Re: git: f482d5d27c1a - main - security/py-cryptography: Fix runtime /w libressl

In reply to: Felix Palmen : "git: f482d5d27c1a - main - security/py-cryptography: Fix runtime /w libressl"
Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Po-Chuan Hsieh <sunpoet_at_sunpoet.net>
Date: Mon, 27 Mar 2023 14:04:17 UTC
On Sun, Mar 12, 2023 at 4:48 PM Felix Palmen <zirias@freebsd.org> wrote:

> The branch main has been updated by zirias:
>
> URL:
> https://cgit.FreeBSD.org/ports/commit/?id=f482d5d27c1afbbc3b9ed65d31c7eba92fe04393
>
> commit f482d5d27c1afbbc3b9ed65d31c7eba92fe04393
> Author:     Felix Palmen <zirias@FreeBSD.org>
> AuthorDate: 2023-02-25 06:52:40 +0000
> Commit:     Felix Palmen <zirias@FreeBSD.org>
> CommitDate: 2023-03-12 08:47:06 +0000
>
>     security/py-cryptography: Fix runtime /w libressl
>
>     When built with LibreSSL, a few symbols were missing, so consumers
>     failed at runtime.
>
>     PR:                     269705
>     Approved by:            sunpoet (maintainer, timeout)
>

To be clear, there is no maintainer timeout on Phabricator.
And I'm OK with LibreSSL fixes.


>     Approved by:            tcberner (mentor, implicit: libressl)
>     Differential Revision:  https://reviews.freebsd.org/D38765
> ---
>  security/py-cryptography/Makefile               |  1 +
>  security/py-cryptography/files/patch-libressl35 | 41
> ++++++++++++++++++-------
>  2 files changed, 31 insertions(+), 11 deletions(-)
>
> diff --git a/security/py-cryptography/Makefile
> b/security/py-cryptography/Makefile
> index 64b8cb08caea..8f06002fbf3c 100644
> --- a/security/py-cryptography/Makefile
> +++ b/security/py-cryptography/Makefile
> @@ -1,5 +1,6 @@
>  PORTNAME=      cryptography
>  PORTVERSION=   3.4.8
> +PORTREVISION=  1
>  PORTEPOCH=     1
>  CATEGORIES=    security python
>  MASTER_SITES=  PYPI
> diff --git a/security/py-cryptography/files/patch-libressl35
> b/security/py-cryptography/files/patch-libressl35
> index d0b7d798dc7a..84c9f44a3350 100644
> --- a/security/py-cryptography/files/patch-libressl35
> +++ b/security/py-cryptography/files/patch-libressl35
> @@ -144,6 +144,30 @@
>
>   /* These functions were added in OpenSSL 1.1.0f commit d0c50e80a8 */
>   /* Define our own to simplify support across all versions. */
> +--- src/_cffi_src/openssl/evp.py.orig  2023-02-24 07:28:50 UTC
> ++++ src/_cffi_src/openssl/evp.py
> +@@ -203,7 +203,20 @@ int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *,
> cons
> +                                       size_t) = NULL;
> + #endif
> +
> +-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
> ++#if CRYPTOGRAPHY_IS_LIBRESSL
> ++static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
> ++static const long Cryptography_HAS_RAW_KEY = 0;
> ++static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
> ++int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
> ++EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned
> char *,
> ++                                       size_t) = NULL;
> ++EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned
> char *,
> ++                                      size_t) = NULL;
> ++int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *,
> ++                                    size_t *) = NULL;
> ++int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *,
> ++                                   size_t *) = NULL;
> ++#elif CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
> + static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
> + static const long Cryptography_HAS_RAW_KEY = 0;
> + static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
>  --- src/_cffi_src/openssl/fips.py.orig 2022-10-17 11:12:47 UTC
>  +++ src/_cffi_src/openssl/fips.py
>  @@ -17,11 +17,5 @@ int FIPS_mode(void);
> @@ -246,20 +270,15 @@
>
>   #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
>   static const long Cryptography_HAS_KEYLOG = 0;
> -@@ -583,13 +578,6 @@ static const long Cryptography_HAS_TLS_ST = 1;
> - static const long Cryptography_HAS_TLS_ST = 0;
> - static const long TLS_ST_BEFORE = 0;
> - static const long TLS_ST_OK = 0;
> --#endif
> --
> --#if CRYPTOGRAPHY_IS_LIBRESSL
> +@@ -586,8 +581,6 @@ static const long Cryptography_HAS_TLS_ST = 1;
> + #endif
> +
> + #if CRYPTOGRAPHY_IS_LIBRESSL
>  -static const long SSL_OP_NO_DTLSv1 = 0;
>  -static const long SSL_OP_NO_DTLSv1_2 = 0;
> --long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
> --long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
> + long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
> + long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
>   #endif
> -
> - static const long Cryptography_HAS_DTLS = 1;
>  --- src/_cffi_src/openssl/x509.py.orig 2022-10-17 11:26:23 UTC
>  +++ src/_cffi_src/openssl/x509.py
>  @@ -276,33 +276,8 @@ void X509_REQ_get0_signature(const X509_REQ *, const
> A
>
>