svn commit: r556973 - in head/security/py-cryptography: . files files/openssl102u
Kubilay Kocak
koobs at FreeBSD.org
Fri Dec 4 11:31:24 UTC 2020
Author: koobs
Date: Fri Dec 4 11:31:22 2020
New Revision: 556973
URL: https://svnweb.freebsd.org/changeset/ports/556973
Log:
security/py-cryptography: Update to 2.9.2 [2]
- Remove patch-PR4855, upstreamed [1]
- Remove asn1crypto, no longer an install_requires (RUN_DEPENDS) [1]
- Add workaround for OpenSSL 1.0.2u/t when building for FreeBSD
11.3-STABLE and 11.4-RELEASE/STABLE. [2]
Changelog:
https://github.com/pyca/cryptography/blob/2.9.2/CHANGELOG.rst
HUGE thank you to Kai for running through extensive QA and producing the
final changeset.
PR: 245929
Submitted by: Daniel <daniel.engberg.lists pyret.net> [1]
Submitted by: kai [2]
MFH: No (backward incompatiblities, substantial dependents count)
Added:
head/security/py-cryptography/files/openssl102u/
head/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py (contents, props changed)
head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py (contents, props changed)
head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py (contents, props changed)
Deleted:
head/security/py-cryptography/files/patch-PR4855
Modified:
head/security/py-cryptography/Makefile
head/security/py-cryptography/distinfo
Modified: head/security/py-cryptography/Makefile
==============================================================================
--- head/security/py-cryptography/Makefile Fri Dec 4 11:12:04 2020 (r556972)
+++ head/security/py-cryptography/Makefile Fri Dec 4 11:31:22 2020 (r556973)
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= cryptography
-PORTVERSION= 2.6.1
+PORTVERSION= 2.9.2
CATEGORIES= security python
MASTER_SITES= CHEESESHOP
PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
@@ -16,8 +16,7 @@ LICENSE_FILE_APACHE20= ${WRKSRC}/LICENSE.APACHE
LICENSE_FILE_BSD3CLAUSE= ${WRKSRC}/LICENSE.BSD
BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR}
-RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}asn1crypto>=0.21.0:devel/py-asn1crypto@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} \
+RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} \
${PY_ENUM34} \
${PY_IPADDRESS} \
${PYTHON_PKGNAMEPREFIX}six>=1.4.1:devel/py-six@${PY_FLAVOR}
@@ -28,15 +27,32 @@ TEST_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cryptography-vect
${PYTHON_PKGNAMEPREFIX}pytest>=3.6.0:devel/py-pytest@${PY_FLAVOR} \
${PYTHON_PKGNAMEPREFIX}pytz>0:devel/py-pytz@${PY_FLAVOR}
-# Python 2.7, 3.4-3.7
+# Python 2.7, 3.5-3.8
USES= compiler:env python ssl
USE_PYTHON= autoplist concurrent distutils
CFLAGS+= -I${OPENSSLINC}
LDFLAGS+= -L${OPENSSLLIB}
+TEST_ENV= PYTHONPATH=${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}
+
.include <bsd.port.pre.mk>
+# OpenSSL 1.0.2t got some curve matching parameter code backported before it
+# has reached its End-of-Life and security/py-cryptography already had some
+# code to handle this case, but it assumed OpenSSL 1.1.0+ .
+#
+# This has been fixed in 3.0-23-g241f8450 of security/py-cryptography and to be
+# clear: It isn't a security fix but rather a workaround to handle unnamed but
+# really named curves with OpenSSL 1.0.2t/u .
+.if ${OPSYS} == FreeBSD && ${SSL_DEFAULT} == "base"
+. if ${OSVERSION} >= 1103500 && ${OSVERSION} < 1200085
+# 1103500 352193 2019-09-10 11.3-STABLE got OpenSSL 1.0.2t
+# 1200085 339270 2018-10-19 12.0-STABLE got OpenSSL 1.1.1
+EXTRA_PATCHES= ${PATCHDIR}/openssl102u
+. endif
+.endif
+
.if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42
post-patch:
@${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' \
@@ -47,6 +63,6 @@ post-install:
${STRIP_CMD} ${STAGEDIR}${PYTHON_SITELIBDIR}/cryptography/hazmat/bindings/*.so
do-test:
- @cd ${WRKSRC} && ${PYTHON_CMD} ${PYDISTUTILS_SETUP} test
+ @cd ${WRKSRC} && ${SETENV} ${TEST_ENV} ${PYTHON_CMD} -m pytest -q -v -rs -o addopts=
.include <bsd.port.post.mk>
Modified: head/security/py-cryptography/distinfo
==============================================================================
--- head/security/py-cryptography/distinfo Fri Dec 4 11:12:04 2020 (r556972)
+++ head/security/py-cryptography/distinfo Fri Dec 4 11:31:22 2020 (r556973)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1551354433
-SHA256 (cryptography-2.6.1.tar.gz) = 26c821cbeb683facb966045e2064303029d572a87ee69ca5a1bf54bf55f93ca6
-SIZE (cryptography-2.6.1.tar.gz) = 491580
+TIMESTAMP = 1596263213
+SHA256 (cryptography-2.9.2.tar.gz) = a0c30272fb4ddda5f5ffc1089d7405b7a71b0b0f51993cb4e5dbb4590b2fc229
+SIZE (cryptography-2.9.2.tar.gz) = 517571
Added: head/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py Fri Dec 4 11:31:22 2020 (r556973)
@@ -0,0 +1,26 @@
+Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
+
+PR #5362
+
+Obtained from:
+https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
+
+--- src/_cffi_src/openssl/cryptography.py.orig 2020-04-22 22:27:48 UTC
++++ src/_cffi_src/openssl/cryptography.py
+@@ -47,6 +47,8 @@ INCLUDES = """
+ (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
++#define CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER \
++ (OPENSSL_VERSION_NUMBER >= 0x1000215fL && !CRYPTOGRAPHY_IS_LIBRESSL)
+ #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+@@ -68,6 +70,7 @@ INCLUDES = """
+
+ TYPES = """
+ static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
++static const int CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER;
+ static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
+ static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
+
Added: head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py Fri Dec 4 11:31:22 2020 (r556973)
@@ -0,0 +1,29 @@
+Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
+
+PR #5362
+
+Obtained from:
+https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
+
+--- src/cryptography/hazmat/backends/openssl/backend.py.orig 2020-04-22 22:27:48 UTC
++++ src/cryptography/hazmat/backends/openssl/backend.py
+@@ -1515,8 +1515,19 @@ class Backend(object):
+
+ def _ec_key_new_by_curve(self, curve):
+ curve_nid = self._elliptic_curve_to_nid(curve)
++ return self._ec_key_new_by_curve_nid(curve_nid)
++
++ def _ec_key_new_by_curve_nid(self, curve_nid):
+ ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid)
+ self.openssl_assert(ec_cdata != self._ffi.NULL)
++ # Setting the ASN.1 flag to OPENSSL_EC_NAMED_CURVE is
++ # only necessary on OpenSSL 1.0.2t/u. Once we drop support for 1.0.2
++ # we can remove this as it's done automatically when getting an EC_KEY
++ # from new_by_curve_name
++ # CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER
++ self._lib.EC_KEY_set_asn1_flag(
++ ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE
++ )
+ return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
+
+ def load_der_ocsp_request(self, data):
Added: head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py Fri Dec 4 11:31:22 2020 (r556973)
@@ -0,0 +1,32 @@
+Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
+
+PR #5362
+
+Obtained from:
+https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
+
+--- src/cryptography/hazmat/backends/openssl/ec.py.orig 2020-04-22 22:26:51 UTC
++++ src/cryptography/hazmat/backends/openssl/ec.py
+@@ -42,7 +42,7 @@ def _ec_key_curve_sn(backend, ec_key):
+ # explicitly encoded a curve with the same parameters as a named curve.
+ # Don't do that.
+ if (
+- backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and
++ backend._lib.CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER and
+ backend._lib.EC_GROUP_get_asn1_flag(group) == 0
+ ):
+ raise NotImplementedError(
+@@ -195,12 +195,7 @@ class _EllipticCurvePrivateKey(object):
+ self._backend.openssl_assert(group != self._backend._ffi.NULL)
+
+ curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group)
+-
+- public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid)
+- self._backend.openssl_assert(public_ec_key != self._backend._ffi.NULL)
+- public_ec_key = self._backend._ffi.gc(
+- public_ec_key, self._backend._lib.EC_KEY_free
+- )
++ public_ec_key = self._backend._ec_key_new_by_curve_nid(curve_nid)
+
+ point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key)
+ self._backend.openssl_assert(point != self._backend._ffi.NULL)
More information about the svn-ports-all
mailing list