Date: Tue, 5 Oct 2021 14:42:25 GMT From: Charlie Li <vishwin@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org Subject: git: 929ee09863ac - 2021Q4 - security/py-cryptography: support LibreSSL 3.4.0 Message-ID: <202110051442.195EgPQQ015561@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch 2021Q4 has been updated by vishwin: URL: https://cgit.FreeBSD.org/ports/commit/?id=929ee09863ac5d39c67651314006375ff5f2549c commit 929ee09863ac5d39c67651314006375ff5f2549c Author: Charlie Li <vishwin@FreeBSD.org> AuthorDate: 2021-10-03 14:29:20 +0000 Commit: Charlie Li <vishwin@FreeBSD.org> CommitDate: 2021-10-05 14:41:10 +0000 security/py-cryptography: support LibreSSL 3.4.0 Merged upstream as https://github.com/pyca/cryptography/pull/6360 and backported to this version. While here, remove remaining FreeBSD 11 cruft Approved by: fluffy (mentor), koobs (implicit: MAINTAINER_POLICY) Differential Revision: https://reviews.freebsd.org/D32281 (cherry picked from commit 5b57210d0d0a7d74c9f8b4895907b34f2f34473d) --- security/py-cryptography/Makefile | 14 ---- security/py-cryptography/distinfo | 2 - .../patch-src___cffi__src_openssl_cryptography.py | 26 ------ ...cryptography_hazmat_backends_openssl_backend.py | 29 ------- ...-src_cryptography_hazmat_backends_openssl_ec.py | 32 ------- ...88 => patch-Fix-build-with-LibreSSL-3.3.2-5988} | 0 .../files/patch-Support-LibreSSL-3.4.0-6360 | 98 ++++++++++++++++++++++ 7 files changed, 98 insertions(+), 103 deletions(-) diff --git a/security/py-cryptography/Makefile b/security/py-cryptography/Makefile index 18d7c316f41d..daf7f3a4d732 100644 --- a/security/py-cryptography/Makefile +++ b/security/py-cryptography/Makefile @@ -35,20 +35,6 @@ TEST_ENV= PYTHONPATH=${STAGEDIR}${PYTHONPREFIX_SITELIBDIR} .include <bsd.port.pre.mk> -# OpenSSL 1.0.2t got some curve matching parameter code backported before it -# has reached its End-of-Life and security/py-cryptography already had some -# code to handle this case, but it assumed OpenSSL 1.1.0+ . -# -# This has been fixed in 3.0-23-g241f8450 of security/py-cryptography and to be -# clear: It isn't a security fix but rather a workaround to handle unnamed but -# really named curves with OpenSSL 1.0.2t/u . - -# We need to keep old py-cryptography and py-openssl for 11.x release -# due to outdated OpenSSL version in base - -# Apply LibreSSL upstream patch that conflicts with above patch for 2.9.2 -EXTRA_PATCHES= ${PATCHDIR}/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988 - .if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42 post-patch: @${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' \ diff --git a/security/py-cryptography/distinfo b/security/py-cryptography/distinfo index d7062e6364f6..a2ec74471294 100644 --- a/security/py-cryptography/distinfo +++ b/security/py-cryptography/distinfo @@ -1,5 +1,3 @@ TIMESTAMP = 1614253508 -SHA256 (cryptography-2.9.2.tar.gz) = a0c30272fb4ddda5f5ffc1089d7405b7a71b0b0f51993cb4e5dbb4590b2fc229 -SIZE (cryptography-2.9.2.tar.gz) = 517571 SHA256 (cryptography-3.3.2.tar.gz) = 5a60d3780149e13b7a6ff7ad6526b38846354d11a15e21068e57073e29e19bed SIZE (cryptography-3.3.2.tar.gz) = 539883 diff --git a/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py b/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py deleted file mode 100644 index bf5d425142e6..000000000000 --- a/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py +++ /dev/null @@ -1,26 +0,0 @@ -Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves - -PR #5362 - -Obtained from: -https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79 - ---- src/_cffi_src/openssl/cryptography.py.orig 2020-04-22 22:27:48 UTC -+++ src/_cffi_src/openssl/cryptography.py -@@ -47,6 +47,8 @@ INCLUDES = """ - (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL) - #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL) -+#define CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER \ -+ (OPENSSL_VERSION_NUMBER >= 0x1000215fL && !CRYPTOGRAPHY_IS_LIBRESSL) - #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL) - #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ -@@ -68,6 +70,7 @@ INCLUDES = """ - - TYPES = """ - static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER; -+static const int CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER; - static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER; - static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; - diff --git a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py deleted file mode 100644 index fc9701242a42..000000000000 --- a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py +++ /dev/null @@ -1,29 +0,0 @@ -Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves - -PR #5362 - -Obtained from: -https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79 - ---- src/cryptography/hazmat/backends/openssl/backend.py.orig 2020-04-22 22:27:48 UTC -+++ src/cryptography/hazmat/backends/openssl/backend.py -@@ -1515,8 +1515,19 @@ class Backend(object): - - def _ec_key_new_by_curve(self, curve): - curve_nid = self._elliptic_curve_to_nid(curve) -+ return self._ec_key_new_by_curve_nid(curve_nid) -+ -+ def _ec_key_new_by_curve_nid(self, curve_nid): - ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid) - self.openssl_assert(ec_cdata != self._ffi.NULL) -+ # Setting the ASN.1 flag to OPENSSL_EC_NAMED_CURVE is -+ # only necessary on OpenSSL 1.0.2t/u. Once we drop support for 1.0.2 -+ # we can remove this as it's done automatically when getting an EC_KEY -+ # from new_by_curve_name -+ # CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER -+ self._lib.EC_KEY_set_asn1_flag( -+ ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE -+ ) - return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free) - - def load_der_ocsp_request(self, data): diff --git a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py deleted file mode 100644 index 4c155c1d7b2d..000000000000 --- a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py +++ /dev/null @@ -1,32 +0,0 @@ -Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves - -PR #5362 - -Obtained from: -https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79 - ---- src/cryptography/hazmat/backends/openssl/ec.py.orig 2020-04-22 22:26:51 UTC -+++ src/cryptography/hazmat/backends/openssl/ec.py -@@ -42,7 +42,7 @@ def _ec_key_curve_sn(backend, ec_key): - # explicitly encoded a curve with the same parameters as a named curve. - # Don't do that. - if ( -- backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and -+ backend._lib.CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER and - backend._lib.EC_GROUP_get_asn1_flag(group) == 0 - ): - raise NotImplementedError( -@@ -195,12 +195,7 @@ class _EllipticCurvePrivateKey(object): - self._backend.openssl_assert(group != self._backend._ffi.NULL) - - curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group) -- -- public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid) -- self._backend.openssl_assert(public_ec_key != self._backend._ffi.NULL) -- public_ec_key = self._backend._ffi.gc( -- public_ec_key, self._backend._lib.EC_KEY_free -- ) -+ public_ec_key = self._backend._ec_key_new_by_curve_nid(curve_nid) - - point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key) - self._backend.openssl_assert(point != self._backend._ffi.NULL) diff --git a/security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988 b/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988 similarity index 100% rename from security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988 rename to security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988 diff --git a/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 new file mode 100644 index 000000000000..a8bb6dc6da43 --- /dev/null +++ b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 @@ -0,0 +1,98 @@ +From 7a341a5d3cb9380e77b0241b5198373ab6fc355e Mon Sep 17 00:00:00 2001 +From: Charlie Li <vishwin@users.noreply.github.com> +Date: Sun, 3 Oct 2021 00:20:31 -0400 +Subject: [PATCH] Support LibreSSL 3.4.0 (#6360) + +* Add LibreSSL 3.4.0 to CI + +* Add a LibreSSL 3.4.0 guard + +Since LibreSSL 3.4.0 makes most of the TLSv1.3 API available, redefine CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 to LibreSSL versions below 3.4.0. + +* DTLS_get_data_mtu does not exist in LibreSSL + +* Only EVP_Digest{Sign,Verify} exist in LibreSSL 3.4.0+ + +* SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL + +* Do not pollute CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 with LibreSSL + +While LibreSSL 3.4.0 supports more of TLSv1.3 API, the guard redefinition caused the X448 tests to run when not intended. +--- + .github/workflows/ci.yml | 6 ++++-- + src/_cffi_src/openssl/cryptography.py | 3 +++ + src/_cffi_src/openssl/evp.py | 15 ++++++++++----- + src/_cffi_src/openssl/ssl.py | 3 ++- + 4 files changed, 19 insertions(+), 8 deletions(-) + +diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py +index 878d22d8..821ddc9f 100644 +--- src/_cffi_src/openssl/cryptography.py ++++ src/_cffi_src/openssl/cryptography.py +@@ -36,8 +36,11 @@ INCLUDES = """ + #if CRYPTOGRAPHY_IS_LIBRESSL + #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \ + (LIBRESSL_VERSION_NUMBER < 0x3030200f) ++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 \ ++ (LIBRESSL_VERSION_NUMBER < 0x3040000f) + #else + #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0) ++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0) + #endif + + #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ +diff --git src/_cffi_src/openssl/evp.py src/_cffi_src/openssl/evp.py +index ab7cfeb3..cad3339a 100644 +--- src/_cffi_src/openssl/evp.py ++++ src/_cffi_src/openssl/evp.py +@@ -203,15 +203,21 @@ int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *, + size_t) = NULL; + #endif + +-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 ++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \ ++ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL) + static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0; +-static const long Cryptography_HAS_RAW_KEY = 0; +-static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0; +-int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL; + int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *, + const unsigned char *tbs, size_t) = NULL; + int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t, + const unsigned char *, size_t) = NULL; ++#else ++static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1; ++#endif ++ ++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 ++static const long Cryptography_HAS_RAW_KEY = 0; ++static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0; ++int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL; + EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *, + size_t) = NULL; + EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *, +@@ -221,7 +227,6 @@ int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *, + int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *, + size_t *) = NULL; + #else +-static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1; + static const long Cryptography_HAS_RAW_KEY = 1; + static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1; + #endif +diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py +index ca275e91..0830a463 100644 +--- src/_cffi_src/openssl/ssl.py ++++ src/_cffi_src/openssl/ssl.py +@@ -678,7 +678,8 @@ int (*SSL_set_tlsext_use_srtp)(SSL *, const char *) = NULL; + SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL; + #endif + +-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 ++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \ ++ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL) + static const long Cryptography_HAS_TLSv1_3 = 0; + static const long SSL_OP_NO_TLSv1_3 = 0; + static const long SSL_VERIFY_POST_HANDSHAKE = 0; +-- +2.32.0 +
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202110051442.195EgPQQ015561>