python2Packages.cryptography: 2.9.2 -> 3.3.1 (#106792)
Fixes py2 build of pyOpenSSL: https://github.com/NixOS/nixpkgs/issues/106275#issuecomment-743790876
This commit is contained in:
Orivej Desh
GitHub
parent
b37c00ab90
commit
6fa76f018b
@ -22,24 +22,31 @@
|
|||||||
|
|
||||||
buildPythonPackage rec {
|
buildPythonPackage rec {
|
||||||
pname = "cryptography";
|
pname = "cryptography";
|
||||||
version = "2.9.2"; # Also update the hash in vectors.nix
|
version = "3.3.1"; # Also update the hash in vectors-3.3.nix
|
||||||
|
|
||||||
src = fetchPypi {
|
src = fetchPypi {
|
||||||
inherit pname version;
|
inherit pname version;
|
||||||
sha256 = "0af25w5mkd6vwns3r6ai1w5ip9xp0ms9s261zzssbpadzdr05hx0";
|
sha256 = "1ribd1vxq9wwz564mg60dzcy699gng54admihjjkgs9dx95pw5vy";
|
||||||
};
|
};
|
||||||
|
|
||||||
patches = [ ./CVE-2020-25659.patch ];
|
patches = [ ./cryptography-py27-warning.patch ];
|
||||||
|
|
||||||
outputs = [ "out" "dev" ];
|
outputs = [ "out" "dev" ];
|
||||||
|
|
||||||
|
nativeBuildInputs = stdenv.lib.optionals (!isPyPy) [
|
||||||
|
cffi
|
||||||
|
];
|
||||||
|
|
||||||
buildInputs = [ openssl ]
|
buildInputs = [ openssl ]
|
||||||
++ stdenv.lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.Security;
|
++ stdenv.lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.Security;
|
||||||
propagatedBuildInputs = [
|
propagatedBuildInputs = [
|
||||||
packaging
|
packaging
|
||||||
six
|
six
|
||||||
] ++ stdenv.lib.optional (!isPyPy) cffi
|
] ++ stdenv.lib.optionals (!isPyPy) [
|
||||||
++ stdenv.lib.optionals isPy27 [ ipaddress enum34 ];
|
cffi
|
||||||
|
] ++ stdenv.lib.optionals isPy27 [
|
||||||
|
ipaddress enum34
|
||||||
|
];
|
||||||
|
|
||||||
checkInputs = [
|
checkInputs = [
|
||||||
cryptography_vectors
|
cryptography_vectors
|
||||||
@ -1,76 +0,0 @@
|
|||||||
Backported of:
|
|
||||||
|
|
||||||
From 58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alex Gaynor <alex.gaynor@gmail.com>
|
|
||||||
Date: Sun, 25 Oct 2020 21:16:42 -0400
|
|
||||||
Subject: [PATCH] Attempt to mitigate Bleichenbacher attacks on RSA decryption
|
|
||||||
(#5507)
|
|
||||||
|
|
||||||
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
|
|
||||||
index 6e4675d..ce66c28 100644
|
|
||||||
--- a/docs/spelling_wordlist.txt
|
|
||||||
+++ b/docs/spelling_wordlist.txt
|
|
||||||
@@ -6,6 +6,7 @@ backend
|
|
||||||
Backends
|
|
||||||
backends
|
|
||||||
bcrypt
|
|
||||||
+Bleichenbacher
|
|
||||||
Blowfish
|
|
||||||
boolean
|
|
||||||
Botan
|
|
||||||
diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
|
|
||||||
index 3e4c2fd..6303f95 100644
|
|
||||||
--- a/src/cryptography/hazmat/backends/openssl/rsa.py
|
|
||||||
+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
|
|
||||||
@@ -117,40 +117,19 @@ def _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding):
|
|
||||||
|
|
||||||
outlen = backend._ffi.new("size_t *", buf_size)
|
|
||||||
buf = backend._ffi.new("unsigned char[]", buf_size)
|
|
||||||
+ # Everything from this line onwards is written with the goal of being as
|
|
||||||
+ # constant-time as is practical given the constraints of Python and our
|
|
||||||
+ # API. See Bleichenbacher's '98 attack on RSA, and its many many variants.
|
|
||||||
+ # As such, you should not attempt to change this (particularly to "clean it
|
|
||||||
+ # up") without understanding why it was written this way (see
|
|
||||||
+ # Chesterton's Fence), and without measuring to verify you have not
|
|
||||||
+ # introduced observable time differences.
|
|
||||||
res = crypt(pkey_ctx, buf, outlen, data, len(data))
|
|
||||||
+ resbuf = backend._ffi.buffer(buf)[: outlen[0]]
|
|
||||||
+ backend._lib.ERR_clear_error()
|
|
||||||
if res <= 0:
|
|
||||||
- _handle_rsa_enc_dec_error(backend, key)
|
|
||||||
-
|
|
||||||
- return backend._ffi.buffer(buf)[:outlen[0]]
|
|
||||||
-
|
|
||||||
-
|
|
||||||
-def _handle_rsa_enc_dec_error(backend, key):
|
|
||||||
- errors = backend._consume_errors()
|
|
||||||
- backend.openssl_assert(errors)
|
|
||||||
- backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA)
|
|
||||||
- if isinstance(key, _RSAPublicKey):
|
|
||||||
- backend.openssl_assert(
|
|
||||||
- errors[0].reason == backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
|
|
||||||
- )
|
|
||||||
- raise ValueError(
|
|
||||||
- "Data too long for key size. Encrypt less data or use a "
|
|
||||||
- "larger key size."
|
|
||||||
- )
|
|
||||||
- else:
|
|
||||||
- decoding_errors = [
|
|
||||||
- backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01,
|
|
||||||
- backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02,
|
|
||||||
- backend._lib.RSA_R_OAEP_DECODING_ERROR,
|
|
||||||
- # Though this error looks similar to the
|
|
||||||
- # RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE, this occurs on decrypts,
|
|
||||||
- # rather than on encrypts
|
|
||||||
- backend._lib.RSA_R_DATA_TOO_LARGE_FOR_MODULUS,
|
|
||||||
- ]
|
|
||||||
- if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
|
|
||||||
- decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
|
|
||||||
-
|
|
||||||
- backend.openssl_assert(errors[0].reason in decoding_errors)
|
|
||||||
- raise ValueError("Decryption failed.")
|
|
||||||
+ raise ValueError("Encryption/decryption failed.")
|
|
||||||
+ return resbuf
|
|
||||||
|
|
||||||
|
|
||||||
def _rsa_sig_determine_padding(backend, key, padding, algorithm):
|
|
||||||
@ -0,0 +1,14 @@
|
|||||||
|
Delete the warning that breaks tests of dependent projects.
|
||||||
|
|
||||||
|
--- a/src/cryptography/__init__.py
|
||||||
|
+++ b/src/cryptography/__init__.py
|
||||||
|
@@ -33,9 +32,0 @@ __all__ = [
|
||||||
|
-
|
||||||
|
-if sys.version_info[0] == 2:
|
||||||
|
- warnings.warn(
|
||||||
|
- "Python 2 is no longer supported by the Python core team. Support for "
|
||||||
|
- "it is now deprecated in cryptography, and will be removed in the "
|
||||||
|
- "next release.",
|
||||||
|
- CryptographyDeprecationWarning,
|
||||||
|
- stacklevel=2,
|
||||||
|
- )
|
||||||
@ -7,7 +7,7 @@ buildPythonPackage rec {
|
|||||||
|
|
||||||
src = fetchPypi {
|
src = fetchPypi {
|
||||||
inherit pname version;
|
inherit pname version;
|
||||||
sha256 = "1d4iykcv7cn9j399hczlxm5pzxmqy6d80h3j16dkjwlmv3293b4r";
|
sha256 = "192wix3sr678x21brav5hgc6j93l7ab1kh69p2scr3fsblq9qy03";
|
||||||
};
|
};
|
||||||
|
|
||||||
# No tests included
|
# No tests included
|
||||||
@ -21,9 +21,6 @@ buildPythonPackage rec {
|
|||||||
"test_get_machine_id"
|
"test_get_machine_id"
|
||||||
];
|
];
|
||||||
|
|
||||||
# Python 2 pytest fails with INTERNALERROR due to a deprecation warning.
|
|
||||||
doCheck = isPy3k;
|
|
||||||
|
|
||||||
meta = with stdenv.lib; {
|
meta = with stdenv.lib; {
|
||||||
homepage = "https://palletsprojects.com/p/werkzeug/";
|
homepage = "https://palletsprojects.com/p/werkzeug/";
|
||||||
description = "A WSGI utility library for Python";
|
description = "A WSGI utility library for Python";
|
||||||
|
|||||||
@ -1389,12 +1389,12 @@ in {
|
|||||||
cryptacular = callPackage ../development/python-modules/cryptacular { };
|
cryptacular = callPackage ../development/python-modules/cryptacular { };
|
||||||
|
|
||||||
cryptography = if isPy27 then
|
cryptography = if isPy27 then
|
||||||
callPackage ../development/python-modules/cryptography/2.9.nix { }
|
callPackage ../development/python-modules/cryptography/3.3.nix { }
|
||||||
else
|
else
|
||||||
callPackage ../development/python-modules/cryptography { };
|
callPackage ../development/python-modules/cryptography { };
|
||||||
|
|
||||||
cryptography_vectors = if isPy27 then
|
cryptography_vectors = if isPy27 then
|
||||||
callPackage ../development/python-modules/cryptography/vectors-2.9.nix { }
|
callPackage ../development/python-modules/cryptography/vectors-3.3.nix { }
|
||||||
else
|
else
|
||||||
callPackage ../development/python-modules/cryptography/vectors.nix { };
|
callPackage ../development/python-modules/cryptography/vectors.nix { };
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user