authorOrivej Desh <orivej@gmx.fr>2020-12-14 16:31:26 +0000
committerGitHub <noreply@github.com>2020-12-14 16:31:26 +0000
commit6fa76f018b287f017f6d0e8b611bd173c490852c (patch)
tree2777d64cd5e5a39aadb3f63854b0e7d538e8c2fa
parentb37c00ab90d9f3216df7990d85ab863e2946a129 (diff)
python2Packages.cryptography: 2.9.2 -> 3.3.1 (#106792)
Fixes py2 build of pyOpenSSL: https://github.com/NixOS/nixpkgs/issues/106275#issuecomment-743790876
-rw-r--r--pkgs/development/python-modules/cryptography/3.3.nix (renamed from pkgs/development/python-modules/cryptography/2.9.nix)17
-rw-r--r--pkgs/development/python-modules/cryptography/CVE-2020-25659.patch76
-rw-r--r--pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch14
-rw-r--r--pkgs/development/python-modules/cryptography/vectors-3.3.nix (renamed from pkgs/development/python-modules/cryptography/vectors-2.9.nix)2
-rw-r--r--pkgs/development/python-modules/werkzeug/default.nix3
-rw-r--r--pkgs/top-level/python-packages.nix4
6 files changed, 29 insertions, 87 deletions
diff --git a/pkgs/development/python-modules/cryptography/2.9.nix b/pkgs/development/python-modules/cryptography/3.3.nix
index 3cde50542873..a76e62dd4ddb 100644
--- a/pkgs/development/python-modules/cryptography/2.9.nix
+++ b/pkgs/development/python-modules/cryptography/3.3.nix
@@ -22,24 +22,31 @@
buildPythonPackage rec {
pname = "cryptography";
- version = "2.9.2"; # Also update the hash in vectors.nix
+ version = "3.3.1"; # Also update the hash in vectors-3.3.nix
src = fetchPypi {
inherit pname version;
- sha256 = "0af25w5mkd6vwns3r6ai1w5ip9xp0ms9s261zzssbpadzdr05hx0";
+ sha256 = "1ribd1vxq9wwz564mg60dzcy699gng54admihjjkgs9dx95pw5vy";
};
- patches = [ ./CVE-2020-25659.patch ];
+ patches = [ ./cryptography-py27-warning.patch ];
outputs = [ "out" "dev" ];
+ nativeBuildInputs = stdenv.lib.optionals (!isPyPy) [
+ cffi
+ ];
+
buildInputs = [ openssl ]
++ stdenv.lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.Security;
propagatedBuildInputs = [
packaging
six
- ] ++ stdenv.lib.optional (!isPyPy) cffi
- ++ stdenv.lib.optionals isPy27 [ ipaddress enum34 ];
+ ] ++ stdenv.lib.optionals (!isPyPy) [
+ cffi
+ ] ++ stdenv.lib.optionals isPy27 [
+ ipaddress enum34
+ ];
checkInputs = [
cryptography_vectors
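Review bot: The `patches` line in this hunk drops `./CVE-2020-25659.patch` without recording why, so a later reader of 3.3.nix cannot tell whether the Bleichenbacher mitigation was lost or merely became redundant. The upstream commit the backport was taken from is dated 2020-10-25 in the deleted patch file, which predates the 3.3.1 release, so the mitigation should already be in the tarball; a one-line comment keeps that reasoning with the code: `patches = [ ./cryptography-py27-warning.patch ]; # CVE-2020-25659 mitigation is included upstream in this release, no backport needed`. Separately, `cffi` now appears under the same `!isPyPy` condition in both the new `nativeBuildInputs` and `propagatedBuildInputs`; if both are intentional (build-time vs runtime), a short comment on the `nativeBuildInputs` line would stop a future cleanup from removing one of them. The `checkInputs` list continues past the end of the hunk.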
diff --git a/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch b/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch
deleted file mode 100644
index a353757be11f..000000000000
--- a/pkgs/development/python-modules/cryptography/CVE-2020-25659.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-Backported of:
-
-From 58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494 Mon Sep 17 00:00:00 2001
-From: Alex Gaynor <alex.gaynor@gmail.com>
-Date: Sun, 25 Oct 2020 21:16:42 -0400
-Subject: [PATCH] Attempt to mitigate Bleichenbacher attacks on RSA decryption
- (#5507)
-
-diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
-index 6e4675d..ce66c28 100644
---- a/docs/spelling_wordlist.txt
-+++ b/docs/spelling_wordlist.txt
-@@ -6,6 +6,7 @@ backend
- Backends
- backends
- bcrypt
-+Bleichenbacher
- Blowfish
- boolean
- Botan
-diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py
-index 3e4c2fd..6303f95 100644
---- a/src/cryptography/hazmat/backends/openssl/rsa.py
-+++ b/src/cryptography/hazmat/backends/openssl/rsa.py
-@@ -117,40 +117,19 @@ def _enc_dec_rsa_pkey_ctx(backend, key, data, padding_enum, padding):
-
- outlen = backend._ffi.new("size_t *", buf_size)
- buf = backend._ffi.new("unsigned char[]", buf_size)
-+ # Everything from this line onwards is written with the goal of being as
-+ # constant-time as is practical given the constraints of Python and our
-+ # API. See Bleichenbacher's '98 attack on RSA, and its many many variants.
-+ # As such, you should not attempt to change this (particularly to "clean it
-+ # up") without understanding why it was written this way (see
-+ # Chesterton's Fence), and without measuring to verify you have not
-+ # introduced observable time differences.
- res = crypt(pkey_ctx, buf, outlen, data, len(data))
-+ resbuf = backend._ffi.buffer(buf)[: outlen[0]]
-+ backend._lib.ERR_clear_error()
- if res <= 0:
-- _handle_rsa_enc_dec_error(backend, key)
--
-- return backend._ffi.buffer(buf)[:outlen[0]]
--
--
--def _handle_rsa_enc_dec_error(backend, key):
-- errors = backend._consume_errors()
-- backend.openssl_assert(errors)
-- backend.openssl_assert(errors[0].lib == backend._lib.ERR_LIB_RSA)
-- if isinstance(key, _RSAPublicKey):
-- backend.openssl_assert(
-- errors[0].reason == backend._lib.RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE
-- )
-- raise ValueError(
-- "Data too long for key size. Encrypt less data or use a "
-- "larger key size."
-- )
-- else:
-- decoding_errors = [
-- backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_01,
-- backend._lib.RSA_R_BLOCK_TYPE_IS_NOT_02,
-- backend._lib.RSA_R_OAEP_DECODING_ERROR,
-- # Though this error looks similar to the
-- # RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE, this occurs on decrypts,
-- # rather than on encrypts
-- backend._lib.RSA_R_DATA_TOO_LARGE_FOR_MODULUS,
-- ]
-- if backend._lib.Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR:
-- decoding_errors.append(backend._lib.RSA_R_PKCS_DECODING_ERROR)
--
-- backend.openssl_assert(errors[0].reason in decoding_errors)
-- raise ValueError("Decryption failed.")
-+ raise ValueError("Encryption/decryption failed.")
-+ return resbuf
-
-
- def _rsa_sig_determine_padding(backend, key, padding, algorithm):
diff --git a/pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch b/pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch
new file mode 100644
index 000000000000..8233af78a9de
--- /dev/null
+++ b/pkgs/development/python-modules/cryptography/cryptography-py27-warning.patch
@@ -0,0 +1,14 @@
+Delete the warning that breaks tests of dependent projects.
+
+--- a/src/cryptography/__init__.py
++++ b/src/cryptography/__init__.py
+@@ -33,9 +32,0 @@ __all__ = [
+-
+-if sys.version_info[0] == 2:
+- warnings.warn(
+- "Python 2 is no longer supported by the Python core team. Support for "
+- "it is now deprecated in cryptography, and will be removed in the "
+- "next release.",
+- CryptographyDeprecationWarning,
+- stacklevel=2,
+- )
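Review bot: The new patch deletes the Python 2 deprecation warning from `cryptography/__init__.py` for every consumer of the py27 package, not only for the test suites it is meant to unbreak, so downstream code loses the only runtime signal that this build line sits on an interpreter the library is about to stop supporting. A narrower fix would leave the library untouched and suppress the warning where it actually breaks tests, for example in the affected packages' check phase with `PYTHONWARNINGS=ignore::cryptography.utils.CryptographyDeprecationWarning` or a pytest `-W` / `filterwarnings` setting, which I believe is the class the warning is raised with here but have not verified against the 3.3.1 source. If the library-wide patch is kept, the header comment should at least name which dependent test suites it exists for and the cryptography version it was written against, so it can be retired when the py27 line is dropped.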
diff --git a/pkgs/development/python-modules/cryptography/vectors-2.9.nix b/pkgs/development/python-modules/cryptography/vectors-3.3.nix
index 096eab77bec3..94526c8268ef 100644
--- a/pkgs/development/python-modules/cryptography/vectors-2.9.nix
+++ b/pkgs/development/python-modules/cryptography/vectors-3.3.nix
@@ -7,7 +7,7 @@ buildPythonPackage rec {
src = fetchPypi {
inherit pname version;
- sha256 = "1d4iykcv7cn9j399hczlxm5pzxmqy6d80h3j16dkjwlmv3293b4r";
+ sha256 = "192wix3sr678x21brav5hgc6j93l7ab1kh69p2scr3fsblq9qy03";
};
# No tests included
diff --git a/pkgs/development/python-modules/werkzeug/default.nix b/pkgs/development/python-modules/werkzeug/default.nix
index a4146d4d3b12..fd634e51796e 100644
--- a/pkgs/development/python-modules/werkzeug/default.nix
+++ b/pkgs/development/python-modules/werkzeug/default.nix
@@ -21,9 +21,6 @@ buildPythonPackage rec {
"test_get_machine_id"
];
- # Python 2 pytest fails with INTERNALERROR due to a deprecation warning.
- doCheck = isPy3k;
-
meta = with stdenv.lib; {
homepage = "https://palletsprojects.com/p/werkzeug/";
description = "A WSGI utility library for Python";
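Review bot: Removing `doCheck = isPy3k;` re-enables the Python 2 test run, which only works because the py27 cryptography package in this same commit now carries a patch deleting the deprecation warning that caused the INTERNALERROR described in the removed comment; that coupling is invisible from this file. A one-line comment in place of the deleted one would preserve it: `# Python 2 tests depend on cryptography/3.3.nix patching out its py2 deprecation warning`. If that patch is ever dropped, this attribute set will start failing again with no hint as to why.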
diff --git a/pkgs/top-level/python-packages.nix b/pkgs/top-level/python-packages.nix
index eeed74d4cad5..309a31d4614f 100644
--- a/pkgs/top-level/python-packages.nix
+++ b/pkgs/top-level/python-packages.nix
@@ -1389,12 +1389,12 @@ in {
cryptacular = callPackage ../development/python-modules/cryptacular { };
cryptography = if isPy27 then
- callPackage ../development/python-modules/cryptography/2.9.nix { }
+ callPackage ../development/python-modules/cryptography/3.3.nix { }
else
callPackage ../development/python-modules/cryptography { };
cryptography_vectors = if isPy27 then
- callPackage ../development/python-modules/cryptography/vectors-2.9.nix { }
+ callPackage ../development/python-modules/cryptography/vectors-3.3.nix { }
else
callPackage ../development/python-modules/cryptography/vectors.nix { };