git: c380909c8060 - main - security/py-cryptography: copy port to -legacy variant prior to update
Date: Sat, 22 Jul 2023 07:48:39 UTC
The branch main has been updated by tcberner: URL: https://cgit.FreeBSD.org/ports/commit/?id=c380909c8060259c0eb8aa067de08534677924b4 commit c380909c8060259c0eb8aa067de08534677924b4 Author: Tobias C. Berner <tcberner@FreeBSD.org> AuthorDate: 2023-07-22 05:51:54 +0000 Commit: Tobias C. Berner <tcberner@FreeBSD.org> CommitDate: 2023-07-22 07:46:37 +0000 security/py-cryptography: copy port to -legacy variant prior to update A future commit will update to security/py-cryptography will introduce a rust dependency. PR: 254853 --- security/Makefile | 1 + security/py-cryptography-legacy/Makefile | 51 ++++ security/py-cryptography-legacy/distinfo | 3 + .../py-cryptography-legacy/files/patch-libressl | 316 +++++++++++++++++++++ .../py-cryptography-legacy/files/patch-setup.py | 55 ++++ security/py-cryptography-legacy/pkg-descr | 7 + 6 files changed, 433 insertions(+)
diff --git a/security/Makefile b/security/Makefile
index e6b0233a393c..dfc527001195 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -885,6 +885,7 @@
 SUBDIR += py-coincurve
 SUBDIR += py-cpe
 SUBDIR += py-cryptography
+ SUBDIR += py-cryptography-legacy
 SUBDIR += py-cryptography-vectors
 SUBDIR += py-ctypescrypto
 SUBDIR += py-cybox
diff --git a/security/py-cryptography-legacy/Makefile b/security/py-cryptography-legacy/Makefile
new file mode 100644
index 000000000000..0e9421c19323
--- /dev/null
+++ b/security/py-cryptography-legacy/Makefile
@@ -0,0 +1,51 @@
+PORTNAME= cryptography
+PORTVERSION= 3.4.8
+PORTREVISION= 1
+PORTEPOCH= 1
+CATEGORIES= security python
+MASTER_SITES= PYPI
+PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
+PKGNAMESUFFIX= -legacy
+
+MAINTAINER= sunpoet@FreeBSD.org
+COMMENT= Cryptographic recipes and primitives for Python developers
+WWW= https://github.com/pyca/cryptography
+
+LICENSE= APACHE20 BSD3CLAUSE
+LICENSE_COMB= dual
+LICENSE_FILE_APACHE20= ${WRKSRC}/LICENSE.APACHE
+LICENSE_FILE_BSD3CLAUSE=${WRKSRC}/LICENSE.BSD
+
+BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.12:devel/py-cffi@${PY_FLAVOR}
+RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.12:devel/py-cffi@${PY_FLAVOR}
+TEST_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cryptography-vectors>=${PORTVERSION}:security/py-cryptography-vectors@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}hypothesis>=1.11.4:devel/py-hypothesis@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}iso8601>=0:devel/py-iso8601@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}pretend>=0:devel/py-pretend@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}pytest-cov>=0:devel/py-pytest-cov@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}pytest-subtests>=0:devel/py-pytest-subtests@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}pytest-xdist>=0,1:devel/py-pytest-xdist@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}pytz>=0,1:devel/py-pytz@${PY_FLAVOR} \
+ ${PYTHON_PKGNAMEPREFIX}sqlite3>=0:databases/py-sqlite3@${PY_FLAVOR}
+
+USES= compiler:env cpe python ssl
+USE_PYTHON= autoplist concurrent distutils pytest
+
+CFLAGS+= -I${OPENSSLINC}
+LDFLAGS+= -L${OPENSSLLIB}
+MAKE_ENV= CRYPTOGRAPHY_DONT_BUILD_RUST=1
+TEST_ENV= PYTHONPATH=${STAGEDIR}${PYTHON_SITELIBDIR}
+
+CPE_VENDOR= cryptography_project
+
+.include <bsd.port.pre.mk>
+
+.if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42
+post-patch:
+ @${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' ${WRKSRC}/src/_cffi_src/build_openssl.py
+.endif
+
+post-install:
+ ${FIND} ${STAGEDIR}${PYTHON_SITELIBDIR} -name '*.so' -exec ${STRIP_CMD} {} +
+
+.include <bsd.port.post.mk>
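Review bot: The new port declares no `CONFLICTS_INSTALL`, although it keeps `PORTNAME= cryptography` and differs from security/py-cryptography only by `PKGNAMESUFFIX= -legacy`, so with `USE_PYTHON= autoplist` both packages would stage the same `cryptography` module under `${PYTHON_SITELIBDIR}` and could overwrite each other's files. I would add `CONFLICTS_INSTALL= ${PYTHON_PKGNAMEPREFIX}cryptography` after the `USE_PYTHON` line, with the mirror entry in the non-legacy port. Because `PORTVERSION= 3.4.8` is frozen here while `USES= cpe` keeps the package visible to vulnerability matching, a short comment above `PORTVERSION` saying that this variant exists for consumers that cannot take the Rust dependency and will not follow upstream releases would help; that intent is inferred from the commit message.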
diff --git a/security/py-cryptography-legacy/distinfo b/security/py-cryptography-legacy/distinfo
new file mode 100644
index 000000000000..cb800cc11b12
--- /dev/null
+++ b/security/py-cryptography-legacy/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1652122693
+SHA256 (cryptography-3.4.8.tar.gz) = 94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c
+SIZE (cryptography-3.4.8.tar.gz) = 546907
diff --git a/security/py-cryptography-legacy/files/patch-libressl b/security/py-cryptography-legacy/files/patch-libressl
new file mode 100644
index 000000000000..b9bc1e535d63
--- /dev/null
+++ b/security/py-cryptography-legacy/files/patch-libressl
@@ -0,0 +1,316 @@ +--- src/_cffi_src/openssl/crypto.py.orig 2023-03-22 07:29:15 UTC ++++ src/_cffi_src/openssl/crypto.py +@@ -74,11 +74,8 @@ CUSTOMIZATIONS = """ + # define OPENSSL_DIR SSLEAY_DIR + #endif + ++static const long Cryptography_HAS_OPENSSL_CLEANUP = 1; + #if CRYPTOGRAPHY_IS_LIBRESSL +-static const long Cryptography_HAS_OPENSSL_CLEANUP = 0; +- +-void (*OPENSSL_cleanup)(void) = NULL; +- + /* This function has a significantly different signature pre-1.1.0. since it is + * for testing only, we don't bother to expose it on older OpenSSLs. + */ +@@ -89,7 +86,6 @@ int (*Cryptography_CRYPTO_set_mem_functions)( + void (*)(void *, const char *, int)) = NULL; + + #else +-static const long Cryptography_HAS_OPENSSL_CLEANUP = 1; + static const long Cryptography_HAS_MEM_FUNCTIONS = 1; + + int Cryptography_CRYPTO_set_mem_functions( +--- src/_cffi_src/openssl/cryptography.py.orig 2021-08-24 17:17:17 UTC ++++ src/_cffi_src/openssl/cryptography.py +@@ -33,17 +33,17 @@ INCLUDES = """ + #endif + + #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ +- (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) ++ OPENSSL_VERSION_NUMBER >= 0x1010006f + + #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ +- (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL) ++ OPENSSL_VERSION_NUMBER < 0x101000af + #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \ +- (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL) ++ OPENSSL_VERSION_NUMBER < 0x10101000 + #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \ +- (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL) ++ OPENSSL_VERSION_NUMBER < 0x10101020 + #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \ +- (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL) +-#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \ ++ OPENSSL_VERSION_NUMBER < 0x10101040 ++#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && \ + !defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING) + #define 
CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1 + #else +--- src/_cffi_src/openssl/dh.py.orig 2021-08-24 17:17:17 UTC ++++ src/_cffi_src/openssl/dh.py +@@ -37,117 +37,9 @@ int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x); + """ + + CUSTOMIZATIONS = """ +-#if CRYPTOGRAPHY_IS_LIBRESSL +-#ifndef DH_CHECK_Q_NOT_PRIME +-#define DH_CHECK_Q_NOT_PRIME 0x10 +-#endif +- +-#ifndef DH_CHECK_INVALID_Q_VALUE +-#define DH_CHECK_INVALID_Q_VALUE 0x20 +-#endif +- +-#ifndef DH_CHECK_INVALID_J_VALUE +-#define DH_CHECK_INVALID_J_VALUE 0x40 +-#endif +- +-/* DH_check implementation taken from OpenSSL 1.1.0pre6 */ +- +-/*- +- * Check that p is a safe prime and +- * if g is 2, 3 or 5, check that it is a suitable generator +- * where +- * for 2, p mod 24 == 11 +- * for 3, p mod 12 == 5 +- * for 5, p mod 10 == 3 or 7 +- * should hold. +- */ +- +-int Cryptography_DH_check(const DH *dh, int *ret) +-{ +- int ok = 0, r; +- BN_CTX *ctx = NULL; +- BN_ULONG l; +- BIGNUM *t1 = NULL, *t2 = NULL; +- +- *ret = 0; +- ctx = BN_CTX_new(); +- if (ctx == NULL) +- goto err; +- BN_CTX_start(ctx); +- t1 = BN_CTX_get(ctx); +- if (t1 == NULL) +- goto err; +- t2 = BN_CTX_get(ctx); +- if (t2 == NULL) +- goto err; +- +- if (dh->q) { +- if (BN_cmp(dh->g, BN_value_one()) <= 0) +- *ret |= DH_NOT_SUITABLE_GENERATOR; +- else if (BN_cmp(dh->g, dh->p) >= 0) +- *ret |= DH_NOT_SUITABLE_GENERATOR; +- else { +- /* Check g^q == 1 mod p */ +- if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx)) +- goto err; +- if (!BN_is_one(t1)) +- *ret |= DH_NOT_SUITABLE_GENERATOR; +- } +- r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL); +- if (r < 0) +- goto err; +- if (!r) +- *ret |= DH_CHECK_Q_NOT_PRIME; +- /* Check p == 1 mod q i.e. 
q divides p - 1 */ +- if (!BN_div(t1, t2, dh->p, dh->q, ctx)) +- goto err; +- if (!BN_is_one(t2)) +- *ret |= DH_CHECK_INVALID_Q_VALUE; +- if (dh->j && BN_cmp(dh->j, t1)) +- *ret |= DH_CHECK_INVALID_J_VALUE; +- +- } else if (BN_is_word(dh->g, DH_GENERATOR_2)) { +- l = BN_mod_word(dh->p, 24); +- if (l == (BN_ULONG)-1) +- goto err; +- if (l != 11) +- *ret |= DH_NOT_SUITABLE_GENERATOR; +- } else if (BN_is_word(dh->g, DH_GENERATOR_5)) { +- l = BN_mod_word(dh->p, 10); +- if (l == (BN_ULONG)-1) +- goto err; +- if ((l != 3) && (l != 7)) +- *ret |= DH_NOT_SUITABLE_GENERATOR; +- } else +- *ret |= DH_UNABLE_TO_CHECK_GENERATOR; +- +- r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL); +- if (r < 0) +- goto err; +- if (!r) +- *ret |= DH_CHECK_P_NOT_PRIME; +- else if (!dh->q) { +- if (!BN_rshift1(t1, dh->p)) +- goto err; +- r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL); +- if (r < 0) +- goto err; +- if (!r) +- *ret |= DH_CHECK_P_NOT_SAFE_PRIME; +- } +- ok = 1; +- err: +- if (ctx != NULL) { +- BN_CTX_end(ctx); +- BN_CTX_free(ctx); +- } +- return (ok); +-} +-#else + int Cryptography_DH_check(const DH *dh, int *ret) { + return DH_check(dh, ret); + } +-#endif + + /* These functions were added in OpenSSL 1.1.0f commit d0c50e80a8 */ + /* Define our own to simplify support across all versions. 
*/ +--- src/_cffi_src/openssl/fips.py.orig 2021-08-24 17:17:17 UTC ++++ src/_cffi_src/openssl/fips.py +@@ -17,11 +17,5 @@ int FIPS_mode(void); + """ + + CUSTOMIZATIONS = """ +-#if CRYPTOGRAPHY_IS_LIBRESSL +-static const long Cryptography_HAS_FIPS = 0; +-int (*FIPS_mode_set)(int) = NULL; +-int (*FIPS_mode)(void) = NULL; +-#else + static const long Cryptography_HAS_FIPS = 1; +-#endif + """ +--- src/_cffi_src/openssl/ocsp.py.orig 2021-08-24 17:17:17 UTC ++++ src/_cffi_src/openssl/ocsp.py +@@ -77,7 +77,6 @@ int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char * + + CUSTOMIZATIONS = """ + #if ( \ +- !CRYPTOGRAPHY_IS_LIBRESSL && \ + CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \ + ) + /* These structs come from ocsp_lcl.h and are needed to de-opaque the struct +@@ -104,62 +103,15 @@ struct ocsp_basic_response_st { + }; + #endif + +-#if CRYPTOGRAPHY_IS_LIBRESSL +-/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */ +-const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single) +-{ +- return single->certId; +-} +-const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs( +- const OCSP_BASICRESP *bs) +-{ +- return bs->certs; +-} +-int OCSP_resp_get0_id(const OCSP_BASICRESP *bs, +- const ASN1_OCTET_STRING **pid, +- const X509_NAME **pname) +-{ +- const OCSP_RESPID *rid = bs->tbsResponseData->responderId; +- +- if (rid->type == V_OCSP_RESPID_NAME) { +- *pname = rid->value.byName; +- *pid = NULL; +- } else if (rid->type == V_OCSP_RESPID_KEY) { +- *pid = rid->value.byKey; +- *pname = NULL; +- } else { +- return 0; +- } +- return 1; +-} +-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at( +- const OCSP_BASICRESP* bs) +-{ +- return bs->tbsResponseData->producedAt; +-} +-const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs) +-{ +- return bs->signature; +-} +-#endif +- + #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J + const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs) + { +-#if CRYPTOGRAPHY_IS_LIBRESSL +- return 
bs->signatureAlgorithm; +-#else + return &bs->signatureAlgorithm; +-#endif + } + + const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs) + { +-#if CRYPTOGRAPHY_IS_LIBRESSL +- return bs->tbsResponseData; +-#else + return &bs->tbsResponseData; +-#endif + } + #endif + """ +--- src/_cffi_src/openssl/ssl.py.orig 2021-08-24 17:17:17 UTC ++++ src/_cffi_src/openssl/ssl.py +@@ -515,12 +515,7 @@ CUSTOMIZATIONS = """ + // users have upgraded. PersistentlyDeprecated2020 + static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1; + +-#if CRYPTOGRAPHY_IS_LIBRESSL +-static const long Cryptography_HAS_VERIFIED_CHAIN = 0; +-Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL; +-#else + static const long Cryptography_HAS_VERIFIED_CHAIN = 1; +-#endif + + #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 + static const long Cryptography_HAS_KEYLOG = 0; +@@ -586,8 +581,6 @@ static const long TLS_ST_OK = 0; + #endif + + #if CRYPTOGRAPHY_IS_LIBRESSL +-static const long SSL_OP_NO_DTLSv1 = 0; +-static const long SSL_OP_NO_DTLSv1_2 = 0; + long (*DTLS_set_link_mtu)(SSL *, long) = NULL; + long (*DTLS_get_link_min_mtu)(SSL *) = NULL; + #endif +--- src/_cffi_src/openssl/x509.py.orig 2021-08-24 17:02:37 UTC ++++ src/_cffi_src/openssl/x509.py +@@ -276,33 +276,8 @@ void X509_REQ_get0_signature(const X509_REQ *, const A + """ + + CUSTOMIZATIONS = """ +-#if CRYPTOGRAPHY_IS_LIBRESSL +-int i2d_re_X509_tbs(X509 *x, unsigned char **pp) +-{ +- /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1 +- but older OpenSSLs don't have the enc ASN1_ENCODING member in the +- X509 struct. Setting modified to 1 marks the encoding +- (x->cert_info->enc.enc) as invalid, but since the entire struct isn't +- present we don't care. 
*/ +- return i2d_X509_CINF(x->cert_info, pp); +-} +-#endif +- + /* Being kept around for pyOpenSSL */ + X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) { + return X509_REVOKED_dup(rev); + } +-/* Added in 1.1.0 but we need it in all versions now due to the great +- opaquing. */ +-#if CRYPTOGRAPHY_IS_LIBRESSL +-int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp) +-{ +- req->req_info->enc.modified = 1; +- return i2d_X509_REQ_INFO(req->req_info, pp); +-} +-int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) { +- crl->crl->enc.modified = 1; +- return i2d_X509_CRL_INFO(crl->crl, pp); +-} +-#endif + """ diff --git a/security/py-cryptography-legacy/files/patch-setup.py b/security/py-cryptography-legacy/files/patch-setup.py new file mode 100644 index 000000000000..7e15e74dffd4 --- /dev/null +++ b/security/py-cryptography-legacy/files/patch-setup.py 
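Review bot: The rewritten version macros in the cryptography.py section of this patch lose their enclosing parentheses, for example `CRYPTOGRAPHY_OPENSSL_LESS_THAN_111` now expands to the bare `OPENSSL_VERSION_NUMBER < 0x10101000`, so any use under `!` or next to another operator binds with the wrong precedence (`!CRYPTOGRAPHY_OPENSSL_LESS_THAN_111` would become `(!OPENSSL_VERSION_NUMBER) < 0x10101000`, which is always true). The uses visible in this patch (`#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J`, `CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !defined(OPENSSL_NO_ENGINE)`) still evaluate as intended, but other uses in the cffi sources are outside this hunk and should be checked, since a wrong result silently selects the wrong feature flags such as `Cryptography_HAS_KEYLOG` or `CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE`. Keeping the parentheses avoids the question entirely: `(OPENSSL_VERSION_NUMBER < 0x10101000)`, and likewise for the `110F_OR_GREATER`, `110J`, `111B` and `111D` definitions.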
@@ -0,0 +1,55 @@
+--- setup.py.orig 2021-03-25 17:19:57 UTC
++++ setup.py
+@@ -10,23 +10,7 @@ import sys
+
+ from setuptools import find_packages, setup
+
+-try:
+- from setuptools_rust import RustExtension
+-except ImportError:
+- print(
+- """
+- =============================DEBUG ASSISTANCE==========================
+- If you are seeing an error here please try the following to
+- successfully install cryptography:
+
+- Upgrade to the latest pip and try again. This will fix errors for most
+- users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip
+- =============================DEBUG ASSISTANCE==========================
+- """
+- )
+- raise
+-
+-
+ base_dir = os.path.dirname(__file__)
+ src_dir = os.path.join(base_dir, "src")
+
+@@ -41,9 +25,8 @@ with open(os.path.join(src_dir, "cryptography", "__abo
+
+ # `install_requirements` and `setup_requirements` must be kept in sync with
+ # `pyproject.toml`
+-setuptools_rust = "setuptools-rust>=0.11.4"
+ install_requirements = ["cffi>=1.12"]
+-setup_requirements = install_requirements + [setuptools_rust]
++setup_requirements = install_requirements
+
+ if os.environ.get("CRYPTOGRAPHY_DONT_BUILD_RUST"):
+ rust_extensions = []
+@@ -129,9 +112,6 @@ try:
+ "twine >= 1.12.0",
+ "sphinxcontrib-spelling >= 4.0.1",
+ ],
+- "sdist": [
+- setuptools_rust,
+- ],
+ "pep8test": [
+ "black",
+ "flake8",
+@@ -149,7 +129,6 @@ try:
+ "src/_cffi_src/build_openssl.py:ffi",
+ "src/_cffi_src/build_padding.py:ffi",
+ ],
+- rust_extensions=rust_extensions,
+ )
+ except: # noqa: E722
+ # Note: This is a bare exception that re-raises so that we don't interfere
diff --git a/security/py-cryptography-legacy/pkg-descr b/security/py-cryptography-legacy/pkg-descr
new file mode 100644
index 000000000000..67482a5841b8
--- /dev/null
+++ b/security/py-cryptography-legacy/pkg-descr
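Review bot: The patched setup.py keeps the `if os.environ.get("CRYPTOGRAPHY_DONT_BUILD_RUST"):` / `rust_extensions = []` conditional while the `setuptools_rust` import and the `rust_extensions=rust_extensions` argument are deleted, so the environment variable now matters only for steering around the other branch. That branch lies outside the hunk; if it still constructs a `RustExtension`, as the removed import suggests, a build without `CRYPTOGRAPHY_DONT_BUILD_RUST=1` in `MAKE_ENV` would fail with a NameError instead of a clear message. Having the patch replace the conditional with an unconditional `rust_extensions = []`, or drop it if nothing else reads the name, would make the no-Rust build independent of the environment.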
@@ -0,0 +1,7 @@
+cryptography is a package which provides cryptographic recipes and primitives to
+Python developers. Our goal is for it to be your "cryptographic standard
+library". It supports Python 3.6+ and PyPy3 7.2+.
+
+cryptography includes both high level recipes and low level interfaces to common
+cryptographic algorithms such as symmetric ciphers, message digests, and key
+derivation functions.