss
77e1967dcd
python37Packages.cryptography: 2.6.1 -> 2.7
Changelog:
https://cryptography.io/en/latest/changelog/#v2-7

Important changes:
- BACKWARDS INCOMPATIBLE: We no longer distribute 32-bit manylinux1
  wheels. Continuing to produce them was a maintenance burden.
- BACKWARDS INCOMPATIBLE: Removed the
  cryptography.hazmat.primitives.mac.MACContext interface.
  The CMAC and HMAC APIs have not changed, but they are no longer
  registered as MACContext instances.
2019-05-31 23:18:55 +02:00
Matthew Bauer
87944c3125
Merge pull request #56744 from matthewbauer/macos-10-12
Update macOS to 10.12
2019-04-26 22:20:03 -04:00
Matthew Bauer
2a59d24387 pycrypto: remove pre-10.12 patch 2019-04-26 21:54:57 -04:00
worldofpeace
186fc20392
pythonPackages.cryptography: vectors are checkInputs 2019-04-22 12:29:34 +02:00
Michael Weiss
047af233cd
python37Packages.cryptography: 2.5 -> 2.6.1
Changelog:
https://cryptography.io/en/latest/changelog/#v2-6-1

Important changes:
- BACKWARDS INCOMPATIBLE: Removed
  cryptography.hazmat.primitives.asymmetric.utils.encode_rfc6979_signature
  and
  cryptography.hazmat.primitives.asymmetric.utils.decode_rfc6979_signature,
  which had been deprecated for nearly 4 years. Use
  encode_dss_signature() and decode_dss_signature() instead.
- BACKWARDS INCOMPATIBLE: Removed cryptography.x509.Certificate.serial,
  which had been deprecated for nearly 3 years. Use serial_number
  instead.
2019-04-22 12:29:34 +02:00
Michael Weiss
22714ad6d0
python37Packages.cryptography: Improve the test vectors integration
This should make the management easier. The package cryptography_vectors
contains the test vectors for cryptography and should therefore always
have the same version. By linking the version of cryptography_vectors to
cryptography, this simply cannot be forgotten.
2019-04-22 12:29:34 +02:00
Michael Weiss
ecfa775439 python37Packages.cryptography: 2.4.2 -> 2.5
Changelog:
https://cryptography.io/en/latest/changelog/#v2-5

Important changes:
- BACKWARDS INCOMPATIBLE: U-label strings were deprecated in version
  2.1, but this version removes the default idna dependency as well.
- BACKWARDS INCOMPATIBLE: The minimum supported PyPy version is now 5.4.
2019-02-14 08:15:15 +01:00
Matthew Bauer
92f0f8dd68 Merge remote-tracking branch 'NixOS/master' into staging 2019-01-27 00:01:13 -05:00
Michael Weiss
f88f643659
python37Packages.cryptography: Add meta-attributes 2019-01-24 00:01:31 +01:00
Michael Weiss
a82557e99b
python37Packages.cryptography: 2.3.1 -> 2.4.2
Changelog:
https://cryptography.io/en/latest/changelog/#v2-4-2

Important changes:
- BACKWARDS INCOMPATIBLE: Dropped support for LibreSSL 2.4.x.
- Deprecated OpenSSL 1.0.1 support. OpenSSL 1.0.1 is no longer supported
  by the OpenSSL project. At this time there is no time table for
  dropping support, however we strongly encourage all users to upgrade
  or install cryptography from a wheel.
2019-01-14 20:07:11 +01:00
Frederik Rietdijk
ed8400bb9a pythonPackages.cryptography: ignore pytest warnings
The test suite was generating a lot of warnings, causing the hydra build
to fail. Unfortunately, PYTHONWARNINGS env var is completely ignored.
2018-11-11 08:55:35 +01:00
Frederik Rietdijk
c9be5d27d6 python: cryptography: 2.3 -> 2.3.1 2018-08-25 18:02:27 +02:00
Robert Schütz
41c13780cb python.pkgs.cryptography: remove assert broken when overriding
When overriding cryptography and cryptography_vectors, the assertion
fails because `version` still refers to the old value.
2018-08-21 19:26:54 +02:00
Frederik Rietdijk
67031b8719 python: cryptography: 2.2.2 -> 2.3 2018-07-22 16:52:37 +02:00
Frederik Rietdijk
c09552008e python: cryptography: 2.1.4 -> 2.2.2 2018-04-08 11:34:53 +02:00
Frederik Rietdijk
796a7d66b8 python: cryptography: 2.0.3 -> 2.1.4 2018-02-03 17:43:30 +01:00
Frederik Rietdijk
bba1393361 python.pkgs.cryptography: move expression 2018-02-03 17:43:30 +01:00