mirror
/
openwrt-packages
mirror of https://git.openwrt.org/feed/packages.git
1
0
Fork 0
Code Releases Activity

python-cryptography: Update to 41.0.4 

This includes a patch to update the version of ouroboros (Rust crate)
used, to fix RUSTSEC-2023-0042[1]. Upstream has switch from ouroboros to
self_cell so this patch should only be necessary for cryptography 41.

[1]: https://rustsec.org/advisories/RUSTSEC-2023-0042.html

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This commit is contained in:
Jeffery To 2023-09-13 12:33:51 +08:00 committed by Rosen Penev
parent 4d43be8549
commit 9fdff3ea94
9 changed files with 33 additions and 324 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
lang/python/python-cryptography/Makefile
View File

@ -8,17 +8,17 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=python-cryptography
PKG_VERSION:=3.4.8
PKG_RELEASE:=3
PKG_VERSION:=41.0.4
PKG_RELEASE:=1
PYPI_NAME:=cryptography
PKG_HASH:=94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c
PKG_HASH:=7febc3094125fc126a7f6fb1f420d0da639f3f32cb15c8ff0dc3997c4549f51a
PKG_LICENSE:=Apache-2.0 BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE.APACHE LICENSE.BSD
PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
PKG_BUILD_DEPENDS:=libffi/host python-cffi/host # cffi>=1.12
PKG_BUILD_DEPENDS:=libffi/host python-cffi/host python-setuptools-rust/host
include ../pypi.mk
include $(INCLUDE_DIR)/package.mk
@ -32,18 +32,18 @@ define Package/python3-cryptography
URL:=https://github.com/pyca/cryptography
DEPENDS:= \
+libopenssl \
+libopenssl-legacy \
+python3-light \
+python3-email \
+python3-openssl \
+python3-urllib \
+python3-cffi \
+python3-six
$(RUST_ARCH_DEPENDS)
endef
define Package/python3-cryptography/description
cryptography is a package which provides cryptographic recipes and
primitives to Python developers. Our goal is for it to be your "cryptographic
standard library". It supports Python 2.6-2.7, Python 3.3+, and PyPy 2.6+.
primitives to Python developers. Our goal is for it to be your
"cryptographic standard library".
endef
$(eval $(call Py3Package,python3-cryptography))

20
lang/python/python-cryptography/patches/0001-Add-new-ASN1_STRING_get0_data-API.patch
View File

@ -1,20 +0,0 @@
From 7eefc9c72f522e414f953fee2d6ca9242c566107 Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Fri, 7 Jun 2019 18:18:46 -0700
Subject: [PATCH 1/7] Add new ASN1_STRING_get0_data API
Introduced with OpenSSL 1.1
---
src/_cffi_src/openssl/asn1.py | 4 ++++
1 file changed, 4 insertions(+)
--- a/src/_cffi_src/openssl/asn1.py
+++ b/src/_cffi_src/openssl/asn1.py
@@ -105,4 +105,7 @@ ASN1_NULL *ASN1_NULL_new(void);
"""
CUSTOMIZATIONS = """
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
+#define ASN1_STRING_data ASN1_STRING_get0_data
+#endif
"""

55
lang/python/python-cryptography/patches/0002-Add-compatibility-for-X509_STORE_set_get_issuer.patch
View File

@ -1,55 +0,0 @@
From 77b25307a743eb52ef5ead24c956e577f5bd025f Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Fri, 7 Jun 2019 20:42:04 -0700
Subject: [PATCH 2/7] Add compatibility for X509_STORE_set_get_issuer
Deprecated under OpenSSL 1.1.
---
src/_cffi_src/openssl/x509_vfy.py | 8 ++++++++
src/cryptography/hazmat/bindings/openssl/_conditional.py | 8 ++++++++
2 files changed, 16 insertions(+)
--- a/src/_cffi_src/openssl/x509_vfy.py
+++ b/src/_cffi_src/openssl/x509_vfy.py
@@ -21,6 +21,7 @@ TYPES = """
static const long Cryptography_HAS_102_VERIFICATION;
static const long Cryptography_HAS_110_VERIFICATION_PARAMS;
static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER;
+static const long Cryptography_HAS_X509_CB_ISSUER_CHECK;
typedef ... Cryptography_STACK_OF_ASN1_OBJECT;
typedef ... Cryptography_STACK_OF_X509_OBJECT;
@@ -257,4 +258,11 @@ void (*X509_STORE_set_get_issuer)(X509_S
#else
static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 1;
#endif
+
+#ifndef X509_V_FLAG_CB_ISSUER_CHECK
+static const long Cryptography_HAS_X509_CB_ISSUER_CHECK = 0;
+#define X509_V_FLAG_CB_ISSUER_CHECK 0x0
+#else
+static const long Cryptography_HAS_X509_CB_ISSUER_CHECK = 1;
+#endif
"""
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -269,6 +269,11 @@ def cryptography_has_get_proto_version()
"SSL_get_max_proto_version",
]
+def cryptography_has_x509_cb_issuer_check():
+ return [
+ "X509_V_FLAG_CB_ISSUER_CHECK",
+ ]
+
# This is a mapping of
# {condition: function-returning-names-dependent-on-that-condition} so we can
@@ -318,4 +323,7 @@ CONDITIONAL_NAMES = {
"Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
"Cryptography_HAS_SRTP": cryptography_has_srtp,
"Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version,
+ "Cryptography_HAS_X509_CB_ISSUER_CHECK": (
+ cryptography_has_x509_cb_issuer_check
+ ),
}

127
lang/python/python-cryptography/patches/0003-Add-compatibility-for-deprecated-TLS-methods.patch
View File

@ -1,127 +0,0 @@
From 7a55c37e01114dfd1ae733b099fdee1ba1889449 Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Fri, 7 Jun 2019 21:00:46 -0700
Subject: [PATCH 3/7] Add compatibility for deprecated TLS methods
---
src/_cffi_src/openssl/ssl.py | 45 +++++++++++++++++--
.../hazmat/bindings/openssl/_conditional.py | 36 +++++++++++++++
2 files changed, 77 insertions(+), 4 deletions(-)
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -13,12 +13,14 @@ TYPES = """
static const long Cryptography_HAS_SSL_ST;
static const long Cryptography_HAS_TLS_ST;
static const long Cryptography_HAS_SSL3_METHOD;
-static const long Cryptography_HAS_TLSv1_1;
-static const long Cryptography_HAS_TLSv1_2;
+static const long Cryptography_HAS_TLS1_METHOD;
+static const long Cryptography_HAS_TLS1_1_METHOD;
+static const long Cryptography_HAS_TLS1_2_METHOD;
static const long Cryptography_HAS_TLSv1_3;
static const long Cryptography_HAS_SECURE_RENEGOTIATION;
static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS;
static const long Cryptography_HAS_DTLS;
+static const long Cryptography_HAS_DTLS1_METHOD;
static const long Cryptography_HAS_SIGALGS;
static const long Cryptography_HAS_PSK;
static const long Cryptography_HAS_VERIFIED_CHAIN;
@@ -548,8 +550,43 @@ static const long Cryptography_HAS_SSL3_
static const long Cryptography_HAS_RELEASE_BUFFERS = 1;
static const long Cryptography_HAS_OP_NO_COMPRESSION = 1;
-static const long Cryptography_HAS_TLSv1_1 = 1;
-static const long Cryptography_HAS_TLSv1_2 = 1;
+
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_TLS1_METHOD = 0;
+const SSL_METHOD* (*TLSv1_method)(void) = NULL;
+const SSL_METHOD* (*TLSv1_server_method)(void) = NULL;
+const SSL_METHOD* (*TLSv1_client_method)(void) = NULL;
+#else
+static const long Cryptography_HAS_TLS1_METHOD = 1;
+#endif
+
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_TLS1_1_METHOD = 0;
+const SSL_METHOD* (*TLSv1_1_method)(void) = NULL;
+const SSL_METHOD* (*TLSv1_1_server_method)(void) = NULL;
+const SSL_METHOD* (*TLSv1_1_client_method)(void) = NULL;
+#else
+static const long Cryptography_HAS_TLS1_1_METHOD = 1;
+#endif
+
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_TLS1_2_METHOD = 0;
+const SSL_METHOD* (*TLSv1_2_method)(void) = NULL;
+const SSL_METHOD* (*TLSv1_2_server_method)(void) = NULL;
+const SSL_METHOD* (*TLSv1_2_client_method)(void) = NULL;
+#else
+static const long Cryptography_HAS_TLS1_2_METHOD = 1;
+#endif
+
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
+static const long Cryptography_HAS_DTLS1_METHOD = 0;
+const SSL_METHOD* (*DTLSv1_method)(void) = NULL;
+const SSL_METHOD* (*DTLSv1_server_method)(void) = NULL;
+const SSL_METHOD* (*DTLSv1_client_method)(void) = NULL;
+#else
+static const long Cryptography_HAS_DTLS1_METHOD = 1;
+#endif
+
static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -31,6 +31,38 @@ def cryptography_has_ssl3_method():
]
+def cryptography_has_tls1_method():
+ return [
+ "TLSv1_method",
+ "TLSv1_client_method",
+ "TLSv1_server_method",
+ ]
+
+
+def cryptography_has_tls1_1_method():
+ return [
+ "TLSv1_1_method",
+ "TLSv1_1_client_method",
+ "TLSv1_1_server_method",
+ ]
+
+
+def cryptography_has_tls1_2_method():
+ return [
+ "TLSv1_2_method",
+ "TLSv1_2_client_method",
+ "TLSv1_2_server_method",
+ ]
+
+
+def cryptography_has_dtls1_method():
+ return [
+ "DTLSv1_method",
+ "DTLSv1_client_method",
+ "DTLSv1_server_method",
+ ]
+
+
def cryptography_has_102_verification():
return [
"X509_V_ERR_SUITE_B_INVALID_VERSION",
@@ -285,6 +317,10 @@ CONDITIONAL_NAMES = {
"Cryptography_HAS_RSA_OAEP_MD": cryptography_has_rsa_oaep_md,
"Cryptography_HAS_RSA_OAEP_LABEL": cryptography_has_rsa_oaep_label,
"Cryptography_HAS_SSL3_METHOD": cryptography_has_ssl3_method,
+ "Cryptography_HAS_TLS1_METHOD": cryptography_has_tls1_method,
+ "Cryptography_HAS_TLS1_1_METHOD": cryptography_has_tls1_1_method,
+ "Cryptography_HAS_TLS1_2_METHOD": cryptography_has_tls1_2_method,
+ "Cryptography_HAS_DTLS1_METHOD": cryptography_has_dtls1_method,
"Cryptography_HAS_102_VERIFICATION": cryptography_has_102_verification,
"Cryptography_HAS_110_VERIFICATION_PARAMS": (
cryptography_has_110_verification_params

33
lang/python/python-cryptography/patches/0004-disable-rust.patch
View File

@ -1,33 +0,0 @@
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -6,7 +6,6 @@ requires = [
"wheel",
# Must be kept in sync with the `setup_requirements` in `setup.py`
"cffi>=1.12; platform_python_implementation != 'PyPy'",
- "setuptools-rust>=0.11.4",
]
build-backend = "setuptools.build_meta"
--- a/setup.py
+++ b/setup.py
@@ -11,7 +11,7 @@ import sys
from setuptools import find_packages, setup
try:
- from setuptools_rust import RustExtension
+ pass
except ImportError:
print(
"""
@@ -43,9 +43,9 @@ with open(os.path.join(src_dir, "cryptog
# `pyproject.toml`
setuptools_rust = "setuptools-rust>=0.11.4"
install_requirements = ["cffi>=1.12"]
-setup_requirements = install_requirements + [setuptools_rust]
+setup_requirements = install_requirements
-if os.environ.get("CRYPTOGRAPHY_DONT_BUILD_RUST"):
+if True:
rust_extensions = []
else:
rust_extensions = [

25
lang/python/python-cryptography/patches/0006-Add-X509_STORE_CTX_trusted_stack-compatibility-macro.patch
View File

@ -1,25 +0,0 @@
From 98bf3eda9c950158cf6a0a6a698dd365712201b1 Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Mon, 25 Nov 2019 12:06:16 -0800
Subject: [PATCH 6/7] Add X509_STORE_CTX_trusted_stack compatibility macro
Deprecated in 1.1
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
src/_cffi_src/openssl/x509_vfy.py | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/src/_cffi_src/openssl/x509_vfy.py
+++ b/src/_cffi_src/openssl/x509_vfy.py
@@ -265,4 +265,10 @@ static const long Cryptography_HAS_X509_
#else
static const long Cryptography_HAS_X509_CB_ISSUER_CHECK = 1;
#endif
+
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
+#define X509_STORE_CTX_trusted_stack X509_STORE_CTX_set0_trusted_stack
+#define X509_STORE_CTX_set_chain X509_STORE_CTX_set0_untrusted
+#define X509_STORE_CTX_get_chain X509_STORE_CTX_get1_chain
+#endif
"""

56
lang/python/python-cryptography/patches/0007-Add-defines-for-totally-deprecated-functions.patch
View File

@ -1,56 +0,0 @@
From e96af1cee523c5551c7fc5f36eba8e271fa51b20 Mon Sep 17 00:00:00 2001
From: Rosen Penev <rosenp@gmail.com>
Date: Thu, 5 Dec 2019 12:52:13 -0800
Subject: [PATCH 7/7] Add defines for totally deprecated functions
---
src/_cffi_src/openssl/conf.py | 4 ++++
src/_cffi_src/openssl/crypto.py | 4 ++++
src/_cffi_src/openssl/ecdh.py | 3 +++
src/_cffi_src/openssl/ssl.py | 5 +++++
4 files changed, 16 insertions(+)
--- a/src/_cffi_src/openssl/conf.py
+++ b/src/_cffi_src/openssl/conf.py
@@ -17,4 +17,8 @@ void OPENSSL_no_config(void);
"""
CUSTOMIZATIONS = """
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
+#define OPENSSL_config(x) 0
+#define OPENSSL_no_config() 0
+#endif
"""
--- a/src/_cffi_src/openssl/crypto.py
+++ b/src/_cffi_src/openssl/crypto.py
@@ -113,4 +113,8 @@ void *Cryptography_realloc_wrapper(void
void Cryptography_free_wrapper(void *ptr, const char *path, int line) {
free(ptr);
}
+
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
+#define CRYPTO_get_locking_callback() 0
+#endif
"""
--- a/src/_cffi_src/openssl/ecdh.py
+++ b/src/_cffi_src/openssl/ecdh.py
@@ -17,4 +17,7 @@ long SSL_CTX_set_ecdh_auto(SSL_CTX *, in
"""
CUSTOMIZATIONS = """
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
+#define SSL_CTX_set_ecdh_auto(a, b) ((b) != 0)
+#endif
"""
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -745,4 +745,9 @@ long (*SSL_get_max_proto_version)(SSL *)
#else
static const long Cryptography_HAS_GET_PROTO_VERSION = 1;
#endif
+
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
+#define SSL_library_init() 1
+#define SSL_load_error_strings() 0
+#endif
"""

13
lang/python/python-cryptography/patches/001-Update-ouroboros.patch Normal file
View File

@ -0,0 +1,13 @@
Fixes https://rustsec.org/advisories/RUSTSEC-2023-0042.html
--- a/src/rust/Cargo.toml
+++ b/src/rust/Cargo.toml
@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptograp
cryptography-x509 = { path = "cryptography-x509" }
cryptography-openssl = { path = "cryptography-openssl" }
pem = "1.1"
-ouroboros = "0.15"
+ouroboros = "0.18"
openssl = "0.10.54"
openssl-sys = "0.9.88"
foreign-types-shared = "0.1"

12
lang/python/python-cryptography/test.sh Normal file
View File

@ -0,0 +1,12 @@
#!/bin/sh
[ "$1" = python3-cryptography ] || exit 0
python3 - << EOF
import sys
from cryptography.fernet import Fernet
key = Fernet.generate_key()
f = Fernet(key)
token = f.encrypt(b"my deep dark secret")
sys.exit(0 if f.decrypt(token) == b"my deep dark secret" else 1)
EOF