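# Pinned pre-41 cryptography kept alive solely because `ceph` needs it (see
# its package). This line receives no upstream security releases, so every
# fix has to be backported via `patches` below; do not use it elsewhere.
{
  lib,
  stdenv,
  callPackage,
  buildPythonPackage,
  fetchPypi,
  fetchpatch,
  rustPlatform,
  cargo,
  rustc,
  setuptoolsRustBuildHook,
  openssl,
  # Not referenced below; kept so existing callers that still pass the darwin
  # `Security` framework keep evaluating (the arg set is closed).
  Security ? null,
  isPyPy,
  cffi,
  pkg-config,
  pytestCheckHook,
  pytest-subtests,
  pythonOlder,
  pretend,
  libiconv,
  libxcrypt,
  iso8601,
  py,
  pytz,
  hypothesis,
}:

let
  # Upstream's test-vector package; its version/hash must track `version` below.
  cryptography-vectors = callPackage ./cryptography-vectors.nix { };
in
buildPythonPackage rec {
  pname = "cryptography";
  # Also update the hash in ./cryptography-vectors.nix when bumping this.
  version = "40.0.1";
  format = "setuptools";
  disabled = pythonOlder "3.6";

  src = fetchPypi {
    inherit pname version;
    hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
  };

  # Vendored crate set for the Rust extension under `cargoRoot`, pinned by
  # content hash so the build cannot silently pick up different crates.
  cargoDeps = rustPlatform.fetchCargoVendor {
    inherit src;
    sourceRoot = "${pname}-${version}/${cargoRoot}";
    name = "${pname}-${version}";
    hash = "sha256-pZHu3Oo9DWRAtldU0UvrH1FIg0bEvyfizPUhj9IBL58=";
  };

  # Cryptography 40 is out of upstream support, so security fixes that only
  # exist in newer releases must be backported here. Only fixes in
  # cryptography's own (Python/Rust) code need this: the OpenSSL it is built
  # against is the `openssl` from `buildInputs`, so OpenSSL-level fixes arrive
  # through nixpkgs rather than through this list. Whoever keeps this pin
  # alive is responsible for checking new advisories against the 40.x line.
  patches = [
    # Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
    # See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
    ./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch

    # Fix https://nvd.nist.gov/vuln/detail/CVE-2024-26130
    # See https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
    # Taken straight from the upstream commit; `hash` pins the fetched patch text.
    (fetchpatch {
      name = "python-cryptography-CVE-2024-26130-dont-crash-when-a-PKCS-12-key-and-cert-dont-match-mmap-mode.patch";
      url = "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55.patch";
      hash = "sha256-l45NOzOWhHW4nY4OIRpdjYQRvUW8BROGWdpkAtvVn0Y=";
    })
  ];

  postPatch = ''
    # Drop the pytest-benchmark flag from the default pytest options.
    # --replace-fail aborts the build if the string is ever missing, instead of
    # leaving pyproject.toml untouched and failing later with a less clear error.
    substituteInPlace pyproject.toml \
      --replace-fail "--benchmark-disable" ""
  '';

  cargoRoot = "src/rust";

  nativeBuildInputs = [
    rustPlatform.cargoSetupHook
    setuptoolsRustBuildHook
    cargo
    rustc
    pkg-config
  ] ++ lib.optionals (!isPyPy) [ cffi ];

  buildInputs =
    [ openssl ]
    ++ lib.optionals stdenv.hostPlatform.isDarwin [ libiconv ]
    ++ lib.optionals (pythonOlder "3.9") [ libxcrypt ];

  # cffi is a runtime dependency of the CPython build only.
  propagatedBuildInputs = lib.optionals (!isPyPy) [ cffi ];

  # Verify the package and its compiled Rust extension import even when the
  # test suite is disabled downstream (e.g. doCheck = false).
  pythonImportsCheck = [
    "cryptography"
    "cryptography.hazmat.bindings._rust"
  ];

  nativeCheckInputs = [
    cryptography-vectors
    hypothesis
    iso8601
    pretend
    py
    pytestCheckHook
    pytest-subtests
    pytz
  ];

  pytestFlagsArray = [ "--disable-pytest-warnings" ];

  disabledTestPaths =
    [
      # save compute time by not running benchmarks
      "tests/bench"
    ]
    ++ lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [
      # aarch64-darwin forbids W+X memory, but this test depends on it:
      # * https://cffi.readthedocs.io/en/latest/using.html#callbacks
      "tests/hazmat/backends/test_openssl_memleak.py"
    ];

  meta = {
    description = "A package which provides cryptographic recipes and primitives";
    longDescription = ''
      Cryptography includes both high level recipes and low level interfaces to
      common cryptographic algorithms such as symmetric ciphers, message
      digests, and key derivation functions.
      Our goal is for it to be your "cryptographic standard library".
      This is a pinned 40.x build for Python 3.6+ (including PyPy3) that is
      kept only for `ceph`; prefer the current `cryptography` package.
    '';
    homepage = "https://github.com/pyca/cryptography";
    changelog =
      "https://cryptography.io/en/latest/changelog/#v" + lib.replaceStrings [ "." ] [ "-" ] version;
    license = with lib.licenses; [
      asl20
      bsd3
      psfl
    ];
    maintainers = with lib.maintainers; [ nh2 ];
  };
}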