Date: Thu, 30 May 2024 10:11:47 GMT
Message-Id: <202405301011.44UABlcb089123@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: Matthias Andree
Subject: git: c8638b8c2df4 - 2024Q2 - security/py-cryptography-legacy: fix OpenSSL >= 3.0 compat
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: mandree
X-Git-Repository: ports
X-Git-Refname: refs/heads/2024Q2
X-Git-Reftype: branch
X-Git-Commit: c8638b8c2df4eeb2d94d195931794bdb1e3d8e3c

The branch 2024Q2 has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c8638b8c2df4eeb2d94d195931794bdb1e3d8e3c

commit c8638b8c2df4eeb2d94d195931794bdb1e3d8e3c
Author:     Matthias Andree
AuthorDate: 2024-05-30 09:48:22 +0000
Commit:     Matthias Andree
CommitDate: 2024-05-30 10:08:29 +0000

    security/py-cryptography-legacy: fix OpenSSL >= 3.0 compat

    [The main branch commit log was misformatted, sorry for that.]

    py-cryptography-legacy still references functions that have been
    removed in OpenSSL 3.0, and fails to load openssl.abi3.so at run-time
    because it lacks ERR_GET_FUNC (reported) and FIPS_mode (masked by
    first error), both removed with OpenSSL 3.0, and later because
    py-openssl feeds our utils/deprecated() an unsupported name= keyword
    argument causing Python to raise an exception at call.

    https://www.openssl.org/docs/man3.0/man7/migration_guide.html
    is the basis for fixes #1 and #2

    Drop reference to ERR_GET_FUNC, OpenSSL 3.0 removed function codes
    from the error. In our own binding, leave the err_func attribute in,
    but set it to a constant 0.
    (patch-src___cffi* and patch-*binding.py)

    Drop reference to FIPS_mode and FIPS_mode_set, and stop claiming
    FIPS support, which would need a more thorough rework.
    (patch-libressl)

    Also, backport utils/deprecated() from py-cryptography 42.0.7,1,
    to support the new name=... kwarg, drop the annotations for argument
    and return types (for consistency).
    (patch-src_cryptography_utils.py)

    This is sufficient to fix run-time errors for py-certbot on my
    FreeBSD 14.0-RELEASE-p6 amd64 server with Python 3.11, which I set
    to default to py-cryptography-legacy.

    PR:             272935 (and bug linkage will reflect changes in PRs 273770, 272885)
    Approved by:    portmgr@ (just-fix-it blanket approval)
    MFH:            2024Q2

    (cherry picked from commit 403f201a1461fd26f026f2c8d3e67f1481908362)
    (with different PORTREVISION=2 so we don't get in the way of port
    rebuild/upgrade for next quarterly)
---
 security/py-cryptography-legacy/Makefile | 2 +-
 .../py-cryptography-legacy/files/patch-libressl | 21 +++++++++-------
 .../files/patch-src___cffi__src_openssl_err.py | 13 ++++++++++
 ...cryptography_hazmat_bindings_openssl_binding.py | 15 ++++++++++++
 .../files/patch-src_cryptography_utils.py | 28 ++++++++++++++++++++++
 5 files changed, 70 insertions(+), 9 deletions(-)

diff --git a/security/py-cryptography-legacy/Makefile b/security/py-cryptography-legacy/Makefile index 0e9421c19323..af0a496d0bb5 100644 --- a/security/py-cryptography-legacy/Makefile +++ b/security/py-cryptography-legacy/Makefile @@ -1,6 +1,6 @@ PORTNAME= cryptography PORTVERSION= 3.4.8 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH= 1 CATEGORIES= security python MASTER_SITES= PYPI diff --git a/security/py-cryptography-legacy/files/patch-libressl b/security/py-cryptography-legacy/files/patch-libressl index b9bc1e535d63..31a802026e1b 100644 --- a/security/py-cryptography-legacy/files/patch-libressl +++ b/security/py-cryptography-legacy/files/patch-libressl @@ -1,4 +1,4 @@ ---- src/_cffi_src/openssl/crypto.py.orig 2023-03-22 07:29:15 UTC +--- src/_cffi_src/openssl/crypto.py.orig 2021-08-24 17:02:37 UTC +++ src/_cffi_src/openssl/crypto.py @@ -74,11 +74,8 @@ CUSTOMIZATIONS = """ # define OPENSSL_DIR SSLEAY_DIR
@@ -49,7 +49,7 @@ #else --- src/_cffi_src/openssl/dh.py.orig 2021-08-24 17:17:17 UTC +++ src/_cffi_src/openssl/dh.py -@@ -37,117 +37,9 @@ int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x); +@@ -37,117 +37,9 @@ CUSTOMIZATIONS = """ """ CUSTOMIZATIONS = """ @@ -169,21 +169,26 @@ /* Define our own to simplify support across all versions. */ --- src/_cffi_src/openssl/fips.py.orig 2021-08-24 17:17:17 UTC +++ src/_cffi_src/openssl/fips.py -@@ -17,11 +17,5 @@ int FIPS_mode(void); +@@ -12,16 +12,8 @@ FUNCTIONS = """ + """ + + FUNCTIONS = """ +-int FIPS_mode_set(int); +-int FIPS_mode(void); """ CUSTOMIZATIONS = """ -#if CRYPTOGRAPHY_IS_LIBRESSL --static const long Cryptography_HAS_FIPS = 0; + static const long Cryptography_HAS_FIPS = 0; -int (*FIPS_mode_set)(int) = NULL; -int (*FIPS_mode)(void) = NULL; -#else - static const long Cryptography_HAS_FIPS = 1; +-static const long Cryptography_HAS_FIPS = 1; -#endif """ --- src/_cffi_src/openssl/ocsp.py.orig 2021-08-24 17:17:17 UTC +++ src/_cffi_src/openssl/ocsp.py -@@ -77,7 +77,6 @@ int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char * +@@ -77,7 +77,6 @@ CUSTOMIZATIONS = """ CUSTOMIZATIONS = """ #if ( \ @@ -256,7 +261,7 @@ """ --- src/_cffi_src/openssl/ssl.py.orig 2021-08-24 17:17:17 UTC +++ src/_cffi_src/openssl/ssl.py -@@ -515,12 +515,7 @@ CUSTOMIZATIONS = """ +@@ -515,12 +515,7 @@ static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1 // users have upgraded. PersistentlyDeprecated2020 static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1; @@ -280,7 +285,7 @@ #endif --- src/_cffi_src/openssl/x509.py.orig 2021-08-24 17:02:37 UTC +++ src/_cffi_src/openssl/x509.py -@@ -276,33 +276,8 @@ void X509_REQ_get0_signature(const X509_REQ *, const A +@@ -276,33 +276,8 @@ CUSTOMIZATIONS = """ """ CUSTOMIZATIONS = """ diff --git a/security/py-cryptography-legacy/files/patch-src___cffi__src_openssl_err.py b/security/py-cryptography-legacy/files/patch-src___cffi__src_openssl_err.py new file mode 100644 index 000000000000..fed5fe1cf1a7 
--- /dev/null +++ b/security/py-cryptography-legacy/files/patch-src___cffi__src_openssl_err.py @@ -0,0 +1,13 @@ +https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Removal-of-function-code-from-the-error-codes +states that the ERR_GET_FUNC() "macro" was removed, so follow suit: + +--- src/_cffi_src/openssl/err.py.orig 2021-08-24 17:17:17 UTC ++++ src/_cffi_src/openssl/err.py +@@ -39,7 +39,6 @@ int ERR_GET_LIB(unsigned long); + void ERR_put_error(int, int, int, const char *, int); + + int ERR_GET_LIB(unsigned long); +-int ERR_GET_FUNC(unsigned long); + int ERR_GET_REASON(unsigned long); + + """ diff --git a/security/py-cryptography-legacy/files/patch-src_cryptography_hazmat_bindings_openssl_binding.py b/security/py-cryptography-legacy/files/patch-src_cryptography_hazmat_bindings_openssl_binding.py new file mode 100644 index 000000000000..da25fa61681a --- /dev/null +++ b/security/py-cryptography-legacy/files/patch-src_cryptography_hazmat_bindings_openssl_binding.py @@ -0,0 +1,15 @@ +https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Removal-of-function-code-from-the-error-codes +states that the code is always 0, so do just that and forgo the call of a +nonexistent function. + +--- src/cryptography/hazmat/bindings/openssl/binding.py.orig 2021-08-24 17:17:17 UTC ++++ src/cryptography/hazmat/bindings/openssl/binding.py +@@ -43,7 +43,7 @@ def _consume_errors(lib): + break + + err_lib = lib.ERR_GET_LIB(code) +- err_func = lib.ERR_GET_FUNC(code) ++ err_func = 0 + err_reason = lib.ERR_GET_REASON(code) + + errors.append(_OpenSSLError(code, err_lib, err_func, err_reason)) diff --git a/security/py-cryptography-legacy/files/patch-src_cryptography_utils.py b/security/py-cryptography-legacy/files/patch-src_cryptography_utils.py new file mode 100644 index 000000000000..8650c280071b --- /dev/null +++ b/security/py-cryptography-legacy/files/patch-src_cryptography_utils.py 
@@ -0,0 +1,28 @@ +Taken from ../py-cryptography source code as of +FreeBSD ports tree 3216ed57448ee28aa6061e08839198c3e5cff5d7 +with py-cryptography-42.0.7,1, with type annotations stripped out: +-- mandree@ 2024-05-30 + +--- src/cryptography/utils.py.orig 2021-08-24 17:17:17 UTC ++++ src/cryptography/utils.py +@@ -132,13 +132,15 @@ class _ModuleWithDeprecations(object): + return ["_module"] + dir(self._module) + + +-def deprecated(value, module_name, message, warning_class): ++def deprecated(value, module_name, message, warning_class, name=None): + module = sys.modules[module_name] + if not isinstance(module, _ModuleWithDeprecations): +- sys.modules[module_name] = _ModuleWithDeprecations( +- module +- ) # type: ignore[assignment] +- return _DeprecatedValue(value, message, warning_class) ++ sys.modules[module_name] = module = _ModuleWithDeprecations(module) ++ dv = _DeprecatedValue(value, message, warning_class) ++ # Maintain backwards compatibility with `name is None` for pyOpenSSL. ++ if name is not None: ++ setattr(module, name, dv) ++ return dv + + + def cached_property(func):
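
Review bot: In the fips.py hunk of files/patch-libressl, `Cryptography_HAS_FIPS` becomes an unconditional 0 and the `FIPS_mode` / `FIPS_mode_set` declarations are deleted for every library, because the `#else` branch that set it to 1 is removed along with the LibreSSL conditional. The file is still named patch-libressl and, unlike the two new patch files, carries no header comment explaining the change, so a build against a FIPS-capable library loses FIPS detection without any notice. Suggest adding a comment in the patch stating that FIPS support is disabled on purpose, and confirming that every Python-side use of `lib.FIPS_mode` is guarded by `Cryptography_HAS_FIPS`, since none of those call sites is visible in this diff.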
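
Review bot: The err.py hunk in patch-src___cffi__src_openssl_err.py deletes `int ERR_GET_FUNC(unsigned long);` unconditionally, so the symbol disappears from the binding even when the port is built against a library that still provides it. A consumer outside this port that still calls `lib.ERR_GET_FUNC` would then fail with an attribute error at call time instead of at load time. If that is intended, say so in the patch header next to the migration guide link; otherwise keep the declaration behind a version conditional.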
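
Review bot: In the binding.py hunk, `err_func = 0` lands in `_consume_errors` without an inline comment; the reason (function codes are always 0 as of OpenSSL 3.0) lives only in the patch file header, which is not part of the installed source. Suggest a one-line comment above the assignment, and a check that nothing classifies errors by the third field of `_OpenSSLError`, because a comparison against a specific function code would now never match.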
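
Review bot: Only `deprecated()` is backported in the utils.py hunk, but the new `setattr(module, name, dv)` depends on how the 3.4.8 `_ModuleWithDeprecations` class handles attribute assignment and lookup, and that class body is outside the hunk. Suggest confirming that the wrapper forwards the assignment to the wrapped module and that attribute access on it unwraps the stored `_DeprecatedValue` and emits the warning, so that a pyOpenSSL call with `name=` produces a deprecation warning on access and not the raw wrapper object.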