git: 929ee09863ac - 2021Q4 - security/py-cryptography: support LibreSSL 3.4.0

From: Charlie Li <vishwin_at_FreeBSD.org>
Date: Tue, 05 Oct 2021 14:42:25 UTC
The branch 2021Q4 has been updated by vishwin:

URL: https://cgit.FreeBSD.org/ports/commit/?id=929ee09863ac5d39c67651314006375ff5f2549c

commit 929ee09863ac5d39c67651314006375ff5f2549c
Author:     Charlie Li <vishwin@FreeBSD.org>
AuthorDate: 2021-10-03 14:29:20 +0000
Commit:     Charlie Li <vishwin@FreeBSD.org>
CommitDate: 2021-10-05 14:41:10 +0000

    security/py-cryptography: support LibreSSL 3.4.0
    
    Merged upstream as https://github.com/pyca/cryptography/pull/6360
    and backported to this version.
    
    While here, remove remaining FreeBSD 11 cruft
    
    Approved by: fluffy (mentor), koobs (implicit: MAINTAINER_POLICY)
    Differential Revision: https://reviews.freebsd.org/D32281
    
    (cherry picked from commit 5b57210d0d0a7d74c9f8b4895907b34f2f34473d)
---
 security/py-cryptography/Makefile                  | 14 ----
 security/py-cryptography/distinfo                  |  2 -
 .../patch-src___cffi__src_openssl_cryptography.py  | 26 ------
 ...cryptography_hazmat_backends_openssl_backend.py | 29 -------
 ...-src_cryptography_hazmat_backends_openssl_ec.py | 32 -------
 ...88 => patch-Fix-build-with-LibreSSL-3.3.2-5988} |  0
 .../files/patch-Support-LibreSSL-3.4.0-6360        | 98 ++++++++++++++++++++++
 7 files changed, 98 insertions(+), 103 deletions(-)

diff --git a/security/py-cryptography/Makefile b/security/py-cryptography/Makefile
index 18d7c316f41d..daf7f3a4d732 100644
--- a/security/py-cryptography/Makefile
+++ b/security/py-cryptography/Makefile
@@ -35,20 +35,6 @@ TEST_ENV=	PYTHONPATH=${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}
 
 .include <bsd.port.pre.mk>
 
-# OpenSSL 1.0.2t got some curve matching parameter code backported before it
-# has reached its End-of-Life and security/py-cryptography already had some
-# code to handle this case, but it assumed OpenSSL 1.1.0+ .
-#
-# This has been fixed in 3.0-23-g241f8450 of security/py-cryptography and to be
-# clear: It isn't a security fix but rather a workaround to handle unnamed but
-# really named curves with OpenSSL 1.0.2t/u .
-
-# We need to keep old py-cryptography and py-openssl for 11.x release
-# due to outdated OpenSSL version in base
-
-# Apply LibreSSL upstream patch that conflicts with above patch for 2.9.2
-EXTRA_PATCHES=	${PATCHDIR}/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988
-
 .if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42
 post-patch:
 	@${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' \
diff --git a/security/py-cryptography/distinfo b/security/py-cryptography/distinfo
index d7062e6364f6..a2ec74471294 100644
--- a/security/py-cryptography/distinfo
+++ b/security/py-cryptography/distinfo
@@ -1,5 +1,3 @@
 TIMESTAMP = 1614253508
-SHA256 (cryptography-2.9.2.tar.gz) = a0c30272fb4ddda5f5ffc1089d7405b7a71b0b0f51993cb4e5dbb4590b2fc229
-SIZE (cryptography-2.9.2.tar.gz) = 517571
 SHA256 (cryptography-3.3.2.tar.gz) = 5a60d3780149e13b7a6ff7ad6526b38846354d11a15e21068e57073e29e19bed
 SIZE (cryptography-3.3.2.tar.gz) = 539883
diff --git a/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py b/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py
deleted file mode 100644
index bf5d425142e6..000000000000
--- a/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py
+++ /dev/null
@@ -1,26 +0,0 @@
-Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
-
-PR #5362
-
-Obtained from:
-https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
-
---- src/_cffi_src/openssl/cryptography.py.orig	2020-04-22 22:27:48 UTC
-+++ src/_cffi_src/openssl/cryptography.py
-@@ -47,6 +47,8 @@ INCLUDES = """
-     (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL)
- #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
-     (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
-+#define CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER \
-+    (OPENSSL_VERSION_NUMBER >= 0x1000215fL && !CRYPTOGRAPHY_IS_LIBRESSL)
- #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
-     (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
- #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
-@@ -68,6 +70,7 @@ INCLUDES = """
- 
- TYPES = """
- static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
-+static const int CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER;
- static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
- static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
- 
diff --git a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py
deleted file mode 100644
index fc9701242a42..000000000000
--- a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py
+++ /dev/null
@@ -1,29 +0,0 @@
-Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
-
-PR #5362
-
-Obtained from:
-https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
-
---- src/cryptography/hazmat/backends/openssl/backend.py.orig	2020-04-22 22:27:48 UTC
-+++ src/cryptography/hazmat/backends/openssl/backend.py
-@@ -1515,8 +1515,19 @@ class Backend(object):
- 
-     def _ec_key_new_by_curve(self, curve):
-         curve_nid = self._elliptic_curve_to_nid(curve)
-+        return self._ec_key_new_by_curve_nid(curve_nid)
-+
-+    def _ec_key_new_by_curve_nid(self, curve_nid):
-         ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid)
-         self.openssl_assert(ec_cdata != self._ffi.NULL)
-+        # Setting the ASN.1 flag to OPENSSL_EC_NAMED_CURVE is
-+        # only necessary on OpenSSL 1.0.2t/u. Once we drop support for 1.0.2
-+        # we can remove this as it's done automatically when getting an EC_KEY
-+        # from new_by_curve_name
-+        # CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER
-+        self._lib.EC_KEY_set_asn1_flag(
-+            ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE
-+        )
-         return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
- 
-     def load_der_ocsp_request(self, data):
diff --git a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py
deleted file mode 100644
index 4c155c1d7b2d..000000000000
--- a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py
+++ /dev/null
@@ -1,32 +0,0 @@
-Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
-
-PR #5362
-
-Obtained from:
-https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
-
---- src/cryptography/hazmat/backends/openssl/ec.py.orig	2020-04-22 22:26:51 UTC
-+++ src/cryptography/hazmat/backends/openssl/ec.py
-@@ -42,7 +42,7 @@ def _ec_key_curve_sn(backend, ec_key):
-     # explicitly encoded a curve with the same parameters as a named curve.
-     # Don't do that.
-     if (
--        backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and
-+        backend._lib.CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER and
-         backend._lib.EC_GROUP_get_asn1_flag(group) == 0
-     ):
-         raise NotImplementedError(
-@@ -195,12 +195,7 @@ class _EllipticCurvePrivateKey(object):
-         self._backend.openssl_assert(group != self._backend._ffi.NULL)
- 
-         curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group)
--
--        public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid)
--        self._backend.openssl_assert(public_ec_key != self._backend._ffi.NULL)
--        public_ec_key = self._backend._ffi.gc(
--            public_ec_key, self._backend._lib.EC_KEY_free
--        )
-+        public_ec_key = self._backend._ec_key_new_by_curve_nid(curve_nid)
- 
-         point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key)
-         self._backend.openssl_assert(point != self._backend._ffi.NULL)
diff --git a/security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988 b/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
similarity index 100%
rename from security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988
rename to security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
diff --git a/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
new file mode 100644
index 000000000000..a8bb6dc6da43
--- /dev/null
+++ b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
@@ -0,0 +1,98 @@
+From 7a341a5d3cb9380e77b0241b5198373ab6fc355e Mon Sep 17 00:00:00 2001
+From: Charlie Li <vishwin@users.noreply.github.com>
+Date: Sun, 3 Oct 2021 00:20:31 -0400
+Subject: [PATCH] Support LibreSSL 3.4.0 (#6360)
+
+* Add LibreSSL 3.4.0 to CI
+
+* Add a LibreSSL 3.4.0 guard
+
+Since LibreSSL 3.4.0 makes most of the TLSv1.3 API available, redefine CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 to LibreSSL versions below 3.4.0.
+
+* DTLS_get_data_mtu does not exist in LibreSSL
+
+* Only EVP_Digest{Sign,Verify} exist in LibreSSL 3.4.0+
+
+* SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL
+
+* Do not pollute CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 with LibreSSL
+
+While LibreSSL 3.4.0 supports more of TLSv1.3 API, the guard redefinition caused the X448 tests to run when not intended.
+---
+ .github/workflows/ci.yml              |  6 ++++--
+ src/_cffi_src/openssl/cryptography.py |  3 +++
+ src/_cffi_src/openssl/evp.py          | 15 ++++++++++-----
+ src/_cffi_src/openssl/ssl.py          |  3 ++-
+ 4 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
+index 878d22d8..821ddc9f 100644
+--- src/_cffi_src/openssl/cryptography.py
++++ src/_cffi_src/openssl/cryptography.py
+@@ -36,8 +36,11 @@ INCLUDES = """
+ #if CRYPTOGRAPHY_IS_LIBRESSL
+ #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
+     (LIBRESSL_VERSION_NUMBER < 0x3030200f)
++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 \
++    (LIBRESSL_VERSION_NUMBER < 0x3040000f)
+ #else
+ #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0)
+ #endif
+ 
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+diff --git src/_cffi_src/openssl/evp.py src/_cffi_src/openssl/evp.py
+index ab7cfeb3..cad3339a 100644
+--- src/_cffi_src/openssl/evp.py
++++ src/_cffi_src/openssl/evp.py
+@@ -203,15 +203,21 @@ int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *,
+                                       size_t) = NULL;
+ #endif
+ 
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
++    (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
+-static const long Cryptography_HAS_RAW_KEY = 0;
+-static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
+-int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
+ int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,
+                       const unsigned char *tbs, size_t) = NULL;
+ int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t,
+                         const unsigned char *, size_t) = NULL;
++#else
++static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
++#endif
++
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
++static const long Cryptography_HAS_RAW_KEY = 0;
++static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
++int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
+ EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *,
+                                        size_t) = NULL;
+ EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *,
+@@ -221,7 +227,6 @@ int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *,
+ int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *,
+                                    size_t *) = NULL;
+ #else
+-static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
+ static const long Cryptography_HAS_RAW_KEY = 1;
+ static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1;
+ #endif
+diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
+index ca275e91..0830a463 100644
+--- src/_cffi_src/openssl/ssl.py
++++ src/_cffi_src/openssl/ssl.py
+@@ -678,7 +678,8 @@ int (*SSL_set_tlsext_use_srtp)(SSL *, const char *) = NULL;
+ SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL;
+ #endif
+ 
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
++    (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ static const long Cryptography_HAS_TLSv1_3 = 0;
+ static const long SSL_OP_NO_TLSv1_3 = 0;
+ static const long SSL_VERIFY_POST_HANDSHAKE = 0;
+-- 
+2.32.0
+
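Review bot: The embedded upstream header in this new patch file (the four-file diffstat at `.github/workflows/ci.yml | 6 ++++--` and the bullets about `DTLS_get_data_mtu` and `SSL_CTX_{set,get}_keylog_callback`) no longer matches the hunks that follow, which touch only cryptography.py, evp.py and the TLSv1.3 guard in ssl.py, so a maintainer cannot tell whether those hunks were dropped deliberately or lost in the backport. That matters because the new condition `CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)` now steers LibreSSL 3.4.0+ into the `#else` branches, and if the 3.3.2 tree still declares any LibreSSL-missing symbol only under `CRYPTOGRAPHY_OPENSSL_LESS_THAN_111`, it would become an unresolved reference when the cffi module is loaded instead of a NULL stub. Please add a short preamble above the `From 7a341a5d...` line stating what was omitted and why, e.g. `Backport of upstream 7a341a5d to 3.3.2; the ci.yml, DTLS_get_data_mtu and keylog-callback hunks are omitted because 3.3.2 already guards those symbols separately`, and trim the embedded diffstat to the three files actually patched. A build against LibreSSL 3.4.0 that imports `cryptography.hazmat.bindings._openssl` would confirm the omission is safe.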