git: 14ff8de7061e - main - security/py-cryptography: Fix build w/ libressl3.5

From: Felix Palmen <zirias_at_FreeBSD.org>
Date: Fri, 04 Nov 2022 11:21:49 UTC
The branch main has been updated by zirias:

URL: https://cgit.FreeBSD.org/ports/commit/?id=14ff8de7061e894a5ee46ad2091be5cd04f548b9

commit 14ff8de7061e894a5ee46ad2091be5cd04f548b9
Author:     Felix Palmen <zirias@FreeBSD.org>
AuthorDate: 2022-10-17 11:28:48 +0000
Commit:     Felix Palmen <zirias@FreeBSD.org>
CommitDate: 2022-11-04 11:21:28 +0000

    security/py-cryptography: Fix build w/ libressl3.5
    
    Approved by:            sunpoet (maintainer, timeout), tcberner (mentor)
    Differential Revision:  https://reviews.freebsd.org/D37049
---
 .../files/patch-Fix-build-with-LibreSSL-3.3.2-5988 |  62 -----------
 .../files/patch-Support-LibreSSL-3.4.0-6360        |  98 -----------------
 .../patch-src___cffi__src_openssl_cryptography.py  |  26 +++++
 .../files/patch-src___cffi__src_openssl_dh.py      | 120 +++++++++++++++++++++
 .../files/patch-src___cffi__src_openssl_fips.py    |  14 +++
 .../files/patch-src___cffi__src_openssl_ocsp.py    |  73 +++++++++++++
 .../files/patch-src___cffi__src_openssl_ssl.py     |  29 +++++
 .../files/patch-src___cffi__src_openssl_x509.py    |  36 +++++++
 8 files changed, 298 insertions(+), 160 deletions(-)

diff --git a/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988 b/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
deleted file mode 100644
index deb9c6408832..000000000000
--- a/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
+++ /dev/null
@@ -1,62 +0,0 @@
-From 94590a9aecc9e5ef6fc8eda52bae43643a4c44bd Mon Sep 17 00:00:00 2001
-From: Charlie Li <vishwin@users.noreply.github.com>
-Date: Mon, 19 Apr 2021 18:38:38 -0400
-Subject: [PATCH] Fix build with LibreSSL 3.3.2 (#5988)
-
-* LibreSSL 3.3.2 supports SSL_OP_NO_DTLS*
-
-While here, bump CI
-
-* Fix preprocessor guards for LibreSSL's SSL_OP_NO_DTLS*
-
-DTLS_set_link_mtu and DTLS_get_link_min_mtu are not part of 3.3.2
-
-* Switch to LESS_THAN context for LibreSSL 3.3.2
-
-While here, fix indents
-
-* Remove extra C variable declaration
-
-The variable is not actually used from Python
----
- .github/workflows/ci.yml              | 2 +-
- src/_cffi_src/openssl/cryptography.py | 7 +++++++
- src/_cffi_src/openssl/ssl.py          | 2 ++
- 3 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
-index e2b5a132..b9c7a793 100644
---- src/_cffi_src/openssl/cryptography.py
-+++ src/_cffi_src/openssl/cryptography.py
-@@ -32,6 +32,13 @@ INCLUDES = """
- #include <Winsock2.h>
- #endif
- 
-+#if CRYPTOGRAPHY_IS_LIBRESSL
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
-+    (LIBRESSL_VERSION_NUMBER < 0x3030200f)
-+#else
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
-+#endif
-+
- #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
-     (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
- 
-diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
-index 11a7d63a..081ef041 100644
---- src/_cffi_src/openssl/ssl.py
-+++ src/_cffi_src/openssl/ssl.py
-@@ -586,8 +586,10 @@ static const long TLS_ST_OK = 0;
- #endif
- 
- #if CRYPTOGRAPHY_IS_LIBRESSL
-+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332
- static const long SSL_OP_NO_DTLSv1 = 0;
- static const long SSL_OP_NO_DTLSv1_2 = 0;
-+#endif
- long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
- long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
- #endif
--- 
-2.31.1
-
diff --git a/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
deleted file mode 100644
index a8bb6dc6da43..000000000000
--- a/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
+++ /dev/null
@@ -1,98 +0,0 @@
-From 7a341a5d3cb9380e77b0241b5198373ab6fc355e Mon Sep 17 00:00:00 2001
-From: Charlie Li <vishwin@users.noreply.github.com>
-Date: Sun, 3 Oct 2021 00:20:31 -0400
-Subject: [PATCH] Support LibreSSL 3.4.0 (#6360)
-
-* Add LibreSSL 3.4.0 to CI
-
-* Add a LibreSSL 3.4.0 guard
-
-Since LibreSSL 3.4.0 makes most of the TLSv1.3 API available, redefine CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 to LibreSSL versions below 3.4.0.
-
-* DTLS_get_data_mtu does not exist in LibreSSL
-
-* Only EVP_Digest{Sign,Verify} exist in LibreSSL 3.4.0+
-
-* SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL
-
-* Do not pollute CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 with LibreSSL
-
-While LibreSSL 3.4.0 supports more of TLSv1.3 API, the guard redefinition caused the X448 tests to run when not intended.
----
- .github/workflows/ci.yml              |  6 ++++--
- src/_cffi_src/openssl/cryptography.py |  3 +++
- src/_cffi_src/openssl/evp.py          | 15 ++++++++++-----
- src/_cffi_src/openssl/ssl.py          |  3 ++-
- 4 files changed, 19 insertions(+), 8 deletions(-)
-
-diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
-index 878d22d8..821ddc9f 100644
---- src/_cffi_src/openssl/cryptography.py
-+++ src/_cffi_src/openssl/cryptography.py
-@@ -36,8 +36,11 @@ INCLUDES = """
- #if CRYPTOGRAPHY_IS_LIBRESSL
- #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
-     (LIBRESSL_VERSION_NUMBER < 0x3030200f)
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 \
-+    (LIBRESSL_VERSION_NUMBER < 0x3040000f)
- #else
- #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0)
- #endif
- 
- #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
-diff --git src/_cffi_src/openssl/evp.py src/_cffi_src/openssl/evp.py
-index ab7cfeb3..cad3339a 100644
---- src/_cffi_src/openssl/evp.py
-+++ src/_cffi_src/openssl/evp.py
-@@ -203,15 +203,21 @@ int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *,
-                                       size_t) = NULL;
- #endif
- 
--#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
-+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
-+    (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
- static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
--static const long Cryptography_HAS_RAW_KEY = 0;
--static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
--int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
- int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,
-                       const unsigned char *tbs, size_t) = NULL;
- int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t,
-                         const unsigned char *, size_t) = NULL;
-+#else
-+static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
-+#endif
-+
-+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
-+static const long Cryptography_HAS_RAW_KEY = 0;
-+static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
-+int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
- EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *,
-                                        size_t) = NULL;
- EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *,
-@@ -221,7 +227,6 @@ int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *,
- int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *,
-                                    size_t *) = NULL;
- #else
--static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
- static const long Cryptography_HAS_RAW_KEY = 1;
- static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1;
- #endif
-diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
-index ca275e91..0830a463 100644
---- src/_cffi_src/openssl/ssl.py
-+++ src/_cffi_src/openssl/ssl.py
-@@ -678,7 +678,8 @@ int (*SSL_set_tlsext_use_srtp)(SSL *, const char *) = NULL;
- SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL;
- #endif
- 
--#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
-+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
-+    (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
- static const long Cryptography_HAS_TLSv1_3 = 0;
- static const long SSL_OP_NO_TLSv1_3 = 0;
- static const long SSL_VERIFY_POST_HANDSHAKE = 0;
--- 
-2.32.0
-
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py
new file mode 100644
index 000000000000..93fb2478c76d
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py
@@ -0,0 +1,26 @@
+--- src/_cffi_src/openssl/cryptography.py.orig	2022-10-17 10:52:36 UTC
++++ src/_cffi_src/openssl/cryptography.py
+@@ -33,17 +33,17 @@ INCLUDES = """
+ #endif
+ 
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+-    (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
++    OPENSSL_VERSION_NUMBER >= 0x1010006f
+ 
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+-    (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
++    OPENSSL_VERSION_NUMBER < 0x101000af
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \
+-    (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL)
++    OPENSSL_VERSION_NUMBER < 0x10101000
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \
+-    (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
++    OPENSSL_VERSION_NUMBER < 0x10101020
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \
+-    (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL)
+-#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \
++    OPENSSL_VERSION_NUMBER < 0x10101040
++#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && \
+     !defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING)
+ #define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1
+ #else
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py
new file mode 100644
index 000000000000..c54f653a5e05
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py
@@ -0,0 +1,120 @@
+--- src/_cffi_src/openssl/dh.py.orig	2022-10-17 11:10:57 UTC
++++ src/_cffi_src/openssl/dh.py
+@@ -37,117 +37,9 @@ int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x);
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-#ifndef DH_CHECK_Q_NOT_PRIME
+-#define DH_CHECK_Q_NOT_PRIME            0x10
+-#endif
+-
+-#ifndef DH_CHECK_INVALID_Q_VALUE
+-#define DH_CHECK_INVALID_Q_VALUE        0x20
+-#endif
+-
+-#ifndef DH_CHECK_INVALID_J_VALUE
+-#define DH_CHECK_INVALID_J_VALUE        0x40
+-#endif
+-
+-/* DH_check implementation taken from OpenSSL 1.1.0pre6 */
+-
+-/*-
+- * Check that p is a safe prime and
+- * if g is 2, 3 or 5, check that it is a suitable generator
+- * where
+- * for 2, p mod 24 == 11
+- * for 3, p mod 12 == 5
+- * for 5, p mod 10 == 3 or 7
+- * should hold.
+- */
+-
+-int Cryptography_DH_check(const DH *dh, int *ret)
+-{
+-    int ok = 0, r;
+-    BN_CTX *ctx = NULL;
+-    BN_ULONG l;
+-    BIGNUM *t1 = NULL, *t2 = NULL;
+-
+-    *ret = 0;
+-    ctx = BN_CTX_new();
+-    if (ctx == NULL)
+-        goto err;
+-    BN_CTX_start(ctx);
+-    t1 = BN_CTX_get(ctx);
+-    if (t1 == NULL)
+-        goto err;
+-    t2 = BN_CTX_get(ctx);
+-    if (t2 == NULL)
+-        goto err;
+-
+-    if (dh->q) {
+-        if (BN_cmp(dh->g, BN_value_one()) <= 0)
+-            *ret |= DH_NOT_SUITABLE_GENERATOR;
+-        else if (BN_cmp(dh->g, dh->p) >= 0)
+-            *ret |= DH_NOT_SUITABLE_GENERATOR;
+-        else {
+-            /* Check g^q == 1 mod p */
+-            if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx))
+-                goto err;
+-            if (!BN_is_one(t1))
+-                *ret |= DH_NOT_SUITABLE_GENERATOR;
+-        }
+-        r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);
+-        if (r < 0)
+-            goto err;
+-        if (!r)
+-            *ret |= DH_CHECK_Q_NOT_PRIME;
+-        /* Check p == 1 mod q  i.e. q divides p - 1 */
+-        if (!BN_div(t1, t2, dh->p, dh->q, ctx))
+-            goto err;
+-        if (!BN_is_one(t2))
+-            *ret |= DH_CHECK_INVALID_Q_VALUE;
+-        if (dh->j && BN_cmp(dh->j, t1))
+-            *ret |= DH_CHECK_INVALID_J_VALUE;
+-
+-    } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
+-        l = BN_mod_word(dh->p, 24);
+-        if (l == (BN_ULONG)-1)
+-            goto err;
+-        if (l != 11)
+-            *ret |= DH_NOT_SUITABLE_GENERATOR;
+-    } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
+-        l = BN_mod_word(dh->p, 10);
+-        if (l == (BN_ULONG)-1)
+-            goto err;
+-        if ((l != 3) && (l != 7))
+-            *ret |= DH_NOT_SUITABLE_GENERATOR;
+-    } else
+-        *ret |= DH_UNABLE_TO_CHECK_GENERATOR;
+-
+-    r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);
+-    if (r < 0)
+-        goto err;
+-    if (!r)
+-        *ret |= DH_CHECK_P_NOT_PRIME;
+-    else if (!dh->q) {
+-        if (!BN_rshift1(t1, dh->p))
+-            goto err;
+-        r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);
+-        if (r < 0)
+-            goto err;
+-        if (!r)
+-            *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
+-    }
+-    ok = 1;
+- err:
+-    if (ctx != NULL) {
+-        BN_CTX_end(ctx);
+-        BN_CTX_free(ctx);
+-    }
+-    return (ok);
+-}
+-#else
+ int Cryptography_DH_check(const DH *dh, int *ret) {
+     return DH_check(dh, ret);
+ }
+-#endif
+ 
+ /* These functions were added in OpenSSL 1.1.0f commit d0c50e80a8 */
+ /* Define our own to simplify support across all versions. */
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py
new file mode 100644
index 000000000000..f947a6698d78
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py
@@ -0,0 +1,14 @@
+--- src/_cffi_src/openssl/fips.py.orig	2022-10-17 11:12:47 UTC
++++ src/_cffi_src/openssl/fips.py
+@@ -17,11 +17,5 @@ int FIPS_mode(void);
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long Cryptography_HAS_FIPS = 0;
+-int (*FIPS_mode_set)(int) = NULL;
+-int (*FIPS_mode)(void) = NULL;
+-#else
+ static const long Cryptography_HAS_FIPS = 1;
+-#endif
+ """
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py
new file mode 100644
index 000000000000..edbbfc2309ee
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py
@@ -0,0 +1,73 @@
+--- src/_cffi_src/openssl/ocsp.py.orig	2022-10-17 11:14:50 UTC
++++ src/_cffi_src/openssl/ocsp.py
+@@ -77,7 +77,6 @@ int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char *
+ 
+ CUSTOMIZATIONS = """
+ #if ( \
+-    !CRYPTOGRAPHY_IS_LIBRESSL && \
+     CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+     )
+ /* These structs come from ocsp_lcl.h and are needed to de-opaque the struct
+@@ -104,62 +103,15 @@ struct ocsp_basic_response_st {
+ };
+ #endif
+ 
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */
+-const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
+-{
+-    return single->certId;
+-}
+-const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(
+-    const OCSP_BASICRESP *bs)
+-{
+-    return bs->certs;
+-}
+-int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
+-                      const ASN1_OCTET_STRING **pid,
+-                      const X509_NAME **pname)
+-{
+-    const OCSP_RESPID *rid = bs->tbsResponseData->responderId;
+-
+-    if (rid->type == V_OCSP_RESPID_NAME) {
+-        *pname = rid->value.byName;
+-        *pid = NULL;
+-    } else if (rid->type == V_OCSP_RESPID_KEY) {
+-        *pid = rid->value.byKey;
+-        *pname = NULL;
+-    } else {
+-        return 0;
+-    }
+-    return 1;
+-}
+-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
+-    const OCSP_BASICRESP* bs)
+-{
+-    return bs->tbsResponseData->producedAt;
+-}
+-const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
+-{
+-    return bs->signature;
+-}
+-#endif
+-
+ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J
+ const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
+ {
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-    return bs->signatureAlgorithm;
+-#else
+     return &bs->signatureAlgorithm;
+-#endif
+ }
+ 
+ const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
+ {
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-    return bs->tbsResponseData;
+-#else
+     return &bs->tbsResponseData;
+-#endif
+ }
+ #endif
+ """
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py
new file mode 100644
index 000000000000..80d153a39da8
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py
@@ -0,0 +1,29 @@
+--- src/_cffi_src/openssl/ssl.py.orig	2022-10-17 11:17:08 UTC
++++ src/_cffi_src/openssl/ssl.py
+@@ -515,12 +515,7 @@ CUSTOMIZATIONS = """
+ // users have upgraded. PersistentlyDeprecated2020
+ static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;
+ 
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long Cryptography_HAS_VERIFIED_CHAIN = 0;
+-Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL;
+-#else
+ static const long Cryptography_HAS_VERIFIED_CHAIN = 1;
+-#endif
+ 
+ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+ static const long Cryptography_HAS_KEYLOG = 0;
+@@ -583,13 +578,6 @@ static const long Cryptography_HAS_TLS_ST = 1;
+ static const long Cryptography_HAS_TLS_ST = 0;
+ static const long TLS_ST_BEFORE = 0;
+ static const long TLS_ST_OK = 0;
+-#endif
+-
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long SSL_OP_NO_DTLSv1 = 0;
+-static const long SSL_OP_NO_DTLSv1_2 = 0;
+-long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
+-long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
+ #endif
+ 
+ static const long Cryptography_HAS_DTLS = 1;
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py
new file mode 100644
index 000000000000..e3cc928337c2
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py
@@ -0,0 +1,36 @@
+--- src/_cffi_src/openssl/x509.py.orig	2022-10-17 11:26:23 UTC
++++ src/_cffi_src/openssl/x509.py
+@@ -276,33 +276,8 @@ void X509_REQ_get0_signature(const X509_REQ *, const A
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
+-{
+-    /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1
+-       but older OpenSSLs don't have the enc ASN1_ENCODING member in the
+-       X509 struct.  Setting modified to 1 marks the encoding
+-       (x->cert_info->enc.enc) as invalid, but since the entire struct isn't
+-       present we don't care. */
+-    return i2d_X509_CINF(x->cert_info, pp);
+-}
+-#endif
+-
+ /* Being kept around for pyOpenSSL */
+ X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) {
+     return X509_REVOKED_dup(rev);
+ }
+-/* Added in 1.1.0 but we need it in all versions now due to the great
+-   opaquing. */
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
+-{
+-    req->req_info->enc.modified = 1;
+-    return i2d_X509_REQ_INFO(req->req_info, pp);
+-}
+-int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) {
+-    crl->crl->enc.modified = 1;
+-    return i2d_X509_CRL_INFO(crl->crl, pp);
+-}
+-#endif
+ """