git: c380909c8060 - main - security/py-cryptography: copy port to -legacy variant prior to update

From: Tobias C. Berner <tcberner_at_FreeBSD.org>
Date: Sat, 22 Jul 2023 07:48:39 UTC
The branch main has been updated by tcberner:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c380909c8060259c0eb8aa067de08534677924b4

commit c380909c8060259c0eb8aa067de08534677924b4
Author:     Tobias C. Berner <tcberner@FreeBSD.org>
AuthorDate: 2023-07-22 05:51:54 +0000
Commit:     Tobias C. Berner <tcberner@FreeBSD.org>
CommitDate: 2023-07-22 07:46:37 +0000

    security/py-cryptography: copy port to -legacy variant prior to update
    
    A future commit will update to security/py-cryptography will introduce a
    rust dependency.
    
    PR:             254853
---
 security/Makefile                                  |   1 +
 security/py-cryptography-legacy/Makefile           |  51 ++++
 security/py-cryptography-legacy/distinfo           |   3 +
 .../py-cryptography-legacy/files/patch-libressl    | 316 +++++++++++++++++++++
 .../py-cryptography-legacy/files/patch-setup.py    |  55 ++++
 security/py-cryptography-legacy/pkg-descr          |   7 +
 6 files changed, 433 insertions(+)

diff --git a/security/Makefile b/security/Makefile
index e6b0233a393c..dfc527001195 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -885,6 +885,7 @@
     SUBDIR += py-coincurve
     SUBDIR += py-cpe
     SUBDIR += py-cryptography
+    SUBDIR += py-cryptography-legacy
     SUBDIR += py-cryptography-vectors
     SUBDIR += py-ctypescrypto
     SUBDIR += py-cybox
diff --git a/security/py-cryptography-legacy/Makefile b/security/py-cryptography-legacy/Makefile
new file mode 100644
index 000000000000..0e9421c19323
--- /dev/null
+++ b/security/py-cryptography-legacy/Makefile
@@ -0,0 +1,51 @@
+PORTNAME=	cryptography
+PORTVERSION=	3.4.8
+PORTREVISION=	1
+PORTEPOCH=	1
+CATEGORIES=	security python
+MASTER_SITES=	PYPI
+PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}
+PKGNAMESUFFIX=	-legacy
+
+MAINTAINER=	sunpoet@FreeBSD.org
+COMMENT=	Cryptographic recipes and primitives for Python developers
+WWW=		https://github.com/pyca/cryptography
+
+LICENSE=	APACHE20 BSD3CLAUSE
+LICENSE_COMB=	dual
+LICENSE_FILE_APACHE20=	${WRKSRC}/LICENSE.APACHE
+LICENSE_FILE_BSD3CLAUSE=${WRKSRC}/LICENSE.BSD
+
+BUILD_DEPENDS=	${PYTHON_PKGNAMEPREFIX}cffi>=1.12:devel/py-cffi@${PY_FLAVOR}
+RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}cffi>=1.12:devel/py-cffi@${PY_FLAVOR}
+TEST_DEPENDS=	${PYTHON_PKGNAMEPREFIX}cryptography-vectors>=${PORTVERSION}:security/py-cryptography-vectors@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}hypothesis>=1.11.4:devel/py-hypothesis@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}iso8601>=0:devel/py-iso8601@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}pretend>=0:devel/py-pretend@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}pytest-cov>=0:devel/py-pytest-cov@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}pytest-subtests>=0:devel/py-pytest-subtests@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}pytest-xdist>=0,1:devel/py-pytest-xdist@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}pytz>=0,1:devel/py-pytz@${PY_FLAVOR} \
+		${PYTHON_PKGNAMEPREFIX}sqlite3>=0:databases/py-sqlite3@${PY_FLAVOR}
+
+USES=		compiler:env cpe python ssl
+USE_PYTHON=	autoplist concurrent distutils pytest
+
+CFLAGS+=	-I${OPENSSLINC}
+LDFLAGS+=	-L${OPENSSLLIB}
+MAKE_ENV=	CRYPTOGRAPHY_DONT_BUILD_RUST=1
+TEST_ENV=	PYTHONPATH=${STAGEDIR}${PYTHON_SITELIBDIR}
+
+CPE_VENDOR=	cryptography_project
+
+.include <bsd.port.pre.mk>
+
+.if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42
+post-patch:
+	@${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' ${WRKSRC}/src/_cffi_src/build_openssl.py
+.endif
+
+post-install:
+	${FIND} ${STAGEDIR}${PYTHON_SITELIBDIR} -name '*.so' -exec ${STRIP_CMD} {} +
+
+.include <bsd.port.post.mk>
diff --git a/security/py-cryptography-legacy/distinfo b/security/py-cryptography-legacy/distinfo
new file mode 100644
index 000000000000..cb800cc11b12
--- /dev/null
+++ b/security/py-cryptography-legacy/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1652122693
+SHA256 (cryptography-3.4.8.tar.gz) = 94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c
+SIZE (cryptography-3.4.8.tar.gz) = 546907
diff --git a/security/py-cryptography-legacy/files/patch-libressl b/security/py-cryptography-legacy/files/patch-libressl
new file mode 100644
index 000000000000..b9bc1e535d63
--- /dev/null
+++ b/security/py-cryptography-legacy/files/patch-libressl
@@ -0,0 +1,316 @@
+--- src/_cffi_src/openssl/crypto.py.orig	2023-03-22 07:29:15 UTC
++++ src/_cffi_src/openssl/crypto.py
+@@ -74,11 +74,8 @@ CUSTOMIZATIONS = """
+ # define OPENSSL_DIR             SSLEAY_DIR
+ #endif
+ 
++static const long Cryptography_HAS_OPENSSL_CLEANUP = 1;
+ #if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long Cryptography_HAS_OPENSSL_CLEANUP = 0;
+-
+-void (*OPENSSL_cleanup)(void) = NULL;
+-
+ /* This function has a significantly different signature pre-1.1.0. since it is
+  * for testing only, we don't bother to expose it on older OpenSSLs.
+  */
+@@ -89,7 +86,6 @@ int (*Cryptography_CRYPTO_set_mem_functions)(
+     void (*)(void *, const char *, int)) = NULL;
+ 
+ #else
+-static const long Cryptography_HAS_OPENSSL_CLEANUP = 1;
+ static const long Cryptography_HAS_MEM_FUNCTIONS = 1;
+ 
+ int Cryptography_CRYPTO_set_mem_functions(
+--- src/_cffi_src/openssl/cryptography.py.orig	2021-08-24 17:17:17 UTC
++++ src/_cffi_src/openssl/cryptography.py
+@@ -33,17 +33,17 @@ INCLUDES = """
+ #endif
+ 
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+-    (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
++    OPENSSL_VERSION_NUMBER >= 0x1010006f
+ 
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+-    (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
++    OPENSSL_VERSION_NUMBER < 0x101000af
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \
+-    (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL)
++    OPENSSL_VERSION_NUMBER < 0x10101000
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \
+-    (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
++    OPENSSL_VERSION_NUMBER < 0x10101020
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \
+-    (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL)
+-#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \
++    OPENSSL_VERSION_NUMBER < 0x10101040
++#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && \
+     !defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING)
+ #define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1
+ #else
+--- src/_cffi_src/openssl/dh.py.orig	2021-08-24 17:17:17 UTC
++++ src/_cffi_src/openssl/dh.py
+@@ -37,117 +37,9 @@ int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x);
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-#ifndef DH_CHECK_Q_NOT_PRIME
+-#define DH_CHECK_Q_NOT_PRIME            0x10
+-#endif
+-
+-#ifndef DH_CHECK_INVALID_Q_VALUE
+-#define DH_CHECK_INVALID_Q_VALUE        0x20
+-#endif
+-
+-#ifndef DH_CHECK_INVALID_J_VALUE
+-#define DH_CHECK_INVALID_J_VALUE        0x40
+-#endif
+-
+-/* DH_check implementation taken from OpenSSL 1.1.0pre6 */
+-
+-/*-
+- * Check that p is a safe prime and
+- * if g is 2, 3 or 5, check that it is a suitable generator
+- * where
+- * for 2, p mod 24 == 11
+- * for 3, p mod 12 == 5
+- * for 5, p mod 10 == 3 or 7
+- * should hold.
+- */
+-
+-int Cryptography_DH_check(const DH *dh, int *ret)
+-{
+-    int ok = 0, r;
+-    BN_CTX *ctx = NULL;
+-    BN_ULONG l;
+-    BIGNUM *t1 = NULL, *t2 = NULL;
+-
+-    *ret = 0;
+-    ctx = BN_CTX_new();
+-    if (ctx == NULL)
+-        goto err;
+-    BN_CTX_start(ctx);
+-    t1 = BN_CTX_get(ctx);
+-    if (t1 == NULL)
+-        goto err;
+-    t2 = BN_CTX_get(ctx);
+-    if (t2 == NULL)
+-        goto err;
+-
+-    if (dh->q) {
+-        if (BN_cmp(dh->g, BN_value_one()) <= 0)
+-            *ret |= DH_NOT_SUITABLE_GENERATOR;
+-        else if (BN_cmp(dh->g, dh->p) >= 0)
+-            *ret |= DH_NOT_SUITABLE_GENERATOR;
+-        else {
+-            /* Check g^q == 1 mod p */
+-            if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx))
+-                goto err;
+-            if (!BN_is_one(t1))
+-                *ret |= DH_NOT_SUITABLE_GENERATOR;
+-        }
+-        r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);
+-        if (r < 0)
+-            goto err;
+-        if (!r)
+-            *ret |= DH_CHECK_Q_NOT_PRIME;
+-        /* Check p == 1 mod q  i.e. q divides p - 1 */
+-        if (!BN_div(t1, t2, dh->p, dh->q, ctx))
+-            goto err;
+-        if (!BN_is_one(t2))
+-            *ret |= DH_CHECK_INVALID_Q_VALUE;
+-        if (dh->j && BN_cmp(dh->j, t1))
+-            *ret |= DH_CHECK_INVALID_J_VALUE;
+-
+-    } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
+-        l = BN_mod_word(dh->p, 24);
+-        if (l == (BN_ULONG)-1)
+-            goto err;
+-        if (l != 11)
+-            *ret |= DH_NOT_SUITABLE_GENERATOR;
+-    } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
+-        l = BN_mod_word(dh->p, 10);
+-        if (l == (BN_ULONG)-1)
+-            goto err;
+-        if ((l != 3) && (l != 7))
+-            *ret |= DH_NOT_SUITABLE_GENERATOR;
+-    } else
+-        *ret |= DH_UNABLE_TO_CHECK_GENERATOR;
+-
+-    r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);
+-    if (r < 0)
+-        goto err;
+-    if (!r)
+-        *ret |= DH_CHECK_P_NOT_PRIME;
+-    else if (!dh->q) {
+-        if (!BN_rshift1(t1, dh->p))
+-            goto err;
+-        r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);
+-        if (r < 0)
+-            goto err;
+-        if (!r)
+-            *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
+-    }
+-    ok = 1;
+- err:
+-    if (ctx != NULL) {
+-        BN_CTX_end(ctx);
+-        BN_CTX_free(ctx);
+-    }
+-    return (ok);
+-}
+-#else
+ int Cryptography_DH_check(const DH *dh, int *ret) {
+     return DH_check(dh, ret);
+ }
+-#endif
+ 
+ /* These functions were added in OpenSSL 1.1.0f commit d0c50e80a8 */
+ /* Define our own to simplify support across all versions. */
+--- src/_cffi_src/openssl/fips.py.orig	2021-08-24 17:17:17 UTC
++++ src/_cffi_src/openssl/fips.py
+@@ -17,11 +17,5 @@ int FIPS_mode(void);
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long Cryptography_HAS_FIPS = 0;
+-int (*FIPS_mode_set)(int) = NULL;
+-int (*FIPS_mode)(void) = NULL;
+-#else
+ static const long Cryptography_HAS_FIPS = 1;
+-#endif
+ """
+--- src/_cffi_src/openssl/ocsp.py.orig	2021-08-24 17:17:17 UTC
++++ src/_cffi_src/openssl/ocsp.py
+@@ -77,7 +77,6 @@ int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char *
+ 
+ CUSTOMIZATIONS = """
+ #if ( \
+-    !CRYPTOGRAPHY_IS_LIBRESSL && \
+     CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+     )
+ /* These structs come from ocsp_lcl.h and are needed to de-opaque the struct
+@@ -104,62 +103,15 @@ struct ocsp_basic_response_st {
+ };
+ #endif
+ 
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */
+-const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
+-{
+-    return single->certId;
+-}
+-const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(
+-    const OCSP_BASICRESP *bs)
+-{
+-    return bs->certs;
+-}
+-int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
+-                      const ASN1_OCTET_STRING **pid,
+-                      const X509_NAME **pname)
+-{
+-    const OCSP_RESPID *rid = bs->tbsResponseData->responderId;
+-
+-    if (rid->type == V_OCSP_RESPID_NAME) {
+-        *pname = rid->value.byName;
+-        *pid = NULL;
+-    } else if (rid->type == V_OCSP_RESPID_KEY) {
+-        *pid = rid->value.byKey;
+-        *pname = NULL;
+-    } else {
+-        return 0;
+-    }
+-    return 1;
+-}
+-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
+-    const OCSP_BASICRESP* bs)
+-{
+-    return bs->tbsResponseData->producedAt;
+-}
+-const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
+-{
+-    return bs->signature;
+-}
+-#endif
+-
+ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J
+ const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
+ {
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-    return bs->signatureAlgorithm;
+-#else
+     return &bs->signatureAlgorithm;
+-#endif
+ }
+ 
+ const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
+ {
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-    return bs->tbsResponseData;
+-#else
+     return &bs->tbsResponseData;
+-#endif
+ }
+ #endif
+ """
+--- src/_cffi_src/openssl/ssl.py.orig	2021-08-24 17:17:17 UTC
++++ src/_cffi_src/openssl/ssl.py
+@@ -515,12 +515,7 @@ CUSTOMIZATIONS = """
+ // users have upgraded. PersistentlyDeprecated2020
+ static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;
+ 
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long Cryptography_HAS_VERIFIED_CHAIN = 0;
+-Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL;
+-#else
+ static const long Cryptography_HAS_VERIFIED_CHAIN = 1;
+-#endif
+ 
+ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+ static const long Cryptography_HAS_KEYLOG = 0;
+@@ -586,8 +581,6 @@ static const long TLS_ST_OK = 0;
+ #endif
+ 
+ #if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long SSL_OP_NO_DTLSv1 = 0;
+-static const long SSL_OP_NO_DTLSv1_2 = 0;
+ long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
+ long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
+ #endif
+--- src/_cffi_src/openssl/x509.py.orig	2021-08-24 17:02:37 UTC
++++ src/_cffi_src/openssl/x509.py
+@@ -276,33 +276,8 @@ void X509_REQ_get0_signature(const X509_REQ *, const A
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
+-{
+-    /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1
+-       but older OpenSSLs don't have the enc ASN1_ENCODING member in the
+-       X509 struct.  Setting modified to 1 marks the encoding
+-       (x->cert_info->enc.enc) as invalid, but since the entire struct isn't
+-       present we don't care. */
+-    return i2d_X509_CINF(x->cert_info, pp);
+-}
+-#endif
+-
+ /* Being kept around for pyOpenSSL */
+ X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) {
+     return X509_REVOKED_dup(rev);
+ }
+-/* Added in 1.1.0 but we need it in all versions now due to the great
+-   opaquing. */
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
+-{
+-    req->req_info->enc.modified = 1;
+-    return i2d_X509_REQ_INFO(req->req_info, pp);
+-}
+-int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) {
+-    crl->crl->enc.modified = 1;
+-    return i2d_X509_CRL_INFO(crl->crl, pp);
+-}
+-#endif
+ """
diff --git a/security/py-cryptography-legacy/files/patch-setup.py b/security/py-cryptography-legacy/files/patch-setup.py
new file mode 100644
index 000000000000..7e15e74dffd4
--- /dev/null
+++ b/security/py-cryptography-legacy/files/patch-setup.py
@@ -0,0 +1,55 @@
+--- setup.py.orig	2021-03-25 17:19:57 UTC
++++ setup.py
+@@ -10,23 +10,7 @@ import sys
+ 
+ from setuptools import find_packages, setup
+ 
+-try:
+-    from setuptools_rust import RustExtension
+-except ImportError:
+-    print(
+-        """
+-        =============================DEBUG ASSISTANCE==========================
+-        If you are seeing an error here please try the following to
+-        successfully install cryptography:
+ 
+-        Upgrade to the latest pip and try again. This will fix errors for most
+-        users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip
+-        =============================DEBUG ASSISTANCE==========================
+-        """
+-    )
+-    raise
+-
+-
+ base_dir = os.path.dirname(__file__)
+ src_dir = os.path.join(base_dir, "src")
+ 
+@@ -41,9 +25,8 @@ with open(os.path.join(src_dir, "cryptography", "__abo
+ 
+ # `install_requirements` and `setup_requirements` must be kept in sync with
+ # `pyproject.toml`
+-setuptools_rust = "setuptools-rust>=0.11.4"
+ install_requirements = ["cffi>=1.12"]
+-setup_requirements = install_requirements + [setuptools_rust]
++setup_requirements = install_requirements
+ 
+ if os.environ.get("CRYPTOGRAPHY_DONT_BUILD_RUST"):
+     rust_extensions = []
+@@ -129,9 +112,6 @@ try:
+                 "twine >= 1.12.0",
+                 "sphinxcontrib-spelling >= 4.0.1",
+             ],
+-            "sdist": [
+-                setuptools_rust,
+-            ],
+             "pep8test": [
+                 "black",
+                 "flake8",
+@@ -149,7 +129,6 @@ try:
+             "src/_cffi_src/build_openssl.py:ffi",
+             "src/_cffi_src/build_padding.py:ffi",
+         ],
+-        rust_extensions=rust_extensions,
+     )
+ except:  # noqa: E722
+     # Note: This is a bare exception that re-raises so that we don't interfere
diff --git a/security/py-cryptography-legacy/pkg-descr b/security/py-cryptography-legacy/pkg-descr
new file mode 100644
index 000000000000..67482a5841b8
--- /dev/null
+++ b/security/py-cryptography-legacy/pkg-descr
@@ -0,0 +1,7 @@
+cryptography is a package which provides cryptographic recipes and primitives to
+Python developers. Our goal is for it to be your "cryptographic standard
+library". It supports Python 3.6+ and PyPy3 7.2+.
+
+cryptography includes both high level recipes and low level interfaces to common
+cryptographic algorithms such as symmetric ciphers, message digests, and key
+derivation functions.