From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: openembedded-core@lists.openembedded.org
Cc: Mikko Rapeli <mikko.rapeli@linaro.org>
Subject: [PATCH] python3-cryptography: workaround broken native functionality
Date: Tue, 13 Sep 2022 12:34:52 +0300 [thread overview]
Message-ID: <20220913093452.47839-1-mikko.rapeli@linaro.org> (raw)
The python3-cryptography-native builds work but are functionally broken
on Ubuntu 18.04 build host since the update from 3.3.2 in
meta-openembedded/meta-python. If recipe needs and DEPENDS on
python3-cryptography-native for signing use cases, loading
the python modules fails:
$ python3 -c "from OpenSSL import crypto"
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import crypto, SSL
File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/crypto.py", line 11, in <module>
from OpenSSL._util import (
File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/_util.py", line 5, in <module>
from cryptography.hazmat.bindings.openssl.binding import Binding
File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 228, in <module>
Binding.init_static_locks()
File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 188, in init_static_locks
cls._ensure_ffi_initialized()
File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 176, in _ensure_ffi_initialized
_openssl_assert(
File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 90, in _openssl_assert
raise InternalError(
cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=310378599, lib=37, reason=103, reason_text=b'error:12800067:DSO support routines::could not load the shared library'), _OpenSSLErrorWithText(code=310378599, lib=37, reason=103, reason_text=b'error:12800067:DSO support routines::could not load the shared library'), _OpenSSLErrorWithText(code=126615813, lib=15, reason=786693, reason_text=b'error:078C0105:common libcrypto routines::init fail')])
This hacky patch enables enough functionality in
python3-cryptography-native to work so that basic secure boot
signing use cases work again.
Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
...3-cryptography_hack_to_remove_legacy.patch | 54 +++++++++++++++++++
.../python/python3-cryptography_37.0.4.bb | 5 ++
2 files changed, 59 insertions(+)
create mode 100644 meta/recipes-devtools/python/python3-cryptography/python3-cryptography_hack_to_remove_legacy.patch
diff --git a/meta/recipes-devtools/python/python3-cryptography/python3-cryptography_hack_to_remove_legacy.patch b/meta/recipes-devtools/python/python3-cryptography/python3-cryptography_hack_to_remove_legacy.patch
new file mode 100644
index 0000000000..74b1cff248
--- /dev/null
+++ b/meta/recipes-devtools/python/python3-cryptography/python3-cryptography_hack_to_remove_legacy.patch
@@ -0,0 +1,54 @@
+python3-cryptography: ignore broken legacy providers
+
+These are broken on python3-cryptography-native builds
+since update from python3-cryptography 3.3.2 in meta-openembedded/meta-python
+to the new rust based versions 35 and newer.
+
+Test case on Ubuntu 18.04 build host, a recipe which needs
+python3-cryptography-native for e.g. signing secure boot binaries:
+
+# python3 -c "from OpenSSL import crypto"
+Traceback (most recent call last):
+ File "<string>", line 1, in <module>
+ File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/__init__.py", line 8, in <module>
+ from OpenSSL import crypto, SSL
+ File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/crypto.py", line 11, in <module>
+ from OpenSSL._util import (
+ File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/_util.py", line 5, in <module>
+ from cryptography.hazmat.bindings.openssl.binding import Binding
+ File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 228, in <module>
+ Binding.init_static_locks()
+ File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 188, in init_static_locks
+ cls._ensure_ffi_initialized()
+ File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 176, in _ensure_ffi_initialized
+ _openssl_assert(
+ File "/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 90, in _openssl_assert
+ raise InternalError(
+cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=310378599, lib=37, reason=103, reason_text=b'error:12800067:DSO support routines::could not load the shared library'), _OpenSSLErrorWithText(code=310378599, lib=37, reason=103, reason_text=b'error:12800067:DSO support routines::could not load the shared library'), _OpenSSLErrorWithText(code=126615813, lib=15, reason=786693, reason_text=b'error:078C0105:common libcrypto routines::init fail')])
+
+With this hacky patch, the needed signing functions of
+python3-cryptography-native still work.
+
+Upstream-Status: Inappropriate
+
+Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
+
+diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
+index a6fbc94..fffb669 100644
+--- a/src/cryptography/hazmat/bindings/openssl/binding.py
++++ b/src/cryptography/hazmat/bindings/openssl/binding.py
+@@ -173,9 +173,11 @@ class Binding:
+ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load(
+ cls.ffi.NULL, b"legacy"
+ )
+- _openssl_assert(
+- cls.lib, cls._legacy_provider != cls.ffi.NULL
+- )
++ # HACK: for some reason this check is failing on native
++ # but maybe it doesn't harm to break old, broken ciphers
++ #_openssl_assert(
++ # cls.lib, cls._legacy_provider != cls.ffi.NULL
++ #)
+ cls._default_provider = cls.lib.OSSL_PROVIDER_load(
+ cls.ffi.NULL, b"default"
+ )
diff --git a/meta/recipes-devtools/python/python3-cryptography_37.0.4.bb b/meta/recipes-devtools/python/python3-cryptography_37.0.4.bb
index c91a8c7771..116871cd0b 100644
--- a/meta/recipes-devtools/python/python3-cryptography_37.0.4.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_37.0.4.bb
@@ -63,6 +63,11 @@ SRC_URI += "file://run-ptest \
crate://crates.io/winapi/0.3.9 \
"
+# workaround for native builds to get some of the signing functions working
+SRC_URI:append:class-native = " \
+ file://python3-cryptography_hack_to_remove_legacy.patch \
+"
+
inherit pypi python_setuptools3_rust
DEPENDS += " \
--
2.17.1
next reply other threads:[~2022-09-13 9:35 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-13 9:34 Mikko Rapeli [this message]
2022-09-13 10:01 ` [OE-core] [PATCH] python3-cryptography: workaround broken native functionality Richard Purdie
2022-09-13 10:29 ` Mikko Rapeli
2022-09-13 10:34 ` Richard Purdie
2022-09-13 11:13 ` Mikko Rapeli
2022-09-13 12:24 ` Richard Purdie
2022-09-14 8:09 ` Mikko Rapeli
2022-09-14 8:19 ` Alexander Kanavin
2022-09-14 8:43 ` Mikko Rapeli
2022-09-14 8:45 ` Alexander Kanavin
2022-09-14 8:51 ` Mikko Rapeli
2022-09-14 8:52 ` Alexander Kanavin
2022-09-14 8:58 ` Richard Purdie
2022-09-15 11:17 ` Ross Burton
2022-09-15 11:26 ` Mikko Rapeli
2022-09-15 11:36 ` Martin Jansa
2022-09-20 10:20 ` Mikko Rapeli
2022-09-20 11:35 ` Richard Purdie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220913093452.47839-1-mikko.rapeli@linaro.org \
--to=mikko.rapeli@linaro.org \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox