push sheeet

This commit is contained in:
Dark Steveneq
2025-10-09 14:15:47 +02:00
commit 646b892680
49168 changed files with 5897842 additions and 0 deletions


@@ -0,0 +1,36 @@
# This older version only exists because `ceph` needs it, see `cryptography.nix`.
{
buildPythonPackage,
fetchPypi,
lib,
cryptography,
}:
buildPythonPackage rec {
pname = "cryptography-vectors";
# The test vectors must have the same version as the cryptography package
inherit (cryptography) version;
format = "setuptools";
src = fetchPypi {
pname = "cryptography_vectors";
inherit version;
hash = "sha256-hGBwa1tdDOSoVXHKM4nPiPcAu2oMYTPcn+D1ovW9oEE=";
};
# No tests included
doCheck = false;
pythonImportsCheck = [ "cryptography_vectors" ];
meta = with lib; {
description = "Test vectors for the cryptography package";
homepage = "https://cryptography.io/en/latest/development/test-vectors/";
# Source: https://github.com/pyca/cryptography/tree/master/vectors;
license = with licenses; [
asl20
bsd3
];
maintainers = with maintainers; [ nh2 ];
};
}


@@ -0,0 +1,138 @@
# This older version only exists because `ceph` needs it, see its package.
{
lib,
stdenv,
callPackage,
buildPythonPackage,
fetchPypi,
fetchpatch,
rustPlatform,
cargo,
rustc,
setuptoolsRustBuildHook,
openssl,
Security ? null,
isPyPy,
cffi,
pkg-config,
pytestCheckHook,
pytest-subtests,
pythonOlder,
pretend,
libiconv,
libxcrypt,
iso8601,
py,
pytz,
hypothesis,
}:
let
cryptography-vectors = callPackage ./cryptography-vectors.nix { };
in
buildPythonPackage rec {
pname = "cryptography";
version = "40.0.1"; # Also update the hash in vectors.nix
format = "setuptools";
disabled = pythonOlder "3.6";
src = fetchPypi {
inherit pname version;
hash = "sha256-KAPy+LHpX2FEGZJsfm9V2CivxhTKXtYVQ4d65mjMNHI=";
};
cargoDeps = rustPlatform.fetchCargoVendor {
inherit
pname
version
src
cargoRoot
;
hash = "sha256-pZHu3Oo9DWRAtldU0UvrH1FIg0bEvyfizPUhj9IBL58=";
};
# Since Cryptography v40 is quite outdated, we need to backport
# security fixes that are only available in newer versions.
patches = [
# Fix https://nvd.nist.gov/vuln/detail/CVE-2023-49083 which has no upstream backport.
# See https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a#diff-f5134bf8f3cf0a5cc8601df55e50697acc866c603a38caff98802bd8e17976c5R1893
./python-cryptography-Cherry-pick-fix-for-CVE-2023-49083-on-cryptography-40.patch
# Fix https://nvd.nist.gov/vuln/detail/CVE-2024-26130
# See https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
(fetchpatch {
name = "python-cryptography-CVE-2024-26130-dont-crash-when-a-PKCS-12-key-and-cert-dont-match-mmap-mode.patch";
url = "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55.patch";
hash = "sha256-l45NOzOWhHW4nY4OIRpdjYQRvUW8BROGWdpkAtvVn0Y=";
})
];
postPatch = ''
substituteInPlace pyproject.toml \
--replace "--benchmark-disable" ""
'';
cargoRoot = "src/rust";
nativeBuildInputs = [
rustPlatform.cargoSetupHook
setuptoolsRustBuildHook
cargo
rustc
pkg-config
]
++ lib.optionals (!isPyPy) [ cffi ];
buildInputs = [
openssl
]
++ lib.optionals stdenv.hostPlatform.isDarwin [
libiconv
]
++ lib.optionals (pythonOlder "3.9") [ libxcrypt ];
propagatedBuildInputs = lib.optionals (!isPyPy) [ cffi ];
nativeCheckInputs = [
cryptography-vectors
hypothesis
iso8601
pretend
py
pytestCheckHook
pytest-subtests
pytz
];
pytestFlags = [ "--disable-pytest-warnings" ];
disabledTestPaths = [
# save compute time by not running benchmarks
"tests/bench"
]
++ lib.optionals (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64) [
# aarch64-darwin forbids W+X memory, but this tests depends on it:
# * https://cffi.readthedocs.io/en/latest/using.html#callbacks
"tests/hazmat/backends/test_openssl_memleak.py"
];
meta = with lib; {
description = "Package which provides cryptographic recipes and primitives";
longDescription = ''
Cryptography includes both high level recipes and low level interfaces to
common cryptographic algorithms such as symmetric ciphers, message
digests, and key derivation functions.
Our goal is for it to be your "cryptographic standard library". It
supports Python 2.7, Python 3.5+, and PyPy 5.4+.
'';
homepage = "https://github.com/pyca/cryptography";
changelog =
"https://cryptography.io/en/latest/changelog/#v" + replaceStrings [ "." ] [ "-" ] version;
license = with licenses; [
asl20
bsd3
psfl
];
maintainers = with maintainers; [ nh2 ];
};
}
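Review bot: The cross-reference on the `version` line points at a file that is not in this commit: the comment says `# Also update the hash in vectors.nix`, but the vectors package is loaded from `./cryptography-vectors.nix` in the `let` binding above the derivation, so the hint should read `version = "40.0.1"; # Also update the hash in cryptography-vectors.nix`. In `postPatch`, `--replace "--benchmark-disable" ""` is a silent no-op if that flag is ever absent from pyproject.toml; `--replace-fail` would surface a stale substitution at build time instead. The `longDescription` still claims support for Python 2.7 and 3.5+, which contradicts `disabled = pythonOlder "3.6"` on this pin, so that sentence should be dropped or corrected. The header comment acknowledges that v40 is outdated and the `patches` list names the two backported CVE fixes, but nothing records whether other advisories affecting this version were reviewed; a short comment next to `patches` stating the outcome of that review (or a `meta.knownVulnerabilities` entry for anything left open) would make the security posture of this pin auditable.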


@@ -0,0 +1,44 @@
commit 08dbad8552ecca85d3e38072f94eb864b143d218
Author: Niklas Hambüchen <mail@nh2.me>
Date: Mon Jan 22 12:52:06 2024 +0000
Cherry-pick fix for CVE-2023-49083
Cherry-Picked-From: f09c261ca10a31fe41b1262306db7f8f1da0e48a
Cherry-Picked-By: Niklas Hambüchen <mail@nh2.me>
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index a3fe1bce4..58e7207c4 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -2383,9 +2383,12 @@ class Backend:
_Reasons.UNSUPPORTED_SERIALIZATION,
)
+ certs: list[x509.Certificate] = []
+ if p7.d.sign == self._ffi.NULL:
+ return certs
+
sk_x509 = p7.d.sign.cert
num = self._lib.sk_X509_num(sk_x509)
- certs = []
for i in range(num):
x509 = self._lib.sk_X509_value(sk_x509, i)
self.openssl_assert(x509 != self._ffi.NULL)
diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py
index 4e61c5ef5..d8170bfb9 100644
--- a/tests/hazmat/primitives/test_pkcs7.py
+++ b/tests/hazmat/primitives/test_pkcs7.py
@@ -89,6 +89,12 @@ class TestPKCS7Loading:
mode="rb",
)
+ def test_load_pkcs7_empty_certificates(self, backend):
+ der = b"\x30\x0B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x02"
+
+ certificates = pkcs7.load_der_pkcs7_certificates(der)
+ assert certificates == []
+
# We have no public verification API and won't be adding one until we get
# some requirements from users so this function exists to give us basic


@@ -0,0 +1,52 @@
# This older version only exists because `ceph` needs it, see its package.
{
lib,
buildPythonPackage,
cryptography,
fetchPypi,
idna,
pyopenssl,
pytestCheckHook,
pythonOlder,
service-identity,
}:
buildPythonPackage rec {
pname = "trustme";
version = "1.1.0";
format = "setuptools";
disabled = pythonOlder "3.8";
src = fetchPypi {
inherit pname version;
hash = "sha256-U3Wtf7QnB0vslWWS4NTuKkz02miTThukvPQhcSa8ReY=";
};
propagatedBuildInputs = [
cryptography
idna
];
nativeCheckInputs = [
pyopenssl
pytestCheckHook
service-identity
];
# Some of the tests use localhost networking.
__darwinAllowLocalNetworking = true;
pythonImportsCheck = [ "trustme" ];
meta = with lib; {
description = "High quality TLS certs while you wait, for the discerning tester";
homepage = "https://github.com/python-trio/trustme";
changelog = "https://trustme.readthedocs.io/en/latest/#change-history";
license = with licenses; [
mit
asl20
];
maintainers = with maintainers; [ jfly ];
};
}