From nobody Fri Nov 04 11:21:49 2022
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4N3dW16xKjz4hlVZ;
	Fri,  4 Nov 2022 11:21:49 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4N3dW16mt1z3mPZ;
	Fri,  4 Nov 2022 11:21:49 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1667560909;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=jNbkoZVp4TpJRXwaPjRpmZq9s1cOnAsx0sZ3jxKsfuc=;
	b=Hm008iYsaXF9e4LkWkUnoWC59C3AfljklMchTzWKqiwa6PnysH6gOSC658JUQ5YSC9MhbG
	YpT7uryokPPR/Qqp5P3r3WJt24aTTpVyFJWJ16g3Uw75Zudtnyh4uRo+PYZV/puleqLR5b
	xJkOdto+YQbhG3FRp/raFqSWt7CtX5rhK4yTHHz8cVQGLVDg0wRyESPSWjjlM47ByWQ91l
	X/aD1uaInH4nz+gPjSeLgaDLQ62ArXE4GO8lxa63yE64N9IuLR4EUAA3fn5k+Y2SA4Kix7
	5gOYd8Rr74dV9rrJIfRLh6lits8VcJhPYwZbajyW6g93fPmZqaie/uajys3TCQ==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4N3dW15q6Dz1DSL;
	Fri,  4 Nov 2022 11:21:49 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 2A4BLn8a052027;
	Fri, 4 Nov 2022 11:21:49 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 2A4BLnTU052026;
	Fri, 4 Nov 2022 11:21:49 GMT
	(envelope-from git)
Date: Fri, 4 Nov 2022 11:21:49 GMT
Message-Id: <202211041121.2A4BLnTU052026@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Felix Palmen <zirias@FreeBSD.org>
Subject: git: 14ff8de7061e - main - security/py-cryptography: Fix build w/ libressl3.5
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: zirias
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 14ff8de7061e894a5ee46ad2091be5cd04f548b9
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1667560909;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=jNbkoZVp4TpJRXwaPjRpmZq9s1cOnAsx0sZ3jxKsfuc=;
	b=dU9ZZsP4j+PjAP4sXhhMdVB7V1b1sJ98UoAAgr890XWMwHnoLZJFZwo/GX2iQtLj8wRz0k
	kRBAOGmqNDpFHR7V1XhC1YYoHLJGw1D8N313cdDbS2crr2tisX1iMYn4+MowulDAeMLfvF
	WwRBJU43FIZesAj+xGqgIcwUorkuiA0HBeRlHurCTfl+edjQc7ESLOpyJNRTcGtjbicyD1
	WdNDykeYbNQVE6tfLy7BpEn7gkqrpYNff2LBfMTVgs9h8RB7046n5yaSgbdKBRxyDE+ftt
	lqVpfBij7DBNDDegyjfkGOYSlkFuCk6w+cfWzLEubsw0ykoNv6a4aInuu8ZLiw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1667560909; a=rsa-sha256; cv=none;
	b=AXyWvPUNtrcC0GBKiKMZpSAOuCkQEldOm0gfKc8by+4+/jiLLCR35rFVDgQJEK/Qy9a6A/
	F7w4PCCHjJWZ1sPYhgoBqQVOK5f1SMZANDFMfqdOZ90sRyD7gTUTI0DQJDMpL9y1fd8QgL
	5vt3OaDKQ9zW/o4bA6lvJCLM8d4kh93leXnhM01luvtqDUOUOGbmkXIqoTs3Sq1WsmP/PD
	K+Kb1JmsSC6i6pcSYG+JCG0guYRdGUg9EDl/kan+FLfFhCEw7HVyG6Z91Ycym70LNJjJiG
	N0Wcfz+mCeIZaN0sbU1+TrM70yEriiAxu+wxOpCG7e2rddi8toRa8tckRgakMA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by zirias:

URL: https://cgit.FreeBSD.org/ports/commit/?id=14ff8de7061e894a5ee46ad2091be5cd04f548b9

commit 14ff8de7061e894a5ee46ad2091be5cd04f548b9
Author:     Felix Palmen <zirias@FreeBSD.org>
AuthorDate: 2022-10-17 11:28:48 +0000
Commit:     Felix Palmen <zirias@FreeBSD.org>
CommitDate: 2022-11-04 11:21:28 +0000

    security/py-cryptography: Fix build w/ libressl3.5
    
    Approved by:            sunpoet (maintainer, timeout), tcberner (mentor)
    Differential Revision:  https://reviews.freebsd.org/D37049
---
 .../files/patch-Fix-build-with-LibreSSL-3.3.2-5988 |  62 -----------
 .../files/patch-Support-LibreSSL-3.4.0-6360        |  98 -----------------
 .../patch-src___cffi__src_openssl_cryptography.py  |  26 +++++
 .../files/patch-src___cffi__src_openssl_dh.py      | 120 +++++++++++++++++++++
 .../files/patch-src___cffi__src_openssl_fips.py    |  14 +++
 .../files/patch-src___cffi__src_openssl_ocsp.py    |  73 +++++++++++++
 .../files/patch-src___cffi__src_openssl_ssl.py     |  29 +++++
 .../files/patch-src___cffi__src_openssl_x509.py    |  36 +++++++
 8 files changed, 298 insertions(+), 160 deletions(-)

diff --git a/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988 b/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
deleted file mode 100644
index deb9c6408832..000000000000
--- a/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
+++ /dev/null
@@ -1,62 +0,0 @@
-From 94590a9aecc9e5ef6fc8eda52bae43643a4c44bd Mon Sep 17 00:00:00 2001
-From: Charlie Li <vishwin@users.noreply.github.com>
-Date: Mon, 19 Apr 2021 18:38:38 -0400
-Subject: [PATCH] Fix build with LibreSSL 3.3.2 (#5988)
-
-* LibreSSL 3.3.2 supports SSL_OP_NO_DTLS*
-
-While here, bump CI
-
-* Fix preprocessor guards for LibreSSL's SSL_OP_NO_DTLS*
-
-DTLS_set_link_mtu and DTLS_get_link_min_mtu are not part of 3.3.2
-
-* Switch to LESS_THAN context for LibreSSL 3.3.2
-
-While here, fix indents
-
-* Remove extra C variable declaration
-
-The variable is not actually used from Python
----
- .github/workflows/ci.yml              | 2 +-
- src/_cffi_src/openssl/cryptography.py | 7 +++++++
- src/_cffi_src/openssl/ssl.py          | 2 ++
- 3 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
-index e2b5a132..b9c7a793 100644
---- src/_cffi_src/openssl/cryptography.py
-+++ src/_cffi_src/openssl/cryptography.py
-@@ -32,6 +32,13 @@ INCLUDES = """
- #include <Winsock2.h>
- #endif
- 
-+#if CRYPTOGRAPHY_IS_LIBRESSL
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
-+    (LIBRESSL_VERSION_NUMBER < 0x3030200f)
-+#else
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
-+#endif
-+
- #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
-     (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
- 
-diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
-index 11a7d63a..081ef041 100644
---- src/_cffi_src/openssl/ssl.py
-+++ src/_cffi_src/openssl/ssl.py
-@@ -586,8 +586,10 @@ static const long TLS_ST_OK = 0;
- #endif
- 
- #if CRYPTOGRAPHY_IS_LIBRESSL
-+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332
- static const long SSL_OP_NO_DTLSv1 = 0;
- static const long SSL_OP_NO_DTLSv1_2 = 0;
-+#endif
- long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
- long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
- #endif
--- 
-2.31.1
-
diff --git a/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
deleted file mode 100644
index a8bb6dc6da43..000000000000
--- a/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
+++ /dev/null
@@ -1,98 +0,0 @@
-From 7a341a5d3cb9380e77b0241b5198373ab6fc355e Mon Sep 17 00:00:00 2001
-From: Charlie Li <vishwin@users.noreply.github.com>
-Date: Sun, 3 Oct 2021 00:20:31 -0400
-Subject: [PATCH] Support LibreSSL 3.4.0 (#6360)
-
-* Add LibreSSL 3.4.0 to CI
-
-* Add a LibreSSL 3.4.0 guard
-
-Since LibreSSL 3.4.0 makes most of the TLSv1.3 API available, redefine CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 to LibreSSL versions below 3.4.0.
-
-* DTLS_get_data_mtu does not exist in LibreSSL
-
-* Only EVP_Digest{Sign,Verify} exist in LibreSSL 3.4.0+
-
-* SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL
-
-* Do not pollute CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 with LibreSSL
-
-While LibreSSL 3.4.0 supports more of TLSv1.3 API, the guard redefinition caused the X448 tests to run when not intended.
----
- .github/workflows/ci.yml              |  6 ++++--
- src/_cffi_src/openssl/cryptography.py |  3 +++
- src/_cffi_src/openssl/evp.py          | 15 ++++++++++-----
- src/_cffi_src/openssl/ssl.py          |  3 ++-
- 4 files changed, 19 insertions(+), 8 deletions(-)
-
-diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
-index 878d22d8..821ddc9f 100644
---- src/_cffi_src/openssl/cryptography.py
-+++ src/_cffi_src/openssl/cryptography.py
-@@ -36,8 +36,11 @@ INCLUDES = """
- #if CRYPTOGRAPHY_IS_LIBRESSL
- #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
-     (LIBRESSL_VERSION_NUMBER < 0x3030200f)
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 \
-+    (LIBRESSL_VERSION_NUMBER < 0x3040000f)
- #else
- #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0)
- #endif
- 
- #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
-diff --git src/_cffi_src/openssl/evp.py src/_cffi_src/openssl/evp.py
-index ab7cfeb3..cad3339a 100644
---- src/_cffi_src/openssl/evp.py
-+++ src/_cffi_src/openssl/evp.py
-@@ -203,15 +203,21 @@ int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *,
-                                       size_t) = NULL;
- #endif
- 
--#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
-+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
-+    (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
- static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
--static const long Cryptography_HAS_RAW_KEY = 0;
--static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
--int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
- int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,
-                       const unsigned char *tbs, size_t) = NULL;
- int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t,
-                         const unsigned char *, size_t) = NULL;
-+#else
-+static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
-+#endif
-+
-+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
-+static const long Cryptography_HAS_RAW_KEY = 0;
-+static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
-+int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
- EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *,
-                                        size_t) = NULL;
- EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *,
-@@ -221,7 +227,6 @@ int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *,
- int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *,
-                                    size_t *) = NULL;
- #else
--static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
- static const long Cryptography_HAS_RAW_KEY = 1;
- static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1;
- #endif
-diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
-index ca275e91..0830a463 100644
---- src/_cffi_src/openssl/ssl.py
-+++ src/_cffi_src/openssl/ssl.py
-@@ -678,7 +678,8 @@ int (*SSL_set_tlsext_use_srtp)(SSL *, const char *) = NULL;
- SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL;
- #endif
- 
--#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
-+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
-+    (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
- static const long Cryptography_HAS_TLSv1_3 = 0;
- static const long SSL_OP_NO_TLSv1_3 = 0;
- static const long SSL_VERIFY_POST_HANDSHAKE = 0;
--- 
-2.32.0
-
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py
new file mode 100644
index 000000000000..93fb2478c76d
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py
@@ -0,0 +1,26 @@
+--- src/_cffi_src/openssl/cryptography.py.orig	2022-10-17 10:52:36 UTC
++++ src/_cffi_src/openssl/cryptography.py
+@@ -33,17 +33,17 @@ INCLUDES = """
+ #endif
+ 
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+-    (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
++    OPENSSL_VERSION_NUMBER >= 0x1010006f
+ 
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+-    (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
++    OPENSSL_VERSION_NUMBER < 0x101000af
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \
+-    (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL)
++    OPENSSL_VERSION_NUMBER < 0x10101000
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \
+-    (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
++    OPENSSL_VERSION_NUMBER < 0x10101020
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \
+-    (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL)
+-#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \
++    OPENSSL_VERSION_NUMBER < 0x10101040
++#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && \
+     !defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING)
+ #define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1
+ #else
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py
new file mode 100644
index 000000000000..c54f653a5e05
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py
@@ -0,0 +1,120 @@
+--- src/_cffi_src/openssl/dh.py.orig	2022-10-17 11:10:57 UTC
++++ src/_cffi_src/openssl/dh.py
+@@ -37,117 +37,9 @@ int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x);
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-#ifndef DH_CHECK_Q_NOT_PRIME
+-#define DH_CHECK_Q_NOT_PRIME            0x10
+-#endif
+-
+-#ifndef DH_CHECK_INVALID_Q_VALUE
+-#define DH_CHECK_INVALID_Q_VALUE        0x20
+-#endif
+-
+-#ifndef DH_CHECK_INVALID_J_VALUE
+-#define DH_CHECK_INVALID_J_VALUE        0x40
+-#endif
+-
+-/* DH_check implementation taken from OpenSSL 1.1.0pre6 */
+-
+-/*-
+- * Check that p is a safe prime and
+- * if g is 2, 3 or 5, check that it is a suitable generator
+- * where
+- * for 2, p mod 24 == 11
+- * for 3, p mod 12 == 5
+- * for 5, p mod 10 == 3 or 7
+- * should hold.
+- */
+-
+-int Cryptography_DH_check(const DH *dh, int *ret)
+-{
+-    int ok = 0, r;
+-    BN_CTX *ctx = NULL;
+-    BN_ULONG l;
+-    BIGNUM *t1 = NULL, *t2 = NULL;
+-
+-    *ret = 0;
+-    ctx = BN_CTX_new();
+-    if (ctx == NULL)
+-        goto err;
+-    BN_CTX_start(ctx);
+-    t1 = BN_CTX_get(ctx);
+-    if (t1 == NULL)
+-        goto err;
+-    t2 = BN_CTX_get(ctx);
+-    if (t2 == NULL)
+-        goto err;
+-
+-    if (dh->q) {
+-        if (BN_cmp(dh->g, BN_value_one()) <= 0)
+-            *ret |= DH_NOT_SUITABLE_GENERATOR;
+-        else if (BN_cmp(dh->g, dh->p) >= 0)
+-            *ret |= DH_NOT_SUITABLE_GENERATOR;
+-        else {
+-            /* Check g^q == 1 mod p */
+-            if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx))
+-                goto err;
+-            if (!BN_is_one(t1))
+-                *ret |= DH_NOT_SUITABLE_GENERATOR;
+-        }
+-        r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);
+-        if (r < 0)
+-            goto err;
+-        if (!r)
+-            *ret |= DH_CHECK_Q_NOT_PRIME;
+-        /* Check p == 1 mod q  i.e. q divides p - 1 */
+-        if (!BN_div(t1, t2, dh->p, dh->q, ctx))
+-            goto err;
+-        if (!BN_is_one(t2))
+-            *ret |= DH_CHECK_INVALID_Q_VALUE;
+-        if (dh->j && BN_cmp(dh->j, t1))
+-            *ret |= DH_CHECK_INVALID_J_VALUE;
+-
+-    } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
+-        l = BN_mod_word(dh->p, 24);
+-        if (l == (BN_ULONG)-1)
+-            goto err;
+-        if (l != 11)
+-            *ret |= DH_NOT_SUITABLE_GENERATOR;
+-    } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
+-        l = BN_mod_word(dh->p, 10);
+-        if (l == (BN_ULONG)-1)
+-            goto err;
+-        if ((l != 3) && (l != 7))
+-            *ret |= DH_NOT_SUITABLE_GENERATOR;
+-    } else
+-        *ret |= DH_UNABLE_TO_CHECK_GENERATOR;
+-
+-    r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);
+-    if (r < 0)
+-        goto err;
+-    if (!r)
+-        *ret |= DH_CHECK_P_NOT_PRIME;
+-    else if (!dh->q) {
+-        if (!BN_rshift1(t1, dh->p))
+-            goto err;
+-        r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);
+-        if (r < 0)
+-            goto err;
+-        if (!r)
+-            *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
+-    }
+-    ok = 1;
+- err:
+-    if (ctx != NULL) {
+-        BN_CTX_end(ctx);
+-        BN_CTX_free(ctx);
+-    }
+-    return (ok);
+-}
+-#else
+ int Cryptography_DH_check(const DH *dh, int *ret) {
+     return DH_check(dh, ret);
+ }
+-#endif
+ 
+ /* These functions were added in OpenSSL 1.1.0f commit d0c50e80a8 */
+ /* Define our own to simplify support across all versions. */
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py
new file mode 100644
index 000000000000..f947a6698d78
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py
@@ -0,0 +1,14 @@
+--- src/_cffi_src/openssl/fips.py.orig	2022-10-17 11:12:47 UTC
++++ src/_cffi_src/openssl/fips.py
+@@ -17,11 +17,5 @@ int FIPS_mode(void);
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long Cryptography_HAS_FIPS = 0;
+-int (*FIPS_mode_set)(int) = NULL;
+-int (*FIPS_mode)(void) = NULL;
+-#else
+ static const long Cryptography_HAS_FIPS = 1;
+-#endif
+ """
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py
new file mode 100644
index 000000000000..edbbfc2309ee
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py
@@ -0,0 +1,73 @@
+--- src/_cffi_src/openssl/ocsp.py.orig	2022-10-17 11:14:50 UTC
++++ src/_cffi_src/openssl/ocsp.py
+@@ -77,7 +77,6 @@ int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char *
+ 
+ CUSTOMIZATIONS = """
+ #if ( \
+-    !CRYPTOGRAPHY_IS_LIBRESSL && \
+     CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+     )
+ /* These structs come from ocsp_lcl.h and are needed to de-opaque the struct
+@@ -104,62 +103,15 @@ struct ocsp_basic_response_st {
+ };
+ #endif
+ 
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */
+-const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
+-{
+-    return single->certId;
+-}
+-const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(
+-    const OCSP_BASICRESP *bs)
+-{
+-    return bs->certs;
+-}
+-int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
+-                      const ASN1_OCTET_STRING **pid,
+-                      const X509_NAME **pname)
+-{
+-    const OCSP_RESPID *rid = bs->tbsResponseData->responderId;
+-
+-    if (rid->type == V_OCSP_RESPID_NAME) {
+-        *pname = rid->value.byName;
+-        *pid = NULL;
+-    } else if (rid->type == V_OCSP_RESPID_KEY) {
+-        *pid = rid->value.byKey;
+-        *pname = NULL;
+-    } else {
+-        return 0;
+-    }
+-    return 1;
+-}
+-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
+-    const OCSP_BASICRESP* bs)
+-{
+-    return bs->tbsResponseData->producedAt;
+-}
+-const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
+-{
+-    return bs->signature;
+-}
+-#endif
+-
+ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J
+ const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
+ {
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-    return bs->signatureAlgorithm;
+-#else
+     return &bs->signatureAlgorithm;
+-#endif
+ }
+ 
+ const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
+ {
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-    return bs->tbsResponseData;
+-#else
+     return &bs->tbsResponseData;
+-#endif
+ }
+ #endif
+ """
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py
new file mode 100644
index 000000000000..80d153a39da8
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py
@@ -0,0 +1,29 @@
+--- src/_cffi_src/openssl/ssl.py.orig	2022-10-17 11:17:08 UTC
++++ src/_cffi_src/openssl/ssl.py
+@@ -515,12 +515,7 @@ CUSTOMIZATIONS = """
+ // users have upgraded. PersistentlyDeprecated2020
+ static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;
+ 
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long Cryptography_HAS_VERIFIED_CHAIN = 0;
+-Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL;
+-#else
+ static const long Cryptography_HAS_VERIFIED_CHAIN = 1;
+-#endif
+ 
+ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+ static const long Cryptography_HAS_KEYLOG = 0;
+@@ -583,13 +578,6 @@ static const long Cryptography_HAS_TLS_ST = 1;
+ static const long Cryptography_HAS_TLS_ST = 0;
+ static const long TLS_ST_BEFORE = 0;
+ static const long TLS_ST_OK = 0;
+-#endif
+-
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long SSL_OP_NO_DTLSv1 = 0;
+-static const long SSL_OP_NO_DTLSv1_2 = 0;
+-long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
+-long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
+ #endif
+ 
+ static const long Cryptography_HAS_DTLS = 1;
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py
new file mode 100644
index 000000000000..e3cc928337c2
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py
@@ -0,0 +1,36 @@
+--- src/_cffi_src/openssl/x509.py.orig	2022-10-17 11:26:23 UTC
++++ src/_cffi_src/openssl/x509.py
+@@ -276,33 +276,8 @@ void X509_REQ_get0_signature(const X509_REQ *, const A
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
+-{
+-    /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1
+-       but older OpenSSLs don't have the enc ASN1_ENCODING member in the
+-       X509 struct.  Setting modified to 1 marks the encoding
+-       (x->cert_info->enc.enc) as invalid, but since the entire struct isn't
+-       present we don't care. */
+-    return i2d_X509_CINF(x->cert_info, pp);
+-}
+-#endif
+-
+ /* Being kept around for pyOpenSSL */
+ X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) {
+     return X509_REVOKED_dup(rev);
+ }
+-/* Added in 1.1.0 but we need it in all versions now due to the great
+-   opaquing. */
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
+-{
+-    req->req_info->enc.modified = 1;
+-    return i2d_X509_REQ_INFO(req->req_info, pp);
+-}
+-int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) {
+-    crl->crl->enc.modified = 1;
+-    return i2d_X509_CRL_INFO(crl->crl, pp);
+-}
+-#endif
+ """