diff --git a/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988 b/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
deleted file mode 100644
--- a/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
+++ /dev/null
@@ -1,62 +0,0 @@
-From 94590a9aecc9e5ef6fc8eda52bae43643a4c44bd Mon Sep 17 00:00:00 2001
-From: Charlie Li
-Date: Mon, 19 Apr 2021 18:38:38 -0400
-Subject: [PATCH] Fix build with LibreSSL 3.3.2 (#5988)
-
-* LibreSSL 3.3.2 supports SSL_OP_NO_DTLS*
-
-While here, bump CI
-
-* Fix preprocessor guards for LibreSSL's SSL_OP_NO_DTLS*
-
-DTLS_set_link_mtu and DTLS_get_link_min_mtu are not part of 3.3.2
-
-* Switch to LESS_THAN context for LibreSSL 3.3.2
-
-While here, fix indents
-
-* Remove extra C variable declaration
-
-The variable is not actually used from Python
---
- .github/workflows/ci.yml | 2 +-
- src/_cffi_src/openssl/cryptography.py | 7 +++++++
- src/_cffi_src/openssl/ssl.py | 2 ++
- 3 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
-index e2b5a132..b9c7a793 100644
---- src/_cffi_src/openssl/cryptography.py
-+++ src/_cffi_src/openssl/cryptography.py
-@@ -32,6 +32,13 @@ INCLUDES = """
- #include
- #endif
- 
-+#if CRYPTOGRAPHY_IS_LIBRESSL
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
-+ (LIBRESSL_VERSION_NUMBER < 0x3030200f)
-+#else
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
-+#endif
-+
- #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
- (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
- 
-diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
-index 11a7d63a..081ef041 100644
---- src/_cffi_src/openssl/ssl.py
-+++ src/_cffi_src/openssl/ssl.py
-@@ -586,8 +586,10 @@ static const long TLS_ST_OK = 0;
- #endif
- 
- #if CRYPTOGRAPHY_IS_LIBRESSL
-+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332
- static const long SSL_OP_NO_DTLSv1 = 0;
- static const long SSL_OP_NO_DTLSv1_2 = 0;
-+#endif
- long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
- long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
- #endif
---
-2.31.1
-
diff --git a/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
deleted file mode 100644
--- a/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
+++ /dev/null
@@ -1,98 +0,0 @@
-From 7a341a5d3cb9380e77b0241b5198373ab6fc355e Mon Sep 17 00:00:00 2001
-From: Charlie Li
-Date: Sun, 3 Oct 2021 00:20:31 -0400
-Subject: [PATCH] Support LibreSSL 3.4.0 (#6360)
-
-* Add LibreSSL 3.4.0 to CI
-
-* Add a LibreSSL 3.4.0 guard
-
-Since LibreSSL 3.4.0 makes most of the TLSv1.3 API available, redefine CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 to LibreSSL versions below 3.4.0.
-
-* DTLS_get_data_mtu does not exist in LibreSSL
-
-* Only EVP_Digest{Sign,Verify} exist in LibreSSL 3.4.0+
-
-* SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL
-
-* Do not pollute CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 with LibreSSL
-
-While LibreSSL 3.4.0 supports more of TLSv1.3 API, the guard redefinition caused the X448 tests to run when not intended.
---
- .github/workflows/ci.yml | 6 ++++--
- src/_cffi_src/openssl/cryptography.py | 3 +++
- src/_cffi_src/openssl/evp.py | 15 ++++++++++-----
- src/_cffi_src/openssl/ssl.py | 3 ++-
- 4 files changed, 19 insertions(+), 8 deletions(-)
-
-diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
-index 878d22d8..821ddc9f 100644
---- src/_cffi_src/openssl/cryptography.py
-+++ src/_cffi_src/openssl/cryptography.py
-@@ -36,8 +36,11 @@ INCLUDES = """
- #if CRYPTOGRAPHY_IS_LIBRESSL
- #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
- (LIBRESSL_VERSION_NUMBER < 0x3030200f)
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 \
-+ (LIBRESSL_VERSION_NUMBER < 0x3040000f)
- #else
- #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0)
- #endif
- 
- #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
-diff --git src/_cffi_src/openssl/evp.py src/_cffi_src/openssl/evp.py
-index ab7cfeb3..cad3339a 100644
---- src/_cffi_src/openssl/evp.py
-+++ src/_cffi_src/openssl/evp.py
-@@ -203,15 +203,21 @@ int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *,
- size_t) = NULL;
- #endif
- 
--#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
-+#if 
CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
-+ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
- static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
--static const long Cryptography_HAS_RAW_KEY = 0;
--static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
--int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
- int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,
- const unsigned char *tbs, size_t) = NULL;
- int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t,
- const unsigned char *, size_t) = NULL;
-+#else
-+static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
-+#endif
-+
-+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
-+static const long Cryptography_HAS_RAW_KEY = 0;
-+static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
-+int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
- EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *,
- size_t) = NULL;
- EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *,
-@@ -221,7 +227,6 @@ int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *,
- int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *,
- size_t *) = NULL;
- #else
--static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
- static const long Cryptography_HAS_RAW_KEY = 1;
- static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1;
- #endif
-diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
-index ca275e91..0830a463 100644
---- src/_cffi_src/openssl/ssl.py
-+++ src/_cffi_src/openssl/ssl.py
-@@ -678,7 +678,8 @@ int (*SSL_set_tlsext_use_srtp)(SSL *, const char *) = NULL;
- SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL;
- #endif
- 
--#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
-+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
-+ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
- static const long 
Cryptography_HAS_TLSv1_3 = 0;
- static const long SSL_OP_NO_TLSv1_3 = 0;
- static const long SSL_VERIFY_POST_HANDSHAKE = 0;
---
-2.32.0
-
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py
new file mode 100644
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_cryptography.py
@@ -0,0 +1,26 @@
+--- src/_cffi_src/openssl/cryptography.py.orig 2022-10-17 10:52:36 UTC
++++ src/_cffi_src/openssl/cryptography.py
+@@ -33,17 +33,17 @@ INCLUDES = """
+ #endif
+ 
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+- (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
++ OPENSSL_VERSION_NUMBER >= 0x1010006f
+ 
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+- (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
++ OPENSSL_VERSION_NUMBER < 0x101000af
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \
+- (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL)
++ OPENSSL_VERSION_NUMBER < 0x10101000
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \
+- (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
++ OPENSSL_VERSION_NUMBER < 0x10101020
+ #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \
+- (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL)
+-#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \
++ OPENSSL_VERSION_NUMBER < 0x10101040
++#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && \
+ !defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING)
+ #define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1
+ #else
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py
new file mode 100644
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_dh.py
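Review bot: The rewritten macros lose their enclosing parentheses — `++ OPENSSL_VERSION_NUMBER >= 0x1010006f` and the four `LESS_THAN_*` lines below it — so CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 now expands to a bare `OPENSSL_VERSION_NUMBER < 0x10101000`, and any `#if !CRYPTOGRAPHY_OPENSSL_LESS_THAN_111` elsewhere in the bindings would parse as `(!OPENSSL_VERSION_NUMBER) < 0x10101000` and evaluate true on every version. Keep the parentheses while dropping the LibreSSL clause, e.g. `++    (OPENSSL_VERSION_NUMBER >= 0x1010006f)` and `++    (OPENSSL_VERSION_NUMBER < 0x10101000)`. The patch also makes every version test rest on the OPENSSL_VERSION_NUMBER that LibreSSL advertises (0x20000000L as far as I know, which makes 110F_OR_GREATER true and all four LESS_THAN_* tests false), so the bindings will assume the full OpenSSL 1.1.1 API and the CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE branch stays off unless USE_OSRANDOM_RNG_FOR_TESTING is defined; a one-line comment at the top of the patch file recording that intent and the minimum LibreSSL version, `# Treat LibreSSL >= <min version> as OpenSSL 1.1.1-compatible`, would save the next maintainer the analysis.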
@@ -0,0 +1,120 @@
+--- src/_cffi_src/openssl/dh.py.orig 2022-10-17 11:10:57 UTC
++++ src/_cffi_src/openssl/dh.py
+@@ -37,117 +37,9 @@ int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x);
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-#ifndef DH_CHECK_Q_NOT_PRIME
+-#define DH_CHECK_Q_NOT_PRIME 0x10
+-#endif
+-
+-#ifndef DH_CHECK_INVALID_Q_VALUE
+-#define DH_CHECK_INVALID_Q_VALUE 0x20
+-#endif
+-
+-#ifndef DH_CHECK_INVALID_J_VALUE
+-#define DH_CHECK_INVALID_J_VALUE 0x40
+-#endif
+-
+-/* DH_check implementation taken from OpenSSL 1.1.0pre6 */
+-
+-/*-
+- * Check that p is a safe prime and
+- * if g is 2, 3 or 5, check that it is a suitable generator
+- * where
+- * for 2, p mod 24 == 11
+- * for 3, p mod 12 == 5
+- * for 5, p mod 10 == 3 or 7
+- * should hold.
+- */
+-
+-int Cryptography_DH_check(const DH *dh, int *ret)
+-{
+- int ok = 0, r;
+- BN_CTX *ctx = NULL;
+- BN_ULONG l;
+- BIGNUM *t1 = NULL, *t2 = NULL;
+-
+- *ret = 0;
+- ctx = BN_CTX_new();
+- if (ctx == NULL)
+- goto err;
+- BN_CTX_start(ctx);
+- t1 = BN_CTX_get(ctx);
+- if (t1 == NULL)
+- goto err;
+- t2 = BN_CTX_get(ctx);
+- if (t2 == NULL)
+- goto err;
+-
+- if (dh->q) {
+- if (BN_cmp(dh->g, BN_value_one()) <= 0)
+- *ret |= DH_NOT_SUITABLE_GENERATOR;
+- else if (BN_cmp(dh->g, dh->p) >= 0)
+- *ret |= DH_NOT_SUITABLE_GENERATOR;
+- else {
+- /* Check g^q == 1 mod p */
+- if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx))
+- goto err;
+- if (!BN_is_one(t1))
+- *ret |= DH_NOT_SUITABLE_GENERATOR;
+- }
+- r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);
+- if (r < 0)
+- goto err;
+- if (!r)
+- *ret |= DH_CHECK_Q_NOT_PRIME;
+- /* Check p == 1 mod q i.e. 
q divides p - 1 */
+- if (!BN_div(t1, t2, dh->p, dh->q, ctx))
+- goto err;
+- if (!BN_is_one(t2))
+- *ret |= DH_CHECK_INVALID_Q_VALUE;
+- if (dh->j && BN_cmp(dh->j, t1))
+- *ret |= DH_CHECK_INVALID_J_VALUE;
+-
+- } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
+- l = BN_mod_word(dh->p, 24);
+- if (l == (BN_ULONG)-1)
+- goto err;
+- if (l != 11)
+- *ret |= DH_NOT_SUITABLE_GENERATOR;
+- } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
+- l = BN_mod_word(dh->p, 10);
+- if (l == (BN_ULONG)-1)
+- goto err;
+- if ((l != 3) && (l != 7))
+- *ret |= DH_NOT_SUITABLE_GENERATOR;
+- } else
+- *ret |= DH_UNABLE_TO_CHECK_GENERATOR;
+-
+- r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);
+- if (r < 0)
+- goto err;
+- if (!r)
+- *ret |= DH_CHECK_P_NOT_PRIME;
+- else if (!dh->q) {
+- if (!BN_rshift1(t1, dh->p))
+- goto err;
+- r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);
+- if (r < 0)
+- goto err;
+- if (!r)
+- *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
+- }
+- ok = 1;
+- err:
+- if (ctx != NULL) {
+- BN_CTX_end(ctx);
+- BN_CTX_free(ctx);
+- }
+- return (ok);
+-}
+-#else
+ int Cryptography_DH_check(const DH *dh, int *ret) {
+ return DH_check(dh, ret);
+ }
+-#endif
+ 
+ /* These functions were added in OpenSSL 1.1.0f commit d0c50e80a8 */
+ /* Define our own to simplify support across all versions. */
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py
new file mode 100644
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_fips.py
@@ -0,0 +1,14 @@
+--- src/_cffi_src/openssl/fips.py.orig 2022-10-17 11:12:47 UTC
++++ src/_cffi_src/openssl/fips.py
+@@ -17,11 +17,5 @@ int FIPS_mode(void);
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long Cryptography_HAS_FIPS = 0;
+-int (*FIPS_mode_set)(int) = NULL;
+-int (*FIPS_mode)(void) = NULL;
+-#else
+ static const long Cryptography_HAS_FIPS = 1;
+-#endif
+ """
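Review bot: Removing the `#if CRYPTOGRAPHY_IS_LIBRESSL` block around Cryptography_DH_check leaves the port depending on LibreSSL's own DH_check and on its headers defining DH_CHECK_Q_NOT_PRIME, DH_CHECK_INVALID_Q_VALUE and DH_CHECK_INVALID_J_VALUE, which the deleted code supplied under `#ifndef` guards, yet no patch file states the LibreSSL version this assumes. The fips.py patch in the same section (`Cryptography_HAS_FIPS = 1` is now unconditional, so FIPS_mode and FIPS_mode_set must resolve when the cffi module links) and the ocsp.py, ssl.py and x509.py patches below (the OCSP_resp_get0_* accessors, SSL_get0_verified_chain and the DTLS MTU functions, i2d_re_X509_*_tbs) make the same unstated assumption. A missing function is caught at link time, but a DH_CHECK_* flag that exists with a different bit value would not necessarily be, and the Python side presumably inspects those bits when validating DH parameters. Suggest a comment above the `---` line of each patch, e.g. `# LibreSSL >= <min version> provides these APIs natively; drop the upstream compatibility shims.`, with the placeholder replaced by the version the port actually requires.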
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py
new file mode 100644
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_ocsp.py
@@ -0,0 +1,73 @@
+--- src/_cffi_src/openssl/ocsp.py.orig 2022-10-17 11:14:50 UTC
++++ src/_cffi_src/openssl/ocsp.py
+@@ -77,7 +77,6 @@ int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char *
+ 
+ CUSTOMIZATIONS = """
+ #if ( \
+- !CRYPTOGRAPHY_IS_LIBRESSL && \
+ CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+ )
+ /* These structs come from ocsp_lcl.h and are needed to de-opaque the struct
+@@ -104,62 +103,15 @@ struct ocsp_basic_response_st {
+ };
+ #endif
+ 
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */
+-const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
+-{
+- return single->certId;
+-}
+-const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(
+- const OCSP_BASICRESP *bs)
+-{
+- return bs->certs;
+-}
+-int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
+- const ASN1_OCTET_STRING **pid,
+- const X509_NAME **pname)
+-{
+- const OCSP_RESPID *rid = bs->tbsResponseData->responderId;
+-
+- if (rid->type == V_OCSP_RESPID_NAME) {
+- *pname = rid->value.byName;
+- *pid = NULL;
+- } else if (rid->type == V_OCSP_RESPID_KEY) {
+- *pid = rid->value.byKey;
+- *pname = NULL;
+- } else {
+- return 0;
+- }
+- return 1;
+-}
+-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
+- const OCSP_BASICRESP* bs)
+-{
+- return bs->tbsResponseData->producedAt;
+-}
+-const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
+-{
+- return bs->signature;
+-}
+-#endif
+-
+ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J
+ const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
+ {
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+- return bs->signatureAlgorithm;
+-#else
+ return &bs->signatureAlgorithm;
+-#endif
+ }
+ 
+ const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
+ {
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+- return bs->tbsResponseData;
+-#else
+ return &bs->tbsResponseData;
+-#endif
+ }
+ #endif
+ """
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py
new file mode 100644
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_ssl.py
@@ -0,0 +1,29 @@
+--- src/_cffi_src/openssl/ssl.py.orig 2022-10-17 11:17:08 UTC
++++ src/_cffi_src/openssl/ssl.py
+@@ -515,12 +515,7 @@ CUSTOMIZATIONS = """
+ // users have upgraded. PersistentlyDeprecated2020
+ static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;
+ 
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long Cryptography_HAS_VERIFIED_CHAIN = 0;
+-Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL;
+-#else
+ static const long Cryptography_HAS_VERIFIED_CHAIN = 1;
+-#endif
+ 
+ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+ static const long Cryptography_HAS_KEYLOG = 0;
+@@ -583,13 +578,6 @@ static const long Cryptography_HAS_TLS_ST = 1;
+ static const long Cryptography_HAS_TLS_ST = 0;
+ static const long TLS_ST_BEFORE = 0;
+ static const long TLS_ST_OK = 0;
+-#endif
+-
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-static const long SSL_OP_NO_DTLSv1 = 0;
+-static const long SSL_OP_NO_DTLSv1_2 = 0;
+-long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
+-long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
+ #endif
+ 
+ static const long Cryptography_HAS_DTLS = 1;
diff --git a/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py b/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py
new file mode 100644
--- /dev/null
+++ b/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py
@@ -0,0 +1,36 @@
+--- src/_cffi_src/openssl/x509.py.orig 2022-10-17 11:26:23 UTC
++++ src/_cffi_src/openssl/x509.py
+@@ -276,33 +276,8 @@ void X509_REQ_get0_signature(const X509_REQ *, const A
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
+-{
+- /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1
+- but older OpenSSLs don't have the enc ASN1_ENCODING member in the
+- X509 struct. Setting modified to 1 marks the encoding
+- (x->cert_info->enc.enc) as invalid, but since the entire struct isn't
+- present we don't care. */
+- return i2d_X509_CINF(x->cert_info, pp);
+-}
+-#endif
+-
+ /* Being kept around for pyOpenSSL */
+ X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) {
+ return X509_REVOKED_dup(rev);
+ }
+-/* Added in 1.1.0 but we need it in all versions now due to the great
+- opaquing. */
+-#if CRYPTOGRAPHY_IS_LIBRESSL
+-int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
+-{
+- req->req_info->enc.modified = 1;
+- return i2d_X509_REQ_INFO(req->req_info, pp);
+-}
+-int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) {
+- crl->crl->enc.modified = 1;
+- return i2d_X509_CRL_INFO(crl->crl, pp);
+-}
+-#endif
+ """