Date: Fri, 4 Dec 2020 11:31:23 +0000 (UTC) From: Kubilay Kocak <koobs@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r556973 - in head/security/py-cryptography: . files files/openssl102u Message-ID: <202012041131.0B4BVNUv003044@repo.freebsd.org>
Author: koobs Date: Fri Dec 4 11:31:22 2020 New Revision: 556973 URL: https://svnweb.freebsd.org/changeset/ports/556973 Log: security/py-cryptography: Update to 2.9.2 [2] - Remove patch-PR4855, upstreamed [1] - Remove asn1crypto, no longer an install_requires (RUN_DEPENDS) [1] - Add workaround for OpenSSL 1.0.2u/t when building for FreeBSD 11.3-STABLE and 11.4-RELEASE/STABLE. [2] Changelog: https://github.com/pyca/cryptography/blob/2.9.2/CHANGELOG.rst HUGE thank you to Kai for running through extensive QA and producing the final changeset. PR: 245929 Submitted by: Daniel <daniel.engberg.lists pyret.net> [1] Submitted by: kai [2] MFH: No (backward incompatiblities, substantial dependents count) Added: head/security/py-cryptography/files/openssl102u/ head/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py (contents, props changed) head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py (contents, props changed) head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py (contents, props changed) Deleted: head/security/py-cryptography/files/patch-PR4855 Modified: head/security/py-cryptography/Makefile head/security/py-cryptography/distinfo
Modified: head/security/py-cryptography/Makefile
==============================================================================
--- head/security/py-cryptography/Makefile Fri Dec 4 11:12:04 2020 (r556972)
+++ head/security/py-cryptography/Makefile Fri Dec 4 11:31:22 2020 (r556973)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 PORTNAME= cryptography
-PORTVERSION= 2.6.1
+PORTVERSION= 2.9.2
 CATEGORIES= security python
 MASTER_SITES= CHEESESHOP
 PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
@@ -16,8 +16,7 @@ LICENSE_FILE_APACHE20= ${WRKSRC}/LICENSE.APACHE
 LICENSE_FILE_BSD3CLAUSE= ${WRKSRC}/LICENSE.BSD
 BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR}
-RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}asn1crypto>=0.21.0:devel/py-asn1crypto@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} \
+RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} \
 ${PY_ENUM34} \
 ${PY_IPADDRESS} \
 ${PYTHON_PKGNAMEPREFIX}six>=1.4.1:devel/py-six@${PY_FLAVOR}
@@ -28,15 +27,32 @@ TEST_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cryptography-vect
 ${PYTHON_PKGNAMEPREFIX}pytest>=3.6.0:devel/py-pytest@${PY_FLAVOR} \
 ${PYTHON_PKGNAMEPREFIX}pytz>0:devel/py-pytz@${PY_FLAVOR}
-# Python 2.7, 3.4-3.7
+# Python 2.7, 3.5-3.8
 USES= compiler:env python ssl
 USE_PYTHON= autoplist concurrent distutils
 CFLAGS+= -I${OPENSSLINC}
 LDFLAGS+= -L${OPENSSLLIB}
+TEST_ENV= PYTHONPATH=${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}
+
 .include <bsd.port.pre.mk>
+# OpenSSL 1.0.2t got some curve matching parameter code backported before it
+# has reached its End-of-Life and security/py-cryptography already had some
+# code to handle this case, but it assumed OpenSSL 1.1.0+ .
+#
+# This has been fixed in 3.0-23-g241f8450 of security/py-cryptography and to be
+# clear: It isn't a security fix but rather a workaround to handle unnamed but
+# really named curves with OpenSSL 1.0.2t/u .
+.if ${OPSYS} == FreeBSD && ${SSL_DEFAULT} == "base"
+. if ${OSVERSION} >= 1103500 && ${OSVERSION} < 1200085
+# 1103500 352193 2019-09-10 11.3-STABLE got OpenSSL 1.0.2t
+# 1200085 339270 2018-10-19 12.0-STABLE got OpenSSL 1.1.1
+EXTRA_PATCHES= ${PATCHDIR}/openssl102u
+. endif
+.endif
+
 .if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42
 post-patch:
 @${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' \
@@ -47,6 +63,6 @@ post-install:
 ${STRIP_CMD} ${STAGEDIR}${PYTHON_SITELIBDIR}/cryptography/hazmat/bindings/*.so
 do-test:
- @cd ${WRKSRC} && ${PYTHON_CMD} ${PYDISTUTILS_SETUP} test
+ @cd ${WRKSRC} && ${SETENV} ${TEST_ENV} ${PYTHON_CMD} -m pytest -q -v -rs -o addopts=
 .include <bsd.port.post.mk>
Modified: head/security/py-cryptography/distinfo
==============================================================================
--- head/security/py-cryptography/distinfo Fri Dec 4 11:12:04 2020 (r556972)
+++ head/security/py-cryptography/distinfo Fri Dec 4 11:31:22 2020 (r556973)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1551354433
-SHA256 (cryptography-2.6.1.tar.gz) = 26c821cbeb683facb966045e2064303029d572a87ee69ca5a1bf54bf55f93ca6
-SIZE (cryptography-2.6.1.tar.gz) = 491580
+TIMESTAMP = 1596263213
+SHA256 (cryptography-2.9.2.tar.gz) = a0c30272fb4ddda5f5ffc1089d7405b7a71b0b0f51993cb4e5dbb4590b2fc229
+SIZE (cryptography-2.9.2.tar.gz) = 517571
Added: head/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py Fri Dec 4 11:31:22 2020 (r556973)
@@ -0,0 +1,26 @@
+Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
+
+PR #5362
+
+Obtained from:
+https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
+
+--- src/_cffi_src/openssl/cryptography.py.orig 2020-04-22 22:27:48 UTC
++++ src/_cffi_src/openssl/cryptography.py
+@@ -47,6 +47,8 @@ INCLUDES = """
+ (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
++#define CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER \
++ (OPENSSL_VERSION_NUMBER >= 0x1000215fL && !CRYPTOGRAPHY_IS_LIBRESSL)
+ #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+@@ -68,6 +70,7 @@ INCLUDES = """
+
+ TYPES = """
+ static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
++static const int CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER;
+ static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
+ static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
+
Added: head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py Fri Dec 4 11:31:22 2020 (r556973)
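Review bot: The added `CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER` macro compares against `0x1000215fL`, which by the same encoding as the neighbouring `0x100020cf` (1.0.2l) is 1.0.2u, so a base system still reporting 1.0.2t does not satisfy it. The Makefile applies this patch directory from OSVERSION 1103500, which its own comment ties to 1.0.2t, and the ec.py patch uses the macro to gate the check in `_ec_key_curve_sn` that raises when the group's ASN.1 flag is 0; on 1.0.2t that rejection would presumably stay switched off. If 1.0.2t is meant to be covered, the constant would need to be `0x1000214fL`; otherwise the Makefile comment should say so, e.g. `# NOTE: the explicit-curve check in ec.py is only active from 1.0.2u (0x1000215f)`. Both `INCLUDES` and `TYPES` start and end outside the hunks shown.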
@@ -0,0 +1,29 @@
+Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
+
+PR #5362
+
+Obtained from:
+https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
+
+--- src/cryptography/hazmat/backends/openssl/backend.py.orig 2020-04-22 22:27:48 UTC
++++ src/cryptography/hazmat/backends/openssl/backend.py
+@@ -1515,8 +1515,19 @@ class Backend(object):
+
+ def _ec_key_new_by_curve(self, curve):
+ curve_nid = self._elliptic_curve_to_nid(curve)
++ return self._ec_key_new_by_curve_nid(curve_nid)
++
++ def _ec_key_new_by_curve_nid(self, curve_nid):
+ ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid)
+ self.openssl_assert(ec_cdata != self._ffi.NULL)
++ # Setting the ASN.1 flag to OPENSSL_EC_NAMED_CURVE is
++ # only necessary on OpenSSL 1.0.2t/u. Once we drop support for 1.0.2
++ # we can remove this as it's done automatically when getting an EC_KEY
++ # from new_by_curve_name
++ # CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER
++ self._lib.EC_KEY_set_asn1_flag(
++ ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE
++ )
+ return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
+
+ def load_der_ocsp_request(self, data):
Added: head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py Fri Dec 4 11:31:22 2020 (r556973)
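Review bot: In the new `_ec_key_new_by_curve_nid` the flag constant is read as `backend._lib.OPENSSL_EC_NAMED_CURVE`, while every other access in the method goes through `self`; `backend` is not bound anywhere in this hunk, so the call relies on a module-level name that is only presumably defined elsewhere in backend.py. Writing the argument line as `ec_cdata, self._lib.OPENSSL_EC_NAMED_CURVE` would keep the method self-contained, though as the patch is taken from upstream it may be better raised there. The comment says the flag is only necessary on 1.0.2t/u, yet the call is unconditional and the bare `# CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER` line reads like a guard that was never written; `# Called unconditionally; per the note above it is redundant on newer OpenSSL.` would match the code. The `Backend` class starts and ends outside the hunk.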
@@ -0,0 +1,32 @@
+Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
+
+PR #5362
+
+Obtained from:
+https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
+
+--- src/cryptography/hazmat/backends/openssl/ec.py.orig 2020-04-22 22:26:51 UTC
++++ src/cryptography/hazmat/backends/openssl/ec.py
+@@ -42,7 +42,7 @@ def _ec_key_curve_sn(backend, ec_key):
+ # explicitly encoded a curve with the same parameters as a named curve.
+ # Don't do that.
+ if (
+- backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and
++ backend._lib.CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER and
+ backend._lib.EC_GROUP_get_asn1_flag(group) == 0
+ ):
+ raise NotImplementedError(
+@@ -195,12 +195,7 @@ class _EllipticCurvePrivateKey(object):
+ self._backend.openssl_assert(group != self._backend._ffi.NULL)
+
+ curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group)
+-
+- public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid)
+- self._backend.openssl_assert(public_ec_key != self._backend._ffi.NULL)
+- public_ec_key = self._backend._ffi.gc(
+- public_ec_key, self._backend._lib.EC_KEY_free
+- )
++ public_ec_key = self._backend._ec_key_new_by_curve_nid(curve_nid)
+
+ point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key)
+ self._backend.openssl_assert(point != self._backend._ffi.NULL)