Cryptography 42 and rust #1261

Merged
merged 10 commits into from
Oct 17, 2024
Update to cryptography 42.0.8 (requires rust)
Cryptography 42.0.8 can now be built provided that the Rust
compiler and toolchains are installed into the build machine.

Note: legacy ciphers are disabled to prevent load-time crash
as if the CRYPTOGRAPHY_OPENSSL_NO_LEGACY environment variable
was set.
https://cryptography.io/en/latest/openssl/#legacy-provider-in-openssl-3-x

Closes #657
emanuele-f committed Oct 9, 2024

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
commit b6d8f3ca231bdeaa73e6cf61f4d559d00643df85
3 changes: 3 additions & 0 deletions server/pypi/build-wheel.py
@@ -616,6 +616,9 @@ def env_vars(self):
"PKG_VERSION": self.version,
"RECIPE_DIR": self.package_dir,
"SRC_DIR": self.src_dir,

# allows packages to locate openssl, openssl must be in the meta.yml requirements.host
"OPENSSL_DIR": f"{self.host_env}/chaquopy",
})

if self.needs_rust:
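Review bot: The added `"OPENSSL_DIR"` entry in `env_vars` is exported for every package build, not only for recipes that list openssl under `requirements.host`, although its own comment says the path is only usable when openssl is a host requirement. Consider setting the variable only when openssl is among the recipe's host requirements, so that a recipe without it does not receive a path under `{self.host_env}/chaquopy` that may hold no OpenSSL. The comment also names `meta.yml`, while the recipe file changed in this commit is `meta.yaml`.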
31 changes: 2 additions & 29 deletions server/pypi/packages/cryptography/meta.yaml
@@ -1,37 +1,10 @@
package:
name: cryptography
version: "3.4.8"

build:
number: 2
script_env:
- CRYPTOGRAPHY_DONT_BUILD_RUST=1
version: "42.0.8"

requirements:
build:
- cffi 1.15.1
- setuptools-rust 0.11.6
- setuptools-rust 1.7.0
host:
# This version of cryptography isn't compatible with OpenSSL 3. So to build it for
# Python 3.9 and 3.10, we link it against OpenSSL 1.1.
#
# We don't do this by supplying an OpenSSL 1.1 wheel with a shared library, because
# the Chaquopy runtime (perhaps unnecessarily) loads non-Python libraries using
# RTLD_GLOBAL, which could cause conflicts with the OpenSSL 3 library which Chaquopy
# loads on startup.
#
# Instead, we link against OpenSSL 1.1 statically, as follows:
# * Run the OpenSSL 1.1 build command from target/build-all.sh.
# * For each combination of Python version and ABI, run build-with-static-openssl.sh
# in this directory.
#
# Although this may cause some of OpenSSL's symbols to be exported by crytography's
# Python modules, that's safe because Python modules are loaded using RTLD_LOCAL. And
# although the GLOBAL/LOCAL distinction is only respected from API level 23, older
# versions wouldn't include earlier libraries in the symbol search order for later
# libraries anyway, unless they were listed in DT_NEEDED.
#
# More information:
# * https://github.com/aosp-mirror/platform_bionic/blob/master/android-changes-for-ndk-developers.md
# * https://github.com/android/ndk/issues/1244
- openssl
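Review bot: Under `host:` the long comment explaining the static OpenSSL 1.1 link is dropped and nothing replaces it, so the recipe no longer records how this package locates OpenSSL or which patches its build depends on. A short comment next to `- openssl` noting that the build relies on `OPENSSL_DIR` from `build-wheel.py` and on `patches/openssl_no_legacy.patch` (legacy provider never loaded) would keep that rationale in the recipe. The `build:` section with `number: 2` and `CRYPTOGRAPHY_DONT_BUILD_RUST=1` also goes away; worth confirming that omitting the build number is intended for the new version.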
13 changes: 13 additions & 0 deletions server/pypi/packages/cryptography/patches/openssl_no_legacy.patch
@@ -0,0 +1,13 @@
--- src-original/src/rust/src/lib.rs
+++ src/src/rust/src/lib.rs
@@ -45,9 +45,7 @@
// serialization), RC4, Blowfish, IDEA, SEED, etc. These things
// are ugly legacy, but we aren't going to get rid of them
// any time soon.
- let load_legacy = env::var("CRYPTOGRAPHY_OPENSSL_NO_LEGACY")
- .map(|v| v.is_empty() || v == "0")
- .unwrap_or(true);
+ let load_legacy = false;
let legacy = if load_legacy {
let legacy_result = provider::Provider::load(None, "legacy");
_legacy_provider_error(legacy_result.is_ok())?;
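Review bot: Replacing the environment lookup with `let load_legacy = false;` makes `CRYPTOGRAPHY_OPENSSL_NO_LEGACY` a no-op and leaves the `if load_legacy` branch right below it as dead code, yet the patch file has no header saying why. The reason (preventing a load-time crash) is only in the commit message; put it at the top of the patch, together with the user-visible effect that the algorithms the upstream comment lists (RC4, Blowfish, IDEA, SEED, etc.) are unavailable in this build, so the patch can be revisited later.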
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
--- src-original/src/rust/Cargo.toml
+++ src/src/rust/Cargo.toml
@@ -10,7 +10,7 @@
[dependencies]
once_cell = "1"
cfg-if = "1"
-pyo3 = { version = "0.20", features = ["abi3"] }
+pyo3 = { version = "0.20", features = ["abi3", "abi3-py310"] }
asn1 = { version = "0.15.5", default-features = false }
cryptography-cffi = { path = "cryptography-cffi" }
cryptography-key-parsing = { path = "cryptography-key-parsing" }
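Review bot: Adding `"abi3-py310"` to the pyo3 features sets Python 3.10 as the minimum version for the abi3 build, but neither this patch nor the recipe states that, and the comment removed from `meta.yaml` spoke of building for Python 3.9 and 3.10. Please add a header line to the patch explaining why the minimum is pinned here, and confirm that no supported Python version below 3.10 still needs this wheel.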