# This older version only exists because `ceph` needs it, see its package.
# It is a deliberate pin of the 40.x line, so upstream fixes released after
# 40.0.1 only reach it through the explicit backports listed under `patches`.
{
  lib,
  stdenv,
  callPackage,
  buildPythonPackage,
  fetchPypi,
  fetchpatch,
  rustPlatform,
  cargo,
  rustc,
  setuptoolsRustBuildHook,
  openssl,
  # Darwin-only framework; defaults to null so non-Darwin callers need not pass it.
  Security ? null,
  isPyPy,
  cffi,
  pkg-config,
  pytestCheckHook,
  pytest-subtests,
  pythonOlder,
  pretend,
  libiconv,
  libxcrypt,
  iso8601,
  py,
  pytz,
  hypothesis,
}:

let
  # The test vectors live in a sibling expression whose hash is tied to the
  # `version` pinned below.
  cryptography-vectors = callPackage ./cryptography-vectors.nix { };

  onDarwin = stdenv.isDarwin;
in
buildPythonPackage rec {
  pname = "cryptography";
  version = "40.0.1"; # Also update the hash in ./cryptography-vectors.nix
  format = "setuptools";
  disabled = pythonOlder "3.6";

  # Both hashes below pin this exact release: the PyPI sdist and the Rust
  # dependency set fetched for it. A version bump has to refresh both.
  src = fetchPypi {
    inherit pname version;
    hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
  };

  cargoRoot = "src/rust";

  cargoDeps = rustPlatform.fetchCargoTarball {
    inherit src;
    name = "${pname}-${version}";
    sourceRoot = "${pname}-${version}/${cargoRoot}";
    hash = "sha256-gFfDTc2QWBWHBCycVH1dYlCsWQMVcRZfOBIau+njtDU=";
  };

  # Since Cryptography v40 is quite outdated, we need to backport
  # security fixes that are only available in newer versions.
  # Keep this list in step with upstream advisories that apply to 40.x;
  # anything not listed here is still absent from this build.
  patches = [
    # Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
    # See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
    # Kept as a local cherry-pick in this directory.
    ./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch

    # Fix https://nvd.nist.gov/vuln/detail/CVE-2024-26130
    # See https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
    # Fetched straight from the upstream commit and pinned by its content hash.
    (fetchpatch {
      name = "python-cryptography-CVE-2024-26130-dont-crash-when-a-PKCS-12-key-and-cert-dont-match-mmap-mode.patch";
      url = "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55.patch";
      hash = "sha256-l45NOzOWhHW4nY4OIRpdjYQRvUW8BROGWdpkAtvVn0Y=";
    })
  ];

  # Drop the pytest-benchmark flag from upstream's pytest configuration,
  # presumably because that plugin is not among the check inputs below.
  postPatch = ''
    substituteInPlace pyproject.toml \
      --replace "--benchmark-disable" ""
  '';

  nativeBuildInputs = [
    rustPlatform.cargoSetupHook
    setuptoolsRustBuildHook
    cargo
    rustc
    pkg-config
  ] ++ lib.optional (!isPyPy) cffi;

  # Links against nixpkgs' openssl, so OpenSSL-level fixes are expected to
  # arrive through that package rather than through this pin — verify
  # nothing in the build vendors its own copy.
  buildInputs =
    [ openssl ]
    ++ lib.optionals onDarwin [
      Security
      libiconv
    ]
    ++ lib.optional (pythonOlder "3.9") libxcrypt;

  propagatedBuildInputs = lib.optional (!isPyPy) cffi;

  nativeCheckInputs = [
    cryptography-vectors
    hypothesis
    iso8601
    pretend
    py
    pytestCheckHook
    pytest-subtests
    pytz
  ];

  pytestFlagsArray = [ "--disable-pytest-warnings" ];

  disabledTestPaths =
    [
      # save compute time by not running benchmarks
      "tests/bench"
    ]
    ++ lib.optionals (onDarwin && stdenv.isAarch64) [
      # aarch64-darwin forbids W+X memory, but this tests depends on it:
      # * https://cffi.readthedocs.io/en/latest/using.html#callbacks
      "tests/hazmat/backends/test_openssl_memleak.py"
    ];

  meta = {
    description = "A package which provides cryptographic recipes and primitives";
    # NOTE(review): the upstream blurb below predates this release; the
    # package itself is disabled for Python < 3.6 by `disabled` above.
    longDescription = ''
      Cryptography includes both high level recipes and low level interfaces to
      common cryptographic algorithms such as symmetric ciphers, message
      digests, and key derivation functions.
      Our goal is for it to be your "cryptographic standard library". It
      supports Python 2.7, Python 3.5+, and PyPy 5.4+.
    '';
    homepage = "https://github.com/pyca/cryptography";
    changelog = "https://cryptography.io/en/latest/changelog/#v${lib.replaceStrings [ "." ] [ "-" ] version}";
    license = with lib.licenses; [
      asl20
      bsd3
      psfl
    ];
    maintainers = [ lib.maintainers.nh2 ];
  };
}