The python3-cryptography-native builds succeed but are functionally broken
on an Ubuntu 18.04 build host since the update from 3.3.2 in
meta-openembedded/meta-python. If a recipe DEPENDS on
python3-cryptography-native for signing use cases, loading
the Python modules fails:

$ python3 -c  "from OpenSSL import crypto"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/__init__.py",
 line 8, in <module>
    from OpenSSL import crypto, SSL
  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/crypto.py",
 line 11, in <module>
    from OpenSSL._util import (
  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/_util.py",
 line 5, in <module>
    from cryptography.hazmat.bindings.openssl.binding import Binding
  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py",
 line 228, in <module>
    Binding.init_static_locks()
  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py",
 line 188, in init_static_locks
    cls._ensure_ffi_initialized()
  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py",
 line 176, in _ensure_ffi_initialized
    _openssl_assert(
  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py",
 line 90, in _openssl_assert
    raise InternalError(
cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is 
commonly encountered when another library is not cleaning up the OpenSSL error 
stack. If you are using cryptography with another library that uses OpenSSL try 
disabling it before reporting a bug. Otherwise please file an issue at 
https://github.com/pyca/cryptography/issues with information on how to 
reproduce this. ([_OpenSSLErrorWithText(code=310378599, lib=37, reason=103, 
reason_text=b'error:12800067:DSO support routines::could not load the shared 
library'), _OpenSSLErrorWithText(code=310378599, lib=37, reason=103, 
reason_text=b'error:12800067:DSO support routines::could not load the shared 
library'), _OpenSSLErrorWithText(code=126615813, lib=15, reason=786693, 
reason_text=b'error:078C0105:common libcrypto routines::init fail')])

This hacky patch enables enough functionality in
python3-cryptography-native to work so that basic secure boot
signing use cases work again.

Signed-off-by: Mikko Rapeli <[email protected]>
---
 ...3-cryptography_hack_to_remove_legacy.patch | 54 +++++++++++++++++++
 .../python/python3-cryptography_37.0.4.bb     |  5 ++
 2 files changed, 59 insertions(+)
 create mode 100644 
meta/recipes-devtools/python/python3-cryptography/python3-cryptography_hack_to_remove_legacy.patch

diff --git 
a/meta/recipes-devtools/python/python3-cryptography/python3-cryptography_hack_to_remove_legacy.patch
 
b/meta/recipes-devtools/python/python3-cryptography/python3-cryptography_hack_to_remove_legacy.patch
new file mode 100644
index 0000000000..74b1cff248
--- /dev/null
+++ 
b/meta/recipes-devtools/python/python3-cryptography/python3-cryptography_hack_to_remove_legacy.patch
@@ -0,0 +1,54 @@
+python3-cryptography: ignore broken legacy providers
+
+These are broken on python3-cryptography-native builds
+since update from python3-cryptography 3.3.2 in meta-openembedded/meta-python
+to the new rust based versions 35 and newer.
+
+Test case on Ubuntu 18.04 build host, a recipe which needs
+python3-cryptography-native for e.g. signing secure boot binaries:
+
+# python3 -c  "from OpenSSL import crypto"
+Traceback (most recent call last):
+  File "<string>", line 1, in <module>
+  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/__init__.py",
 line 8, in <module>
+    from OpenSSL import crypto, SSL
+  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/crypto.py",
 line 11, in <module>
+    from OpenSSL._util import (
+  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/OpenSSL/_util.py",
 line 5, in <module>
+    from cryptography.hazmat.bindings.openssl.binding import Binding
+  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py",
 line 228, in <module>
+    Binding.init_static_locks()
+  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py",
 line 188, in init_static_locks
+    cls._ensure_ffi_initialized()
+  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py",
 line 176, in _ensure_ffi_initialized
+    _openssl_assert(
+  File 
"/home/builder/poky/build_kirkstone/tmp/work/core2-64-poky-linux/busybox/1.35.0-r0/recipe-sysroot-native/usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/binding.py",
 line 90, in _openssl_assert
+    raise InternalError(
+cryptography.exceptions.InternalError: Unknown OpenSSL error. This error is 
commonly encountered when another library is not cleaning up the OpenSSL error 
stack. If you are using cryptography with another library that uses OpenSSL try 
disabling it before reporting a bug. Otherwise please file an issue at 
https://github.com/pyca/cryptography/issues with information on how to 
reproduce this. ([_OpenSSLErrorWithText(code=310378599, lib=37, reason=103, 
reason_text=b'error:12800067:DSO support routines::could not load the shared 
library'), _OpenSSLErrorWithText(code=310378599, lib=37, reason=103, 
reason_text=b'error:12800067:DSO support routines::could not load the shared 
library'), _OpenSSLErrorWithText(code=126615813, lib=15, reason=786693, 
reason_text=b'error:078C0105:common libcrypto routines::init fail')])
+
+With this hacky patch, the needed signing functions of
+python3-cryptography-native still work.
+
+Upstream-Status: Inappropriate
+
+Signed-off-by: Mikko Rapeli <[email protected]>
+
+diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py 
b/src/cryptography/hazmat/bindings/openssl/binding.py
+index a6fbc94..fffb669 100644
+--- a/src/cryptography/hazmat/bindings/openssl/binding.py
++++ b/src/cryptography/hazmat/bindings/openssl/binding.py
+@@ -173,9 +173,11 @@ class Binding:
+                     cls._legacy_provider = cls.lib.OSSL_PROVIDER_load(
+                         cls.ffi.NULL, b"legacy"
+                     )
+-                    _openssl_assert(
+-                        cls.lib, cls._legacy_provider != cls.ffi.NULL
+-                    )
++                    # HACK: for some reason this check is failing on native
++                    # but maybe it doesn't harm to break old, broken ciphers
++                    #_openssl_assert(
++                    #    cls.lib, cls._legacy_provider != cls.ffi.NULL
++                    #)
+                     cls._default_provider = cls.lib.OSSL_PROVIDER_load(
+                         cls.ffi.NULL, b"default"
+                     )
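Review bot: With the `_openssl_assert` commented out, a failed `OSSL_PROVIDER_load(cls.ffi.NULL, b"legacy")` leaves `cls._legacy_provider` as NULL and, presumably, leaves its entries on the OpenSSL error queue (the `DSO support routines::could not load the shared library` errors in the traceback), where a later unrelated call may report them as its own failure. Instead of keeping dead commented-out code, handle the failure explicitly, for example `if cls._legacy_provider == cls.ffi.NULL: cls.lib.ERR_clear_error()`. The HACK comment says "for some reason", but the traceback already gives the reason: the legacy provider module could not be loaded. The comment should record that, and also that legacy algorithms are unavailable as a result, so anyone relying on this build for secure boot signing knows what was traded away. `Upstream-Status: Inappropriate` conventionally carries a bracketed reason, and the enclosing `_ensure_ffi_initialized` starts and ends outside this hunk.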
diff --git a/meta/recipes-devtools/python/python3-cryptography_37.0.4.bb 
b/meta/recipes-devtools/python/python3-cryptography_37.0.4.bb
index c91a8c7771..116871cd0b 100644
--- a/meta/recipes-devtools/python/python3-cryptography_37.0.4.bb
+++ b/meta/recipes-devtools/python/python3-cryptography_37.0.4.bb
@@ -63,6 +63,11 @@ SRC_URI += "file://run-ptest \
            crate://crates.io/winapi/0.3.9 \
            "
 
+# workaround for native builds to get some of the signing functions working
+SRC_URI:append:class-native = " \
+           file://python3-cryptography_hack_to_remove_legacy.patch \
+"
+
 inherit pypi python_setuptools3_rust
 
 DEPENDS += " \
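Review bot: The comment above `SRC_URI:append:class-native` says only that signing functions work again, not what the patch gives up. Since the patch disables the check that the OpenSSL legacy provider loaded, say so at the point of use, e.g. `# native only: skip the OpenSSL legacy-provider load check (fails on Ubuntu 18.04 build hosts); legacy algorithms are then unavailable to native tools`. That makes the trade-off visible to anyone auditing the signing toolchain without opening the patch file.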
-- 
2.17.1
