# ------------------------------------------------------------------
|
# Copyright (c) 2020 PyInstaller Development Team.
|
#
|
# This file is distributed under the terms of the GNU General Public
|
# License (version 2.0 or later).
|
#
|
# The full license is available in LICENSE, distributed with
|
# this software.
|
#
|
# SPDX-License-Identifier: GPL-2.0-or-later
|
# ------------------------------------------------------------------
|
"""
|
Hook for cryptography module from the Python Cryptography Authority.
|
"""
|
|
import os
|
import glob
|
import pathlib
|
|
from PyInstaller import compat
|
from PyInstaller import isolated
|
from PyInstaller.utils.hooks import (
|
collect_submodules,
|
copy_metadata,
|
get_module_file_attribute,
|
is_module_satisfies,
|
logger,
|
)
|
|
# get the package data so we can load the backends
|
datas = copy_metadata('cryptography')
|
|
# Add the backends as hidden imports
|
hiddenimports = collect_submodules('cryptography.hazmat.backends')
|
|
# Add the OpenSSL FFI binding modules as hidden imports
|
hiddenimports += collect_submodules('cryptography.hazmat.bindings.openssl') + ['_cffi_backend']
|
|
|
# Include the cffi extensions as binaries in a subfolder named like the package.
|
# The cffi verifier expects to find them inside the package directory for
|
# the main module. We cannot use hiddenimports because that would add the modules
|
# outside the package.
|
# NOTE: this is not true anymore with PyInstaller >= 6.0, but we keep it like this for compatibility with 5.x series.
|
binaries = []
|
cryptography_dir = os.path.dirname(get_module_file_attribute('cryptography'))
|
for ext in compat.EXTENSION_SUFFIXES:
|
ffimods = glob.glob(os.path.join(cryptography_dir, '*_cffi_*%s*' % ext))
|
for f in ffimods:
|
binaries.append((f, 'cryptography'))
|
|
|
# Check if `cryptography` is dynamically linked against OpenSSL >= 3.0.0. In that case, we might need to collect
|
# external OpenSSL modules, if OpenSSL was built with modules support. It seems the best indication of this is the
|
# presence of `ossl-modules` directory next to the OpenSSL shared library.
|
#
|
# NOTE: PyPI wheels ship with extensions statically linked against OpenSSL, so this is mostly catering alternative
|
# installation methods (Anaconda on all OSes, Homebrew on macOS, various linux distributions).
|
try:
|
@isolated.decorate
|
def _check_cryptography_openssl3():
|
# Check if OpenSSL 3 is used.
|
from cryptography.hazmat.backends.openssl.backend import backend
|
openssl_version = backend.openssl_version_number()
|
if openssl_version < 0x30000000:
|
return False, None
|
|
# Obtain path to the bindings module for binary dependency analysis. Under older versions of cryptography,
|
# this was a separate `_openssl` module; in contemporary versions, it is `_rust` module.
|
try:
|
import cryptography.hazmat.bindings._openssl as bindings_module
|
except ImportError:
|
import cryptography.hazmat.bindings._rust as bindings_module
|
|
return True, str(bindings_module.__file__)
|
|
uses_openssl3, bindings_module = _check_cryptography_openssl3()
|
except Exception:
|
logger.warning(
|
"hook-cryptography: failed to determine whether cryptography is using OpenSSL >= 3.0.0", exc_info=True
|
)
|
uses_openssl3, bindings_module = False, None
|
|
if uses_openssl3:
|
# Determine location of OpenSSL shared library, provided that extension module is dynamically linked against it.
|
# This requires the new PyInstaller.bindepend API from PyInstaller >= 6.0.
|
openssl_lib = None
|
if is_module_satisfies("PyInstaller >= 6.0"):
|
from PyInstaller.depend import bindepend
|
|
if compat.is_win:
|
SSL_LIB_NAME = 'libssl-3-x64.dll' if compat.is_64bits else 'libssl-3.dll'
|
elif compat.is_darwin:
|
SSL_LIB_NAME = 'libssl.3.dylib'
|
else:
|
SSL_LIB_NAME = 'libssl.so.3'
|
|
linked_libs = bindepend.get_imports(bindings_module)
|
openssl_lib = [
|
# Compare the basename of lib_name, because lib_fullpath is None if we fail to resolve the library.
|
lib_fullpath for lib_name, lib_fullpath in linked_libs if os.path.basename(lib_name) == SSL_LIB_NAME
|
]
|
openssl_lib = openssl_lib[0] if openssl_lib else None
|
else:
|
logger.warning(
|
"hook-cryptography: full support for cryptography + OpenSSL >= 3.0.0 requires PyInstaller >= 6.0"
|
)
|
|
# Check for presence of ossl-modules directory next to the OpenSSL shared library.
|
if openssl_lib:
|
logger.info("hook-cryptography: cryptography uses dynamically-linked OpenSSL: %r", openssl_lib)
|
|
openssl_lib_dir = pathlib.Path(openssl_lib).parent
|
|
# Collect whole ossl-modules directory, if it exists.
|
ossl_modules_dir = openssl_lib_dir / 'ossl-modules'
|
|
# Msys2/MinGW installations on Windows put the shared library into `bin` directory, but the modules are
|
# located in `lib` directory. Account for that possibility.
|
if not ossl_modules_dir.is_dir() and openssl_lib_dir.name == 'bin':
|
ossl_modules_dir = openssl_lib_dir.parent / 'lib' / 'ossl-modules'
|
|
# On Alpine linux, the true location of shared library is /lib directory, but the modules' directory is located
|
# in /usr/lib instead. Account for that possibility.
|
if not ossl_modules_dir.is_dir() and openssl_lib_dir == pathlib.Path('/lib'):
|
ossl_modules_dir = pathlib.Path('/usr/lib/ossl-modules')
|
|
if ossl_modules_dir.is_dir():
|
logger.debug("hook-cryptography: collecting OpenSSL modules directory: %r", str(ossl_modules_dir))
|
binaries.append((str(ossl_modules_dir), 'ossl-modules'))
|
else:
|
logger.info("hook-cryptography: cryptography does not seem to be using dynamically linked OpenSSL.")
|
