diff --git a/meta/recipes-devtools/python/python3-cryptography/python3-cryptography_hack_to_remove_legacy.patch b/meta/recipes-devtools/python/python3-cryptography/python3-cryptography_hack_to_remove_legacy.patch
new file mode 100644
index 0000000000..74b1cff248
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/python3-cryptography_hack_to_remove_legacy.patch
@@ -0,0 +1,54 @@
+python3-cryptography: ignore broken legacy providers
+
+These are broken on python3-cryptography-native builds
+since update from python3-cryptography 3.3.2 in meta-openembedded/meta-python
+to the new rust based versions 35 and newer.
+
+Test case on Ubuntu 18.04 build host, a recipe which needs
+python3-cryptography-native for e.g. signing secure boot binaries:
+
+# python3 -c  "from OpenSSL import crypto"
+Traceback (most recent call last):
+  File "<string>", line 1, in <module>
+  File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/__init__.py", line 8, in <module>
+    from OpenSSL import crypto, SSL
+  File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/crypto.py", line 11, in <module>
+    from OpenSSL._util import (
+  File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/_util.py", line 5, in <module>
+    from cryptography.hazmat.bindings.openssl.binding import Binding
+  File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 228, in <module>
+    Binding.init_static_locks()
+  File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 188, in init_static_locks
+    cls._ensure_ffi_initialized()
+  File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 176, in _ensure_ffi_initialized
+    _openssl_assert(
+  File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 90, in _openssl_assert
+    raise InternalError(
+cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=310378599, lib=37, reason=103, reason_text=b'error:12800067:DSO support routines::could not load the shared library'), _OpenSSLErrorWithText(code=310378599, lib=37, reason=103, reason_text=b'error:12800067:DSO support routines::could not load the shared library'), _OpenSSLErrorWithText(code=126615813, lib=15, reason=786693, reason_text=b'error:078C0105:common libcrypto routines::init fail')])
+
+With this hacky patch, the needed signing functions of
+python3-cryptography-native still work.
+
+Upstream-Status: Inappropriate
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+
+diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
+index a6fbc94..fffb669 100644
+--- a/src/cryptography/hazmat/bindings/openssl/binding.py
++++ b/src/cryptography/hazmat/bindings/openssl/binding.py
+@@ -173,9 +173,11 @@ class Binding:
+                     cls._legacy_provider = cls.lib.OSSL_PROVIDER_load(
+                         cls.ffi.NULL, b"legacy"
+                     )
+-                    _openssl_assert(
+-                        cls.lib, cls._legacy_provider != cls.ffi.NULL
+-                    )
++                    # HACK: for some reason this check is failing on native
++                    # but maybe it doesn't harm to break old, broken ciphers
++                    #_openssl_assert(
++                    #    cls.lib, cls._legacy_provider != cls.ffi.NULL
++                    #)
+                     cls._default_provider = cls.lib.OSSL_PROVIDER_load(
+                         cls.ffi.NULL, b"default"
+                     )
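Review bot: With the `_openssl_assert` after the legacy `OSSL_PROVIDER_load` call commented out, a failed load is ignored without draining the OpenSSL error queue. The DSO errors shown in the patch header's traceback therefore likely stay queued and can later be attributed to an unrelated call. Rather than leaving dead code, handle the NULL case explicitly, e.g. `if cls._legacy_provider == cls.ffi.NULL:` followed by `cls.lib.ERR_clear_error()`. The "for some reason" comment should instead give the cause the traceback reports (`could not load the shared library`), which suggests the legacy provider module is not found in the native sysroot; that is worth confirming. The enclosing method starts and ends outside the hunk, and the `Upstream-Status: Inappropriate` line would normally carry a bracketed reason.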
diff --git a/meta/recipes-devtools/python/python3-cryptography_37.0.4.bb b/meta/recipes-devtools/python/python3-cryptography_37.0.4.bb
index c91a8c7771..116871cd0b 100644
--- a/meta/recipes-devtools/python/python3-cryptography_37.0.4.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_37.0.4.bb
@@ -63,6 +63,11 @@ SRC_URI += "file://run-ptest \
            crate://crates.io/winapi/0.3.9 \
            "
 
+# workaround for native builds to get some of the signing functions working
+SRC_URI:append:class-native = " \
+           file://python3-cryptography_hack_to_remove_legacy.patch \
+"
+
 inherit pypi python_setuptools3_rust
 
 DEPENDS += " \
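Review bot: The comment above `SRC_URI:append:class-native` says only that signing functions start working, not what the patch turns off. A reader of the recipe should see that native builds skip the check that the OpenSSL legacy provider loaded, while target builds keep the upstream assert. Something like `# class-native only: do not fail when the OpenSSL legacy provider cannot be loaded; legacy algorithms are then unavailable in native tools` would make that scope and consequence explicit.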
