python-cryptography: Update to 41.0.4

This includes a patch to update the version of ouroboros (Rust crate)
used, to fix RUSTSEC-2023-0042[1]. Upstream has switch from ouroboros to
self_cell so this patch should only be necessary for cryptography 41.

[1]: https://rustsec.org/advisories/RUSTSEC-2023-0042.html

Signed-off-by: Jeffery To <jeffery.to@gmail.com>

lang/python/python-cryptography/Makefile

@@ -8,17 +8,17 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=python-cryptography
-PKG_VERSION:=3.4.8
+PKG_VERSION:=41.0.4
-PKG_RELEASE:=3
+PKG_RELEASE:=1
 
 PYPI_NAME:=cryptography
-PKG_HASH:=94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c
+PKG_HASH:=7febc3094125fc126a7f6fb1f420d0da639f3f32cb15c8ff0dc3997c4549f51a
 
 PKG_LICENSE:=Apache-2.0 BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE.APACHE LICENSE.BSD
 PKG_MAINTAINER:=Jeffery To <jeffery.to@gmail.com>
 
-PKG_BUILD_DEPENDS:=libffi/host python-cffi/host  # cffi>=1.12
+PKG_BUILD_DEPENDS:=libffi/host python-cffi/host python-setuptools-rust/host
 
 include ../pypi.mk
 include $(INCLUDE_DIR)/package.mk
@@ -32,18 +32,18 @@ define Package/python3-cryptography
   URL:=https://github.com/pyca/cryptography
   DEPENDS:= \
       +libopenssl \
+      +libopenssl-legacy \
       +python3-light \
       +python3-email \
-      +python3-openssl \
       +python3-urllib \
       +python3-cffi \
-      +python3-six
+      $(RUST_ARCH_DEPENDS)
 endef
 
 define Package/python3-cryptography/description
 cryptography is a package which provides cryptographic recipes and
-primitives to Python developers.  Our goal is for it to be your "cryptographic
+primitives to Python developers. Our goal is for it to be your
-standard library". It supports Python 2.6-2.7, Python 3.3+, and PyPy 2.6+.
+"cryptographic standard library".
 endef
 
 $(eval $(call Py3Package,python3-cryptography))

lang/python/python-cryptography/patches/0001-Add-new-ASN1_STRING_get0_data-API.patch

@@ -1,20 +0,0 @@
-From 7eefc9c72f522e414f953fee2d6ca9242c566107 Mon Sep 17 00:00:00 2001
-From: Rosen Penev <rosenp@gmail.com>
-Date: Fri, 7 Jun 2019 18:18:46 -0700
-Subject: [PATCH 1/7] Add new ASN1_STRING_get0_data API
-
-Introduced with OpenSSL 1.1
----
- src/_cffi_src/openssl/asn1.py | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/src/_cffi_src/openssl/asn1.py
-+++ b/src/_cffi_src/openssl/asn1.py
-@@ -105,4 +105,7 @@ ASN1_NULL *ASN1_NULL_new(void);
- """
- 
- CUSTOMIZATIONS = """
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+#define ASN1_STRING_data ASN1_STRING_get0_data
-+#endif
- """

lang/python/python-cryptography/patches/0002-Add-compatibility-for-X509_STORE_set_get_issuer.patch

@@ -1,55 +0,0 @@
-From 77b25307a743eb52ef5ead24c956e577f5bd025f Mon Sep 17 00:00:00 2001
-From: Rosen Penev <rosenp@gmail.com>
-Date: Fri, 7 Jun 2019 20:42:04 -0700
-Subject: [PATCH 2/7] Add compatibility for X509_STORE_set_get_issuer
-
-Deprecated under OpenSSL 1.1.
----
- src/_cffi_src/openssl/x509_vfy.py                        | 8 ++++++++
- src/cryptography/hazmat/bindings/openssl/_conditional.py | 8 ++++++++
- 2 files changed, 16 insertions(+)
-
---- a/src/_cffi_src/openssl/x509_vfy.py
-+++ b/src/_cffi_src/openssl/x509_vfy.py
-@@ -21,6 +21,7 @@ TYPES = """
- static const long Cryptography_HAS_102_VERIFICATION;
- static const long Cryptography_HAS_110_VERIFICATION_PARAMS;
- static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER;
-+static const long Cryptography_HAS_X509_CB_ISSUER_CHECK;
- 
- typedef ... Cryptography_STACK_OF_ASN1_OBJECT;
- typedef ... Cryptography_STACK_OF_X509_OBJECT;
-@@ -257,4 +258,11 @@ void (*X509_STORE_set_get_issuer)(X509_S
- #else
- static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 1;
- #endif
-+
-+#ifndef X509_V_FLAG_CB_ISSUER_CHECK
-+static const long Cryptography_HAS_X509_CB_ISSUER_CHECK = 0;
-+#define X509_V_FLAG_CB_ISSUER_CHECK	0x0
-+#else
-+static const long Cryptography_HAS_X509_CB_ISSUER_CHECK = 1;
-+#endif
- """
---- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
-+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
-@@ -269,6 +269,11 @@ def cryptography_has_get_proto_version()
-         "SSL_get_max_proto_version",
-     ]
- 
-+def cryptography_has_x509_cb_issuer_check():
-+    return [
-+        "X509_V_FLAG_CB_ISSUER_CHECK",
-+    ]
-+
- 
- # This is a mapping of
- # {condition: function-returning-names-dependent-on-that-condition} so we can
-@@ -318,4 +323,7 @@ CONDITIONAL_NAMES = {
-     "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
-     "Cryptography_HAS_SRTP": cryptography_has_srtp,
-     "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version,
-+    "Cryptography_HAS_X509_CB_ISSUER_CHECK": (
-+        cryptography_has_x509_cb_issuer_check
-+    ),
- }

lang/python/python-cryptography/patches/0003-Add-compatibility-for-deprecated-TLS-methods.patch

@@ -1,127 +0,0 @@
-From 7a55c37e01114dfd1ae733b099fdee1ba1889449 Mon Sep 17 00:00:00 2001
-From: Rosen Penev <rosenp@gmail.com>
-Date: Fri, 7 Jun 2019 21:00:46 -0700
-Subject: [PATCH 3/7] Add compatibility for deprecated TLS methods
-
----
- src/_cffi_src/openssl/ssl.py                  | 45 +++++++++++++++++--
- .../hazmat/bindings/openssl/_conditional.py   | 36 +++++++++++++++
- 2 files changed, 77 insertions(+), 4 deletions(-)
-
---- a/src/_cffi_src/openssl/ssl.py
-+++ b/src/_cffi_src/openssl/ssl.py
-@@ -13,12 +13,14 @@ TYPES = """
- static const long Cryptography_HAS_SSL_ST;
- static const long Cryptography_HAS_TLS_ST;
- static const long Cryptography_HAS_SSL3_METHOD;
--static const long Cryptography_HAS_TLSv1_1;
--static const long Cryptography_HAS_TLSv1_2;
-+static const long Cryptography_HAS_TLS1_METHOD;
-+static const long Cryptography_HAS_TLS1_1_METHOD;
-+static const long Cryptography_HAS_TLS1_2_METHOD;
- static const long Cryptography_HAS_TLSv1_3;
- static const long Cryptography_HAS_SECURE_RENEGOTIATION;
- static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS;
- static const long Cryptography_HAS_DTLS;
-+static const long Cryptography_HAS_DTLS1_METHOD;
- static const long Cryptography_HAS_SIGALGS;
- static const long Cryptography_HAS_PSK;
- static const long Cryptography_HAS_VERIFIED_CHAIN;
-@@ -548,8 +550,43 @@ static const long Cryptography_HAS_SSL3_
- 
- static const long Cryptography_HAS_RELEASE_BUFFERS = 1;
- static const long Cryptography_HAS_OP_NO_COMPRESSION = 1;
--static const long Cryptography_HAS_TLSv1_1 = 1;
--static const long Cryptography_HAS_TLSv1_2 = 1;
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+static const long Cryptography_HAS_TLS1_METHOD = 0;
-+const SSL_METHOD* (*TLSv1_method)(void) = NULL;
-+const SSL_METHOD* (*TLSv1_server_method)(void) = NULL;
-+const SSL_METHOD* (*TLSv1_client_method)(void) = NULL;
-+#else
-+static const long Cryptography_HAS_TLS1_METHOD = 1;
-+#endif
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+static const long Cryptography_HAS_TLS1_1_METHOD = 0;
-+const SSL_METHOD* (*TLSv1_1_method)(void) = NULL;
-+const SSL_METHOD* (*TLSv1_1_server_method)(void) = NULL;
-+const SSL_METHOD* (*TLSv1_1_client_method)(void) = NULL;
-+#else
-+static const long Cryptography_HAS_TLS1_1_METHOD = 1;
-+#endif
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+static const long Cryptography_HAS_TLS1_2_METHOD = 0;
-+const SSL_METHOD* (*TLSv1_2_method)(void) = NULL;
-+const SSL_METHOD* (*TLSv1_2_server_method)(void) = NULL;
-+const SSL_METHOD* (*TLSv1_2_client_method)(void) = NULL;
-+#else
-+static const long Cryptography_HAS_TLS1_2_METHOD = 1;
-+#endif
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+static const long Cryptography_HAS_DTLS1_METHOD = 0;
-+const SSL_METHOD* (*DTLSv1_method)(void) = NULL;
-+const SSL_METHOD* (*DTLSv1_server_method)(void) = NULL;
-+const SSL_METHOD* (*DTLSv1_client_method)(void) = NULL;
-+#else
-+static const long Cryptography_HAS_DTLS1_METHOD = 1;
-+#endif
-+
- static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;
- static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;
- static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;
---- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
-+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
-@@ -31,6 +31,38 @@ def cryptography_has_ssl3_method():
-     ]
- 
- 
-+def cryptography_has_tls1_method():
-+    return [
-+        "TLSv1_method",
-+        "TLSv1_client_method",
-+        "TLSv1_server_method",
-+    ]
-+
-+
-+def cryptography_has_tls1_1_method():
-+    return [
-+        "TLSv1_1_method",
-+        "TLSv1_1_client_method",
-+        "TLSv1_1_server_method",
-+    ]
-+
-+
-+def cryptography_has_tls1_2_method():
-+    return [
-+        "TLSv1_2_method",
-+        "TLSv1_2_client_method",
-+        "TLSv1_2_server_method",
-+    ]
-+
-+
-+def cryptography_has_dtls1_method():
-+    return [
-+        "DTLSv1_method",
-+        "DTLSv1_client_method",
-+        "DTLSv1_server_method",
-+    ]
-+
-+
- def cryptography_has_102_verification():
-     return [
-         "X509_V_ERR_SUITE_B_INVALID_VERSION",
-@@ -285,6 +317,10 @@ CONDITIONAL_NAMES = {
-     "Cryptography_HAS_RSA_OAEP_MD": cryptography_has_rsa_oaep_md,
-     "Cryptography_HAS_RSA_OAEP_LABEL": cryptography_has_rsa_oaep_label,
-     "Cryptography_HAS_SSL3_METHOD": cryptography_has_ssl3_method,
-+    "Cryptography_HAS_TLS1_METHOD": cryptography_has_tls1_method,
-+    "Cryptography_HAS_TLS1_1_METHOD": cryptography_has_tls1_1_method,
-+    "Cryptography_HAS_TLS1_2_METHOD": cryptography_has_tls1_2_method,
-+    "Cryptography_HAS_DTLS1_METHOD": cryptography_has_dtls1_method,
-     "Cryptography_HAS_102_VERIFICATION": cryptography_has_102_verification,
-     "Cryptography_HAS_110_VERIFICATION_PARAMS": (
-         cryptography_has_110_verification_params

lang/python/python-cryptography/patches/0004-disable-rust.patch

@@ -1,33 +0,0 @@
---- a/pyproject.toml
-+++ b/pyproject.toml
-@@ -6,7 +6,6 @@ requires = [
-     "wheel",
-     # Must be kept in sync with the `setup_requirements` in `setup.py`
-     "cffi>=1.12; platform_python_implementation != 'PyPy'",
--    "setuptools-rust>=0.11.4",
- ]
- build-backend = "setuptools.build_meta"
- 
---- a/setup.py
-+++ b/setup.py
-@@ -11,7 +11,7 @@ import sys
- from setuptools import find_packages, setup
- 
- try:
--    from setuptools_rust import RustExtension
-+    pass
- except ImportError:
-     print(
-         """
-@@ -43,9 +43,9 @@ with open(os.path.join(src_dir, "cryptog
- # `pyproject.toml`
- setuptools_rust = "setuptools-rust>=0.11.4"
- install_requirements = ["cffi>=1.12"]
--setup_requirements = install_requirements + [setuptools_rust]
-+setup_requirements = install_requirements
- 
--if os.environ.get("CRYPTOGRAPHY_DONT_BUILD_RUST"):
-+if True:
-     rust_extensions = []
- else:
-     rust_extensions = [

lang/python/python-cryptography/patches/0006-Add-X509_STORE_CTX_trusted_stack-compatibility-macro.patch

@@ -1,25 +0,0 @@
-From 98bf3eda9c950158cf6a0a6a698dd365712201b1 Mon Sep 17 00:00:00 2001
-From: Rosen Penev <rosenp@gmail.com>
-Date: Mon, 25 Nov 2019 12:06:16 -0800
-Subject: [PATCH 6/7] Add X509_STORE_CTX_trusted_stack compatibility macro
-
-Deprecated in 1.1
-
-Signed-off-by: Rosen Penev <rosenp@gmail.com>
----
- src/_cffi_src/openssl/x509_vfy.py | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
---- a/src/_cffi_src/openssl/x509_vfy.py
-+++ b/src/_cffi_src/openssl/x509_vfy.py
-@@ -265,4 +265,10 @@ static const long Cryptography_HAS_X509_
- #else
- static const long Cryptography_HAS_X509_CB_ISSUER_CHECK = 1;
- #endif
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+#define X509_STORE_CTX_trusted_stack X509_STORE_CTX_set0_trusted_stack
-+#define X509_STORE_CTX_set_chain X509_STORE_CTX_set0_untrusted
-+#define X509_STORE_CTX_get_chain X509_STORE_CTX_get1_chain
-+#endif
- """

lang/python/python-cryptography/patches/0007-Add-defines-for-totally-deprecated-functions.patch

@@ -1,56 +0,0 @@
-From e96af1cee523c5551c7fc5f36eba8e271fa51b20 Mon Sep 17 00:00:00 2001
-From: Rosen Penev <rosenp@gmail.com>
-Date: Thu, 5 Dec 2019 12:52:13 -0800
-Subject: [PATCH 7/7] Add defines for totally deprecated functions
-
----
- src/_cffi_src/openssl/conf.py   | 4 ++++
- src/_cffi_src/openssl/crypto.py | 4 ++++
- src/_cffi_src/openssl/ecdh.py   | 3 +++
- src/_cffi_src/openssl/ssl.py    | 5 +++++
- 4 files changed, 16 insertions(+)
-
---- a/src/_cffi_src/openssl/conf.py
-+++ b/src/_cffi_src/openssl/conf.py
-@@ -17,4 +17,8 @@ void OPENSSL_no_config(void);
- """
- 
- CUSTOMIZATIONS = """
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+#define OPENSSL_config(x) 0
-+#define OPENSSL_no_config() 0
-+#endif
- """
---- a/src/_cffi_src/openssl/crypto.py
-+++ b/src/_cffi_src/openssl/crypto.py
-@@ -113,4 +113,8 @@ void *Cryptography_realloc_wrapper(void
- void Cryptography_free_wrapper(void *ptr, const char *path, int line) {
-     free(ptr);
- }
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+#define CRYPTO_get_locking_callback() 0
-+#endif
- """
---- a/src/_cffi_src/openssl/ecdh.py
-+++ b/src/_cffi_src/openssl/ecdh.py
-@@ -17,4 +17,7 @@ long SSL_CTX_set_ecdh_auto(SSL_CTX *, in
- """
- 
- CUSTOMIZATIONS = """
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+#define SSL_CTX_set_ecdh_auto(a, b) ((b) != 0)
-+#endif
- """
---- a/src/_cffi_src/openssl/ssl.py
-+++ b/src/_cffi_src/openssl/ssl.py
-@@ -745,4 +745,9 @@ long (*SSL_get_max_proto_version)(SSL *)
- #else
- static const long Cryptography_HAS_GET_PROTO_VERSION = 1;
- #endif
-+
-+#if (OPENSSL_API_COMPAT >= 0x10100000L) && !CRYPTOGRAPHY_IS_LIBRESSL
-+#define SSL_library_init() 1
-+#define SSL_load_error_strings() 0
-+#endif
- """

lang/python/python-cryptography/patches/001-Update-ouroboros.patch

@@ -0,0 +1,13 @@
+Fixes https://rustsec.org/advisories/RUSTSEC-2023-0042.html
+
+--- a/src/rust/Cargo.toml
++++ b/src/rust/Cargo.toml
+@@ -15,7 +15,7 @@ cryptography-cffi = { path = "cryptograp
+ cryptography-x509 = { path = "cryptography-x509" }
+ cryptography-openssl = { path = "cryptography-openssl" }
+ pem = "1.1"
+-ouroboros = "0.15"
++ouroboros = "0.18"
+ openssl = "0.10.54"
+ openssl-sys = "0.9.88"
+ foreign-types-shared = "0.1"

lang/python/python-cryptography/test.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+[ "$1" = python3-cryptography ] || exit 0
+
+python3 - << EOF
+import sys
+from cryptography.fernet import Fernet
+key = Fernet.generate_key()
+f = Fernet(key)
+token = f.encrypt(b"my deep dark secret")
+sys.exit(0 if f.decrypt(token) == b"my deep dark secret" else 1)
+EOF