[NixPkgs.git] / pkgs / tools / filesystems / ceph / old-python-packages / cryptography.nix
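# This older version only exists because `ceph` needs it, see its package.
#
# Security note: this expression pins cryptography 40.0.1. Per the comments on
# `patches` below, security fixes reach it only through backported patches, so
# that list is the place to audit when a new advisory is published.
{
  lib,
  stdenv,
  callPackage,
  buildPythonPackage,
  fetchPypi,
  fetchpatch,
  rustPlatform,
  cargo,
  rustc,
  setuptoolsRustBuildHook,
  openssl,
  Security ? null,
  isPyPy,
  cffi,
  pkg-config,
  pytestCheckHook,
  pytest-subtests,
  pythonOlder,
  pretend,
  libiconv,
  libxcrypt,
  iso8601,
  py,
  pytz,
  hypothesis,
}:

let
  # Test vectors used by the check phase; kept in a sibling expression whose
  # hash must be bumped together with `version` below.
  cryptography-vectors = callPackage ./cryptography-vectors.nix { };
in
buildPythonPackage rec {
  pname = "cryptography";
  version = "40.0.1"; # Also update the hash in ./cryptography-vectors.nix
  format = "setuptools";
  disabled = pythonOlder "3.6";

  # The fixed-output hash pins the exact sdist contents fetched from PyPI.
  src = fetchPypi {
    inherit pname version;
    hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
  };

  # Vendored Rust crates for the extension under `cargoRoot`; pinned by their
  # own hash, which has to be refreshed whenever `src` changes.
  cargoDeps = rustPlatform.fetchCargoTarball {
    inherit src;
    sourceRoot = "${pname}-${version}/${cargoRoot}";
    name = "${pname}-${version}";
    hash = "sha256-gFfDTc2QWBWHBCycVH1dYlCsWQMVcRZfOBIau+njtDU=";
  };

  # Since Cryptography v40 is quite outdated, we need to backport
  # security fixes that are only available in newer versions.
  #
  # NOTE(review): only the two CVEs named below are handled here. When touching
  # this file, check upstream's changelog and advisories for later issues that
  # also affect 40.x and add backports for them.
  patches = [
    # Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
    # See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
    # Kept in-tree because the upstream commit had to be adapted to 40.x.
    ./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch

    # Fix https://nvd.nist.gov/vuln/detail/CVE-2024-26130
    # See https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
    # Fetched from the upstream commit; `hash` pins the patch contents so a
    # changed download fails the build instead of being applied.
    (fetchpatch {
      name = "python-cryptography-CVE-2024-26130-dont-crash-when-a-PKCS-12-key-and-cert-dont-match-mmap-mode.patch";
      url = "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55.patch";
      hash = "sha256-l45NOzOWhHW4nY4OIRpdjYQRvUW8BROGWdpkAtvVn0Y=";
    })
  ];

  # Drop the `--benchmark-disable` pytest option from pyproject.toml
  # (presumably because no benchmark plugin is among nativeCheckInputs; the
  # benchmarks themselves are skipped via disabledTestPaths).
  # `--replace-fail` makes the build stop if the string is no longer present,
  # instead of silently doing nothing as the deprecated `--replace` does.
  postPatch = ''
    substituteInPlace pyproject.toml \
      --replace-fail "--benchmark-disable" ""
  '';

  cargoRoot = "src/rust";

  nativeBuildInputs = [
    rustPlatform.cargoSetupHook
    setuptoolsRustBuildHook
    cargo
    rustc
    pkg-config
  ] ++ lib.optionals (!isPyPy) [ cffi ];

  # OpenSSL is taken from the nixpkgs `openssl` input.
  buildInputs =
    [ openssl ]
    ++ lib.optionals stdenv.hostPlatform.isDarwin [
      Security
      libiconv
    ]
    ++ lib.optionals (pythonOlder "3.9") [ libxcrypt ];

  propagatedBuildInputs = lib.optionals (!isPyPy) [ cffi ];

  nativeCheckInputs = [
    cryptography-vectors
    hypothesis
    iso8601
    pretend
    py
    pytestCheckHook
    pytest-subtests
    pytz
  ];

  pytestFlagsArray = [ "--disable-pytest-warnings" ];

  disabledTestPaths =
    [
      # save compute time by not running benchmarks
      "tests/bench"
    ]
    ++ lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [
      # aarch64-darwin forbids W+X memory, but this test depends on it:
      # * https://cffi.readthedocs.io/en/latest/using.html#callbacks
      # Consequence: the OpenSSL memory-leak test does not run on this platform.
      "tests/hazmat/backends/test_openssl_memleak.py"
    ];

  meta = with lib; {
    description = "A package which provides cryptographic recipes and primitives";
    # NOTE(review): the Python versions named in the text below do not match
    # `disabled = pythonOlder "3.6"` above; the wording looks inherited from an
    # older upstream description.
    longDescription = ''
      Cryptography includes both high level recipes and low level interfaces to
      common cryptographic algorithms such as symmetric ciphers, message
      digests, and key derivation functions.
      Our goal is for it to be your "cryptographic standard library". It
      supports Python 2.7, Python 3.5+, and PyPy 5.4+.
    '';
    homepage = "https://github.com/pyca/cryptography";
    changelog =
      "https://cryptography.io/en/latest/changelog/#v" + replaceStrings [ "." ] [ "-" ] version;
    license = with licenses; [
      asl20
      bsd3
      psfl
    ];
    maintainers = with maintainers; [ nh2 ];
  };
}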