git: 403f201a1461 - main - security/py-cryptography-legacy: fix OpenSSL >= 3.0 compat
Date: Thu, 30 May 2024 09:59:29 UTC
The branch main has been updated by mandree:
URL: https://cgit.FreeBSD.org/ports/commit/?id=403f201a1461fd26f026f2c8d3e67f1481908362
commit 403f201a1461fd26f026f2c8d3e67f1481908362
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2024-05-30 09:48:22 +0000
Commit: Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2024-05-30 09:53:54 +0000
security/py-cryptography-legacy: fix OpenSSL >= 3.0 compat
py-cryptography-legacy still references functions that have been
removed in OpenSSL 3.0, and fails to load openssl.abi3.so at run-time because
it lacks ERR_GET_FUNC (reported) and FIPS_mode (masked by first error),
and later because py-openssl feeds our utils/deprecated() an
unsupported name=<some string> keyword argument.
https://www.openssl.org/docs/man3.0/man7/migration_guide.html
is the basis for fixes #1 and #2
removed, because OpenSSL 3.0 removed function codes from the error.
In our own binding, leave the err_func attribute in, but set it
to a constant 0.
(patch-src___cffi* and patch-*binding.py)
and FIPS_mode_set, which need rework. (patch-libressl)
our utils/deprecated() function does not support, so steal
the utils function from py-cryptography 42.0.7,1, drop the
argument and return type annotations for consistency.
(patch-src_cryptography_utils.py)
This is sufficient to fix run-time errors for py-certbot on my
FreeBSD 14.0-RELEASE-p6 amd64 server with Python 3.11,
which I set to default to py-cryptography-legacy.
PR: 272935
(and bug linkage will reflect changes in PRs 273770, 272885)
Approved by: portmgr@ (just-fix-it blanket approval)
MFH: 2024Q2
---
security/py-cryptography-legacy/Makefile | 2 +-
.../py-cryptography-legacy/files/patch-libressl | 21 +++++++++-------
.../files/patch-src___cffi__src_openssl_err.py | 13 ++++++++++
...cryptography_hazmat_bindings_openssl_binding.py | 15 ++++++++++++
.../files/patch-src_cryptography_utils.py | 28 ++++++++++++++++++++++
5 files changed, 70 insertions(+), 9 deletions(-)
diff --git a/security/py-cryptography-legacy/Makefile b/security/py-cryptography-legacy/Makefile
index 3ce998682727..30e7a21cc290 100644
--- a/security/py-cryptography-legacy/Makefile
+++ b/security/py-cryptography-legacy/Makefile
@@ -1,6 +1,6 @@
PORTNAME= cryptography
PORTVERSION= 3.4.8
-PORTREVISION= 2
+PORTREVISION= 3
PORTEPOCH= 1
CATEGORIES= security python
MASTER_SITES= PYPI
diff --git a/security/py-cryptography-legacy/files/patch-libressl b/security/py-cryptography-legacy/files/patch-libressl
index b9bc1e535d63..31a802026e1b 100644
--- a/security/py-cryptography-legacy/files/patch-libressl
+++ b/security/py-cryptography-legacy/files/patch-libressl
@@ -1,4 +1,4 @@
---- src/_cffi_src/openssl/crypto.py.orig 2023-03-22 07:29:15 UTC
+--- src/_cffi_src/openssl/crypto.py.orig 2021-08-24 17:02:37 UTC
+++ src/_cffi_src/openssl/crypto.py
@@ -74,11 +74,8 @@ CUSTOMIZATIONS = """
# define OPENSSL_DIR SSLEAY_DIR
@@ -49,7 +49,7 @@
#else
--- src/_cffi_src/openssl/dh.py.orig 2021-08-24 17:17:17 UTC
+++ src/_cffi_src/openssl/dh.py
-@@ -37,117 +37,9 @@ int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x);
+@@ -37,117 +37,9 @@ CUSTOMIZATIONS = """
"""
CUSTOMIZATIONS = """
@@ -169,21 +169,26 @@
/* Define our own to simplify support across all versions. */
--- src/_cffi_src/openssl/fips.py.orig 2021-08-24 17:17:17 UTC
+++ src/_cffi_src/openssl/fips.py
-@@ -17,11 +17,5 @@ int FIPS_mode(void);
+@@ -12,16 +12,8 @@ FUNCTIONS = """
+ """
+
+ FUNCTIONS = """
+-int FIPS_mode_set(int);
+-int FIPS_mode(void);
"""
CUSTOMIZATIONS = """
-#if CRYPTOGRAPHY_IS_LIBRESSL
--static const long Cryptography_HAS_FIPS = 0;
+ static const long Cryptography_HAS_FIPS = 0;
-int (*FIPS_mode_set)(int) = NULL;
-int (*FIPS_mode)(void) = NULL;
-#else
- static const long Cryptography_HAS_FIPS = 1;
+-static const long Cryptography_HAS_FIPS = 1;
-#endif
"""
--- src/_cffi_src/openssl/ocsp.py.orig 2021-08-24 17:17:17 UTC
+++ src/_cffi_src/openssl/ocsp.py
-@@ -77,7 +77,6 @@ int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char *
+@@ -77,7 +77,6 @@ CUSTOMIZATIONS = """
CUSTOMIZATIONS = """
#if ( \
@@ -256,7 +261,7 @@
"""
--- src/_cffi_src/openssl/ssl.py.orig 2021-08-24 17:17:17 UTC
+++ src/_cffi_src/openssl/ssl.py
-@@ -515,12 +515,7 @@ CUSTOMIZATIONS = """
+@@ -515,12 +515,7 @@ static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1
// users have upgraded. PersistentlyDeprecated2020
static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;
@@ -280,7 +285,7 @@
#endif
--- src/_cffi_src/openssl/x509.py.orig 2021-08-24 17:02:37 UTC
+++ src/_cffi_src/openssl/x509.py
-@@ -276,33 +276,8 @@ void X509_REQ_get0_signature(const X509_REQ *, const A
+@@ -276,33 +276,8 @@ CUSTOMIZATIONS = """
"""
CUSTOMIZATIONS = """
diff --git a/security/py-cryptography-legacy/files/patch-src___cffi__src_openssl_err.py b/security/py-cryptography-legacy/files/patch-src___cffi__src_openssl_err.py
new file mode 100644
index 000000000000..fed5fe1cf1a7
--- /dev/null
+++ b/security/py-cryptography-legacy/files/patch-src___cffi__src_openssl_err.py
@@ -0,0 +1,13 @@
+https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Removal-of-function-code-from-the-error-codes
+states that the ERR_GET_FUNC() "macro" was removed, so follow suit:
+
+--- src/_cffi_src/openssl/err.py.orig 2021-08-24 17:17:17 UTC
++++ src/_cffi_src/openssl/err.py
+@@ -39,7 +39,6 @@ int ERR_GET_LIB(unsigned long);
+ void ERR_put_error(int, int, int, const char *, int);
+
+ int ERR_GET_LIB(unsigned long);
+-int ERR_GET_FUNC(unsigned long);
+ int ERR_GET_REASON(unsigned long);
+
+ """
diff --git a/security/py-cryptography-legacy/files/patch-src_cryptography_hazmat_bindings_openssl_binding.py b/security/py-cryptography-legacy/files/patch-src_cryptography_hazmat_bindings_openssl_binding.py
new file mode 100644
index 000000000000..da25fa61681a
--- /dev/null
+++ b/security/py-cryptography-legacy/files/patch-src_cryptography_hazmat_bindings_openssl_binding.py
@@ -0,0 +1,15 @@
+https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Removal-of-function-code-from-the-error-codes
+states that the code is always 0, so do just that and forgo the call of a
+nonexistent function.
+
+--- src/cryptography/hazmat/bindings/openssl/binding.py.orig 2021-08-24 17:17:17 UTC
++++ src/cryptography/hazmat/bindings/openssl/binding.py
+@@ -43,7 +43,7 @@ def _consume_errors(lib):
+ break
+
+ err_lib = lib.ERR_GET_LIB(code)
+- err_func = lib.ERR_GET_FUNC(code)
++ err_func = 0
+ err_reason = lib.ERR_GET_REASON(code)
+
+ errors.append(_OpenSSLError(code, err_lib, err_func, err_reason))
diff --git a/security/py-cryptography-legacy/files/patch-src_cryptography_utils.py b/security/py-cryptography-legacy/files/patch-src_cryptography_utils.py
new file mode 100644
index 000000000000..8650c280071b
--- /dev/null
+++ b/security/py-cryptography-legacy/files/patch-src_cryptography_utils.py
@@ -0,0 +1,28 @@
+Taken from ../py-cryptography source code as of
+FreeBSD ports tree 3216ed57448ee28aa6061e08839198c3e5cff5d7
+with py-cryptography-42.0.7,1, with type annotations stripped out:
+-- mandree@ 2024-05-30
+
+--- src/cryptography/utils.py.orig 2021-08-24 17:17:17 UTC
++++ src/cryptography/utils.py
+@@ -132,13 +132,15 @@ class _ModuleWithDeprecations(object):
+ return ["_module"] + dir(self._module)
+
+
+-def deprecated(value, module_name, message, warning_class):
++def deprecated(value, module_name, message, warning_class, name=None):
+ module = sys.modules[module_name]
+ if not isinstance(module, _ModuleWithDeprecations):
+- sys.modules[module_name] = _ModuleWithDeprecations(
+- module
+- ) # type: ignore[assignment]
+- return _DeprecatedValue(value, message, warning_class)
++ sys.modules[module_name] = module = _ModuleWithDeprecations(module)
++ dv = _DeprecatedValue(value, message, warning_class)
++ # Maintain backwards compatibility with `name is None` for pyOpenSSL.
++ if name is not None:
++ setattr(module, name, dv)
++ return dv
+
+
+ def cached_property(func):