Attachment #216949 for bug #245929




# $FreeBSD$

PORTNAME=	cryptography
PORTVERSION=	2.9.2
CATEGORIES=	security python
MASTER_SITES=	CHEESESHOP
PKGNAMEPREFIX=	${PYTHON_PKGNAMEPREFIX}

LICENSE_FILE_BSD3CLAUSE=	${WRKSRC}/LICENSE.BSD

BUILD_DEPENDS=	${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR}
RUN_DEPENDS=	${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} \
		${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} \
		${PY_ENUM34} \
		${PY_IPADDRESS} \
		${PYTHON_PKGNAMEPREFIX}six>=1.4.1:devel/py-six@${PY_FLAVOR}

		${PYTHON_PKGNAMEPREFIX}pytest>=3.6.0:devel/py-pytest@${PY_FLAVOR} \
		${PYTHON_PKGNAMEPREFIX}pytz>0:devel/py-pytz@${PY_FLAVOR}

# Python 2.7, 3.5-3.8
USES=		compiler:env python ssl
USE_PYTHON=	autoplist concurrent distutils



.include <bsd.port.pre.mk>

# OpenSSL 1.0.2t got some curve matching parameter code backported before it
# has reached its End-of-Life and security/py-cryptography already had some
# code to handle this case, but it assumed OpenSSL 1.1.0+ .
#
# This has been fixed in 3.0-23-g241f8450 of security/py-cryptography and to be
# clear: It isn't a security fix but rather a workaround to handle unnamed but
# really named curves with OpenSSL 1.0.2t/u .
.if ${OPSYS} == FreeBSD && ${SSL_DEFAULT} == "base"
. if ${OSVERSION} >= 1103500 && ${OSVERSION} < 1200085
# 1103500	352193 2019-09-10	11.3-STABLE got OpenSSL 1.0.2t
# 1200085	339270 2018-10-19	12.0-STABLE got OpenSSL 1.1.1
EXTRA_PATCHES=	${PATCHDIR}/openssl102u
. endif
.endif

.if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42
post-patch:
	@${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' \

	${STRIP_CMD} ${STAGEDIR}${PYTHON_SITELIBDIR}/cryptography/hazmat/bindings/*.so

do-test:
	@cd ${WRKSRC} && ${SETENV} ${TEST_ENV} PYTHONPATH=${STAGEDIR}${PYTHONPREFIX_SITELIBDIR} ${PYTHON_CMD} -m pytest -rs -v
	#@cd ${WRKSRC} && ${PYTHON_CMD} -m pytest -rs -v

.include <bsd.port.post.mk>

Lines 1-3 Link Here

(-)security/py-cryptography/distinfo (-3 / +3 lines)
1	TIMESTAMP = 1551354433	1	TIMESTAMP = 1596263213
2	SHA256 (cryptography-2.6.1.tar.gz) = 26c821cbeb683facb966045e2064303029d572a87ee69ca5a1bf54bf55f93ca6	2	SHA256 (cryptography-2.9.2.tar.gz) = a0c30272fb4ddda5f5ffc1089d7405b7a71b0b0f51993cb4e5dbb4590b2fc229
3	SIZE (cryptography-2.6.1.tar.gz) = 491580	3	SIZE (cryptography-2.9.2.tar.gz) = 517571




Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves

PR #5362

Obtained from:
https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79

--- src/_cffi_src/openssl/cryptography.py.orig	2020-04-22 22:27:48 UTC
+++ src/_cffi_src/openssl/cryptography.py
@@ -47,6 +47,8 @@ INCLUDES = """
     (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
     (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER \
+    (OPENSSL_VERSION_NUMBER >= 0x1000215fL && !CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
     (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
@@ -68,6 +70,7 @@ INCLUDES = """
 
 TYPES = """
 static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
+static const int CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER;
 static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
 static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
 




Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves

PR #5362

Obtained from:
https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79

--- src/cryptography/hazmat/backends/openssl/backend.py.orig	2020-04-22 22:27:48 UTC
+++ src/cryptography/hazmat/backends/openssl/backend.py
@@ -1515,8 +1515,19 @@ class Backend(object):
 
     def _ec_key_new_by_curve(self, curve):
         curve_nid = self._elliptic_curve_to_nid(curve)
+        return self._ec_key_new_by_curve_nid(curve_nid)
+
+    def _ec_key_new_by_curve_nid(self, curve_nid):
         ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid)
         self.openssl_assert(ec_cdata != self._ffi.NULL)
+        # Setting the ASN.1 flag to OPENSSL_EC_NAMED_CURVE is
+        # only necessary on OpenSSL 1.0.2t/u. Once we drop support for 1.0.2
+        # we can remove this as it's done automatically when getting an EC_KEY
+        # from new_by_curve_name
+        # CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER
+        self._lib.EC_KEY_set_asn1_flag(
+            ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE
+        )
         return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
 
     def load_der_ocsp_request(self, data):




Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves

PR #5362

Obtained from:
https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79

--- src/cryptography/hazmat/backends/openssl/ec.py.orig	2020-04-22 22:26:51 UTC
+++ src/cryptography/hazmat/backends/openssl/ec.py
@@ -42,7 +42,7 @@ def _ec_key_curve_sn(backend, ec_key):
     # explicitly encoded a curve with the same parameters as a named curve.
     # Don't do that.
     if (
-        backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and
+        backend._lib.CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER and
         backend._lib.EC_GROUP_get_asn1_flag(group) == 0
     ):
         raise NotImplementedError(
@@ -195,12 +195,7 @@ class _EllipticCurvePrivateKey(object):
         self._backend.openssl_assert(group != self._backend._ffi.NULL)
 
         curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group)
-
-        public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid)
-        self._backend.openssl_assert(public_ec_key != self._backend._ffi.NULL)
-        public_ec_key = self._backend._ffi.gc(
-            public_ec_key, self._backend._lib.EC_KEY_free
-        )
+        public_ec_key = self._backend._ec_key_new_by_curve_nid(curve_nid)
 
         point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key)
         self._backend.openssl_assert(point != self._backend._ffi.NULL)




# security/py-cryptography fails to build with libressl-2.9.1
# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237487
# Use generic DTLS functions added in LibreSSL 2.9.1
# https://github.com/pyca/cryptography/pull/4855

index 4124dcb879..ac32fdffde 100644
--- src/_cffi_src/openssl/cryptography.py.orig
+++ src/_cffi_src/openssl/cryptography.py
@@ -38,9 +38,12 @@
     (LIBRESSL_VERSION_NUMBER >= 0x2070000f)
 #define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER \
     (LIBRESSL_VERSION_NUMBER >= 0x2080000f)
+#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER \
+    (LIBRESSL_VERSION_NUMBER >= 0x2090100f)
 #else
 #define CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER (0)
 #define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER (0)
+#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER (0)
 #endif
 
 #define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 92fd1e3ec8..da21f3ce90 100644
--- src/_cffi_src/openssl/ssl.py.orig
+++ src/_cffi_src/openssl/ssl.py
@@ -719,17 +719,20 @@
 static const long TLS_ST_OK = 0;
 #endif
 
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
+/* LibreSSL 2.9.1 added only the DTLS_*_method functions */
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER
 static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0;
 const SSL_METHOD *(*DTLS_method)(void) = NULL;
 const SSL_METHOD *(*DTLS_server_method)(void) = NULL;
 const SSL_METHOD *(*DTLS_client_method)(void) = NULL;
+#else
+static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1;
+#endif
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
 static const long SSL_OP_NO_DTLSv1 = 0;
 static const long SSL_OP_NO_DTLSv1_2 = 0;
 long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
 long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
-#else
-static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1;
 #endif
 
 static const long Cryptography_HAS_DTLS = 1;

Return to bug 245929

Lines 2-8 Link Here

(-)security/py-cryptography/Makefile (-5 / +20 lines)
2	# $FreeBSD$	2	# $FreeBSD$
3		3
4	PORTNAME= cryptography	4	PORTNAME= cryptography
5	PORTVERSION= 2.6.1	5	PORTVERSION= 2.9.2
6	CATEGORIES= security python	6	CATEGORIES= security python
7	MASTER_SITES= CHEESESHOP	7	MASTER_SITES= CHEESESHOP
8	PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}	8	PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
Lines 16-23 Link Here
16	LICENSE_FILE_BSD3CLAUSE= ${WRKSRC}/LICENSE.BSD	16	LICENSE_FILE_BSD3CLAUSE= ${WRKSRC}/LICENSE.BSD
17		17
18	BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR}	18	BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR}
19	RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}asn1crypto>=0.21.0:devel/py-asn1crypto@${PY_FLAVOR} \	19	RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} \
20	${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} \
21	${PY_ENUM34} \	20	${PY_ENUM34} \
22	${PY_IPADDRESS} \	21	${PY_IPADDRESS} \
23	${PYTHON_PKGNAMEPREFIX}six>=1.4.1:devel/py-six@${PY_FLAVOR}	22	${PYTHON_PKGNAMEPREFIX}six>=1.4.1:devel/py-six@${PY_FLAVOR}
Lines 28-34 Link Here
28	${PYTHON_PKGNAMEPREFIX}pytest>=3.6.0:devel/py-pytest@${PY_FLAVOR} \	27	${PYTHON_PKGNAMEPREFIX}pytest>=3.6.0:devel/py-pytest@${PY_FLAVOR} \
29	${PYTHON_PKGNAMEPREFIX}pytz>0:devel/py-pytz@${PY_FLAVOR}	28	${PYTHON_PKGNAMEPREFIX}pytz>0:devel/py-pytz@${PY_FLAVOR}
30		29
31	# Python 2.7, 3.4-3.7	30	# Python 2.7, 3.5-3.8
32	USES= compiler:env python ssl	31	USES= compiler:env python ssl
33	USE_PYTHON= autoplist concurrent distutils	32	USE_PYTHON= autoplist concurrent distutils
34		33
Lines 37-42 Link Here
37		36
38	.include <bsd.port.pre.mk>	37	.include <bsd.port.pre.mk>
39		38
		39	# OpenSSL 1.0.2t got some curve matching parameter code backported before it
		40	# has reached its End-of-Life and security/py-cryptography already had some
		41	# code to handle this case, but it assumed OpenSSL 1.1.0+ .
		42	#
		43	# This has been fixed in 3.0-23-g241f8450 of security/py-cryptography and to be
		44	# clear: It isn't a security fix but rather a workaround to handle unnamed but
		45	# really named curves with OpenSSL 1.0.2t/u .
		46	.if ${OPSYS} == FreeBSD && ${SSL_DEFAULT} == "base"
		47	. if ${OSVERSION} >= 1103500 && ${OSVERSION} < 1200085
		48	# 1103500 352193 2019-09-10 11.3-STABLE got OpenSSL 1.0.2t
		49	# 1200085 339270 2018-10-19 12.0-STABLE got OpenSSL 1.1.1
		50	EXTRA_PATCHES= ${PATCHDIR}/openssl102u
		51	. endif
		52	.endif
		53
40	.if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42	54	.if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42
41	post-patch:	55	post-patch:
42	@${REINPLACE_CMD} -e 's\|"-Wno-error=sign-conversion"\|\|' \	56	@${REINPLACE_CMD} -e 's\|"-Wno-error=sign-conversion"\|\|' \
Lines 47-52 Link Here
47	${STRIP_CMD} ${STAGEDIR}${PYTHON_SITELIBDIR}/cryptography/hazmat/bindings/*.so	61	${STRIP_CMD} ${STAGEDIR}${PYTHON_SITELIBDIR}/cryptography/hazmat/bindings/*.so
48		62
49	do-test:	63	do-test:
50	@cd ${WRKSRC} && ${PYTHON_CMD} ${PYDISTUTILS_SETUP} test	64	@cd ${WRKSRC} && ${SETENV} ${TEST_ENV} PYTHONPATH=${STAGEDIR}${PYTHONPREFIX_SITELIBDIR} ${PYTHON_CMD} -m pytest -rs -v
		65	#@cd ${WRKSRC} && ${PYTHON_CMD} -m pytest -rs -v
51		66
52	.include <bsd.port.post.mk>	67	.include <bsd.port.post.mk>

Line 0 Link Here

(-)security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py (+26 lines)
	1	Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
	2
	3	PR #5362
	4
	5	Obtained from:
	6	https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
	7
	8	--- src/_cffi_src/openssl/cryptography.py.orig 2020-04-22 22:27:48 UTC
	9	+++ src/_cffi_src/openssl/cryptography.py
	10	@@ -47,6 +47,8 @@ INCLUDES = """
	11	(OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL)
	12	#define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
	13	(OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
	14	+#define CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER \
	15	+ (OPENSSL_VERSION_NUMBER >= 0x1000215fL && !CRYPTOGRAPHY_IS_LIBRESSL)
	16	#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
	17	(OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
	18	#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
	19	@@ -68,6 +70,7 @@ INCLUDES = """
	20
	21	TYPES = """
	22	static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
	23	+static const int CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER;
	24	static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
	25	static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
	26

Lines 1-49 Link Here

(-)security/py-cryptography/files/patch-PR4855 (-49 lines)
1	# security/py-cryptography fails to build with libressl-2.9.1
2	# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237487
3	# Use generic DTLS functions added in LibreSSL 2.9.1
4	# https://github.com/pyca/cryptography/pull/4855
5
6	index 4124dcb879..ac32fdffde 100644
7	--- src/_cffi_src/openssl/cryptography.py.orig
8	+++ src/_cffi_src/openssl/cryptography.py
9	@@ -38,9 +38,12 @@
10	(LIBRESSL_VERSION_NUMBER >= 0x2070000f)
11	#define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER \
12	(LIBRESSL_VERSION_NUMBER >= 0x2080000f)
13	+#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER \
14	+ (LIBRESSL_VERSION_NUMBER >= 0x2090100f)
15	#else
16	#define CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER (0)
17	#define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER (0)
18	+#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER (0)
19	#endif
20
21	#define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \
22	diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
23	index 92fd1e3ec8..da21f3ce90 100644
24	--- src/_cffi_src/openssl/ssl.py.orig
25	+++ src/_cffi_src/openssl/ssl.py
26	@@ -719,17 +719,20 @@
27	static const long TLS_ST_OK = 0;
28	#endif
29
30	-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
31	+/* LibreSSL 2.9.1 added only the DTLS__method functions /
32	+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER
33	static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0;
34	const SSL_METHOD (DTLS_method)(void) = NULL;
35	const SSL_METHOD (DTLS_server_method)(void) = NULL;
36	const SSL_METHOD (DTLS_client_method)(void) = NULL;
37	+#else
38	+static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1;
39	+#endif
40	+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
41	static const long SSL_OP_NO_DTLSv1 = 0;
42	static const long SSL_OP_NO_DTLSv1_2 = 0;
43	long (DTLS_set_link_mtu)(SSL , long) = NULL;
44	long (DTLS_get_link_min_mtu)(SSL ) = NULL;
45	-#else
46	-static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1;
47	#endif
48
49	static const long Cryptography_HAS_DTLS = 1;