
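--- a/security/py-cryptography/files/patch-issue4210
+++ b/security/py-cryptography/files/patch-issue4210
@@ -0,0 +1,231 @@
+--- src/_cffi_src/openssl/crypto.py.orig	2017-11-30 01:53:32 UTC
++++ src/_cffi_src/openssl/crypto.py
+@@ -92,7 +92,7 @@ CUSTOMIZATIONS = """
+ # define OPENSSL_PLATFORM        SSLEAY_PLATFORM
+ # define OPENSSL_DIR             SSLEAY_DIR
+ #endif
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL
+ static const long Cryptography_HAS_LOCKING_CALLBACKS = 1;
+ #else
+ static const long Cryptography_HAS_LOCKING_CALLBACKS = 0;
+--- src/_cffi_src/openssl/cryptography.py.orig	2017-11-30 01:53:32 UTC
++++ src/_cffi_src/openssl/cryptography.py
+@@ -25,27 +25,31 @@ INCLUDES = """
+ #include <windows.h>
+ #endif
+ 
+-#define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \
+-    (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+-#define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
+-    (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
+-#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
+-    (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+-#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+-    (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
++#if CRYPTOGRAPHY_IS_LIBRESSL
++#define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER (LIBRESSL_VERSION_NUMBER >= 0x20700000)
++#define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER (LIBRESSL_VERSION_NUMBER >= 0x20700000)
++#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER (LIBRESSL_VERSION_NUMBER >= 0x20700000)
++#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER (LIBRESSL_VERSION_NUMBER >= 0x20700000)
+ 
+-#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \
+-    (OPENSSL_VERSION_NUMBER < 0x10002000 || CRYPTOGRAPHY_IS_LIBRESSL)
+-#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I \
+-    (OPENSSL_VERSION_NUMBER < 0x1000209f || CRYPTOGRAPHY_IS_LIBRESSL)
+-#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 \
+-    (OPENSSL_VERSION_NUMBER < 0x10100000 || CRYPTOGRAPHY_IS_LIBRESSL)
+-#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE4 \
+-    (OPENSSL_VERSION_NUMBER < 0x10100004 || CRYPTOGRAPHY_IS_LIBRESSL)
+-#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 \
+-    (OPENSSL_VERSION_NUMBER < 0x10100005 || CRYPTOGRAPHY_IS_LIBRESSL)
+-#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE6 \
+-    (OPENSSL_VERSION_NUMBER < 0x10100006 || CRYPTOGRAPHY_IS_LIBRESSL)
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 (LIBRESSL_VERSION_NUMBER < 0x20700000)
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I (LIBRESSL_VERSION_NUMBER < 0x20700000)
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 (LIBRESSL_VERSION_NUMBER < 0x20700000)
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE4 (LIBRESSL_VERSION_NUMBER < 0x20700000)
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 (LIBRESSL_VERSION_NUMBER < 0x20700000)
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE6 (LIBRESSL_VERSION_NUMBER < 0x20700000)
++#else
++#define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER (OPENSSL_VERSION_NUMBER >= 0x10002000)
++#define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER (OPENSSL_VERSION_NUMBER >= 0x100020cf)
++#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER (OPENSSL_VERSION_NUMBER >= 0x10100000) 
++#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER (OPENSSL_VERSION_NUMBER >= 0x1010006f)
++
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 (OPENSSL_VERSION_NUMBER < 0x10002000)
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I (OPENSSL_VERSION_NUMBER < 0x1000209f)
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 (OPENSSL_VERSION_NUMBER < 0x10100000)
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE4 (OPENSSL_VERSION_NUMBER < 0x10100004)
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 (OPENSSL_VERSION_NUMBER < 0x10100005)
++#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE6 (OPENSSL_VERSION_NUMBER < 0x10100006)
++#endif
+ """
+ 
+ TYPES = """
+--- src/_cffi_src/openssl/ct.py.orig	2017-11-30 01:53:32 UTC
++++ src/_cffi_src/openssl/ct.py
+@@ -5,7 +5,7 @@
+ from __future__ import absolute_import, division, print_function
+ 
+ INCLUDES = """
+-#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
++#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !CRYPTOGRAPHY_IS_LIBRESSL
+ #include <openssl/ct.h>
+ 
+ typedef STACK_OF(SCT) Cryptography_STACK_OF_SCT;
+@@ -55,7 +55,7 @@ void SCT_LIST_free(Cryptography_STACK_OF
+ """
+ 
+ CUSTOMIZATIONS = """
+-#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
++#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !CRYPTOGRAPHY_IS_LIBRESSL
+ static const long Cryptography_HAS_SCT = 1;
+ #else
+ static const long Cryptography_HAS_SCT = 0;
+--- src/_cffi_src/openssl/evp.py.orig	2017-11-30 01:53:32 UTC
++++ src/_cffi_src/openssl/evp.py
+@@ -213,7 +213,8 @@ void Cryptography_EVP_MD_CTX_free(EVP_MD
+     EVP_MD_CTX_free(ctx);
+ #endif
+ }
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || defined(OPENSSL_NO_SCRYPT)
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || defined(OPENSSL_NO_SCRYPT) || \
++    CRYPTOGRAPHY_IS_LIBRESSL
+ static const long Cryptography_HAS_SCRYPT = 0;
+ int (*EVP_PBE_scrypt)(const char *, size_t, const unsigned char *, size_t,
+                       uint64_t, uint64_t, uint64_t, uint64_t, unsigned char *,
+@@ -222,7 +223,7 @@ int (*EVP_PBE_scrypt)(const char *, size
+ static const long Cryptography_HAS_SCRYPT = 1;
+ #endif
+ 
+-#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
++#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !CRYPTOGRAPHY_IS_LIBRESSL
+ static const long Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint = 1;
+ #else
+ static const long Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint = 0;
+--- src/_cffi_src/openssl/ssl.py.orig	2017-11-30 01:53:32 UTC
++++ src/_cffi_src/openssl/ssl.py
+@@ -444,7 +444,7 @@ long DTLSv1_handle_timeout(SSL *);
+ CUSTOMIZATIONS = """
+ /* Added in 1.0.2 but we need it in all versions now due to the great
+    opaquing. */
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 || CRYPTOGRAPHY_IS_LIBRESSL
+ /* from ssl/ssl_lib.c */
+ const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) {
+     return ctx->method;
+@@ -546,7 +546,7 @@ static const long Cryptography_HAS_ALPN 
+ #endif
+ 
+ /* SSL_CTX_set_cert_cb was added in OpenSSL 1.0.2. */
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 || CRYPTOGRAPHY_IS_LIBRESSL
+ void (*SSL_CTX_set_cert_cb)(SSL_CTX *, int (*)(SSL *, void *), void *) = NULL;
+ void (*SSL_set_cert_cb)(SSL *, int (*)(SSL *, void *), void *) = NULL;
+ static const long Cryptography_HAS_SET_CERT_CB = 0;
+@@ -578,7 +578,7 @@ static const long Cryptography_HAS_SSL_C
+ 
+ /* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were
+    removed */
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL
+ static const long Cryptography_HAS_SSL_ST = 1;
+ #else
+ static const long Cryptography_HAS_SSL_ST = 0;
+@@ -587,7 +587,7 @@ static const long SSL_ST_OK = 0;
+ static const long SSL_ST_INIT = 0;
+ static const long SSL_ST_RENEGOTIATE = 0;
+ #endif
+-#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
++#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !CRYPTOGRAPHY_IS_LIBRESSL
+ static const long Cryptography_HAS_TLS_ST = 1;
+ #else
+ static const long Cryptography_HAS_TLS_ST = 0;
+@@ -595,7 +595,8 @@ static const long TLS_ST_BEFORE = 0;
+ static const long TLS_ST_OK = 0;
+ #endif
+ 
+-#if defined(OPENSSL_NO_DTLS) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
++#if defined(OPENSSL_NO_DTLS) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 || \
++    CRYPTOGRAPHY_IS_LIBRESSL
+ static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0;
+ const SSL_METHOD *(*DTLS_method)(void) = NULL;
+ const SSL_METHOD *(*DTLS_server_method)(void) = NULL;
+--- src/_cffi_src/openssl/x509.py.orig	2017-11-30 01:53:32 UTC
++++ src/_cffi_src/openssl/x509.py
+@@ -359,7 +359,7 @@ int X509_get_signature_nid(const X509 *x
+ 
+ /* Added in 1.0.2 but we need it in all versions now due to the great
+    opaquing. */
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 || CRYPTOGRAPHY_IS_LIBRESSL
+ /* from x509/x_x509.c */
+ int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
+ {
+@@ -401,15 +401,6 @@ void X509_REQ_get0_signature(const X509_
+     if (palg != NULL)
+         *palg = req->sig_alg;
+ }
+-int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
+-{
+-    req->req_info->enc.modified = 1;
+-    return i2d_X509_REQ_INFO(req->req_info, pp);
+-}
+-int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) {
+-    crl->crl->enc.modified = 1;
+-    return i2d_X509_CRL_INFO(crl->crl, pp);
+-}
+ 
+ void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
+                              const X509_ALGOR **palg)
+@@ -428,4 +419,17 @@ const ASN1_INTEGER *X509_REVOKED_get0_se
+     return x->serialNumber;
+ }
+ #endif
++
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL
++int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) {
++    crl->crl->enc.modified = 1;
++    return i2d_X509_CRL_INFO(crl->crl, pp);
++}
++
++int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp)
++{
++    req->req_info->enc.modified = 1;
++    return i2d_X509_REQ_INFO(req->req_info, pp);
++}
++#endif
+ """
+--- src/_cffi_src/openssl/x509_vfy.py.orig	2017-11-30 01:53:32 UTC
++++ src/_cffi_src/openssl/x509_vfy.py
+@@ -257,6 +257,20 @@ void (*X509_VERIFY_PARAM_set_hostflags)(
+                                         unsigned int) = NULL;
+ #endif
+ 
++#if CRYPTOGRAPHY_OPENSSL_102_OR_GREATER && CRYPTOGRAPHY_IS_LIBRESSL
++static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
++static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
++static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
++static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
++static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
++static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
++/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately
++   below because it shows up in some earlier 3rd party OpenSSL packages. */
++static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;
++static const long X509_V_FLAG_SUITEB_192_LOS = 0;
++static const long X509_V_FLAG_SUITEB_128_LOS = 0;
++#endif
++
+ /* OpenSSL 1.0.2+ or Solaris's backport */
+ #ifdef X509_V_FLAG_PARTIAL_CHAIN
+ static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 1;
+@@ -297,7 +311,7 @@ X509 *X509_OBJECT_get0_X509(X509_OBJECT 
+ }
+ #endif
+ 
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL
+ static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER = 0;
+ typedef void *X509_STORE_CTX_get_issuer_fn;
+ X509_STORE_CTX_get_issuer_fn (*X509_STORE_get_get_issuer)(X509_STORE *) = NULL;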
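Review bot: The block added in x509_vfy.py under `#if CRYPTOGRAPHY_OPENSSL_102_OR_GREATER && CRYPTOGRAPHY_IS_LIBRESSL` defines the `X509_V_FLAG_SUITEB_*` flags and the `X509_V_ERR_SUITE_B_*` codes as 0, so on LibreSSL 2.7 or later a caller that sets a Suite B verification flag gets a silent no-op, and the error codes share their value with `X509_V_OK`. The hunk shows no `Cryptography_HAS_*` feature constant being forced to 0 for this case, so the bindings presumably still export these names as if the library supported them; that needs confirming against the part of the file outside the hunk. At minimum the block should say so, for example `/* LibreSSL lacks the Suite B verification flags and error codes; these zero values are placeholders only. */`. The same audit applies to cryptography.py, where every `*_OR_GREATER` macro now becomes true at `LIBRESSL_VERSION_NUMBER >= 0x20700000`: any `#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER` site that this patch does not give the `&& !CRYPTOGRAPHY_IS_LIBRESSL` guard will take the OpenSSL 1.1.0 path on LibreSSL.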
