F107958477
D32281.diff
No One
Temporary
Size
11 KB
Referenced Files
None
Subscribers
None
D32281.diff
diff --git a/security/py-cryptography/Makefile b/security/py-cryptography/Makefile
--- a/security/py-cryptography/Makefile
+++ b/security/py-cryptography/Makefile
@@ -35,20 +35,6 @@
.include <bsd.port.pre.mk>
-# OpenSSL 1.0.2t got some curve matching parameter code backported before it
-# has reached its End-of-Life and security/py-cryptography already had some
-# code to handle this case, but it assumed OpenSSL 1.1.0+ .
-#
-# This has been fixed in 3.0-23-g241f8450 of security/py-cryptography and to be
-# clear: It isn't a security fix but rather a workaround to handle unnamed but
-# really named curves with OpenSSL 1.0.2t/u .
-
-# We need to keep old py-cryptography and py-openssl for 11.x release
-# due to outdated OpenSSL version in base
-
-# Apply LibreSSL upstream patch that conflicts with above patch for 2.9.2
-EXTRA_PATCHES= ${PATCHDIR}/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988
-
.if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42
post-patch:
@${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' \
diff --git a/security/py-cryptography/distinfo b/security/py-cryptography/distinfo
--- a/security/py-cryptography/distinfo
+++ b/security/py-cryptography/distinfo
@@ -1,5 +1,3 @@
TIMESTAMP = 1614253508
-SHA256 (cryptography-2.9.2.tar.gz) = a0c30272fb4ddda5f5ffc1089d7405b7a71b0b0f51993cb4e5dbb4590b2fc229
-SIZE (cryptography-2.9.2.tar.gz) = 517571
SHA256 (cryptography-3.3.2.tar.gz) = 5a60d3780149e13b7a6ff7ad6526b38846354d11a15e21068e57073e29e19bed
SIZE (cryptography-3.3.2.tar.gz) = 539883
diff --git a/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py b/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py
deleted file mode 100644
--- a/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py
+++ /dev/null
@@ -1,26 +0,0 @@
-Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
-
-PR #5362
-
-Obtained from:
-https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
-
---- src/_cffi_src/openssl/cryptography.py.orig 2020-04-22 22:27:48 UTC
-+++ src/_cffi_src/openssl/cryptography.py
-@@ -47,6 +47,8 @@ INCLUDES = """
- (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL)
- #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
- (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
-+#define CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER \
-+ (OPENSSL_VERSION_NUMBER >= 0x1000215fL && !CRYPTOGRAPHY_IS_LIBRESSL)
- #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
- (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
- #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
-@@ -68,6 +70,7 @@ INCLUDES = """
-
- TYPES = """
- static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
-+static const int CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER;
- static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
- static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
-
diff --git a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py
deleted file mode 100644
--- a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py
+++ /dev/null
@@ -1,29 +0,0 @@
-Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
-
-PR #5362
-
-Obtained from:
-https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
-
---- src/cryptography/hazmat/backends/openssl/backend.py.orig 2020-04-22 22:27:48 UTC
-+++ src/cryptography/hazmat/backends/openssl/backend.py
-@@ -1515,8 +1515,19 @@ class Backend(object):
-
- def _ec_key_new_by_curve(self, curve):
- curve_nid = self._elliptic_curve_to_nid(curve)
-+ return self._ec_key_new_by_curve_nid(curve_nid)
-+
-+ def _ec_key_new_by_curve_nid(self, curve_nid):
- ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid)
- self.openssl_assert(ec_cdata != self._ffi.NULL)
-+ # Setting the ASN.1 flag to OPENSSL_EC_NAMED_CURVE is
-+ # only necessary on OpenSSL 1.0.2t/u. Once we drop support for 1.0.2
-+ # we can remove this as it's done automatically when getting an EC_KEY
-+ # from new_by_curve_name
-+ # CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER
-+ self._lib.EC_KEY_set_asn1_flag(
-+ ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE
-+ )
- return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
-
- def load_der_ocsp_request(self, data):
diff --git a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py
deleted file mode 100644
--- a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py
+++ /dev/null
@@ -1,32 +0,0 @@
-Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
-
-PR #5362
-
-Obtained from:
-https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
-
---- src/cryptography/hazmat/backends/openssl/ec.py.orig 2020-04-22 22:26:51 UTC
-+++ src/cryptography/hazmat/backends/openssl/ec.py
-@@ -42,7 +42,7 @@ def _ec_key_curve_sn(backend, ec_key):
- # explicitly encoded a curve with the same parameters as a named curve.
- # Don't do that.
- if (
-- backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and
-+ backend._lib.CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER and
- backend._lib.EC_GROUP_get_asn1_flag(group) == 0
- ):
- raise NotImplementedError(
-@@ -195,12 +195,7 @@ class _EllipticCurvePrivateKey(object):
- self._backend.openssl_assert(group != self._backend._ffi.NULL)
-
- curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group)
--
-- public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid)
-- self._backend.openssl_assert(public_ec_key != self._backend._ffi.NULL)
-- public_ec_key = self._backend._ffi.gc(
-- public_ec_key, self._backend._lib.EC_KEY_free
-- )
-+ public_ec_key = self._backend._ec_key_new_by_curve_nid(curve_nid)
-
- point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key)
- self._backend.openssl_assert(point != self._backend._ffi.NULL)
diff --git a/security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988 b/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
rename from security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988
rename to security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
diff --git a/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
new file mode 100644
--- /dev/null
+++ b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
@@ -0,0 +1,98 @@
+From 7a341a5d3cb9380e77b0241b5198373ab6fc355e Mon Sep 17 00:00:00 2001
+From: Charlie Li <vishwin@users.noreply.github.com>
+Date: Sun, 3 Oct 2021 00:20:31 -0400
+Subject: [PATCH] Support LibreSSL 3.4.0 (#6360)
+
+* Add LibreSSL 3.4.0 to CI
+
+* Add a LibreSSL 3.4.0 guard
+
+Since LibreSSL 3.4.0 makes most of the TLSv1.3 API available, redefine CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 to LibreSSL versions below 3.4.0.
+
+* DTLS_get_data_mtu does not exist in LibreSSL
+
+* Only EVP_Digest{Sign,Verify} exist in LibreSSL 3.4.0+
+
+* SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL
+
+* Do not pollute CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 with LibreSSL
+
+While LibreSSL 3.4.0 supports more of TLSv1.3 API, the guard redefinition caused the X448 tests to run when not intended.
+---
+ .github/workflows/ci.yml | 6 ++++--
+ src/_cffi_src/openssl/cryptography.py | 3 +++
+ src/_cffi_src/openssl/evp.py | 15 ++++++++++-----
+ src/_cffi_src/openssl/ssl.py | 3 ++-
+ 4 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
+index 878d22d8..821ddc9f 100644
+--- src/_cffi_src/openssl/cryptography.py
++++ src/_cffi_src/openssl/cryptography.py
+@@ -36,8 +36,11 @@ INCLUDES = """
+ #if CRYPTOGRAPHY_IS_LIBRESSL
+ #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
+ (LIBRESSL_VERSION_NUMBER < 0x3030200f)
++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 \
++ (LIBRESSL_VERSION_NUMBER < 0x3040000f)
+ #else
+ #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0)
+ #endif
+
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+diff --git src/_cffi_src/openssl/evp.py src/_cffi_src/openssl/evp.py
+index ab7cfeb3..cad3339a 100644
+--- src/_cffi_src/openssl/evp.py
++++ src/_cffi_src/openssl/evp.py
+@@ -203,15 +203,21 @@ int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *,
+ size_t) = NULL;
+ #endif
+
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
++ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
+-static const long Cryptography_HAS_RAW_KEY = 0;
+-static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
+-int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
+ int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,
+ const unsigned char *tbs, size_t) = NULL;
+ int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t,
+ const unsigned char *, size_t) = NULL;
++#else
++static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
++#endif
++
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
++static const long Cryptography_HAS_RAW_KEY = 0;
++static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
++int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
+ EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *,
+ size_t) = NULL;
+ EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *,
+@@ -221,7 +227,6 @@ int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *,
+ int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *,
+ size_t *) = NULL;
+ #else
+-static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
+ static const long Cryptography_HAS_RAW_KEY = 1;
+ static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1;
+ #endif
+diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
+index ca275e91..0830a463 100644
+--- src/_cffi_src/openssl/ssl.py
++++ src/_cffi_src/openssl/ssl.py
+@@ -678,7 +678,8 @@ int (*SSL_set_tlsext_use_srtp)(SSL *, const char *) = NULL;
+ SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL;
+ #endif
+
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
++ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ static const long Cryptography_HAS_TLSv1_3 = 0;
+ static const long SSL_OP_NO_TLSv1_3 = 0;
+ static const long SSL_VERIFY_POST_HANDSHAKE = 0;
+--
+2.32.0
+
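Review bot: The new patch file carries no port-level provenance or ordering note, although its cryptography.py hunk uses `CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332` as context, a macro that is presumably introduced by `patch-Fix-build-with-LibreSSL-3.3.2-5988`, so it only applies after that patch. That works today only because of how the two filenames happen to sort, and nothing records it. The embedded diffstat also still lists `.github/workflows/ci.yml` and "4 files changed" while only three file diffs are present, which makes the file harder to audit against upstream. A short header in the style of the removed openssl102u patches would cover both, for example `Obtained from: upstream commit 7a341a5d3cb9380e77b0241b5198373ab6fc355e (ci.yml hunk dropped; applies on top of patch-Fix-build-with-LibreSSL-3.3.2-5988)`. The `#else` branches of the evp.py raw-key guard and the ssl.py TLS 1.3 guard lie outside the hunks, so whether every symbol they bind exists in LibreSSL 3.4.0 cannot be confirmed from this diff.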
File Metadata
Details
Attached
Mime Type
text/plain
Expires
Mon, Jan 20, 11:04 PM (17 h, 31 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
15987981
Default Alt Text
D32281.diff (11 KB)
Attached To
Mode
D32281: security/py-cryptography: Add LibreSSL 3.4.0 support
Attached