Some of the comments I found elsewhere suggested this is unnecessary with OpenSSL 1.1+. Is this truly needed?

The commit message/revision description needs updating, BTW.

LGTM, but I think @jhb’s suggestion about using static functions or macros with forward looking names would be a good potential investment, but that doesn’t need to be done here or now.

Sounds good to me! From https://www.openssl.org/docs/man3.1/man3/SSL_CTX_set_ecdh_auto.html :

I've been going back and forth a lot over the wording and APIs in use because I've been refining my understanding upon reading the manpages and tried to get things consistent across the board to aid with program UX 😅.
The existing code was also misleading/incorrect in terms of how the limits were calculated and enforced, too: it should have been 256, not 112 -- I have no idea why someone chose the number 112.

Include appropriate headers for new APIs in use

Consistently use bytes or bits in calculations

Make the minimum required RSA bits 256, not 112.

Update values and messages used when testing pubkey limits

Remove all pre-3.0 related ifdefs.

In D40273#917094, @emaste wrote:

(Copied from the GitHub pull request) So far I am aiming for minimal diffs, and plan to make another pass over everything later on including updates to use OpenSSL 3 APIs. In particular I don't want to delete SSL_library_init(); if other pre-OpenSSL-1.1 code remains (I haven't checked whether or not it does, yet).

Submitted as https://github.com/corecode/dma/pull/126 .

Ah, it’s not fixed upstream yet. I can submit the patch if that’s ok.

Can we also update this third-party package to a version that supports OpenSSL 3?

Update with @sunpoet's patch from https://people.freebsd.org/~sunpoet/patch/security-py-cryptography.txt .

Take back so I can update the diff.

@sunpoet : I'm going to pass this review to you, given that you're the more current maintainer and you have a patch out for updating to 40.0.1. Please feel free to abandon the review if you it's being addressed elsewhere or you don't feel this is necessary.

John: do you have any more comments I should follow up on?

This built successfully with poudriere on 13.1-RELEASE-p7/amd64. It also passed the exp-run according to @antoine: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270161#c1 .

Fix typo in previous revision regarding version pinning.

Add a minimum required test-vectors version and a comment noting why the version is pinned.

Address comments re: 3.11 support.

patch-setup.py isn't strictly required I suppose. I can remove it from the diff, if need be.

This is a bit of additional boilerplate that would be nice to DRY. Not needed now, but it would be a good idea to create a for-loop that generates test cases for gtar/non-gtar within atf_init_test_cases, if possible.

The changes that needed to be removed are based on complaints from the developer checks printed out by stage-qa, BTW: I naively heeded the advice from stage-qa post build, which is why I introduced the checks: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=270035 .

Merged as https://reviews.freebsd.org/rGe4520c8bd1d3 .