From 9fdff3ea94662653188c3902840e97c35e9f138f Mon Sep 17 00:00:00 2001
From: Jeffery To
Date: Wed, 13 Sep 2023 12:33:51 +0800
Subject: [PATCH] python-cryptography: Update to 41.0.4

This includes a patch to update the version of ouroboros (Rust crate) used, to fix RUSTSEC-2023-0042[1]. Upstream has switch from ouroboros to self_cell so this patch should only be necessary for cryptography 41.

[1]: https://rustsec.org/advisories/RUSTSEC-2023-0042.html

Signed-off-by: Jeffery To
---
 lang/python/python-cryptography/Makefile | 16 +-
 ...01-Add-new-ASN1_STRING_get0_data-API.patch | 20 ---
 ...bility-for-X509_STORE_set_get_issuer.patch | 55 --------
 ...atibility-for-deprecated-TLS-methods.patch | 127 ------------------
 .../patches/0004-disable-rust.patch | 33 -----
 ...TX_trusted_stack-compatibility-macro.patch | 25 ----
 ...nes-for-totally-deprecated-functions.patch | 56 --------
 .../patches/001-Update-ouroboros.patch | 13 ++
 lang/python/python-cryptography/test.sh | 12 ++
 9 files changed, 33 insertions(+), 324 deletions(-)
 delete mode 100644 lang/python/python-cryptography/patches/0001-Add-new-ASN1_STRING_get0_data-API.patch
 delete mode 100644 lang/python/python-cryptography/patches/0002-Add-compatibility-for-X509_STORE_set_get_issuer.patch
 delete mode 100644 lang/python/python-cryptography/patches/0003-Add-compatibility-for-deprecated-TLS-methods.patch
 delete mode 100644 lang/python/python-cryptography/patches/0004-disable-rust.patch
 delete mode 100644 lang/python/python-cryptography/patches/0006-Add-X509_STORE_CTX_trusted_stack-compatibility-macro.patch
 delete mode 100644 lang/python/python-cryptography/patches/0007-Add-defines-for-totally-deprecated-functions.patch
 create mode 100644 lang/python/python-cryptography/patches/001-Update-ouroboros.patch
 create mode 100644 lang/python/python-cryptography/test.sh

diff --git a/lang/python/python-cryptography/Makefile b/lang/python/python-cryptography/Makefile
index eca9394584..6ef9cb969f 100644
--- a/lang/python/python-cryptography/Makefile
+++ b/lang/python/python-cryptography/Makefile
@@ -8,17 +8,17 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=python-cryptography
-PKG_VERSION:=3.4.8
-PKG_RELEASE:=3
+PKG_VERSION:=41.0.4
+PKG_RELEASE:=1
 
 PYPI_NAME:=cryptography
-PKG_HASH:=94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c
+PKG_HASH:=7febc3094125fc126a7f6fb1f420d0da639f3f32cb15c8ff0dc3997c4549f51a
 
 PKG_LICENSE:=Apache-2.0 BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE.APACHE LICENSE.BSD
 PKG_MAINTAINER:=Jeffery To
 
-PKG_BUILD_DEPENDS:=libffi/host python-cffi/host # cffi>=1.12
+PKG_BUILD_DEPENDS:=libffi/host python-cffi/host python-setuptools-rust/host
 
 include ../pypi.mk
 include $(INCLUDE_DIR)/package.mk
@@ -32,18 +32,18 @@ define Package/python3-cryptography
   URL:=https://github.com/pyca/cryptography
   DEPENDS:= \
 	+libopenssl \
+	+libopenssl-legacy \
 	+python3-light \
 	+python3-email \
-	+python3-openssl \
 	+python3-urllib \
 	+python3-cffi \
-	+python3-six
+	$(RUST_ARCH_DEPENDS)
 endef
 
 define Package/python3-cryptography/description
 cryptography is a package which provides cryptographic recipes and
-primitives to Python developers. Our goal is for it to be your "cryptographic
-standard library". It supports Python 2.6-2.7, Python 3.3+, and PyPy 2.6+.
+primitives to Python developers. Our goal is for it to be your
+"cryptographic standard library".
 endef
 
 $(eval $(call Py3Package,python3-cryptography))
diff --git a/lang/python/python-cryptography/patches/0001-Add-new-ASN1_STRING_get0_data-API.patch b/lang/python/python-cryptography/patches/0001-Add-new-ASN1_STRING_get0_data-API.patch
deleted file mode 100644
index 46adae82d6..0000000000
--- a/lang/python/python-cryptography/patches/0001-Add-new-ASN1_STRING_get0_data-API.patch
+++ /dev/null
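Review bot: `$(RUST_ARCH_DEPENDS)`, which the DEPENDS hunk further down relies on, is defined by the rust feed's makefile fragment (rust-values.mk / rust-package.mk, as far as I can tell), yet the include list shown as context here still only has `include ../pypi.mk` and `include $(INCLUDE_DIR)/package.mk`; unless that include is added somewhere outside this hunk, the variable expands to nothing and the package silently loses its architecture guard. Adding `python-setuptools-rust/host` to PKG_BUILD_DEPENDS also leans on that host package pulling in the Rust toolchain transitively; either list it explicitly, `PKG_BUILD_DEPENDS:=libffi/host python-cffi/host python-setuptools-rust/host rust/host`, or add a one-line comment saying why it is not needed. The rest of the hunk is a version and hash bump.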
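Review bot: The new `+libopenssl-legacy` runtime dependency needs a comment, because it is a security trade-off rather than a plain library link: it ships OpenSSL 3's legacy provider, which re-enables deprecated algorithms (RC4, DES, MD4, Blowfish and friends) for every process that loads it. Presumably it is here because cryptography 41 loads that provider at import time and treats a failed load as fatal unless `CRYPTOGRAPHY_OPENSSL_NO_LEGACY` is set — confirm that, and record which of the two options the package has chosen. A `#` cannot go inside the backslash-continued list without commenting out everything after it, so put the note on the line above `DEPENDS:=`: `# cryptography loads OpenSSL's legacy provider at import and fails without it unless CRYPTOGRAPHY_OPENSSL_NO_LEGACY is set`.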
@@ -1,20 +0,0 @@
-From 7eefc9c72f522e414f953fee2d6ca9242c566107 Mon Sep 17 00:00:00 2001
-From: Rosen Penev
-Date: Fri, 7 Jun 2019 18:18:46 -0700
-Subject: [PATCH 1/7] Add new ASN1_STRING_get0_data API
-
-Introduced with OpenSSL 1.1
----
- src/_cffi_src/openssl/asn1.py | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/src/_cffi_src/openssl/asn1.py
-+++ b/src/_cffi_src/openssl/asn1.py
-@@ -105,4 +105,7 @@ ASN1_NULL *ASN1_NULL_new(void);
- """
- 
- CUSTOMIZATIONS = """
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+#define ASN1_STRING_data ASN1_STRING_get0_data
-+#endif
- """
diff --git a/lang/python/python-cryptography/patches/0002-Add-compatibility-for-X509_STORE_set_get_issuer.patch b/lang/python/python-cryptography/patches/0002-Add-compatibility-for-X509_STORE_set_get_issuer.patch
deleted file mode 100644
index 52f4340952..0000000000
--- a/lang/python/python-cryptography/patches/0002-Add-compatibility-for-X509_STORE_set_get_issuer.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 77b25307a743eb52ef5ead24c956e577f5bd025f Mon Sep 17 00:00:00 2001
-From: Rosen Penev
-Date: Fri, 7 Jun 2019 20:42:04 -0700
-Subject: [PATCH 2/7] Add compatibility for X509_STORE_set_get_issuer
-
-Deprecated under OpenSSL 1.1.
----
- src/_cffi_src/openssl/x509_vfy.py | 8 ++++++++
- src/cryptography/hazmat/bindings/openssl/_conditional.py | 8 ++++++++
- 2 files changed, 16 insertions(+)
-
---- a/src/_cffi_src/openssl/x509_vfy.py
-+++ b/src/_cffi_src/openssl/x509_vfy.py
-@@ -21,6 +21,7 @@ TYPES = """
- static const long Cryptography_HAS_102_VERIFICATION;
- static const long Cryptography_HAS_110_VERIFICATION_PARAMS;
- static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER;
-+static const long Cryptography_HAS_X509_CB_ISSUER_CHECK;
- 
- typedef ... Cryptography_STACK_OF_ASN1_OBJECT;
- typedef ... Cryptography_STACK_OF_X509_OBJECT;
-@@ -257,4 +258,11 @@ void (*X509_STORE_set_get_issuer)(X509_S
- #else
- static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 1;
- #endif
-+
-+#ifndef X509_V_FLAG_CB_ISSUER_CHECK
-+static const long Cryptography_HAS_X509_CB_ISSUER_CHECK = 0;
-+#define X509_V_FLAG_CB_ISSUER_CHECK 0x0
-+#else
-+static const long Cryptography_HAS_X509_CB_ISSUER_CHECK = 1;
-+#endif
- """
---- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
-+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
-@@ -269,6 +269,11 @@ def cryptography_has_get_proto_version()
- "SSL_get_max_proto_version",
- ]
- 
-+def cryptography_has_x509_cb_issuer_check():
-+ return [
-+ "X509_V_FLAG_CB_ISSUER_CHECK",
-+ ]
-+
- 
- # This is a mapping of
- # {condition: function-returning-names-dependent-on-that-condition} so we can
-@@ -318,4 +323,7 @@ CONDITIONAL_NAMES = {
- "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
- "Cryptography_HAS_SRTP": cryptography_has_srtp,
- "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version,
-+ "Cryptography_HAS_X509_CB_ISSUER_CHECK": (
-+ 
cryptography_has_x509_cb_issuer_check
-+ ),
- }
diff --git a/lang/python/python-cryptography/patches/0003-Add-compatibility-for-deprecated-TLS-methods.patch b/lang/python/python-cryptography/patches/0003-Add-compatibility-for-deprecated-TLS-methods.patch
deleted file mode 100644
index f30d1e92b9..0000000000
--- a/lang/python/python-cryptography/patches/0003-Add-compatibility-for-deprecated-TLS-methods.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From 7a55c37e01114dfd1ae733b099fdee1ba1889449 Mon Sep 17 00:00:00 2001
-From: Rosen Penev
-Date: Fri, 7 Jun 2019 21:00:46 -0700
-Subject: [PATCH 3/7] Add compatibility for deprecated TLS methods
-
----
- src/_cffi_src/openssl/ssl.py | 45 +++++++++++++++++--
- .../hazmat/bindings/openssl/_conditional.py | 36 +++++++++++++++
- 2 files changed, 77 insertions(+), 4 deletions(-)
-
---- a/src/_cffi_src/openssl/ssl.py
-+++ b/src/_cffi_src/openssl/ssl.py
-@@ -13,12 +13,14 @@ TYPES = """
- static const long Cryptography_HAS_SSL_ST;
- static const long Cryptography_HAS_TLS_ST;
- static const long Cryptography_HAS_SSL3_METHOD;
--static const long Cryptography_HAS_TLSv1_1;
--static const long Cryptography_HAS_TLSv1_2;
-+static const long Cryptography_HAS_TLS1_METHOD;
-+static const long Cryptography_HAS_TLS1_1_METHOD;
-+static const long Cryptography_HAS_TLS1_2_METHOD;
- static const long Cryptography_HAS_TLSv1_3;
- static const long Cryptography_HAS_SECURE_RENEGOTIATION;
- static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS;
- static const long Cryptography_HAS_DTLS;
-+static const long Cryptography_HAS_DTLS1_METHOD;
- static const long Cryptography_HAS_SIGALGS;
- static const long Cryptography_HAS_PSK;
- static const long Cryptography_HAS_VERIFIED_CHAIN;
-@@ -548,8 +550,43 @@ static const long Cryptography_HAS_SSL3_
- 
- static const long Cryptography_HAS_RELEASE_BUFFERS = 1;
- static const long Cryptography_HAS_OP_NO_COMPRESSION = 1;
--static const long Cryptography_HAS_TLSv1_1 = 1;
--static const long Cryptography_HAS_TLSv1_2 = 1;
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+static const long Cryptography_HAS_TLS1_METHOD = 0;
-+const SSL_METHOD* (*TLSv1_method)(void) = NULL;
-+const SSL_METHOD* (*TLSv1_server_method)(void) = NULL;
-+const SSL_METHOD* (*TLSv1_client_method)(void) = NULL;
-+#else
-+static const long Cryptography_HAS_TLS1_METHOD = 1;
-+#endif
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && 
!CRYPTOGRAPHY_IS_LIBRESSL
-+static const long Cryptography_HAS_TLS1_1_METHOD = 0;
-+const SSL_METHOD* (*TLSv1_1_method)(void) = NULL;
-+const SSL_METHOD* (*TLSv1_1_server_method)(void) = NULL;
-+const SSL_METHOD* (*TLSv1_1_client_method)(void) = NULL;
-+#else
-+static const long Cryptography_HAS_TLS1_1_METHOD = 1;
-+#endif
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+static const long Cryptography_HAS_TLS1_2_METHOD = 0;
-+const SSL_METHOD* (*TLSv1_2_method)(void) = NULL;
-+const SSL_METHOD* (*TLSv1_2_server_method)(void) = NULL;
-+const SSL_METHOD* (*TLSv1_2_client_method)(void) = NULL;
-+#else
-+static const long Cryptography_HAS_TLS1_2_METHOD = 1;
-+#endif
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+static const long Cryptography_HAS_DTLS1_METHOD = 0;
-+const SSL_METHOD* (*DTLSv1_method)(void) = NULL;
-+const SSL_METHOD* (*DTLSv1_server_method)(void) = NULL;
-+const SSL_METHOD* (*DTLSv1_client_method)(void) = NULL;
-+#else
-+static const long Cryptography_HAS_DTLS1_METHOD = 1;
-+#endif
-+
- static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
- static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
- static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
---- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
-+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
-@@ -31,6 +31,38 @@ def cryptography_has_ssl3_method():
- ]
- 
- 
-+def cryptography_has_tls1_method():
-+ return [
-+ "TLSv1_method",
-+ "TLSv1_client_method",
-+ "TLSv1_server_method",
-+ ]
-+
-+
-+def cryptography_has_tls1_1_method():
-+ return [
-+ "TLSv1_1_method",
-+ "TLSv1_1_client_method",
-+ "TLSv1_1_server_method",
-+ ]
-+
-+
-+def cryptography_has_tls1_2_method():
-+ return [
-+ "TLSv1_2_method",
-+ "TLSv1_2_client_method",
-+ "TLSv1_2_server_method",
-+ ]
-+
-+
-+def cryptography_has_dtls1_method():
-+ return [
-+ "DTLSv1_method",
-+ "DTLSv1_client_method",
-+ "DTLSv1_server_method",
-+ ]
-+
-+
- 
def cryptography_has_102_verification():
- return [
- "X509_V_ERR_SUITE_B_INVALID_VERSION",
-@@ -285,6 +317,10 @@ CONDITIONAL_NAMES = {
- "Cryptography_HAS_RSA_OAEP_MD": cryptography_has_rsa_oaep_md,
- "Cryptography_HAS_RSA_OAEP_LABEL": cryptography_has_rsa_oaep_label,
- "Cryptography_HAS_SSL3_METHOD": cryptography_has_ssl3_method,
-+ "Cryptography_HAS_TLS1_METHOD": cryptography_has_tls1_method,
-+ "Cryptography_HAS_TLS1_1_METHOD": cryptography_has_tls1_1_method,
-+ "Cryptography_HAS_TLS1_2_METHOD": cryptography_has_tls1_2_method,
-+ "Cryptography_HAS_DTLS1_METHOD": cryptography_has_dtls1_method,
- "Cryptography_HAS_102_VERIFICATION": cryptography_has_102_verification,
- "Cryptography_HAS_110_VERIFICATION_PARAMS": (
- cryptography_has_110_verification_params
diff --git a/lang/python/python-cryptography/patches/0004-disable-rust.patch b/lang/python/python-cryptography/patches/0004-disable-rust.patch
deleted file mode 100644
index bf3010bb03..0000000000
--- a/lang/python/python-cryptography/patches/0004-disable-rust.patch
+++ /dev/null
@@ -1,33 +0,0 @@
---- a/pyproject.toml
-+++ b/pyproject.toml
-@@ -6,7 +6,6 @@ requires = [
- "wheel",
- # Must be kept in sync with the `setup_requirements` in `setup.py`
- "cffi>=1.12; platform_python_implementation != 'PyPy'",
-- "setuptools-rust>=0.11.4",
- ]
- build-backend = "setuptools.build_meta"
- 
---- a/setup.py
-+++ b/setup.py
-@@ -11,7 +11,7 @@ import sys
- from setuptools import find_packages, setup
- 
- try:
-- from setuptools_rust import RustExtension
-+ pass
- except ImportError:
- print(
- """
-@@ -43,9 +43,9 @@ with open(os.path.join(src_dir, "cryptog
- # `pyproject.toml`
- setuptools_rust = "setuptools-rust>=0.11.4"
- install_requirements = ["cffi>=1.12"]
--setup_requirements = install_requirements + [setuptools_rust]
-+setup_requirements = install_requirements
- 
--if os.environ.get("CRYPTOGRAPHY_DONT_BUILD_RUST"):
-+if True:
- rust_extensions = []
- else:
- rust_extensions = [
diff --git a/lang/python/python-cryptography/patches/0006-Add-X509_STORE_CTX_trusted_stack-compatibility-macro.patch b/lang/python/python-cryptography/patches/0006-Add-X509_STORE_CTX_trusted_stack-compatibility-macro.patch
deleted file mode 100644
index d43abc6d66..0000000000
--- a/lang/python/python-cryptography/patches/0006-Add-X509_STORE_CTX_trusted_stack-compatibility-macro.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 98bf3eda9c950158cf6a0a6a698dd365712201b1 Mon Sep 17 00:00:00 2001
-From: Rosen Penev
-Date: Mon, 25 Nov 2019 12:06:16 -0800
-Subject: [PATCH 6/7] Add X509_STORE_CTX_trusted_stack compatibility macro
-
-Deprecated in 1.1
-
-Signed-off-by: Rosen Penev
----
- src/_cffi_src/openssl/x509_vfy.py | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
---- a/src/_cffi_src/openssl/x509_vfy.py
-+++ b/src/_cffi_src/openssl/x509_vfy.py
-@@ -265,4 +265,10 @@ static const long Cryptography_HAS_X509_
- #else
- static const long Cryptography_HAS_X509_CB_ISSUER_CHECK = 1;
- #endif
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+#define X509_STORE_CTX_trusted_stack X509_STORE_CTX_set0_trusted_stack
-+#define X509_STORE_CTX_set_chain X509_STORE_CTX_set0_untrusted
-+#define X509_STORE_CTX_get_chain X509_STORE_CTX_get1_chain
-+#endif
- """
diff --git a/lang/python/python-cryptography/patches/0007-Add-defines-for-totally-deprecated-functions.patch b/lang/python/python-cryptography/patches/0007-Add-defines-for-totally-deprecated-functions.patch
deleted file mode 100644
index 7aca62c8dd..0000000000
--- a/lang/python/python-cryptography/patches/0007-Add-defines-for-totally-deprecated-functions.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From e96af1cee523c5551c7fc5f36eba8e271fa51b20 Mon Sep 17 00:00:00 2001
-From: Rosen Penev
-Date: Thu, 5 Dec 2019 12:52:13 -0800
-Subject: [PATCH 7/7] Add defines for totally deprecated functions
-
----
- src/_cffi_src/openssl/conf.py | 4 ++++
- src/_cffi_src/openssl/crypto.py | 4 ++++
- src/_cffi_src/openssl/ecdh.py | 3 +++
- src/_cffi_src/openssl/ssl.py | 5 +++++
- 4 files changed, 16 insertions(+)
-
---- a/src/_cffi_src/openssl/conf.py
-+++ b/src/_cffi_src/openssl/conf.py
-@@ -17,4 +17,8 @@ void OPENSSL_no_config(void);
- """
- 
- CUSTOMIZATIONS = """
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+#define OPENSSL_config(x) 0
-+#define OPENSSL_no_config() 0
-+#endif
- """
---- a/src/_cffi_src/openssl/crypto.py
-+++ b/src/_cffi_src/openssl/crypto.py
-@@ -113,4 +113,8 @@ void *Cryptography_realloc_wrapper(void
- void Cryptography_free_wrapper(void *ptr, const char *path, int line) {
- free(ptr);
- }
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+#define CRYPTO_get_locking_callback() 0
-+#endif
- """
---- a/src/_cffi_src/openssl/ecdh.py
-+++ b/src/_cffi_src/openssl/ecdh.py
-@@ -17,4 +17,7 @@ long SSL_CTX_set_ecdh_auto(SSL_CTX *, in
- """
- 
- CUSTOMIZATIONS = """
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+#define SSL_CTX_set_ecdh_auto(a, b) ((b) != 0)
-+#endif
- """
---- a/src/_cffi_src/openssl/ssl.py
-+++ b/src/_cffi_src/openssl/ssl.py
-@@ -745,4 +745,9 @@ long (*SSL_get_max_proto_version)(SSL *)
- #else
- static const long Cryptography_HAS_GET_PROTO_VERSION = 1;
- #endif
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+#define SSL_library_init() 1
-+#define SSL_load_error_strings() 0
-+#endif
- """
diff --git a/lang/python/python-cryptography/patches/001-Update-ouroboros.patch b/lang/python/python-cryptography/patches/001-Update-ouroboros.patch
new file mode 100644
index 0000000000..93abe3a4f1
--- /dev/null
+++ b/lang/python/python-cryptography/patches/001-Update-ouroboros.patch
@@ -0,0 +1,13 @@
+Fixes https://rustsec.org/advisories/RUSTSEC-2023-0042.html
+
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptograp
+ cryptography-x509 = { path = "cryptography-x509" }
+ cryptography-openssl = { path = "cryptography-openssl" }
+ pem = "1.1"
+-ouroboros = "0.15"
++ouroboros = "0.18"
+ openssl = "0.10.54"
+ openssl-sys = "0.9.88"
+ foreign-types-shared = "0.1"
diff --git a/lang/python/python-cryptography/test.sh b/lang/python/python-cryptography/test.sh
new file mode 100644
index 0000000000..b706d561ab
--- /dev/null
+++ b/lang/python/python-cryptography/test.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+[ "$1" = python3-cryptography ] || exit 0
+
+python3 - << EOF
+import sys
+from cryptography.fernet import Fernet
+key = Fernet.generate_key()
+f = Fernet(key)
+token = f.encrypt(b"my deep dark secret")
+sys.exit(0 if f.decrypt(token) == b"my deep dark secret" else 1)
+EOF
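Review bot: The patch bumps only `Cargo.toml`; if the cryptography sdist also ships `src/rust/Cargo.lock` still pinning ouroboros 0.15 (I believe it does, but confirm), a `--locked`/offline build fails and an unlocked build silently re-resolves the crate graph at build time, which defeats pinned, reproducible Rust dependencies on a cryptography package. Patch the lockfile entries for `ouroboros` and `ouroboros_macro` (plus any new transitive crates) alongside this line, or state in the patch header how the build resolves crates. The header should also say why `0.18` specifically — per the linked advisory it is the first release outside the unsound range — and that it was confirmed to build against 41.0.4's `#[self_referencing]` uses, since 0.x releases between 0.15 and 0.18 may have changed the generated API. Suggested header: `Fixes https://rustsec.org/advisories/RUSTSEC-2023-0042.html (ouroboros < 0.18.0 is unsound); Cargo.lock updated to match.`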
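Review bot: The check only exercises Fernet, which stays on the cffi/OpenSSL symmetric path, so a broken or missing Rust extension — the part this update introduces — would pass unnoticed; add an import of a Rust-backed module next to the Fernet import, e.g. `import cryptography.x509` (X.509 parsing lives in the Rust crate in this release, as far as I know). If the harness passes the package version as `$2`, as other test.sh scripts in the feed appear to, `assert cryptography.__version__ == "$2"` inside the unquoted heredoc would also catch a stale or mismatched build. Note that `f.decrypt` raises `InvalidToken` on any tampering rather than returning a different value, so the `else 1` branch is effectively documentation only; the uncaught exception already exits non-zero.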