Take the opportunity to move on from cryptodome

Cryptodome is redundant with cryptography, which we need anyway..

confluent_server/builddeb

@@ -36,9 +36,9 @@ shopt -s extglob
 cd deb_dist/!(*.orig)/
 if [ "$OPKGNAME" = "confluent-server" ]; then
     if grep noble /etc/os-release; then
-        sed -i 's/^\(Depends:.*\)/\1, confluent-client, python3-lxml, python3-eficompressor, python3-pycryptodome, python3-websocket, python3-msgpack, python3-aiohttp, python3-pyparsing, python3-asyncssh, python3-pysnmp-lextudio, python3-libarchive-c, confluent-vtbufferd, python3-netifaces, python3-yaml, python3-dateutil, python3-numpy, python3-pillow/' debian/control
+        sed -i 's/^\(Depends:.*\)/\1, confluent-client, python3-lxml, python3-eficompressor, python3-cryptography, python3-websocket, python3-msgpack, python3-aiohttp, python3-pyparsing, python3-asyncssh, python3-pysnmp-lextudio, python3-libarchive-c, confluent-vtbufferd, python3-netifaces, python3-yaml, python3-dateutil, python3-numpy, python3-pillow/' debian/control
     else
-        sed -i 's/^\(Depends:.*\)/\1, confluent-client, python3-lxml, python3-eficompressor, python3-pycryptodome, python3-websocket, python3-msgpack, python3-aiohttp, python3-pyparsing, python3-asyncssh, python3-pysnmp4, python3-libarchive-c, confluent-vtbufferd, python3-netifaces, python3-yaml, python3-dateutil, python3-crypt-r, python3-numpy, python3-pillow/' debian/control
+        sed -i 's/^\(Depends:.*\)/\1, confluent-client, python3-lxml, python3-eficompressor, python3-cryptography, python3-websocket, python3-msgpack, python3-aiohttp, python3-pyparsing, python3-asyncssh, python3-pysnmp4, python3-libarchive-c, confluent-vtbufferd, python3-netifaces, python3-yaml, python3-dateutil, python3-crypt-r, python3-numpy, python3-pillow/' debian/control
     fi
     echo 'confluent_client confluent-client' >> debian/pydist-overrides
 

confluent_server/confluent/auth.py

@@ -21,10 +21,7 @@
 
 import asyncio
 import confluent.config.configmanager as configmanager
-try:
-    import Cryptodome.Protocol.KDF as KDF
-except ImportError:
-    import Crypto.Protocol.KDF as KDF
+
 from concurrent.futures import ProcessPoolExecutor
 from fnmatch import fnmatch
 import hashlib
@@ -379,8 +376,9 @@ def pam_check(pwe, user, passphrase):
     return usergood
 
 def _apply_pbkdf(passphrase, salt):
-    return KDF.PBKDF2(passphrase, salt, 32, 10000,
-                      lambda p, s: hmac.new(p, s, hashlib.sha256).digest())
+    if not isinstance(passphrase, bytes):
+        passphrase = passphrase.encode('utf-8')
+    return hashlib.pbkdf2_hmac('sha256', passphrase, salt, 10000, dklen=32)
 
 
 def _clean_authworkers():

confluent_server/confluent/config/configmanager.py

@@ -42,16 +42,8 @@
 # by passphrase and optionally TPM
 
 #TODO:asyncmerge: compare and resolve more carefully
-try:
-    import Cryptodome.Protocol.KDF as KDF
-    from Cryptodome.Cipher import AES
-    from Cryptodome.Hash import HMAC
-    from Cryptodome.Hash import SHA256
-except ImportError:
-    import Crypto.Protocol.KDF as KDF
-    from Crypto.Cipher import AES
-    from Crypto.Hash import HMAC
-    from Crypto.Hash import SHA256
+from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+from cryptography.hazmat.backends import default_backend
 try:
     import anydbm as dbm
 except ModuleNotFoundError:
@@ -86,6 +78,7 @@ import errno
 import socket
 import fnmatch
 import hashlib
+import hmac as hmac_mod
 import json
 import msgpack
 import operator
@@ -205,10 +198,10 @@ def _derive_keys(password, salt):
     #implement our specific combination of pbkdf2 transforms to get at
     #key.  We bump the iterations up because we can afford to
     #TODO: WORKERPOOL PBKDF2 is expensive
-    tmpkey = KDF.PBKDF2(password, salt, 32, 50000,
-                        lambda p, s: HMAC.new(p, s, SHA256).digest())
-    finalkey = KDF.PBKDF2(tmpkey, salt, 32, 50000,
-                          lambda p, s: HMAC.new(p, s, SHA256).digest())
+    if not isinstance(password, bytes):
+        password = password.encode('utf-8')
+    tmpkey = hashlib.pbkdf2_hmac('sha256', password, salt, 50000, dklen=32)
+    finalkey = hashlib.pbkdf2_hmac('sha256', tmpkey, salt, 50000, dklen=32)
     return finalkey[:16], finalkey[16:]
 
 
@@ -503,13 +496,13 @@ def decrypt_value(cryptvalue,
         key = _masterkey
         integritykey = _masterintegritykey
     if len(cryptvalue) == 3:
-        check_hmac = HMAC.new(integritykey, cipherdata, SHA256).digest()
+        check_hmac = hmac_mod.new(integritykey, cipherdata, hashlib.sha256).digest()
         if hmac != check_hmac:
-            check_hmac = HMAC.new(integritykey, cipherdata + iv, SHA256).digest()
+            check_hmac = hmac_mod.new(integritykey, cipherdata + iv, hashlib.sha256).digest()
         if hmac != check_hmac:
             raise Exception("bad HMAC value on crypted value")
-        decrypter = AES.new(key, AES.MODE_CBC, iv)
-        value = decrypter.decrypt(cipherdata)
+        decrypter = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend()).decryptor()
+        value = decrypter.update(cipherdata) + decrypter.finalize()
         padsize = bytearray(value)[-1]
         pad = value[-padsize:]
         # Note that I cannot grasp what could be done with a subliminal
@@ -519,9 +512,8 @@ def decrypt_value(cryptvalue,
                 raise Exception("bad padding in encrypted value")
         return value[0:-padsize]
     else:
-        decrypter = AES.new(key, AES.MODE_GCM, nonce=iv)
-        value = decrypter.decrypt(cipherdata)
-        decrypter.verify(hmac)
+        decrypter = Cipher(algorithms.AES(key), modes.GCM(iv, hmac), backend=default_backend()).decryptor()
+        value = decrypter.update(cipherdata) + decrypter.finalize()
         return value
 
 
@@ -604,10 +596,11 @@ def crypt_value(value,
             init_masterkey()
         key = _masterkey
     iv = os.urandom(12)
-    crypter = AES.new(key, AES.MODE_GCM, nonce=iv)
+    crypter = Cipher(algorithms.AES(key), modes.GCM(iv), backend=default_backend()).encryptor()
     if not isinstance(value, bytes):
         value = value.encode('utf-8')
-    cryptval, hmac = crypter.encrypt_and_digest(value)
+    cryptval = crypter.update(value) + crypter.finalize()
+    hmac = crypter.tag
     return iv, cryptval, hmac, b'\x02'
 
 
@@ -1754,10 +1747,10 @@ class ConfigManager(object):
             if attribute == 'password':
                 salt = os.urandom(8)
                 #TODO: WORKERPOOL, offload password set to a worker
-                crypted = KDF.PBKDF2(
-                    attributemap[attribute], salt, 32, 10000,
-                    lambda p, s: HMAC.new(p, s, SHA256).digest()
-                )
+                pw = attributemap[attribute]
+                if not isinstance(pw, bytes):
+                    pw = pw.encode('utf-8')
+                crypted = hashlib.pbkdf2_hmac('sha256', pw, salt, 10000, dklen=32)
                 user['cryptpass'] = (salt, crypted)
             else:
                 user[attribute] = attributemap[attribute]

confluent_server/confluent_server.spec.tmpl

@@ -18,10 +18,10 @@ Prefix: %{_prefix}
 BuildArch: noarch
 Requires: confluent_vtbufferd
 %if "%{dist}" == ".el9"
-Requires: python3-asyncssh, python3-pycryptodomex >= 3.4.7, confluent_client == %{version}, python3-pyparsing, python3-webauthn, python3-netifaces, python3-pyasn1 >= 0.2.3, python3-pysnmp >= 4.3.4, python3-lxml, python3-eficompressor, python3-setuptools, python3-dateutil, python3-cffi, python3-pyOpenSSL python3-msgpack python3-libarchive-c python3-yaml python3-yarl python3-aiohttp openssl iproute
+Requires: python3-asyncssh, python3-cryptography, confluent_client == %{version}, python3-pyparsing, python3-webauthn, python3-netifaces, python3-pyasn1 >= 0.2.3, python3-pysnmp >= 4.3.4, python3-lxml, python3-eficompressor, python3-setuptools, python3-dateutil, python3-cffi, python3-pyOpenSSL python3-msgpack python3-libarchive-c python3-yaml python3-yarl python3-aiohttp openssl iproute
 %else
 %if "%{dist}" == ".el10"
-Requires: python3-asyncssh, python3-pycryptodomex >= 3.4.7, confluent_client == %{version}, python3-pyparsing, python3-webauthn python3-psutil, python3-pyasn1 >= 0.2.3, python3-pysnmp >= 4.3.4, python3-lxml,python3-setuptools, python3-dateutil, python3-cffi, python3-pyOpenSSL python3-msgpack python3-libarchive-c python3-yaml openssl iproute python3-yarl python3-aiohttp
+Requires: python3-asyncssh, python3-cryptography, confluent_client == %{version}, python3-pyparsing, python3-webauthn python3-psutil, python3-pyasn1 >= 0.2.3, python3-pysnmp >= 4.3.4, python3-lxml,python3-setuptools, python3-dateutil, python3-cffi, python3-pyOpenSSL python3-msgpack python3-libarchive-c python3-yaml openssl iproute python3-yarl python3-aiohttp
 %endif
 %endif