Seems related: https://github.com/pyca/cryptography/pull/4855

Created attachment 203915 [details]
py-cryptography-libressl291.patch

https://github.com/pyca/cryptography/pull/4855/ as a patch against ports tree, fixes py-crytpography build with LibreSSL 2.9.1

Comment 3 Pietro Cerutti 2019-04-23 09:50:05 UTC

I can confirm that https://github.com/pyca/cryptography/pull/4855 works fine. Thanks for taking care of this!

(In reply to Maciej Pasternacki from comment #2)

This patch didn't work for me, received some redefinition errors.


creating build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7
cc -DNDEBUG -O2 -pipe -I/usr/local/include -fstack-protector -fno-strict-aliasing -fPIC -I/usr/local/include/python3.7m -c build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/_openssl.c -o build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/_openssl.o -Wconversion -Wno-error=sign-conversion
build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/_openssl.c:2498:21: error: redefinition of 'DTLS_method' as different kind of symbol
const SSL_METHOD *(*DTLS_method)(void) = NULL;
                    ^
/usr/local/include/openssl/ssl.h:1474:19: note: previous definition is here
const SSL_METHOD *DTLS_method(void);            /* DTLS v1.0 or later */
                  ^
build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/_openssl.c:2499:21: error: redefinition of 'DTLS_server_method' as different kind of symbol
const SSL_METHOD *(*DTLS_server_method)(void) = NULL;
                    ^
/usr/local/include/openssl/ssl.h:1475:19: note: previous definition is here
const SSL_METHOD *DTLS_server_method(void);     /* DTLS v1.0 or later */
                  ^
build/temp.freebsd-12.0-RELEASE-p3-amd64-3.7/_openssl.c:2500:21: error: redefinition of 'DTLS_client_method' as different kind of symbol
const SSL_METHOD *(*DTLS_client_method)(void) = NULL;
                    ^
/usr/local/include/openssl/ssl.h:1476:19: note: previous definition is here
const SSL_METHOD *DTLS_client_method(void);     /* DTLS v1.0 or later */

(In reply to Dean E. Weimer from comment #4)
never mind, patch didn't apply correctly, changes weren't applied to my ports build attempt.

Patch works, thanks!

Comment 7 Pietro Cerutti 2019-04-25 12:04:34 UTC

The patch works for all combinations of (i386, amd64) and (base, openssl, openssl111, libressl):

https://people.freebsd.org/~gahr/py36-cryptography-logs/

Comment 8 Kubilay Kocak 2019-04-25 12:18:46 UTC

(In reply to Pietro Cerutti from comment #7)

Patch applies cleanly, but then I get the following at patch stage:

===>  Applying FreeBSD patches for py27-cryptography-2.6.1
1 out of 1 hunks failed--saving rejects to src/_cffi_src/openssl/cryptography.py.rej
=> FreeBSD patch patch-src___cffi__src_openssl_cryptography.py failed to apply cleanly.
*** Error code 1

@Maciej Was the patch backported against the current version (2.6.1) ?

Comment 9 Pietro Cerutti 2019-04-25 12:38:06 UTC

Here's the version I used.
https://people.freebsd.org/~gahr/py36-cryptography-logs/patch-libressl-1.9.1.txt

Comment 10 Kubilay Kocak 2019-04-25 12:58:46 UTC

(In reply to Pietro Cerutti from comment #9)

Could you include it as an attachment here please, and is your version of the patch the one that was QA'd with base/openssl/openssl111/libressl{11,12} ?

Comment 11 Pietro Cerutti 2019-04-25 13:03:41 UTC

Created attachment 204005 [details]
QA'd patch

Comment 12 Pietro Cerutti 2019-04-25 13:05:08 UTC

(In reply to Kubilay Kocak from comment #10)
Yes - I uploaded directly from my ports tree

The patch I attached was generated against PORTVERSION 2.6.1 (master branch of https://github.com/freebsd/freebsd-ports which tracks SVN HEAD; there were no commits in security/py-cryptography after I made the patch).

In case I generated it the wrong way: I ran `make extract`, applied patches manually in work dir, ran `make makepatch`, committed generated `files/patch-*` into my private git repo. The attached patch is diff of the resulting commit.

I just checked that `make clean patch` works with both py27 and py37 flavors (and poudriere doesn't complain either). I'm running CURRENT (r346149 at the moment), so version of patch/diff might be slightly different than RELEASE/STABLE.

I can regenerate the patches if needed, but Pietro's version has received more extensive QA.

Comment 14 Kubilay Kocak 2019-04-25 13:32:53 UTC

Thank you both for following up, I'll test Pietro's patch and report back

Comment 15 commit-hook 2019-04-26 05:13:40 UTC

A commit references this bug:

Author: koobs
Date: Fri Apr 26 05:13:27 UTC 2019
New revision: 500082
URL: https://svnweb.freebsd.org/changeset/ports/500082

Log:
  security/py-cryptography: Fix build with libressl 2.9.1

  Backport upstream pull request #4855 by Charlie Li <ml+freebsd vishwin info>

  PR:		237487
  Submitted by:	Maciej Pasternacki <maciej pasternacki. net> (v1)
  Submitted by:	gahr (v2)
  Reported by:	Simeon Simeonov <sgs pichove org>
  Obtained from:	https://github.com/pyca/cryptography/pull/4855
  Tested by:	gahr (all USES=ssl versions), many

Changes:
  head/security/py-cryptography/files/
  head/security/py-cryptography/files/patch-PR4855

Comment 16 Kubilay Kocak 2019-04-26 05:15:35 UTC

Committed, with minor changes (added patch comments).

Thank you everyone for the quality of the report, upstream resolution, testing and confirmation of resolution.