diff --git a/newsfragments/3998.minor b/newsfragments/3998.minor
new file mode 100644
index 000000000..e69de29bb
diff --git a/nix/pyopenssl.nix b/nix/pyopenssl.nix
new file mode 100644
index 000000000..b8966fad1
--- /dev/null
+++ b/nix/pyopenssl.nix
@@ -0,0 +1,10 @@
+{ pyopenssl, fetchPypi, isPyPy }:
+pyopenssl.overrideAttrs (old: rec {
+ pname = "pyOpenSSL";
+ version = "23.2.0";
+ name = "${pname}-${version}";
+ src = fetchPypi {
+ inherit pname version;
+ sha256 = "J2+TH1WkUufeppxxc+mE6ypEB85BPJGKo0tV+C+bi6w=";
+ };
+})
diff --git a/nix/python-overrides.nix b/nix/python-overrides.nix
index d1c995e66..0ed415691 100644
--- a/nix/python-overrides.nix
+++ b/nix/python-overrides.nix
@@ -30,6 +30,16 @@ in {
 inherit (super) txtorcon;
 };
+ # Update the version of pyopenssl.
+ pyopenssl = self.callPackage ./pyopenssl.nix {
+ pyopenssl =
+ # Building the docs requires sphinx which brings in a dependency on babel,
+ # the test suite of which fails.
+ onPyPy (dontBuildDocs { sphinx-rtd-theme = null; })
+ # Avoid infinite recursion.
+ super.pyopenssl;
+ };
+
 # collections-extended is currently broken for Python 3.11 in nixpkgs but
 # we know where a working version lives.
 collections-extended = self.callPackage ./collections-extended.nix {
@@ -63,10 +73,6 @@ in {
 # a5f8184fb816a4fd5ae87136838c9981e0d22c67.
 six = onPyPy dontCheck super.six;
- # Building the docs requires sphinx which brings in a dependency on babel,
- # the test suite of which fails.
- pyopenssl = onPyPy (dontBuildDocs { sphinx-rtd-theme = null; }) super.pyopenssl;
-
 # Likewise for beautifulsoup4.
 beautifulsoup4 = onPyPy (dontBuildDocs {}) super.beautifulsoup4;
diff --git a/setup.py b/setup.py
index ec4936645..7ca2650d5 100644
--- a/setup.py
+++ b/setup.py
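Review bot: `isPyPy` is taken in the argument set on the first line of nix/pyopenssl.nix but never referenced in the body, so the header can be trimmed to `{ pyopenssl, fetchPypi }:`. Note also that this `overrideAttrs` replaces only `pname`/`version`/`src`; whatever cryptography nixpkgs' `pyopenssl` propagates is inherited unchanged, and pyOpenSSL 23.2.0 declares its own cryptography range, so the pin only builds if that inherited version happens to fall inside it — presumably true today, but worth recording with a comment such as `# Only src/version are overridden; cryptography still comes from nixpkgs' pyopenssl and must satisfy 23.2.0's requirement.`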
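Review bot: The comment `# Update the version of pyopenssl.` on the new override in nix/python-overrides.nix says neither which version nor why, and the reason is spread across this commit: setup.py adds `"pyOpenSSL >= 23.2.0"` and storage/http_client.py starts using `SSL.X509VerificationCodes`, so the nix pin has to move in step with that floor. Suggest `# Pin pyopenssl to the version in ./pyopenssl.nix; keep it in sync with the "pyOpenSSL >= 23.2.0" floor in setup.py (needed for SSL.X509VerificationCodes in storage/http_client.py).` The second hunk of this file only removes the old override and raises nothing.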
@@ -63,11 +63,10 @@ install_requires = [
 # Twisted[conch] also depends on cryptography and Twisted[tls]
 # transitively depends on cryptography. So it's anyone's guess what
 # version of cryptography will *really* be installed.
+ "cryptography >= 2.6",
- # * cryptography 40 broke constants we need; should really be using them
- # * via pyOpenSSL; will be fixed in
- # * https://github.com/pyca/pyopenssl/issues/1201
- "cryptography >= 2.6, < 40",
+ # * Used for custom HTTPS validation
+ "pyOpenSSL >= 23.2.0",
 # * The SFTP frontend depends on Twisted 11.0.0 to fix the SSH server
 # rekeying bug
diff --git a/src/allmydata/storage/http_client.py b/src/allmydata/storage/http_client.py
index 670d84be3..658d3e828 100644
--- a/src/allmydata/storage/http_client.py
+++ b/src/allmydata/storage/http_client.py
@@ -47,7 +47,6 @@ import treq
 from treq.client import HTTPClient
 from treq.testing import StubTreq
 from OpenSSL import SSL
-from cryptography.hazmat.bindings.openssl.binding import Binding
 from werkzeug.http import parse_content_range_header
 from .http_common import (
@@ -61,8 +60,6 @@ from .common import si_b2a, si_to_human_readable
 from ..util.hashutil import timing_safe_compare
 from ..util.deferredutil import async_to_deferred
-_OPENSSL = Binding().lib
-
 def _encode_si(si): # type: (bytes) -> str
 """Encode the storage index into Unicode string."""
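Review bot: The surviving `"cryptography >= 2.6"` floor in setup.py is now nominal, because the new `"pyOpenSSL >= 23.2.0"` carries its own (much newer) cryptography requirement that the resolver will enforce, yet the three comment lines above it still read as though 2.6 were the effective minimum. The added `# * Used for custom HTTPS validation` also under-describes why the floor is 23.2.0: what the code needs is `SSL.X509VerificationCodes`, used by the certificate-verification callback in src/allmydata/storage/http_client.py, and that is what made the old `< 40` cap on cryptography removable. Suggest replacing that comment with `# * >= 23.2.0 for SSL.X509VerificationCodes, used by the certificate check in` / `# * storage/http_client.py; it also constrains the cryptography version above.`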
@@ -257,11 +254,11 @@ class _TLSContextFactory(CertificateOptions):
 # not the usual TLS concerns about invalid CAs or revoked
 # certificates.
 things_are_ok = (
- _OPENSSL.X509_V_OK,
- _OPENSSL.X509_V_ERR_CERT_NOT_YET_VALID,
- _OPENSSL.X509_V_ERR_CERT_HAS_EXPIRED,
- _OPENSSL.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
- _OPENSSL.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN,
+ SSL.X509VerificationCodes.OK,
+ SSL.X509VerificationCodes.ERR_CERT_NOT_YET_VALID,
+ SSL.X509VerificationCodes.ERR_CERT_HAS_EXPIRED,
+ SSL.X509VerificationCodes.ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
+ SSL.X509VerificationCodes.ERR_SELF_SIGNED_CERT_IN_CHAIN,
 )
 # TODO can we do this once instead of multiple times?
 if errno in things_are_ok and timing_safe_compare(
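Review bot: `things_are_ok` is still rebuilt on every verification callback, and the context line `# TODO can we do this once instead of multiple times?` now has a straightforward answer: `SSL.X509VerificationCodes` is an ordinary import-time attribute (the removed `_OPENSSL = Binding().lib` indirection was the earlier obstacle), so the tuple can become a module-level `frozenset` and the TODO can go. That also puts the accepted-error policy in one named, documented place, which matters because this set is exactly what lets a self-signed or expired certificate reach the `timing_safe_compare` step instead of being rejected outright. It assumes, as the existing tuple-membership test already does, that the enum members compare equal to the raw int `errno` the callback receives. The enclosing method starts and ends outside the hunk.
```python
# Verification failures tolerated here: the peer certificate is checked by
# the timing_safe_compare below, so CA trust and validity-period problems are
# not the concern.  Any other code fails the `and` before that comparison.
_ACCEPTABLE_VERIFY_CODES = frozenset((
    SSL.X509VerificationCodes.OK,
    SSL.X509VerificationCodes.ERR_CERT_NOT_YET_VALID,
    SSL.X509VerificationCodes.ERR_CERT_HAS_EXPIRED,
    SSL.X509VerificationCodes.ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
    SSL.X509VerificationCodes.ERR_SELF_SIGNED_CERT_IN_CHAIN,
))
# … unchanged: class _TLSContextFactory and the callback body up to the check …
            if errno in _ACCEPTABLE_VERIFY_CODES and timing_safe_compare(
```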