| blob | 4da68dfb751bb2b8ab4ca277faf75167625f6ed9 |
1 # This older version only exists because `ceph` needs it, see its package.
2 {
3 lib,
4 stdenv,
5 callPackage,
6 buildPythonPackage,
7 fetchPypi,
8 fetchpatch,
9 rustPlatform,
10 cargo,
11 rustc,
12 setuptoolsRustBuildHook,
13 openssl,
14 Security ? null,
15 isPyPy,
16 cffi,
17 pkg-config,
18 pytestCheckHook,
19 pytest-subtests,
20 pythonOlder,
21 pretend,
22 libiconv,
23 libxcrypt,
24 iso8601,
25 py,
26 pytz,
27 hypothesis,
28 }:
30 let
31 cryptography-vectors = callPackage ./cryptography-vectors.nix { };
32 in
33 buildPythonPackage rec {
34 pname = "cryptography";
35 version = "40.0.1"; # Also update the hash in vectors.nix
36 format = "setuptools";
37 disabled = pythonOlder "3.6";
39 src = fetchPypi {
40 inherit pname version;
41 hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
42 };
44 cargoDeps = rustPlatform.fetchCargoTarball {
45 inherit src;
46 sourceRoot = "${pname}-${version}/${cargoRoot}";
47 name = "${pname}-${version}";
48 hash = "sha256-gFfDTc2QWBWHBCycVH1dYlCsWQMVcRZfOBIau+njtDU=";
49 };
51 # Since Cryptography v40 is quite outdated, we need to backport
52 # security fixes that are only available in newer versions.
53 patches = [
54 # Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
55 # See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
56 ./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
58 # Fix https://nvd.nist.gov/vuln/detail/CVE-2024-26130
59 # See https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
60 (fetchpatch {
61 name = "python-cryptography-CVE-2024-26130-dont-crash-when-a-PKCS-12-key-and-cert-dont-match-mmap-mode.patch";
62 url = "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55.patch";
63 hash = "sha256-l45NOzOWhHW4nY4OIRpdjYQRvUW8BROGWdpkAtvVn0Y=";
64 })
65 ];
67 postPatch = ''
68 substituteInPlace pyproject.toml \
69 --replace "--benchmark-disable" ""
70 '';
72 cargoRoot = "src/rust";
74 nativeBuildInputs = [
75 rustPlatform.cargoSetupHook
76 setuptoolsRustBuildHook
77 cargo
78 rustc
79 pkg-config
80 ] ++ lib.optionals (!isPyPy) [ cffi ];
82 buildInputs =
83 [ openssl ]
84 ++ lib.optionals stdenv.hostPlatform.isDarwin [
85 Security
86 libiconv
87 ]
88 ++ lib.optionals (pythonOlder "3.9") [ libxcrypt ];
90 propagatedBuildInputs = lib.optionals (!isPyPy) [ cffi ];
92 nativeCheckInputs = [
93 cryptography-vectors
94 hypothesis
95 iso8601
96 pretend
97 py
98 pytestCheckHook
99 pytest-subtests
100 pytz
101 ];
103 pytestFlagsArray = [ "--disable-pytest-warnings" ];
105 disabledTestPaths =
106 [
107 # save compute time by not running benchmarks
108 "tests/bench"
109 ]
110 ++ lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [
111 # aarch64-darwin forbids W+X memory, but this tests depends on it:
112 # * https://cffi.readthedocs.io/en/latest/using.html#callbacks
113 "tests/hazmat/backends/test_openssl_memleak.py"
114 ];
116 meta = with lib; {
117 description = "A package which provides cryptographic recipes and primitives";
118 longDescription = ''
119 Cryptography includes both high level recipes and low level interfaces to
120 common cryptographic algorithms such as symmetric ciphers, message
121 digests, and key derivation functions.
122 Our goal is for it to be your "cryptographic standard library". It
123 supports Python 2.7, Python 3.5+, and PyPy 5.4+.
124 '';
125 homepage = "https://github.com/pyca/cryptography";
126 changelog =
127 "https://cryptography.io/en/latest/changelog/#v" + replaceStrings [ "." ] [ "-" ] version;
128 license = with licenses; [
129 asl20
130 bsd3
131 psfl
132 ];
133 maintainers = with maintainers; [ nh2 ];
134 };
135 }