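# This older version only exists because `ceph` needs it, see its package.
#
# Builds the Python `cryptography` sdist at a pinned, outdated release and
# applies backported security patches on top. Every fetched input (sdist,
# vendored Rust crates, remote patch) is fixed by an SRI sha256 hash, so a
# changed upstream artifact fails the build instead of being picked up silently.
{
  lib,
  stdenv,
  callPackage,
  buildPythonPackage,
  fetchPypi,
  fetchpatch,
  rustPlatform,
  cargo,
  rustc,
  setuptoolsRustBuildHook,
  openssl,
  # Accepted but not referenced anywhere in this expression; kept so existing
  # callers that still pass it keep evaluating.
  Security ? null,
  isPyPy,
  cffi,
  pkg-config,
  pytestCheckHook,
  pytest-subtests,
  pythonOlder,
  pretend,
  libiconv,
  libxcrypt,
  iso8601,
  py,
  pytz,
  hypothesis,
}:

let
  # Test vectors consumed by the check phase only (see nativeCheckInputs).
  cryptography-vectors = callPackage ./cryptography-vectors.nix { };
in
buildPythonPackage rec {
  pname = "cryptography";
  # Also update the hash in vectors.nix
  # (presumably ./cryptography-vectors.nix, imported above; verify when bumping).
  version = "40.0.1";
  format = "setuptools";
  disabled = pythonOlder "3.6";

  src = fetchPypi {
    inherit pname version;
    hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
  };

  # The Rust extension lives in a subdirectory of the sdist.
  cargoRoot = "src/rust";

  # Vendored Rust dependencies for the crate under `cargoRoot`, pinned by hash.
  cargoDeps = rustPlatform.fetchCargoVendor {
    inherit
      pname
      version
      src
      cargoRoot
      ;
    hash = "sha256-pZHu3Oo9DWRAtldU0UvrH1FIg0bEvyfizPUhj9IBL58=";
  };

  # Since Cryptography v40 is quite outdated, we need to backport
  # security fixes that are only available in newer versions.
  #
  # NOTE(review): only the two CVEs named below are backported. Advisories
  # fixed in upstream releases newer than 40.0.1 are not covered unless a patch
  # is added to this list; re-check upstream advisories whenever this file is
  # touched.
  patches = [
    # Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
    # See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
    # Kept as a local file next to this expression because the upstream commit
    # had to be adapted to v40.
    ./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch

    # Fix https://nvd.nist.gov/vuln/detail/CVE-2024-26130
    # See https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
    # Fetched by full commit id and checked against `hash`, so the applied
    # change cannot drift from the reviewed one.
    (fetchpatch {
      name = "python-cryptography-CVE-2024-26130-dont-crash-when-a-PKCS-12-key-and-cert-dont-match-mmap-mode.patch";
      url = "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55.patch";
      hash = "sha256-l45NOzOWhHW4nY4OIRpdjYQRvUW8BROGWdpkAtvVn0Y=";
    })
  ];

  # Drop the pytest-benchmark option from the project's pytest configuration;
  # pytest-benchmark is not among the check inputs and tests/bench is skipped.
  # `--replace-fail` (instead of the deprecated plain `--replace`) turns a
  # pattern that no longer matches into a build error rather than a silent no-op.
  postPatch = ''
    substituteInPlace pyproject.toml \
      --replace-fail "--benchmark-disable" ""
  '';

  nativeBuildInputs = [
    rustPlatform.cargoSetupHook
    setuptoolsRustBuildHook
    cargo
    rustc
    pkg-config
  ]
  ++ lib.optionals (!isPyPy) [ cffi ];

  # Links against the OpenSSL passed in by the caller.
  buildInputs = [
    openssl
  ]
  ++ lib.optionals stdenv.hostPlatform.isDarwin [
    libiconv
  ]
  ++ lib.optionals (pythonOlder "3.9") [ libxcrypt ];

  propagatedBuildInputs = lib.optionals (!isPyPy) [ cffi ];

  nativeCheckInputs = [
    cryptography-vectors
    hypothesis
    iso8601
    pretend
    py
    pytestCheckHook
    pytest-subtests
    pytz
  ];

  pytestFlags = [ "--disable-pytest-warnings" ];

  disabledTestPaths = [
    # save compute time by not running benchmarks
    "tests/bench"
  ]
  ++ lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [
    # aarch64-darwin forbids W+X memory, but this test depends on it:
    # * https://cffi.readthedocs.io/en/latest/using.html#callbacks
    # Consequence: the OpenSSL memory-leak test is not run on this platform.
    "tests/hazmat/backends/test_openssl_memleak.py"
  ];

  # Explicit `lib.` references instead of `with lib;`, so every name in this
  # attribute set has a visible origin.
  meta = {
    description = "Package which provides cryptographic recipes and primitives";
    # NOTE(review): the Python versions named in this text disagree with
    # `disabled = pythonOlder "3.6"` above; the wording looks carried over
    # from an older upstream description.
    longDescription = ''
      Cryptography includes both high level recipes and low level interfaces to
      common cryptographic algorithms such as symmetric ciphers, message
      digests, and key derivation functions.
      Our goal is for it to be your "cryptographic standard library". It
      supports Python 2.7, Python 3.5+, and PyPy 5.4+.
    '';
    homepage = "https://github.com/pyca/cryptography";
    # Upstream changelog anchors use dashes in place of dots in the version.
    changelog =
      "https://cryptography.io/en/latest/changelog/#v" + lib.replaceStrings [ "." ] [ "-" ] version;
    license = with lib.licenses; [
      asl20
      bsd3
      psfl
    ];
    maintainers = with lib.maintainers; [ nh2 ];
  };
}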