python-cryptography: Update to 41.0.4
This includes a patch to update the version of ouroboros (Rust crate) used, to fix RUSTSEC-2023-0042[1]. Upstream has switched from ouroboros to self_cell, so this patch should only be necessary for cryptography 41. [1]: https://rustsec.org/advisories/RUSTSEC-2023-0042.html Signed-off-by: Jeffery To <jeffery.to@gmail.com>
parent
4d43be8549
commit
9fdff3ea94
|
@ -8,17 +8,17 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=python-cryptography
|
||||
PKG_VERSION:=3.4.8
|
||||
PKG_RELEASE:=3
|
||||
PKG_VERSION:=41.0.4
|
||||
PKG_RELEASE:=1
|
||||
|
||||
PYPI_NAME:=cryptography
|
||||
PKG_HASH:=94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c
|
||||
PKG_HASH:=7febc3094125fc126a7f6fb1f420d0da639f3f32cb15c8ff0dc3997c4549f51a
|
||||
|
||||
PKG_LICENSE:=Apache-2.0 BSD-3-Clause
|
||||
PKG_LICENSE_FILES:=LICENSE.APACHE LICENSE.BSD
|
||||
PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
|
||||
|
||||
PKG_BUILD_DEPENDS:=libffi/host python-cffi/host # cffi>=1.12
|
||||
PKG_BUILD_DEPENDS:=libffi/host python-cffi/host python-setuptools-rust/host
|
||||
|
||||
include ../pypi.mk
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
@ -32,18 +32,18 @@ define Package/python3-cryptography
|
|||
URL:=https://github.com/pyca/cryptography
|
||||
DEPENDS:= \
|
||||
+libopenssl \
|
||||
+libopenssl-legacy \
|
||||
+python3-light \
|
||||
+python3-email \
|
||||
+python3-openssl \
|
||||
+python3-urllib \
|
||||
+python3-cffi \
|
||||
+python3-six
|
||||
$(RUST_ARCH_DEPENDS)
|
||||
endef
|
||||
|
||||
define Package/python3-cryptography/description
|
||||
cryptography is a package which provides cryptographic recipes and
|
||||
primitives to Python developers. Our goal is for it to be your "cryptographic
|
||||
standard library". It supports Python 2.6-2.7, Python 3.3+, and PyPy 2.6+.
|
||||
primitives to Python developers. Our goal is for it to be your
|
||||
"cryptographic standard library".
|
||||
endef
|
||||
|
||||
$(eval $(call Py3Package,python3-cryptography))
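Review bot: The `+libopenssl-legacy` entry in the `DEPENDS` list of `Package/python3-cryptography` has no comment saying why it is needed, and this rendering does not show whether it is on the new side only. If it is there because cryptography 41 loads OpenSSL's legacy provider at import unless `CRYPTOGRAPHY_OPENSSL_NO_LEGACY` is set, a comment ahead of the `define` such as `# cryptography loads the OpenSSL legacy provider on import, hence libopenssl-legacy` would record that. It would also make it visible that legacy algorithms are installed on every device that pulls in this package. The `define` block starts above the hunk.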
|
||||
|
|
|
@ -1,20 +0,0 @@
|
|||
From 7eefc9c72f522e414f953fee2d6ca9242c566107 Mon Sep 17 00:00:00 2001
|
||||
From: Rosen Penev <rosenp@gmail.com>
|
||||
Date: Fri, 7 Jun 2019 18:18:46 -0700
|
||||
Subject: [PATCH 1/7] Add new ASN1_STRING_get0_data API
|
||||
|
||||
Introduced with OpenSSL 1.1
|
||||
---
|
||||
src/_cffi_src/openssl/asn1.py | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
--- a/src/_cffi_src/openssl/asn1.py
|
||||
+++ b/src/_cffi_src/openssl/asn1.py
|
||||
@@ -105,4 +105,7 @@ ASN1_NULL *ASN1_NULL_new(void);
|
||||
"""
|
||||
|
||||
CUSTOMIZATIONS = """
|
||||
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
|
||||
+#define ASN1_STRING_data ASN1_STRING_get0_data
|
||||
+#endif
|
||||
"""
|
|
@ -1,55 +0,0 @@
|
|||
From 77b25307a743eb52ef5ead24c956e577f5bd025f Mon Sep 17 00:00:00 2001
|
||||
From: Rosen Penev <rosenp@gmail.com>
|
||||
Date: Fri, 7 Jun 2019 20:42:04 -0700
|
||||
Subject: [PATCH 2/7] Add compatibility for X509_STORE_set_get_issuer
|
||||
|
||||
Deprecated under OpenSSL 1.1.
|
||||
---
|
||||
src/_cffi_src/openssl/x509_vfy.py | 8 ++++++++
|
||||
src/cryptography/hazmat/bindings/openssl/_conditional.py | 8 ++++++++
|
||||
2 files changed, 16 insertions(+)
|
||||
|
||||
--- a/src/_cffi_src/openssl/x509_vfy.py
|
||||
+++ b/src/_cffi_src/openssl/x509_vfy.py
|
||||
@@ -21,6 +21,7 @@ TYPES = """
|
||||
static const long Cryptography_HAS_102_VERIFICATION;
|
||||
static const long Cryptography_HAS_110_VERIFICATION_PARAMS;
|
||||
static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER;
|
||||
+static const long Cryptography_HAS_X509_CB_ISSUER_CHECK;
|
||||
|
||||
typedef ... Cryptography_STACK_OF_ASN1_OBJECT;
|
||||
typedef ... Cryptography_STACK_OF_X509_OBJECT;
|
||||
@@ -257,4 +258,11 @@ void (*X509_STORE_set_get_issuer)(X509_S
|
||||
#else
|
||||
static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 1;
|
||||
#endif
|
||||
+
|
||||
+#ifndef X509_V_FLAG_CB_ISSUER_CHECK
|
||||
+static const long Cryptography_HAS_X509_CB_ISSUER_CHECK = 0;
|
||||
+#define X509_V_FLAG_CB_ISSUER_CHECK 0x0
|
||||
+#else
|
||||
+static const long Cryptography_HAS_X509_CB_ISSUER_CHECK = 1;
|
||||
+#endif
|
||||
"""
|
||||
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
|
||||
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
|
||||
@@ -269,6 +269,11 @@ def cryptography_has_get_proto_version()
|
||||
"SSL_get_max_proto_version",
|
||||
]
|
||||
|
||||
+def cryptography_has_x509_cb_issuer_check():
|
||||
+ return [
|
||||
+ "X509_V_FLAG_CB_ISSUER_CHECK",
|
||||
+ ]
|
||||
+
|
||||
|
||||
# This is a mapping of
|
||||
# {condition: function-returning-names-dependent-on-that-condition} so we can
|
||||
@@ -318,4 +323,7 @@ CONDITIONAL_NAMES = {
|
||||
"Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
|
||||
"Cryptography_HAS_SRTP": cryptography_has_srtp,
|
||||
"Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version,
|
||||
+ "Cryptography_HAS_X509_CB_ISSUER_CHECK": (
|
||||
+ cryptography_has_x509_cb_issuer_check
|
||||
+ ),
|
||||
}
|
|
@ -1,127 +0,0 @@
|
|||
From 7a55c37e01114dfd1ae733b099fdee1ba1889449 Mon Sep 17 00:00:00 2001
|
||||
From: Rosen Penev <rosenp@gmail.com>
|
||||
Date: Fri, 7 Jun 2019 21:00:46 -0700
|
||||
Subject: [PATCH 3/7] Add compatibility for deprecated TLS methods
|
||||
|
||||
---
|
||||
src/_cffi_src/openssl/ssl.py | 45 +++++++++++++++++--
|
||||
.../hazmat/bindings/openssl/_conditional.py | 36 +++++++++++++++
|
||||
2 files changed, 77 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/src/_cffi_src/openssl/ssl.py
|
||||
+++ b/src/_cffi_src/openssl/ssl.py
|
||||
@@ -13,12 +13,14 @@ TYPES = """
|
||||
static const long Cryptography_HAS_SSL_ST;
|
||||
static const long Cryptography_HAS_TLS_ST;
|
||||
static const long Cryptography_HAS_SSL3_METHOD;
|
||||
-static const long Cryptography_HAS_TLSv1_1;
|
||||
-static const long Cryptography_HAS_TLSv1_2;
|
||||
+static const long Cryptography_HAS_TLS1_METHOD;
|
||||
+static const long Cryptography_HAS_TLS1_1_METHOD;
|
||||
+static const long Cryptography_HAS_TLS1_2_METHOD;
|
||||
static const long Cryptography_HAS_TLSv1_3;
|
||||
static const long Cryptography_HAS_SECURE_RENEGOTIATION;
|
||||
static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS;
|
||||
static const long Cryptography_HAS_DTLS;
|
||||
+static const long Cryptography_HAS_DTLS1_METHOD;
|
||||
static const long Cryptography_HAS_SIGALGS;
|
||||
static const long Cryptography_HAS_PSK;
|
||||
static const long Cryptography_HAS_VERIFIED_CHAIN;
|
||||
@@ -548,8 +550,43 @@ static const long Cryptography_HAS_SSL3_
|
||||
|
||||
static const long Cryptography_HAS_RELEASE_BUFFERS = 1;
|
||||
static const long Cryptography_HAS_OP_NO_COMPRESSION = 1;
|
||||
-static const long Cryptography_HAS_TLSv1_1 = 1;
|
||||
-static const long Cryptography_HAS_TLSv1_2 = 1;
|
||||
+
|
||||
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
|
||||
+static const long Cryptography_HAS_TLS1_METHOD = 0;
|
||||
+const SSL_METHOD* (*TLSv1_method)(void) = NULL;
|
||||
+const SSL_METHOD* (*TLSv1_server_method)(void) = NULL;
|
||||
+const SSL_METHOD* (*TLSv1_client_method)(void) = NULL;
|
||||
+#else
|
||||
+static const long Cryptography_HAS_TLS1_METHOD = 1;
|
||||
+#endif
|
||||
+
|
||||
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
|
||||
+static const long Cryptography_HAS_TLS1_1_METHOD = 0;
|
||||
+const SSL_METHOD* (*TLSv1_1_method)(void) = NULL;
|
||||
+const SSL_METHOD* (*TLSv1_1_server_method)(void) = NULL;
|
||||
+const SSL_METHOD* (*TLSv1_1_client_method)(void) = NULL;
|
||||
+#else
|
||||
+static const long Cryptography_HAS_TLS1_1_METHOD = 1;
|
||||
+#endif
|
||||
+
|
||||
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
|
||||
+static const long Cryptography_HAS_TLS1_2_METHOD = 0;
|
||||
+const SSL_METHOD* (*TLSv1_2_method)(void) = NULL;
|
||||
+const SSL_METHOD* (*TLSv1_2_server_method)(void) = NULL;
|
||||
+const SSL_METHOD* (*TLSv1_2_client_method)(void) = NULL;
|
||||
+#else
|
||||
+static const long Cryptography_HAS_TLS1_2_METHOD = 1;
|
||||
+#endif
|
||||
+
|
||||
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
|
||||
+static const long Cryptography_HAS_DTLS1_METHOD = 0;
|
||||
+const SSL_METHOD* (*DTLSv1_method)(void) = NULL;
|
||||
+const SSL_METHOD* (*DTLSv1_server_method)(void) = NULL;
|
||||
+const SSL_METHOD* (*DTLSv1_client_method)(void) = NULL;
|
||||
+#else
|
||||
+static const long Cryptography_HAS_DTLS1_METHOD = 1;
|
||||
+#endif
|
||||
+
|
||||
static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
|
||||
static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
|
||||
static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
|
||||
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
|
||||
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
|
||||
@@ -31,6 +31,38 @@ def cryptography_has_ssl3_method():
|
||||
]
|
||||
|
||||
|
||||
+def cryptography_has_tls1_method():
|
||||
+ return [
|
||||
+ "TLSv1_method",
|
||||
+ "TLSv1_client_method",
|
||||
+ "TLSv1_server_method",
|
||||
+ ]
|
||||
+
|
||||
+
|
||||
+def cryptography_has_tls1_1_method():
|
||||
+ return [
|
||||
+ "TLSv1_1_method",
|
||||
+ "TLSv1_1_client_method",
|
||||
+ "TLSv1_1_server_method",
|
||||
+ ]
|
||||
+
|
||||
+
|
||||
+def cryptography_has_tls1_2_method():
|
||||
+ return [
|
||||
+ "TLSv1_2_method",
|
||||
+ "TLSv1_2_client_method",
|
||||
+ "TLSv1_2_server_method",
|
||||
+ ]
|
||||
+
|
||||
+
|
||||
+def cryptography_has_dtls1_method():
|
||||
+ return [
|
||||
+ "DTLSv1_method",
|
||||
+ "DTLSv1_client_method",
|
||||
+ "DTLSv1_server_method",
|
||||
+ ]
|
||||
+
|
||||
+
|
||||
def cryptography_has_102_verification():
|
||||
return [
|
||||
"X509_V_ERR_SUITE_B_INVALID_VERSION",
|
||||
@@ -285,6 +317,10 @@ CONDITIONAL_NAMES = {
|
||||
"Cryptography_HAS_RSA_OAEP_MD": cryptography_has_rsa_oaep_md,
|
||||
"Cryptography_HAS_RSA_OAEP_LABEL": cryptography_has_rsa_oaep_label,
|
||||
"Cryptography_HAS_SSL3_METHOD": cryptography_has_ssl3_method,
|
||||
+ "Cryptography_HAS_TLS1_METHOD": cryptography_has_tls1_method,
|
||||
+ "Cryptography_HAS_TLS1_1_METHOD": cryptography_has_tls1_1_method,
|
||||
+ "Cryptography_HAS_TLS1_2_METHOD": cryptography_has_tls1_2_method,
|
||||
+ "Cryptography_HAS_DTLS1_METHOD": cryptography_has_dtls1_method,
|
||||
"Cryptography_HAS_102_VERIFICATION": cryptography_has_102_verification,
|
||||
"Cryptography_HAS_110_VERIFICATION_PARAMS": (
|
||||
cryptography_has_110_verification_params
|
|
@ -1,33 +0,0 @@
|
|||
--- a/pyproject.toml
|
||||
+++ b/pyproject.toml
|
||||
@@ -6,7 +6,6 @@ requires = [
|
||||
"wheel",
|
||||
# Must be kept in sync with the `setup_requirements` in `setup.py`
|
||||
"cffi>=1.12; platform_python_implementation != 'PyPy'",
|
||||
- "setuptools-rust>=0.11.4",
|
||||
]
|
||||
build-backend = "setuptools.build_meta"
|
||||
|
||||
--- a/setup.py
|
||||
+++ b/setup.py
|
||||
@@ -11,7 +11,7 @@ import sys
|
||||
from setuptools import find_packages, setup
|
||||
|
||||
try:
|
||||
- from setuptools_rust import RustExtension
|
||||
+ pass
|
||||
except ImportError:
|
||||
print(
|
||||
"""
|
||||
@@ -43,9 +43,9 @@ with open(os.path.join(src_dir, "cryptog
|
||||
# `pyproject.toml`
|
||||
setuptools_rust = "setuptools-rust>=0.11.4"
|
||||
install_requirements = ["cffi>=1.12"]
|
||||
-setup_requirements = install_requirements + [setuptools_rust]
|
||||
+setup_requirements = install_requirements
|
||||
|
||||
-if os.environ.get("CRYPTOGRAPHY_DONT_BUILD_RUST"):
|
||||
+if True:
|
||||
rust_extensions = []
|
||||
else:
|
||||
rust_extensions = [
|
|
@ -1,25 +0,0 @@
|
|||
From 98bf3eda9c950158cf6a0a6a698dd365712201b1 Mon Sep 17 00:00:00 2001
|
||||
From: Rosen Penev <rosenp@gmail.com>
|
||||
Date: Mon, 25 Nov 2019 12:06:16 -0800
|
||||
Subject: [PATCH 6/7] Add X509_STORE_CTX_trusted_stack compatibility macro
|
||||
|
||||
Deprecated in 1.1
|
||||
|
||||
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
||||
---
|
||||
src/_cffi_src/openssl/x509_vfy.py | 12 +++++++++++-
|
||||
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/src/_cffi_src/openssl/x509_vfy.py
|
||||
+++ b/src/_cffi_src/openssl/x509_vfy.py
|
||||
@@ -265,4 +265,10 @@ static const long Cryptography_HAS_X509_
|
||||
#else
|
||||
static const long Cryptography_HAS_X509_CB_ISSUER_CHECK = 1;
|
||||
#endif
|
||||
+
|
||||
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
|
||||
+#define X509_STORE_CTX_trusted_stack X509_STORE_CTX_set0_trusted_stack
|
||||
+#define X509_STORE_CTX_set_chain X509_STORE_CTX_set0_untrusted
|
||||
+#define X509_STORE_CTX_get_chain X509_STORE_CTX_get1_chain
|
||||
+#endif
|
||||
"""
|
|
@ -1,56 +0,0 @@
|
|||
From e96af1cee523c5551c7fc5f36eba8e271fa51b20 Mon Sep 17 00:00:00 2001
|
||||
From: Rosen Penev <rosenp@gmail.com>
|
||||
Date: Thu, 5 Dec 2019 12:52:13 -0800
|
||||
Subject: [PATCH 7/7] Add defines for totally deprecated functions
|
||||
|
||||
---
|
||||
src/_cffi_src/openssl/conf.py | 4 ++++
|
||||
src/_cffi_src/openssl/crypto.py | 4 ++++
|
||||
src/_cffi_src/openssl/ecdh.py | 3 +++
|
||||
src/_cffi_src/openssl/ssl.py | 5 +++++
|
||||
4 files changed, 16 insertions(+)
|
||||
|
||||
--- a/src/_cffi_src/openssl/conf.py
|
||||
+++ b/src/_cffi_src/openssl/conf.py
|
||||
@@ -17,4 +17,8 @@ void OPENSSL_no_config(void);
|
||||
"""
|
||||
|
||||
CUSTOMIZATIONS = """
|
||||
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
|
||||
+#define OPENSSL_config(x) 0
|
||||
+#define OPENSSL_no_config() 0
|
||||
+#endif
|
||||
"""
|
||||
--- a/src/_cffi_src/openssl/crypto.py
|
||||
+++ b/src/_cffi_src/openssl/crypto.py
|
||||
@@ -113,4 +113,8 @@ void *Cryptography_realloc_wrapper(void
|
||||
void Cryptography_free_wrapper(void *ptr, const char *path, int line) {
|
||||
free(ptr);
|
||||
}
|
||||
+
|
||||
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
|
||||
+#define CRYPTO_get_locking_callback() 0
|
||||
+#endif
|
||||
"""
|
||||
--- a/src/_cffi_src/openssl/ecdh.py
|
||||
+++ b/src/_cffi_src/openssl/ecdh.py
|
||||
@@ -17,4 +17,7 @@ long SSL_CTX_set_ecdh_auto(SSL_CTX *, in
|
||||
"""
|
||||
|
||||
CUSTOMIZATIONS = """
|
||||
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
|
||||
+#define SSL_CTX_set_ecdh_auto(a, b) ((b) != 0)
|
||||
+#endif
|
||||
"""
|
||||
--- a/src/_cffi_src/openssl/ssl.py
|
||||
+++ b/src/_cffi_src/openssl/ssl.py
|
||||
@@ -745,4 +745,9 @@ long (*SSL_get_max_proto_version)(SSL *)
|
||||
#else
|
||||
static const long Cryptography_HAS_GET_PROTO_VERSION = 1;
|
||||
#endif
|
||||
+
|
||||
+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
|
||||
+#define SSL_library_init() 1
|
||||
+#define SSL_load_error_strings() 0
|
||||
+#endif
|
||||
"""
|
|
@ -0,0 +1,13 @@
|
|||
Fixes https://rustsec.org/advisories/RUSTSEC-2023-0042.html
|
||||
|
||||
--- a/src/rust/Cargo.toml
|
||||
+++ b/src/rust/Cargo.toml
|
||||
@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptograp
|
||||
cryptography-x509 = { path = "cryptography-x509" }
|
||||
cryptography-openssl = { path = "cryptography-openssl" }
|
||||
pem = "1.1"
|
||||
-ouroboros = "0.15"
|
||||
+ouroboros = "0.18"
|
||||
openssl = "0.10.54"
|
||||
openssl-sys = "0.9.88"
|
||||
foreign-types-shared = "0.1"
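Review bot: The added patch raises the `ouroboros` requirement in `src/rust/Cargo.toml` to `0.18` but touches no lockfile, so the `ouroboros` release and any new transitive crates are resolved at build time. If the sdist ships a `Cargo.lock` next to this manifest (not visible here), the patch should carry the matching lock update so the resolved versions and checksums are pinned and reviewable. Otherwise a build with `--locked` would fail, and a build without it would resolve unpinned versions. The patch header could also state that the patch can be dropped once upstream's switch to self_cell is packaged, as the commit message says.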
|
|
@ -0,0 +1,12 @@
|
|||
#!/bin/sh
|
||||
|
||||
[ "$1" = python3-cryptography ] || exit 0
|
||||
|
||||
python3 - << EOF
|
||||
import sys
|
||||
from cryptography.fernet import Fernet
|
||||
key = Fernet.generate_key()
|
||||
f = Fernet(key)
|
||||
token = f.encrypt(b"my deep dark secret")
|
||||
sys.exit(0 if f.decrypt(token) == b"my deep dark secret" else 1)
|
||||
EOF
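Review bot: The smoke test only checks a Fernet round trip with the correct key, so it would still pass if the built package stopped rejecting bad tokens; a negative check that decrypting with a different key raises `InvalidToken` would cover the authentication path as well. The heredoc delimiter is also unquoted (`<< EOF`), so the shell would expand any `$` or backtick later added to the Python body; `<< 'EOF'` avoids that. Neither check touches X.509 parsing, which is presumably where the patched Rust crate is used, so this test says nothing about the ouroboros change itself.

```shell
python3 - << 'EOF'
import sys
from cryptography.fernet import Fernet, InvalidToken
# … unchanged: key generation, Fernet(key), encrypt …
if f.decrypt(token) != b"my deep dark secret":
    sys.exit(1)
try:
    Fernet(Fernet.generate_key()).decrypt(token)
except InvalidToken:
    sys.exit(0)
sys.exit(1)
EOF
```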
|