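# This older version only exists because `ceph` needs it, see its package.
# It is pinned on the 40.x series and carries backported security patches
# (see `patches` below); it is not a general-purpose alternative to the
# current `cryptography` package.
{
  lib,
  stdenv,
  callPackage,
  buildPythonPackage,
  fetchPypi,
  fetchpatch,
  rustPlatform,
  cargo,
  rustc,
  setuptools-rust,
  openssl,
  isPyPy,
  cffi,
  pkg-config,
  pytestCheckHook,
  pretend,
  libiconv,
  iso8601,
  py,
  pytz,
  hypothesis,
}:

let
  # Upstream test vectors, packaged separately; only used by the test suite.
  cryptography-vectors = callPackage ./cryptography-vectors.nix { };
in
buildPythonPackage rec {
  pname = "cryptography";
  # When bumping: also update the hash in ./cryptography-vectors.nix, which
  # is kept in step with this version.
  version = "40.0.1";
  format = "setuptools";

  src = fetchPypi {
    inherit pname version;
    hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
  };

  # Vendored Rust dependencies for the extension crate under `cargoRoot`,
  # pinned by hash so the vendor set is reproducible.
  cargoDeps = rustPlatform.fetchCargoVendor {
    inherit
      pname
      version
      src
      cargoRoot
      ;
    hash = "sha256-pZHu3Oo9DWRAtldU0UvrH1FIg0bEvyfizPUhj9IBL58=";
  };

  # Since Cryptography v40 is quite outdated, we need to backport
  # security fixes that are only available in newer versions.
  # Newer upstream fixes do not reach this package automatically: each one
  # has to be added to this list explicitly. The first patch is vendored
  # in-tree; the second is fetched by URL and verified against its hash.
  patches = [
    # Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
    # See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
    ./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch

    # Fix https://nvd.nist.gov/vuln/detail/CVE-2024-26130
    # See https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
    (fetchpatch {
      name = "python-cryptography-CVE-2024-26130-dont-crash-when-a-PKCS-12-key-and-cert-dont-match-mmap-mode.patch";
      url = "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55.patch";
      hash = "sha256-l45NOzOWhHW4nY4OIRpdjYQRvUW8BROGWdpkAtvVn0Y=";
    })
  ];

  # Drop the benchmark-disabling pytest option from the upstream config;
  # the benchmark tests themselves are skipped via `disabledTestPaths`.
  postPatch = ''
    substituteInPlace pyproject.toml \
      --replace "--benchmark-disable" ""
  '';

  # Location of the Rust extension crate inside `src` (inherited by
  # `cargoDeps` above).
  cargoRoot = "src/rust";

  build-system = [
    setuptools-rust
  ];

  nativeBuildInputs = [
    rustPlatform.cargoSetupHook
    cargo
    rustc
    pkg-config
  ]
  ++ lib.optionals (!isPyPy) [ cffi ];

  buildInputs = [
    openssl
  ]
  ++ lib.optionals stdenv.hostPlatform.isDarwin [
    libiconv
  ];

  # cffi is only needed on non-PyPy interpreters.
  propagatedBuildInputs = lib.optionals (!isPyPy) [ cffi ];

  nativeCheckInputs = [
    cryptography-vectors
    hypothesis
    iso8601
    pretend
    py
    pytestCheckHook
    pytz
  ];

  pytestFlags = [ "--disable-pytest-warnings" ];

  disabledTestPaths = [
    # save compute time by not running benchmarks
    "tests/bench"
    # aarch64-darwin forbids W+X memory, but this test depends on it:
    # * https://cffi.readthedocs.io/en/latest/using.html#callbacks
    # furthermore, this test fails with OpenSSL 3.6.0, probably due to:
    # * https://github.com/openssl/openssl/issues/28757
    # * https://github.com/openssl/openssl/issues/28770
    # * https://github.com/openssl/openssl/issues/28888
    "tests/hazmat/backends/test_openssl_memleak.py"
  ];

  meta = {
    description = "Package which provides cryptographic recipes and primitives";
    longDescription = ''
      Cryptography includes both high level recipes and low level interfaces to
      common cryptographic algorithms such as symmetric ciphers, message
      digests, and key derivation functions.
      Our goal is for it to be your "cryptographic standard library". It
      supports Python 2.7, Python 3.5+, and PyPy 5.4+.
    '';
    homepage = "https://github.com/pyca/cryptography";
    # Upstream anchors changelog entries as "v40-0-1", so map "." to "-".
    changelog =
      "https://cryptography.io/en/latest/changelog/#v" + lib.replaceStrings [ "." ] [ "-" ] version;
    license = with lib.licenses; [
      asl20
      bsd3
      psfl
    ];
    maintainers = with lib.maintainers; [ nh2 ];
  };
}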