Index: head/security/py-cryptography/Makefile =================================================================== --- head/security/py-cryptography/Makefile (revision 556972) +++ head/security/py-cryptography/Makefile (revision 556973) @@ -1,52 +1,68 @@ # Created by: Kubilay Kocak # $FreeBSD$ PORTNAME= cryptography -PORTVERSION= 2.6.1 +PORTVERSION= 2.9.2 CATEGORIES= security python MASTER_SITES= CHEESESHOP PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX} MAINTAINER= koobs@FreeBSD.org COMMENT= Cryptographic recipes and primitives for Python developers LICENSE= APACHE20 BSD3CLAUSE LICENSE_COMB= dual LICENSE_FILE_APACHE20= ${WRKSRC}/LICENSE.APACHE LICENSE_FILE_BSD3CLAUSE= ${WRKSRC}/LICENSE.BSD BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} -RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}asn1crypto>=0.21.0:devel/py-asn1crypto@${PY_FLAVOR} \ - ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} \ +RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} \ ${PY_ENUM34} \ ${PY_IPADDRESS} \ ${PYTHON_PKGNAMEPREFIX}six>=1.4.1:devel/py-six@${PY_FLAVOR} TEST_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cryptography-vectors>=${PORTVERSION}:security/py-cryptography-vectors@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}hypothesis>=1.11.4:devel/py-hypothesis@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}iso8601>0:devel/py-iso8601@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}pretend>0:devel/py-pretend@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}pytest>=3.6.0:devel/py-pytest@${PY_FLAVOR} \ ${PYTHON_PKGNAMEPREFIX}pytz>0:devel/py-pytz@${PY_FLAVOR} -# Python 2.7, 3.4-3.7 +# Python 2.7, 3.5-3.8 USES= compiler:env python ssl USE_PYTHON= autoplist concurrent distutils CFLAGS+= -I${OPENSSLINC} LDFLAGS+= -L${OPENSSLLIB} +TEST_ENV= PYTHONPATH=${STAGEDIR}${PYTHONPREFIX_SITELIBDIR} + .include +# OpenSSL 1.0.2t got some curve matching parameter code backported before it +# has reached its End-of-Life and security/py-cryptography already had some +# code to handle this case, but it assumed OpenSSL 1.1.0+ . +# +# This has been fixed in 3.0-23-g241f8450 of security/py-cryptography and to be +# clear: It isn't a security fix but rather a workaround to handle unnamed but +# really named curves with OpenSSL 1.0.2t/u . +.if ${OPSYS} == FreeBSD && ${SSL_DEFAULT} == "base" +. if ${OSVERSION} >= 1103500 && ${OSVERSION} < 1200085 +# 1103500 352193 2019-09-10 11.3-STABLE got OpenSSL 1.0.2t +# 1200085 339270 2018-10-19 12.0-STABLE got OpenSSL 1.1.1 +EXTRA_PATCHES= ${PATCHDIR}/openssl102u +. endif +.endif + .if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42 post-patch: @${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' \ ${WRKSRC}/src/_cffi_src/build_openssl.py .endif post-install: ${STRIP_CMD} ${STAGEDIR}${PYTHON_SITELIBDIR}/cryptography/hazmat/bindings/*.so do-test: - @cd ${WRKSRC} && ${PYTHON_CMD} ${PYDISTUTILS_SETUP} test + @cd ${WRKSRC} && ${SETENV} ${TEST_ENV} ${PYTHON_CMD} -m pytest -q -v -rs -o addopts= .include Index: head/security/py-cryptography/distinfo =================================================================== --- head/security/py-cryptography/distinfo (revision 556972) +++ head/security/py-cryptography/distinfo (revision 556973) @@ -1,3 +1,3 @@ -TIMESTAMP = 1551354433 -SHA256 (cryptography-2.6.1.tar.gz) = 26c821cbeb683facb966045e2064303029d572a87ee69ca5a1bf54bf55f93ca6 -SIZE (cryptography-2.6.1.tar.gz) = 491580 +TIMESTAMP = 1596263213 +SHA256 (cryptography-2.9.2.tar.gz) = a0c30272fb4ddda5f5ffc1089d7405b7a71b0b0f51993cb4e5dbb4590b2fc229 +SIZE (cryptography-2.9.2.tar.gz) = 517571 Index: head/security/py-cryptography/files/patch-PR4855 =================================================================== --- head/security/py-cryptography/files/patch-PR4855 (revision 556972) +++ head/security/py-cryptography/files/patch-PR4855 (nonexistent) @@ -1,49 +0,0 @@ -# security/py-cryptography fails to build with libressl-2.9.1 -# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237487 -# Use generic DTLS functions added in LibreSSL 2.9.1 -# https://github.com/pyca/cryptography/pull/4855 - -index 4124dcb879..ac32fdffde 100644 ---- src/_cffi_src/openssl/cryptography.py.orig -+++ src/_cffi_src/openssl/cryptography.py -@@ -38,9 +38,12 @@ - (LIBRESSL_VERSION_NUMBER >= 0x2070000f) - #define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER \ - (LIBRESSL_VERSION_NUMBER >= 0x2080000f) -+#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER \ -+ (LIBRESSL_VERSION_NUMBER >= 0x2090100f) - #else - #define CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER (0) - #define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER (0) -+#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER (0) - #endif - - #define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \ -diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py -index 92fd1e3ec8..da21f3ce90 100644 ---- src/_cffi_src/openssl/ssl.py.orig -+++ src/_cffi_src/openssl/ssl.py -@@ -719,17 +719,20 @@ - static const long TLS_ST_OK = 0; - #endif - --#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 -+/* LibreSSL 2.9.1 added only the DTLS_*_method functions */ -+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER - static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0; - const SSL_METHOD *(*DTLS_method)(void) = NULL; - const SSL_METHOD *(*DTLS_server_method)(void) = NULL; - const SSL_METHOD *(*DTLS_client_method)(void) = NULL; -+#else -+static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1; -+#endif -+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 - static const long SSL_OP_NO_DTLSv1 = 0; - static const long SSL_OP_NO_DTLSv1_2 = 0; - long (*DTLS_set_link_mtu)(SSL *, long) = NULL; - long (*DTLS_get_link_min_mtu)(SSL *) = NULL; --#else --static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1; - #endif - - static const long Cryptography_HAS_DTLS = 1; Property changes on: head/security/py-cryptography/files/patch-PR4855 ___________________________________________________________________ Deleted: fbsd:nokeywords ## -1 +0,0 ## -yes \ No newline at end of property Deleted: svn:eol-style ## -1 +0,0 ## -native \ No newline at end of property Deleted: svn:mime-type ## -1 +0,0 ## -text/plain \ No newline at end of property Index: head/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py =================================================================== --- head/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py (nonexistent) +++ head/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py (revision 556973) @@ -0,0 +1,26 @@ +Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves + +PR #5362 + +Obtained from: +https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79 + +--- src/_cffi_src/openssl/cryptography.py.orig 2020-04-22 22:27:48 UTC ++++ src/_cffi_src/openssl/cryptography.py +@@ -47,6 +47,8 @@ INCLUDES = """ + (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL) + #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \ + (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL) ++#define CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER \ ++ (OPENSSL_VERSION_NUMBER >= 0x1000215fL && !CRYPTOGRAPHY_IS_LIBRESSL) + #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \ + (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL) + #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ +@@ -68,6 +70,7 @@ INCLUDES = """ + + TYPES = """ + static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER; ++static const int CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER; + static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER; + static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; + Property changes on: head/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py =================================================================== --- head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py (nonexistent) +++ head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py (revision 556973) @@ -0,0 +1,29 @@ +Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves + +PR #5362 + +Obtained from: +https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79 + +--- src/cryptography/hazmat/backends/openssl/backend.py.orig 2020-04-22 22:27:48 UTC ++++ src/cryptography/hazmat/backends/openssl/backend.py +@@ -1515,8 +1515,19 @@ class Backend(object): + + def _ec_key_new_by_curve(self, curve): + curve_nid = self._elliptic_curve_to_nid(curve) ++ return self._ec_key_new_by_curve_nid(curve_nid) ++ ++ def _ec_key_new_by_curve_nid(self, curve_nid): + ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid) + self.openssl_assert(ec_cdata != self._ffi.NULL) ++ # Setting the ASN.1 flag to OPENSSL_EC_NAMED_CURVE is ++ # only necessary on OpenSSL 1.0.2t/u. Once we drop support for 1.0.2 ++ # we can remove this as it's done automatically when getting an EC_KEY ++ # from new_by_curve_name ++ # CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER ++ self._lib.EC_KEY_set_asn1_flag( ++ ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE ++ ) + return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free) + + def load_der_ocsp_request(self, data): Property changes on: head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py =================================================================== --- head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py (nonexistent) +++ head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py (revision 556973) @@ -0,0 +1,32 @@ +Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves + +PR #5362 + +Obtained from: +https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79 + +--- src/cryptography/hazmat/backends/openssl/ec.py.orig 2020-04-22 22:26:51 UTC ++++ src/cryptography/hazmat/backends/openssl/ec.py +@@ -42,7 +42,7 @@ def _ec_key_curve_sn(backend, ec_key): + # explicitly encoded a curve with the same parameters as a named curve. + # Don't do that. + if ( +- backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and ++ backend._lib.CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER and + backend._lib.EC_GROUP_get_asn1_flag(group) == 0 + ): + raise NotImplementedError( +@@ -195,12 +195,7 @@ class _EllipticCurvePrivateKey(object): + self._backend.openssl_assert(group != self._backend._ffi.NULL) + + curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group) +- +- public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid) +- self._backend.openssl_assert(public_ec_key != self._backend._ffi.NULL) +- public_ec_key = self._backend._ffi.gc( +- public_ec_key, self._backend._lib.EC_KEY_free +- ) ++ public_ec_key = self._backend._ec_key_new_by_curve_nid(curve_nid) + + point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key) + self._backend.openssl_assert(point != self._backend._ffi.NULL) Property changes on: head/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property