cpet/freebsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

security/py-cryptography: Fix build w/ libressl3.5

Browse Source 
Approved by:		sunpoet (maintainer, timeout), tcberner (mentor)
Differential Revision:	https://reviews.freebsd.org/D37049
This commit is contained in:
Felix Palmen 2022-10-17 13:28:48 +02:00
parent 1ff5d3caa4
commit 14ff8de706
8 changed files with 298 additions and 160 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
View File

@ -1,62 +0,0 @@
From 94590a9aecc9e5ef6fc8eda52bae43643a4c44bd Mon Sep 17 00:00:00 2001
From: Charlie Li <vishwin@users.noreply.github.com>
Date: Mon, 19 Apr 2021 18:38:38 -0400
Subject: [PATCH] Fix build with LibreSSL 3.3.2 (#5988)
* LibreSSL 3.3.2 supports SSL_OP_NO_DTLS*
While here, bump CI
* Fix preprocessor guards for LibreSSL's SSL_OP_NO_DTLS*
DTLS_set_link_mtu and DTLS_get_link_min_mtu are not part of 3.3.2
* Switch to LESS_THAN context for LibreSSL 3.3.2
While here, fix indents
* Remove extra C variable declaration
The variable is not actually used from Python
---
.github/workflows/ci.yml | 2 +-
src/_cffi_src/openssl/cryptography.py | 7 +++++++
src/_cffi_src/openssl/ssl.py | 2 ++
3 files changed, 10 insertions(+), 1 deletion(-)
diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
index e2b5a132..b9c7a793 100644
--- src/_cffi_src/openssl/cryptography.py
+++ src/_cffi_src/openssl/cryptography.py
@@ -32,6 +32,13 @@ INCLUDES = """
#include <Winsock2.h>
#endif
+#if CRYPTOGRAPHY_IS_LIBRESSL
+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
+ (LIBRESSL_VERSION_NUMBER < 0x3030200f)
+#else
+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
+#endif
+
#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
(OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
index 11a7d63a..081ef041 100644
--- src/_cffi_src/openssl/ssl.py
+++ src/_cffi_src/openssl/ssl.py
@@ -586,8 +586,10 @@ static const long TLS_ST_OK = 0;
#endif
#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332
static const long SSL_OP_NO_DTLSv1 = 0;
static const long SSL_OP_NO_DTLSv1_2 = 0;
+#endif
long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
#endif
--
2.31.1

98
security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
View File

@ -1,98 +0,0 @@
From 7a341a5d3cb9380e77b0241b5198373ab6fc355e Mon Sep 17 00:00:00 2001
From: Charlie Li <vishwin@users.noreply.github.com>
Date: Sun, 3 Oct 2021 00:20:31 -0400
Subject: [PATCH] Support LibreSSL 3.4.0 (#6360)
* Add LibreSSL 3.4.0 to CI
* Add a LibreSSL 3.4.0 guard
Since LibreSSL 3.4.0 makes most of the TLSv1.3 API available, redefine CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 to LibreSSL versions below 3.4.0.
* DTLS_get_data_mtu does not exist in LibreSSL
* Only EVP_Digest{Sign,Verify} exist in LibreSSL 3.4.0+
* SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL
* Do not pollute CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 with LibreSSL
While LibreSSL 3.4.0 supports more of TLSv1.3 API, the guard redefinition caused the X448 tests to run when not intended.
---
.github/workflows/ci.yml | 6 ++++--
src/_cffi_src/openssl/cryptography.py | 3 +++
src/_cffi_src/openssl/evp.py | 15 ++++++++++-----
src/_cffi_src/openssl/ssl.py | 3 ++-
4 files changed, 19 insertions(+), 8 deletions(-)
diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
index 878d22d8..821ddc9f 100644
--- src/_cffi_src/openssl/cryptography.py
+++ src/_cffi_src/openssl/cryptography.py
@@ -36,8 +36,11 @@ INCLUDES = """
#if CRYPTOGRAPHY_IS_LIBRESSL
#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
(LIBRESSL_VERSION_NUMBER < 0x3030200f)
+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 \
+ (LIBRESSL_VERSION_NUMBER < 0x3040000f)
#else
#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0)
#endif
#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
diff --git src/_cffi_src/openssl/evp.py src/_cffi_src/openssl/evp.py
index ab7cfeb3..cad3339a 100644
--- src/_cffi_src/openssl/evp.py
+++ src/_cffi_src/openssl/evp.py
@@ -203,15 +203,21 @@ int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *,
size_t) = NULL;
#endif
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
+ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
-static const long Cryptography_HAS_RAW_KEY = 0;
-static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
-int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,
const unsigned char *tbs, size_t) = NULL;
int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t,
const unsigned char *, size_t) = NULL;
+#else
+static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+static const long Cryptography_HAS_RAW_KEY = 0;
+static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
+int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *,
size_t) = NULL;
EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *,
@@ -221,7 +227,6 @@ int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *,
int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *,
size_t *) = NULL;
#else
-static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
static const long Cryptography_HAS_RAW_KEY = 1;
static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1;
#endif
diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
index ca275e91..0830a463 100644
--- src/_cffi_src/openssl/ssl.py
+++ src/_cffi_src/openssl/ssl.py
@@ -678,7 +678,8 @@ int (*SSL_set_tlsext_use_srtp)(SSL *, const char *) = NULL;
SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL;
#endif
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
+ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
static const long Cryptography_HAS_TLSv1_3 = 0;
static const long SSL_OP_NO_TLSv1_3 = 0;
static const long SSL_VERIFY_POST_HANDSHAKE = 0;
--
2.32.0

26
security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py Normal file
View File

@ -0,0 +1,26 @@
--- src/_cffi_src/openssl/cryptography.py.orig 2022-10-17 10:52:36 UTC
+++ src/_cffi_src/openssl/cryptography.py
@@ -33,17 +33,17 @@ INCLUDES = """
#endif
#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
- (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
+ OPENSSL_VERSION_NUMBER >= 0x1010006f
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
- (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
+ OPENSSL_VERSION_NUMBER < 0x101000af
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \
- (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL)
+ OPENSSL_VERSION_NUMBER < 0x10101000
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \
- (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
+ OPENSSL_VERSION_NUMBER < 0x10101020
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \
- (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL)
-#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \
+ OPENSSL_VERSION_NUMBER < 0x10101040
+#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && \
!defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING)
#define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1
#else

120
security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py Normal file
View File

@ -0,0 +1,120 @@
--- src/_cffi_src/openssl/dh.py.orig 2022-10-17 11:10:57 UTC
+++ src/_cffi_src/openssl/dh.py
@@ -37,117 +37,9 @@ int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x);
"""
CUSTOMIZATIONS = """
-#if CRYPTOGRAPHY_IS_LIBRESSL
-#ifndef DH_CHECK_Q_NOT_PRIME
-#define DH_CHECK_Q_NOT_PRIME 0x10
-#endif
-
-#ifndef DH_CHECK_INVALID_Q_VALUE
-#define DH_CHECK_INVALID_Q_VALUE 0x20
-#endif
-
-#ifndef DH_CHECK_INVALID_J_VALUE
-#define DH_CHECK_INVALID_J_VALUE 0x40
-#endif
-
-/* DH_check implementation taken from OpenSSL 1.1.0pre6 */
-
-/*-
- * Check that p is a safe prime and
- * if g is 2, 3 or 5, check that it is a suitable generator
- * where
- * for 2, p mod 24 == 11
- * for 3, p mod 12 == 5
- * for 5, p mod 10 == 3 or 7
- * should hold.
- */
-
-int Cryptography_DH_check(const DH *dh, int *ret)
-{
- int ok = 0, r;
- BN_CTX *ctx = NULL;
- BN_ULONG l;
- BIGNUM *t1 = NULL, *t2 = NULL;
-
- *ret = 0;
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
- BN_CTX_start(ctx);
- t1 = BN_CTX_get(ctx);
- if (t1 == NULL)
- goto err;
- t2 = BN_CTX_get(ctx);
- if (t2 == NULL)
- goto err;
-
- if (dh->q) {
- if (BN_cmp(dh->g, BN_value_one()) <= 0)
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- else if (BN_cmp(dh->g, dh->p) >= 0)
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- else {
- /* Check g^q == 1 mod p */
- if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx))
- goto err;
- if (!BN_is_one(t1))
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- }
- r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);
- if (r < 0)
- goto err;
- if (!r)
- *ret |= DH_CHECK_Q_NOT_PRIME;
- /* Check p == 1 mod q i.e. q divides p - 1 */
- if (!BN_div(t1, t2, dh->p, dh->q, ctx))
- goto err;
- if (!BN_is_one(t2))
- *ret |= DH_CHECK_INVALID_Q_VALUE;
- if (dh->j && BN_cmp(dh->j, t1))
- *ret |= DH_CHECK_INVALID_J_VALUE;
-
- } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
- l = BN_mod_word(dh->p, 24);
- if (l == (BN_ULONG)-1)
- goto err;
- if (l != 11)
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
- l = BN_mod_word(dh->p, 10);
- if (l == (BN_ULONG)-1)
- goto err;
- if ((l != 3) && (l != 7))
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- } else
- *ret |= DH_UNABLE_TO_CHECK_GENERATOR;
-
- r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);
- if (r < 0)
- goto err;
- if (!r)
- *ret |= DH_CHECK_P_NOT_PRIME;
- else if (!dh->q) {
- if (!BN_rshift1(t1, dh->p))
- goto err;
- r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);
- if (r < 0)
- goto err;
- if (!r)
- *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
- }
- ok = 1;
- err:
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
- return (ok);
-}
-#else
int Cryptography_DH_check(const DH *dh, int *ret) {
return DH_check(dh, ret);
}
-#endif
/* These functions were added in OpenSSL 1.1.0f commit d0c50e80a8 */
/* Define our own to simplify support across all versions. */

14
security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py Normal file
View File

@ -0,0 +1,14 @@
--- src/_cffi_src/openssl/fips.py.orig 2022-10-17 11:12:47 UTC
+++ src/_cffi_src/openssl/fips.py
@@ -17,11 +17,5 @@ int FIPS_mode(void);
"""
CUSTOMIZATIONS = """
-#if CRYPTOGRAPHY_IS_LIBRESSL
-static const long Cryptography_HAS_FIPS = 0;
-int (*FIPS_mode_set)(int) = NULL;
-int (*FIPS_mode)(void) = NULL;
-#else
static const long Cryptography_HAS_FIPS = 1;
-#endif
"""

73
security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py Normal file
View File

@ -0,0 +1,73 @@
--- src/_cffi_src/openssl/ocsp.py.orig 2022-10-17 11:14:50 UTC
+++ src/_cffi_src/openssl/ocsp.py
@@ -77,7 +77,6 @@ int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char *
CUSTOMIZATIONS = """
#if ( \
- !CRYPTOGRAPHY_IS_LIBRESSL && \
CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
)
/* These structs come from ocsp_lcl.h and are needed to de-opaque the struct
@@ -104,62 +103,15 @@ struct ocsp_basic_response_st {
};
#endif
-#if CRYPTOGRAPHY_IS_LIBRESSL
-/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */
-const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
-{
- return single->certId;
-}
-const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(
- const OCSP_BASICRESP *bs)
-{
- return bs->certs;
-}
-int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
- const ASN1_OCTET_STRING **pid,
- const X509_NAME **pname)
-{
- const OCSP_RESPID *rid = bs->tbsResponseData->responderId;
-
- if (rid->type == V_OCSP_RESPID_NAME) {
- *pname = rid->value.byName;
- *pid = NULL;
- } else if (rid->type == V_OCSP_RESPID_KEY) {
- *pid = rid->value.byKey;
- *pname = NULL;
- } else {
- return 0;
- }
- return 1;
-}
-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
- const OCSP_BASICRESP* bs)
-{
- return bs->tbsResponseData->producedAt;
-}
-const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
-{
- return bs->signature;
-}
-#endif
-
#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J
const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
{
-#if CRYPTOGRAPHY_IS_LIBRESSL
- return bs->signatureAlgorithm;
-#else
return &bs->signatureAlgorithm;
-#endif
}
const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
{
-#if CRYPTOGRAPHY_IS_LIBRESSL
- return bs->tbsResponseData;
-#else
return &bs->tbsResponseData;
-#endif
}
#endif
"""

29
security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py Normal file
View File

@ -0,0 +1,29 @@
--- src/_cffi_src/openssl/ssl.py.orig 2022-10-17 11:17:08 UTC
+++ src/_cffi_src/openssl/ssl.py
@@ -515,12 +515,7 @@ CUSTOMIZATIONS = """
// users have upgraded. PersistentlyDeprecated2020
static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;
-#if CRYPTOGRAPHY_IS_LIBRESSL
-static const long Cryptography_HAS_VERIFIED_CHAIN = 0;
-Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL;
-#else
static const long Cryptography_HAS_VERIFIED_CHAIN = 1;
-#endif
#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
static const long Cryptography_HAS_KEYLOG = 0;
@@ -583,13 +578,6 @@ static const long Cryptography_HAS_TLS_ST = 1;
static const long Cryptography_HAS_TLS_ST = 0;
static const long TLS_ST_BEFORE = 0;
static const long TLS_ST_OK = 0;
-#endif
-
-#if CRYPTOGRAPHY_IS_LIBRESSL
-static const long SSL_OP_NO_DTLSv1 = 0;
-static const long SSL_OP_NO_DTLSv1_2 = 0;
-long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
-long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
#endif
static const long Cryptography_HAS_DTLS = 1;

36
security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py Normal file
View File

@ -0,0 +1,36 @@
--- src/_cffi_src/openssl/x509.py.orig 2022-10-17 11:26:23 UTC
+++ src/_cffi_src/openssl/x509.py
@@ -276,33 +276,8 @@ void X509_REQ_get0_signature(const X509_REQ *, const A
"""
CUSTOMIZATIONS = """
-#if CRYPTOGRAPHY_IS_LIBRESSL
-int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
-{
- /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1
- but older OpenSSLs don't have the enc ASN1_ENCODING member in the
- X509 struct. Setting modified to 1 marks the encoding
- (x->cert_info->enc.enc) as invalid, but since the entire struct isn't
- present we don't care. */
- return i2d_X509_CINF(x->cert_info, pp);
-}
-#endif
-
/* Being kept around for pyOpenSSL */
X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) {
return X509_REVOKED_dup(rev);
}
-/* Added in 1.1.0 but we need it in all versions now due to the great
- opaquing. */
-#if CRYPTOGRAPHY_IS_LIBRESSL
-int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
-{
- req->req_info->enc.modified = 1;
- return i2d_X509_REQ_INFO(req->req_info, pp);
-}
-int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) {
- crl->crl->enc.modified = 1;
- return i2d_X509_CRL_INFO(crl->crl, pp);
-}
-#endif
"""