MASTER_SITES=	PYPI

MAKE_ENV=	CRYPTOGRAPHY_DONT_BUILD_RUST=1

--- src/_cffi_src/openssl/crypto.py.orig	2023-03-22 07:29:15 UTC

+++ src/_cffi_src/openssl/crypto.py

@@ -74,11 +74,8 @@ CUSTOMIZATIONS = """

 # define OPENSSL_DIR             SSLEAY_DIR

 #endif

+static const long Cryptography_HAS_OPENSSL_CLEANUP = 1;

 #if CRYPTOGRAPHY_IS_LIBRESSL

-static const long Cryptography_HAS_OPENSSL_CLEANUP = 0;

-

-void (*OPENSSL_cleanup)(void) = NULL;

-

 /* This function has a significantly different signature pre-1.1.0. since it is

  * for testing only, we don't bother to expose it on older OpenSSLs.

  */

@@ -89,7 +86,6 @@ int (*Cryptography_CRYPTO_set_mem_functions)(

     void (*)(void *, const char *, int)) = NULL;

 #else

-static const long Cryptography_HAS_OPENSSL_CLEANUP = 1;

 static const long Cryptography_HAS_MEM_FUNCTIONS = 1;

 int Cryptography_CRYPTO_set_mem_functions(

--- src/_cffi_src/openssl/cryptography.py.orig	2021-08-24 17:17:17 UTC

+++ src/_cffi_src/openssl/cryptography.py

@@ -33,17 +33,17 @@ INCLUDES = """

 #endif

 #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \

-    (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)

+    OPENSSL_VERSION_NUMBER >= 0x1010006f

 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \

-    (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)

+    OPENSSL_VERSION_NUMBER < 0x101000af

 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \

-    (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL)

+    OPENSSL_VERSION_NUMBER < 0x10101000

 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \

-    (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)

+    OPENSSL_VERSION_NUMBER < 0x10101020

 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \

-    (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL)

-#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \

+    OPENSSL_VERSION_NUMBER < 0x10101040

+#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && \

     !defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING)

 #define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1

 #else

--- src/_cffi_src/openssl/dh.py.orig	2021-08-24 17:17:17 UTC

+++ src/_cffi_src/openssl/dh.py

@@ -37,117 +37,9 @@ int Cryptography_i2d_DHxparams_bio(BIO *bp, DH *x);

 """

 CUSTOMIZATIONS = """

-#if CRYPTOGRAPHY_IS_LIBRESSL

-#ifndef DH_CHECK_Q_NOT_PRIME

-#define DH_CHECK_Q_NOT_PRIME            0x10

-#endif

-

-#ifndef DH_CHECK_INVALID_Q_VALUE

-#define DH_CHECK_INVALID_Q_VALUE        0x20

-#endif

-

-#ifndef DH_CHECK_INVALID_J_VALUE

-#define DH_CHECK_INVALID_J_VALUE        0x40

-#endif

-

-/* DH_check implementation taken from OpenSSL 1.1.0pre6 */

-

-/*-

- * Check that p is a safe prime and

- * if g is 2, 3 or 5, check that it is a suitable generator

- * where

- * for 2, p mod 24 == 11

- * for 3, p mod 12 == 5

- * for 5, p mod 10 == 3 or 7

- * should hold.

- */

-

-int Cryptography_DH_check(const DH *dh, int *ret)

-{

-    int ok = 0, r;

-    BN_CTX *ctx = NULL;

-    BN_ULONG l;

-    BIGNUM *t1 = NULL, *t2 = NULL;

-

-    *ret = 0;

-    ctx = BN_CTX_new();

-    if (ctx == NULL)

-        goto err;

-    BN_CTX_start(ctx);

-    t1 = BN_CTX_get(ctx);

-    if (t1 == NULL)

-        goto err;

-    t2 = BN_CTX_get(ctx);

-    if (t2 == NULL)

-        goto err;

-

-    if (dh->q) {

-        if (BN_cmp(dh->g, BN_value_one()) <= 0)

-            *ret |= DH_NOT_SUITABLE_GENERATOR;

-        else if (BN_cmp(dh->g, dh->p) >= 0)

-            *ret |= DH_NOT_SUITABLE_GENERATOR;

-        else {

-            /* Check g^q == 1 mod p */

-            if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx))

-                goto err;

-            if (!BN_is_one(t1))

-                *ret |= DH_NOT_SUITABLE_GENERATOR;

-        }

-        r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);

-        if (r < 0)

-            goto err;

-        if (!r)

-            *ret |= DH_CHECK_Q_NOT_PRIME;

-        /* Check p == 1 mod q  i.e. q divides p - 1 */

-        if (!BN_div(t1, t2, dh->p, dh->q, ctx))

-            goto err;

-        if (!BN_is_one(t2))

-            *ret |= DH_CHECK_INVALID_Q_VALUE;

-        if (dh->j && BN_cmp(dh->j, t1))

-            *ret |= DH_CHECK_INVALID_J_VALUE;

-

-    } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {

-        l = BN_mod_word(dh->p, 24);

-        if (l == (BN_ULONG)-1)

-            goto err;

-        if (l != 11)

-            *ret |= DH_NOT_SUITABLE_GENERATOR;

-    } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {

-        l = BN_mod_word(dh->p, 10);

-        if (l == (BN_ULONG)-1)

-            goto err;

-        if ((l != 3) && (l != 7))

-            *ret |= DH_NOT_SUITABLE_GENERATOR;

-    } else

-        *ret |= DH_UNABLE_TO_CHECK_GENERATOR;

-

-    r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);

-    if (r < 0)

-        goto err;

-    if (!r)

-        *ret |= DH_CHECK_P_NOT_PRIME;

-    else if (!dh->q) {

-        if (!BN_rshift1(t1, dh->p))

-            goto err;

-        r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);

-        if (r < 0)

-            goto err;

-        if (!r)

-            *ret |= DH_CHECK_P_NOT_SAFE_PRIME;

-    }

-    ok = 1;

- err:

-    if (ctx != NULL) {

-        BN_CTX_end(ctx);

-        BN_CTX_free(ctx);

-    }

-    return (ok);

-}

-#else

 int Cryptography_DH_check(const DH *dh, int *ret) {

     return DH_check(dh, ret);

 }

-#endif

 /* These functions were added in OpenSSL 1.1.0f commit d0c50e80a8 */

 /* Define our own to simplify support across all versions. */

--- src/_cffi_src/openssl/evp.py.orig	2021-08-24 17:02:37 UTC

+++ src/_cffi_src/openssl/evp.py

@@ -203,7 +203,20 @@ int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, cons

                                       size_t) = NULL;

 #endif

-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111

+#if CRYPTOGRAPHY_IS_LIBRESSL

+static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;

+static const long Cryptography_HAS_RAW_KEY = 0;

+static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;

+int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;

+EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *,

+                                       size_t) = NULL;

+EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *,

+                                      size_t) = NULL;

+int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *,

+                                    size_t *) = NULL;

+int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *,

+                                   size_t *) = NULL;

+#elif CRYPTOGRAPHY_OPENSSL_LESS_THAN_111

 static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;

 static const long Cryptography_HAS_RAW_KEY = 0;

 static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;

--- src/_cffi_src/openssl/fips.py.orig	2021-08-24 17:17:17 UTC

+++ src/_cffi_src/openssl/fips.py

@@ -17,11 +17,5 @@ int FIPS_mode(void);

 """

 CUSTOMIZATIONS = """

-#if CRYPTOGRAPHY_IS_LIBRESSL

-static const long Cryptography_HAS_FIPS = 0;

-int (*FIPS_mode_set)(int) = NULL;

-int (*FIPS_mode)(void) = NULL;

-#else

 static const long Cryptography_HAS_FIPS = 1;

-#endif

 """

--- src/_cffi_src/openssl/ocsp.py.orig	2021-08-24 17:17:17 UTC

+++ src/_cffi_src/openssl/ocsp.py

@@ -77,7 +77,6 @@ int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char *

 CUSTOMIZATIONS = """

 #if ( \

-    !CRYPTOGRAPHY_IS_LIBRESSL && \

     CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \

     )

 /* These structs come from ocsp_lcl.h and are needed to de-opaque the struct

@@ -104,62 +103,15 @@ struct ocsp_basic_response_st {

 };

 #endif

-#if CRYPTOGRAPHY_IS_LIBRESSL

-/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */

-const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)

-{

-    return single->certId;

-}

-const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(

-    const OCSP_BASICRESP *bs)

-{

-    return bs->certs;

-}

-int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,

-                      const ASN1_OCTET_STRING **pid,

-                      const X509_NAME **pname)

-{

-    const OCSP_RESPID *rid = bs->tbsResponseData->responderId;

-

-    if (rid->type == V_OCSP_RESPID_NAME) {

-        *pname = rid->value.byName;

-        *pid = NULL;

-    } else if (rid->type == V_OCSP_RESPID_KEY) {

-        *pid = rid->value.byKey;

-        *pname = NULL;

-    } else {

-        return 0;

-    }

-    return 1;

-}

-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(

-    const OCSP_BASICRESP* bs)

-{

-    return bs->tbsResponseData->producedAt;

-}

-const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)

-{

-    return bs->signature;

-}

-#endif

-

 #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J

 const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)

 {

-#if CRYPTOGRAPHY_IS_LIBRESSL

-    return bs->signatureAlgorithm;

-#else

     return &bs->signatureAlgorithm;

-#endif

 }

 const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)

 {

-#if CRYPTOGRAPHY_IS_LIBRESSL

-    return bs->tbsResponseData;

-#else

     return &bs->tbsResponseData;

-#endif

 }

 #endif

 """

--- src/_cffi_src/openssl/ssl.py.orig	2021-08-24 17:17:17 UTC

+++ src/_cffi_src/openssl/ssl.py

@@ -515,12 +515,7 @@ CUSTOMIZATIONS = """

 // users have upgraded. PersistentlyDeprecated2020

 static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;

-#if CRYPTOGRAPHY_IS_LIBRESSL

-static const long Cryptography_HAS_VERIFIED_CHAIN = 0;

-Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL;

-#else

 static const long Cryptography_HAS_VERIFIED_CHAIN = 1;

-#endif

 #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111

 static const long Cryptography_HAS_KEYLOG = 0;

@@ -586,8 +581,6 @@ static const long TLS_ST_OK = 0;

 #endif

 #if CRYPTOGRAPHY_IS_LIBRESSL

-static const long SSL_OP_NO_DTLSv1 = 0;

-static const long SSL_OP_NO_DTLSv1_2 = 0;

 long (*DTLS_set_link_mtu)(SSL *, long) = NULL;

 long (*DTLS_get_link_min_mtu)(SSL *) = NULL;

 #endif

--- src/_cffi_src/openssl/x509.py.orig	2021-08-24 17:02:37 UTC

+++ src/_cffi_src/openssl/x509.py

@@ -276,33 +276,8 @@ void X509_REQ_get0_signature(const X509_REQ *, const A

 """

 CUSTOMIZATIONS = """

-#if CRYPTOGRAPHY_IS_LIBRESSL

-int i2d_re_X509_tbs(X509 *x, unsigned char **pp)

-{

-    /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1

-       but older OpenSSLs don't have the enc ASN1_ENCODING member in the

-       X509 struct.  Setting modified to 1 marks the encoding

-       (x->cert_info->enc.enc) as invalid, but since the entire struct isn't

-       present we don't care. */

-    return i2d_X509_CINF(x->cert_info, pp);

-}

-#endif

-

 /* Being kept around for pyOpenSSL */

 X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) {

     return X509_REVOKED_dup(rev);

 }

-/* Added in 1.1.0 but we need it in all versions now due to the great

-   opaquing. */

-#if CRYPTOGRAPHY_IS_LIBRESSL

-int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)

-{

-    req->req_info->enc.modified = 1;

-    return i2d_X509_REQ_INFO(req->req_info, pp);

-}

-int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) {

-    crl->crl->enc.modified = 1;

-    return i2d_X509_CRL_INFO(crl->crl, pp);

-}

-#endif

 """

--- setup.py.orig	2021-03-25 17:19:57 UTC

+++ setup.py

@@ -10,23 +10,7 @@ import sys

 from setuptools import find_packages, setup

-try:

-    from setuptools_rust import RustExtension

-except ImportError:

-    print(

-        """

-        =============================DEBUG ASSISTANCE==========================

-        If you are seeing an error here please try the following to

-        successfully install cryptography:

-        Upgrade to the latest pip and try again. This will fix errors for most

-        users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip

-        =============================DEBUG ASSISTANCE==========================

-        """

-    )

-    raise

-

-

 base_dir = os.path.dirname(__file__)

 src_dir = os.path.join(base_dir, "src")

@@ -41,9 +25,8 @@ with open(os.path.join(src_dir, "cryptography", "__abo

 # `install_requirements` and `setup_requirements` must be kept in sync with

 # `pyproject.toml`

-setuptools_rust = "setuptools-rust>=0.11.4"

 install_requirements = ["cffi>=1.12"]

-setup_requirements = install_requirements + [setuptools_rust]

+setup_requirements = install_requirements

 if os.environ.get("CRYPTOGRAPHY_DONT_BUILD_RUST"):

     rust_extensions = []

@@ -129,9 +112,6 @@ try:

                 "twine >= 1.12.0",

                 "sphinxcontrib-spelling >= 4.0.1",

             ],

-            "sdist": [

-                setuptools_rust,

-            ],

             "pep8test": [

                 "black",

                 "flake8",

@@ -149,7 +129,6 @@ try:

             "src/_cffi_src/build_openssl.py:ffi",

             "src/_cffi_src/build_padding.py:ffi",

         ],

-        rust_extensions=rust_extensions,

     )

 except:  # noqa: E722

     # Note: This is a bare exception that re-raises so that we don't interfere