From nobody Sat Nov 19 08:17:43 2022
Date: Sat, 19 Nov 2022 08:17:43 GMT
Message-Id: <202211190817.2AJ8HhJJ014447@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Po-Chuan Hsieh
Subject: git: 33d22a3e631e - main - security/py-cryptography: Rename patch files
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Sender: owner-dev-commits-ports-main@freebsd.org
X-BeenThere: dev-commits-ports-main@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: sunpoet
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 33d22a3e631e98e1d4ee880f04ca7a1a14a34d34
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by sunpoet:

URL: https://cgit.FreeBSD.org/ports/commit/?id=33d22a3e631e98e1d4ee880f04ca7a1a14a34d34

commit 33d22a3e631e98e1d4ee880f04ca7a1a14a34d34
Author:     Po-Chuan Hsieh
AuthorDate: 2022-11-19 08:12:33 +0000
Commit:     Po-Chuan Hsieh
CommitDate: 2022-11-19 08:12:33 +0000

    security/py-cryptography: Rename patch files
---
 security/py-cryptography/files/patch-libressl35    | 298 +++++++++++++++++++++
 .../patch-src___cffi__src_openssl_cryptography.py  |  26 --
 .../files/patch-src___cffi__src_openssl_dh.py      | 120 ---------
 .../files/patch-src___cffi__src_openssl_fips.py    |  14 -
 .../files/patch-src___cffi__src_openssl_ocsp.py    |  73 -----
 .../files/patch-src___cffi__src_openssl_ssl.py     |  29 --
 .../files/patch-src___cffi__src_openssl_x509.py    |  36 ---
 7 files changed, 298 insertions(+), 298 deletions(-)

diff --git a/security/py-cryptography/files/patch-libressl35 b/security/py-cryptography/files/patch-libressl35 new file mode 100644 index 000000000000..d0b7d798dc7a --- /dev/null +++ b/security/py-cryptography/files/patch-libressl35 
@@ -0,0 +1,298 @@ +--- src/_cffi_src/openssl/cryptography.py.orig 2022-10-17 10:52:36 UTC ++++ src/_cffi_src/openssl/cryptography.py +@@ -33,17 +33,17 @@ INCLUDES = """ + #endif + + #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ +- (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) ++ OPENSSL_VERSION_NUMBER >= 0x1010006f + + #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ +- (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL) ++ OPENSSL_VERSION_NUMBER < 0x101000af + #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \ +- (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL) ++ OPENSSL_VERSION_NUMBER < 0x10101000 + #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \ +- (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL) ++ OPENSSL_VERSION_NUMBER < 0x10101020 + #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \ +- (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL) +-#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \ ++ OPENSSL_VERSION_NUMBER < 0x10101040 ++#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && \ + !defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING) + #define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1 + #else +--- src/_cffi_src/openssl/dh.py.orig 2022-10-17 11:10:57 UTC ++++ src/_cffi_src/openssl/dh.py +@@ -37,117 +37,9 @@ int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x); + """ + + CUSTOMIZATIONS = """ +-#if CRYPTOGRAPHY_IS_LIBRESSL +-#ifndef DH_CHECK_Q_NOT_PRIME +-#define DH_CHECK_Q_NOT_PRIME 0x10 +-#endif +- +-#ifndef DH_CHECK_INVALID_Q_VALUE +-#define DH_CHECK_INVALID_Q_VALUE 0x20 +-#endif +- +-#ifndef DH_CHECK_INVALID_J_VALUE +-#define DH_CHECK_INVALID_J_VALUE 0x40 +-#endif +- +-/* DH_check implementation taken from OpenSSL 1.1.0pre6 */ +- +-/*- +- * Check that p is a safe prime and +- * if g is 2, 3 or 5, check that it is a suitable generator +- * where +- * for 2, p mod 24 == 11 +- * for 3, p mod 12 == 5 +- * for 5, p mod 10 == 3 or 7 +- * should hold. 
+- */ +- +-int Cryptography_DH_check(const DH *dh, int *ret) +-{ +- int ok = 0, r; +- BN_CTX *ctx = NULL; +- BN_ULONG l; +- BIGNUM *t1 = NULL, *t2 = NULL; +- +- *ret = 0; +- ctx = BN_CTX_new(); +- if (ctx == NULL) +- goto err; +- BN_CTX_start(ctx); +- t1 = BN_CTX_get(ctx); +- if (t1 == NULL) +- goto err; +- t2 = BN_CTX_get(ctx); +- if (t2 == NULL) +- goto err; +- +- if (dh->q) { +- if (BN_cmp(dh->g, BN_value_one()) <= 0) +- *ret |= DH_NOT_SUITABLE_GENERATOR; +- else if (BN_cmp(dh->g, dh->p) >= 0) +- *ret |= DH_NOT_SUITABLE_GENERATOR; +- else { +- /* Check g^q == 1 mod p */ +- if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx)) +- goto err; +- if (!BN_is_one(t1)) +- *ret |= DH_NOT_SUITABLE_GENERATOR; +- } +- r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL); +- if (r < 0) +- goto err; +- if (!r) +- *ret |= DH_CHECK_Q_NOT_PRIME; +- /* Check p == 1 mod q i.e. q divides p - 1 */ +- if (!BN_div(t1, t2, dh->p, dh->q, ctx)) +- goto err; +- if (!BN_is_one(t2)) +- *ret |= DH_CHECK_INVALID_Q_VALUE; +- if (dh->j && BN_cmp(dh->j, t1)) +- *ret |= DH_CHECK_INVALID_J_VALUE; +- +- } else if (BN_is_word(dh->g, DH_GENERATOR_2)) { +- l = BN_mod_word(dh->p, 24); +- if (l == (BN_ULONG)-1) +- goto err; +- if (l != 11) +- *ret |= DH_NOT_SUITABLE_GENERATOR; +- } else if (BN_is_word(dh->g, DH_GENERATOR_5)) { +- l = BN_mod_word(dh->p, 10); +- if (l == (BN_ULONG)-1) +- goto err; +- if ((l != 3) && (l != 7)) +- *ret |= DH_NOT_SUITABLE_GENERATOR; +- } else +- *ret |= DH_UNABLE_TO_CHECK_GENERATOR; +- +- r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL); +- if (r < 0) +- goto err; +- if (!r) +- *ret |= DH_CHECK_P_NOT_PRIME; +- else if (!dh->q) { +- if (!BN_rshift1(t1, dh->p)) +- goto err; +- r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL); +- if (r < 0) +- goto err; +- if (!r) +- *ret |= DH_CHECK_P_NOT_SAFE_PRIME; +- } +- ok = 1; +- err: +- if (ctx != NULL) { +- BN_CTX_end(ctx); +- BN_CTX_free(ctx); +- } +- return (ok); +-} +-#else + int Cryptography_DH_check(const DH *dh, int *ret) { + 
return DH_check(dh, ret); + } +-#endif + + /* These functions were added in OpenSSL 1.1.0f commit d0c50e80a8 */ + /* Define our own to simplify support across all versions. */ +--- src/_cffi_src/openssl/fips.py.orig 2022-10-17 11:12:47 UTC ++++ src/_cffi_src/openssl/fips.py +@@ -17,11 +17,5 @@ int FIPS_mode(void); + """ + + CUSTOMIZATIONS = """ +-#if CRYPTOGRAPHY_IS_LIBRESSL +-static const long Cryptography_HAS_FIPS = 0; +-int (*FIPS_mode_set)(int) = NULL; +-int (*FIPS_mode)(void) = NULL; +-#else + static const long Cryptography_HAS_FIPS = 1; +-#endif + """ +--- src/_cffi_src/openssl/ocsp.py.orig 2022-10-17 11:14:50 UTC ++++ src/_cffi_src/openssl/ocsp.py +@@ -77,7 +77,6 @@ int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char * + + CUSTOMIZATIONS = """ + #if ( \ +- !CRYPTOGRAPHY_IS_LIBRESSL && \ + CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ + ) + /* These structs come from ocsp_lcl.h and are needed to de-opaque the struct +@@ -104,62 +103,15 @@ struct ocsp_basic_response_st { + }; + #endif + +-#if CRYPTOGRAPHY_IS_LIBRESSL +-/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */ +-const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single) +-{ +- return single->certId; +-} +-const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs( +- const OCSP_BASICRESP *bs) +-{ +- return bs->certs; +-} +-int OCSP_resp_get0_id(const OCSP_BASICRESP *bs, +- const ASN1_OCTET_STRING **pid, +- const X509_NAME **pname) +-{ +- const OCSP_RESPID *rid = bs->tbsResponseData->responderId; +- +- if (rid->type == V_OCSP_RESPID_NAME) { +- *pname = rid->value.byName; +- *pid = NULL; +- } else if (rid->type == V_OCSP_RESPID_KEY) { +- *pid = rid->value.byKey; +- *pname = NULL; +- } else { +- return 0; +- } +- return 1; +-} +-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at( +- const OCSP_BASICRESP* bs) +-{ +- return bs->tbsResponseData->producedAt; +-} +-const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs) +-{ +- return bs->signature; +-} +-#endif +- 
+ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J + const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs) + { +-#if CRYPTOGRAPHY_IS_LIBRESSL +- return bs->signatureAlgorithm; +-#else + return &bs->signatureAlgorithm; +-#endif + } + + const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs) + { +-#if CRYPTOGRAPHY_IS_LIBRESSL +- return bs->tbsResponseData; +-#else + return &bs->tbsResponseData; +-#endif + } + #endif + """ +--- src/_cffi_src/openssl/ssl.py.orig 2022-10-17 11:17:08 UTC ++++ src/_cffi_src/openssl/ssl.py +@@ -515,12 +515,7 @@ CUSTOMIZATIONS = """ + // users have upgraded. PersistentlyDeprecated2020 + static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1; + +-#if CRYPTOGRAPHY_IS_LIBRESSL +-static const long Cryptography_HAS_VERIFIED_CHAIN = 0; +-Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL; +-#else + static const long Cryptography_HAS_VERIFIED_CHAIN = 1; +-#endif + + #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 + static const long Cryptography_HAS_KEYLOG = 0; +@@ -583,13 +578,6 @@ static const long Cryptography_HAS_TLS_ST = 1; + static const long Cryptography_HAS_TLS_ST = 0; + static const long TLS_ST_BEFORE = 0; + static const long TLS_ST_OK = 0; +-#endif +- +-#if CRYPTOGRAPHY_IS_LIBRESSL +-static const long SSL_OP_NO_DTLSv1 = 0; +-static const long SSL_OP_NO_DTLSv1_2 = 0; +-long (*DTLS_set_link_mtu)(SSL *, long) = NULL; +-long (*DTLS_get_link_min_mtu)(SSL *) = NULL; + #endif + + static const long Cryptography_HAS_DTLS = 1; +--- src/_cffi_src/openssl/x509.py.orig 2022-10-17 11:26:23 UTC ++++ src/_cffi_src/openssl/x509.py +@@ -276,33 +276,8 @@ void X509_REQ_get0_signature(const X509_REQ *, const A + """ + + CUSTOMIZATIONS = """ +-#if CRYPTOGRAPHY_IS_LIBRESSL +-int i2d_re_X509_tbs(X509 *x, unsigned char **pp) +-{ +- /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1 +- but older OpenSSLs don't have the enc ASN1_ENCODING member in the +- X509 struct. 
Setting modified to 1 marks the encoding +- (x->cert_info->enc.enc) as invalid, but since the entire struct isn't +- present we don't care. */ +- return i2d_X509_CINF(x->cert_info, pp); +-} +-#endif +- + /* Being kept around for pyOpenSSL */ + X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) { + return X509_REVOKED_dup(rev); + } +-/* Added in 1.1.0 but we need it in all versions now due to the great +- opaquing. */ +-#if CRYPTOGRAPHY_IS_LIBRESSL +-int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp) +-{ +- req->req_info->enc.modified = 1; +- return i2d_X509_REQ_INFO(req->req_info, pp); +-} +-int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) { +- crl->crl->enc.modified = 1; +- return i2d_X509_CRL_INFO(crl->crl, pp); +-} +-#endif + """ diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py deleted file mode 100644 index 93fb2478c76d..000000000000 --- a/security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py +++ /dev/null 
@@ -1,26 +0,0 @@ ---- src/_cffi_src/openssl/cryptography.py.orig 2022-10-17 10:52:36 UTC -+++ src/_cffi_src/openssl/cryptography.py -@@ -33,17 +33,17 @@ INCLUDES = """ - #endif - - #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ -- (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) -+ OPENSSL_VERSION_NUMBER >= 0x1010006f - - #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ -- (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL) -+ OPENSSL_VERSION_NUMBER < 0x101000af - #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \ -- (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL) -+ OPENSSL_VERSION_NUMBER < 0x10101000 - #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \ -- (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL) -+ OPENSSL_VERSION_NUMBER < 0x10101020 - #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \ -- (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL) --#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \ -+ OPENSSL_VERSION_NUMBER < 0x10101040 -+#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && \ - !defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING) - #define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1 - #else diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py deleted file mode 100644 index c54f653a5e05..000000000000 --- a/security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py +++ /dev/null 
@@ -1,120 +0,0 @@ ---- src/_cffi_src/openssl/dh.py.orig 2022-10-17 11:10:57 UTC -+++ src/_cffi_src/openssl/dh.py -@@ -37,117 +37,9 @@ int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x); - """ - - CUSTOMIZATIONS = """ --#if CRYPTOGRAPHY_IS_LIBRESSL --#ifndef DH_CHECK_Q_NOT_PRIME --#define DH_CHECK_Q_NOT_PRIME 0x10 --#endif -- --#ifndef DH_CHECK_INVALID_Q_VALUE --#define DH_CHECK_INVALID_Q_VALUE 0x20 --#endif -- --#ifndef DH_CHECK_INVALID_J_VALUE --#define DH_CHECK_INVALID_J_VALUE 0x40 --#endif -- --/* DH_check implementation taken from OpenSSL 1.1.0pre6 */ -- --/*- -- * Check that p is a safe prime and -- * if g is 2, 3 or 5, check that it is a suitable generator -- * where -- * for 2, p mod 24 == 11 -- * for 3, p mod 12 == 5 -- * for 5, p mod 10 == 3 or 7 -- * should hold. -- */ -- --int Cryptography_DH_check(const DH *dh, int *ret) --{ -- int ok = 0, r; -- BN_CTX *ctx = NULL; -- BN_ULONG l; -- BIGNUM *t1 = NULL, *t2 = NULL; -- -- *ret = 0; -- ctx = BN_CTX_new(); -- if (ctx == NULL) -- goto err; -- BN_CTX_start(ctx); -- t1 = BN_CTX_get(ctx); -- if (t1 == NULL) -- goto err; -- t2 = BN_CTX_get(ctx); -- if (t2 == NULL) -- goto err; -- -- if (dh->q) { -- if (BN_cmp(dh->g, BN_value_one()) <= 0) -- *ret |= DH_NOT_SUITABLE_GENERATOR; -- else if (BN_cmp(dh->g, dh->p) >= 0) -- *ret |= DH_NOT_SUITABLE_GENERATOR; -- else { -- /* Check g^q == 1 mod p */ -- if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx)) -- goto err; -- if (!BN_is_one(t1)) -- *ret |= DH_NOT_SUITABLE_GENERATOR; -- } -- r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL); -- if (r < 0) -- goto err; -- if (!r) -- *ret |= DH_CHECK_Q_NOT_PRIME; -- /* Check p == 1 mod q i.e. 
q divides p - 1 */ -- if (!BN_div(t1, t2, dh->p, dh->q, ctx)) -- goto err; -- if (!BN_is_one(t2)) -- *ret |= DH_CHECK_INVALID_Q_VALUE; -- if (dh->j && BN_cmp(dh->j, t1)) -- *ret |= DH_CHECK_INVALID_J_VALUE; -- -- } else if (BN_is_word(dh->g, DH_GENERATOR_2)) { -- l = BN_mod_word(dh->p, 24); -- if (l == (BN_ULONG)-1) -- goto err; -- if (l != 11) -- *ret |= DH_NOT_SUITABLE_GENERATOR; -- } else if (BN_is_word(dh->g, DH_GENERATOR_5)) { -- l = BN_mod_word(dh->p, 10); -- if (l == (BN_ULONG)-1) -- goto err; -- if ((l != 3) && (l != 7)) -- *ret |= DH_NOT_SUITABLE_GENERATOR; -- } else -- *ret |= DH_UNABLE_TO_CHECK_GENERATOR; -- -- r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL); -- if (r < 0) -- goto err; -- if (!r) -- *ret |= DH_CHECK_P_NOT_PRIME; -- else if (!dh->q) { -- if (!BN_rshift1(t1, dh->p)) -- goto err; -- r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL); -- if (r < 0) -- goto err; -- if (!r) -- *ret |= DH_CHECK_P_NOT_SAFE_PRIME; -- } -- ok = 1; -- err: -- if (ctx != NULL) { -- BN_CTX_end(ctx); -- BN_CTX_free(ctx); -- } -- return (ok); --} --#else - int Cryptography_DH_check(const DH *dh, int *ret) { - return DH_check(dh, ret); - } --#endif - - /* These functions were added in OpenSSL 1.1.0f commit d0c50e80a8 */ - /* Define our own to simplify support across all versions. */ diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py deleted file mode 100644 index f947a6698d78..000000000000 --- a/security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py +++ /dev/null 
@@ -1,14 +0,0 @@ ---- src/_cffi_src/openssl/fips.py.orig 2022-10-17 11:12:47 UTC -+++ src/_cffi_src/openssl/fips.py -@@ -17,11 +17,5 @@ int FIPS_mode(void); - """ - - CUSTOMIZATIONS = """ --#if CRYPTOGRAPHY_IS_LIBRESSL --static const long Cryptography_HAS_FIPS = 0; --int (*FIPS_mode_set)(int) = NULL; --int (*FIPS_mode)(void) = NULL; --#else - static const long Cryptography_HAS_FIPS = 1; --#endif - """ diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py deleted file mode 100644 index edbbfc2309ee..000000000000 --- a/security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py +++ /dev/null 
@@ -1,73 +0,0 @@ ---- src/_cffi_src/openssl/ocsp.py.orig 2022-10-17 11:14:50 UTC -+++ src/_cffi_src/openssl/ocsp.py -@@ -77,7 +77,6 @@ int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char * - - CUSTOMIZATIONS = """ - #if ( \ -- !CRYPTOGRAPHY_IS_LIBRESSL && \ - CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ - ) - /* These structs come from ocsp_lcl.h and are needed to de-opaque the struct -@@ -104,62 +103,15 @@ struct ocsp_basic_response_st { - }; - #endif - --#if CRYPTOGRAPHY_IS_LIBRESSL --/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */ --const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single) --{ -- return single->certId; --} --const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs( -- const OCSP_BASICRESP *bs) --{ -- return bs->certs; --} --int OCSP_resp_get0_id(const OCSP_BASICRESP *bs, -- const ASN1_OCTET_STRING **pid, -- const X509_NAME **pname) --{ -- const OCSP_RESPID *rid = bs->tbsResponseData->responderId; -- -- if (rid->type == V_OCSP_RESPID_NAME) { -- *pname = rid->value.byName; -- *pid = NULL; -- } else if (rid->type == V_OCSP_RESPID_KEY) { -- *pid = rid->value.byKey; -- *pname = NULL; -- } else { -- return 0; -- } -- return 1; --} --const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at( -- const OCSP_BASICRESP* bs) --{ -- return bs->tbsResponseData->producedAt; --} --const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs) --{ -- return bs->signature; --} --#endif -- - #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J - const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs) - { --#if CRYPTOGRAPHY_IS_LIBRESSL -- return bs->signatureAlgorithm; --#else - return &bs->signatureAlgorithm; --#endif - } - - const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs) - { --#if CRYPTOGRAPHY_IS_LIBRESSL -- return bs->tbsResponseData; --#else - return &bs->tbsResponseData; --#endif - } - #endif - """ 
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py deleted file mode 100644 index 80d153a39da8..000000000000 --- a/security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py +++ /dev/null @@ -1,29 +0,0 @@ ---- src/_cffi_src/openssl/ssl.py.orig 2022-10-17 11:17:08 UTC -+++ src/_cffi_src/openssl/ssl.py -@@ -515,12 +515,7 @@ CUSTOMIZATIONS = """ - // users have upgraded. PersistentlyDeprecated2020 - static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1; - --#if CRYPTOGRAPHY_IS_LIBRESSL --static const long Cryptography_HAS_VERIFIED_CHAIN = 0; --Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL; --#else - static const long Cryptography_HAS_VERIFIED_CHAIN = 1; --#endif - - #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 - static const long Cryptography_HAS_KEYLOG = 0; -@@ -583,13 +578,6 @@ static const long Cryptography_HAS_TLS_ST = 1; - static const long Cryptography_HAS_TLS_ST = 0; - static const long TLS_ST_BEFORE = 0; - static const long TLS_ST_OK = 0; --#endif -- --#if CRYPTOGRAPHY_IS_LIBRESSL --static const long SSL_OP_NO_DTLSv1 = 0; --static const long SSL_OP_NO_DTLSv1_2 = 0; --long (*DTLS_set_link_mtu)(SSL *, long) = NULL; --long (*DTLS_get_link_min_mtu)(SSL *) = NULL; - #endif - - static const long Cryptography_HAS_DTLS = 1; diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py deleted file mode 100644 index e3cc928337c2..000000000000 --- a/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py +++ /dev/null 
@@ -1,36 +0,0 @@ ---- src/_cffi_src/openssl/x509.py.orig 2022-10-17 11:26:23 UTC -+++ src/_cffi_src/openssl/x509.py -@@ -276,33 +276,8 @@ void X509_REQ_get0_signature(const X509_REQ *, const A - """ - - CUSTOMIZATIONS = """ --#if CRYPTOGRAPHY_IS_LIBRESSL --int i2d_re_X509_tbs(X509 *x, unsigned char **pp) --{ -- /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1 -- but older OpenSSLs don't have the enc ASN1_ENCODING member in the -- X509 struct. Setting modified to 1 marks the encoding -- (x->cert_info->enc.enc) as invalid, but since the entire struct isn't -- present we don't care. */ -- return i2d_X509_CINF(x->cert_info, pp); --} --#endif -- - /* Being kept around for pyOpenSSL */ - X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) { - return X509_REVOKED_dup(rev); - } --/* Added in 1.1.0 but we need it in all versions now due to the great -- opaquing. */ --#if CRYPTOGRAPHY_IS_LIBRESSL --int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp) --{ -- req->req_info->enc.modified = 1; -- return i2d_X509_REQ_INFO(req->req_info, pp); --} --int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) { -- crl->crl->enc.modified = 1; -- return i2d_X509_CRL_INFO(crl->crl, pp); --} --#endif - """
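Review bot: the new file security/py-cryptography/files/patch-libressl35 is not a rename but a merge of six per-source-file patches into one, and neither the commit message nor the file says when it is meant to apply or what "libressl35" refers to. The old names (patch-src___cffi__src_openssl_dh.py and so on) at least identified the file each patch touched. Please say in the commit message that the patches were consolidated and why, and state which library versions the combined patch targets.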
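Review bot: in the src/_cffi_src/openssl/cryptography.py section, the rewritten macros (CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER and the CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J, _111, _111B and _111D family) lose their enclosing parentheses together with the CRYPTOGRAPHY_IS_LIBRESSL term, so each expands to a bare comparison such as OPENSSL_VERSION_NUMBER < 0x10101040. The one use visible here, #if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !defined(OPENSSL_NO_ENGINE)), still groups as intended, but a use with a leading ! would negate OPENSSL_VERSION_NUMBER alone before comparing. Keep the parentheses around each body, for example (OPENSSL_VERSION_NUMBER < 0x10101040).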
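Review bot: the src/_cffi_src/openssl/dh.py section reduces Cryptography_DH_check to a plain call to DH_check and also deletes the #ifndef fallbacks for DH_CHECK_Q_NOT_PRIME, DH_CHECK_INVALID_Q_VALUE and DH_CHECK_INVALID_J_VALUE, without recording whether the linked library's DH_check performs the same tests or whether its headers define those flags. The removed copy tested that q is prime, that q divides p - 1, and that j matches, and the flags it set in *ret are what tells a caller the parameters are unsuitable. Please document, in the patch or the commit message, that the library's own DH_check covers these checks for the versions this patch is applied against.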
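Review bot: the src/_cffi_src/openssl/fips.py section sets Cryptography_HAS_FIPS = 1 unconditionally and removes the NULL definitions of FIPS_mode_set and FIPS_mode, so the build now depends on the linked library declaring both functions, and the binding reports the capability as present regardless of library. The ssl.py sections follow the same pattern for Cryptography_HAS_VERIFIED_CHAIN, SSL_get0_verified_chain, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2, DTLS_set_link_mtu and DTLS_get_link_min_mtu. Nothing in the patch guards against a library that lacks these symbols; please note the minimum version that provides them, or keep the fallbacks behind a version check, so that a mismatch fails with a clear message rather than an undeclared-symbol error.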