@@ -19,3 +19,6 @@ LAYERDEPENDS_meta-arm-bsp:append:musca-s1 = " meta-python"
# Additional license directories.
LICENSE_PATH += "${LAYERDIR}/custom-licenses"
+
+# Delete this when our downgrade of python3-cryptography is removed
+BBMASK += "meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb"
new file mode 100644
@@ -0,0 +1,10 @@
+--- a/tests/hypothesis/__init__.py
++++ b/tests/hypothesis/__init__.py
+@@ -3,3 +3,7 @@
+ # for complete details.
+
+ from __future__ import absolute_import, division, print_function
++
++import pytest
++hypothesis = pytest.importorskip("hypothesis")
++
new file mode 100644
@@ -0,0 +1,62 @@
+Encourage our old python3-cryptography to at least start to work with OpenSSL 3.
+
+- Backport one patch to err.py to remove a symbol which has been removed in
+ OpenSSL 3, and isn't used in python3-cryptography.
+ (50ec692749b7e2e62685b443f5e629627b03987e)
+
+- Backport the detection of OpenSSL 3 and don't link to FIPS_mode/FIPS_mode_set
+ (parts of f08a7de651f9e6475c8c0a67d2a61ed8b669ddf6)
+
+This is *not* a complete backport of the 3.0 support, but is enough that packages
+such as imgtool can import python3-cryptography and operate until the upgrade is
+ready.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
+index f24bee5a..920a86de 100644
+--- a/src/_cffi_src/openssl/cryptography.py
++++ b/src/_cffi_src/openssl/cryptography.py
+@@ -35,6 +35,8 @@ INCLUDES = """
+
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
++#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \
++ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+ (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
+@@ -54,6 +56,7 @@ INCLUDES = """
+
+ TYPES = """
+ static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
++static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
+
+ static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111;
+ static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
+diff --git a/src/_cffi_src/openssl/err.py b/src/_cffi_src/openssl/err.py
+index 0dd74146..42bab4d9 100644
+--- a/src/_cffi_src/openssl/err.py
++++ b/src/_cffi_src/openssl/err.py
+@@ -40,7 +40,6 @@ void ERR_clear_error(void);
+ void ERR_put_error(int, int, int, const char *, int);
+
+ int ERR_GET_LIB(unsigned long);
+-int ERR_GET_FUNC(unsigned long);
+ int ERR_GET_REASON(unsigned long);
+
+ """
+diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py
+index c92bca49..38bfa231 100644
+--- a/src/_cffi_src/openssl/fips.py
++++ b/src/_cffi_src/openssl/fips.py
+@@ -18,7 +18,7 @@ int FIPS_mode(void);
+ """
+
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
++#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+ static const long Cryptography_HAS_FIPS = 0;
+ int (*FIPS_mode_set)(int) = NULL;
+ int (*FIPS_mode)(void) = NULL;
new file mode 100644
@@ -0,0 +1,2 @@
+#!/bin/sh
+py.test
new file mode 100644
@@ -0,0 +1,68 @@
+SUMMARY = "Provides cryptographic recipes and primitives to python developers"
+HOMEPAGE = "https://cryptography.io/"
+SECTION = "devel/python"
+LICENSE = "Apache-2.0 | BSD-3-Clause"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=bf405a8056a6647e7d077b0e7bc36aba \
+ file://LICENSE.APACHE;md5=4e168cce331e5c827d4c2b68a6200e1b \
+ file://LICENSE.BSD;md5=5ae30ba4123bc4f2fa49aa0b0dce887b"
+
+LDSHARED += "-pthread"
+
+SRC_URI[sha256sum] = "5a60d3780149e13b7a6ff7ad6526b38846354d11a15e21068e57073e29e19bed"
+
+SRC_URI += " \
+ file://run-ptest \
+ file://h-test.patch \
+ file://openssl3.patch \
+"
+
+inherit pypi setuptools3
+
+DEPENDS += " \
+ ${PYTHON_PN}-cffi \
+ ${PYTHON_PN}-cffi-native \
+ ${PYTHON_PN}-asn1crypto \
+ ${PYTHON_PN}-six \
+"
+
+RDEPENDS:${PN} += " \
+ ${PYTHON_PN}-cffi \
+ ${PYTHON_PN}-idna \
+ ${PYTHON_PN}-asn1crypto \
+ ${PYTHON_PN}-setuptools \
+ ${PYTHON_PN}-six \
+"
+
+RDEPENDS:${PN}:class-target += " \
+ ${PYTHON_PN}-cffi \
+ ${PYTHON_PN}-idna \
+ ${PYTHON_PN}-numbers \
+ ${PYTHON_PN}-asn1crypto \
+ ${PYTHON_PN}-setuptools \
+ ${PYTHON_PN}-six \
+ ${PYTHON_PN}-threading \
+"
+
+RDEPENDS:${PN}-ptest += " \
+ ${PN} \
+ ${PYTHON_PN}-cryptography-vectors \
+ ${PYTHON_PN}-iso8601 \
+ ${PYTHON_PN}-pretend \
+ ${PYTHON_PN}-pytest \
+ ${PYTHON_PN}-pytz \
+"
+
+inherit ptest
+
+do_install_ptest() {
+ install -d ${D}${PTEST_PATH}/tests
+ cp -rf ${S}/tests/* ${D}${PTEST_PATH}/tests/
+ install -d ${D}${PTEST_PATH}/tests/hazmat
+ cp -rf ${S}/tests/hazmat/* ${D}${PTEST_PATH}/tests/hazmat/
+}
+
+FILES:${PN}-dbg += " \
+ ${libdir}/${PYTHON_PN}2.7/site-packages/${SRCNAME}/hazmat/bindings/.debug \
+"
+
+BBCLASSEXTEND = "native nativesdk"
meta-python has upgraded to python3-cryptography 36, which has a problem when used in native recipes: cryptography.exceptions.InternalError: Unknown OpenSSL error This causes all builds of TF-M to fail. Until this error is fixed, add the old version of python3-cryptography. A BBMASK is set so that it has to be explicitly opted-in, as it DEPENDS on recipes from meta-python which isn't a hard dependency for meta-arm. Signed-off-by: Ross Burton <ross.burton@arm.com> --- meta-arm-bsp/conf/layer.conf | 3 + .../python/python3-cryptography/h-test.patch | 10 +++ .../python3-cryptography/openssl3.patch | 62 +++++++++++++++++ .../python/python3-cryptography/run-ptest | 2 + .../python/python3-cryptography_3.3.2.bb | 68 +++++++++++++++++++ 5 files changed, 145 insertions(+) create mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography/h-test.patch create mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography/openssl3.patch create mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography/run-ptest create mode 100644 meta-arm-bsp/recipes-devtools/python/python3-cryptography_3.3.2.bb