From 58a2c0b4b774c28cdb023d5cab9c1179b7f88af3 Mon Sep 17 00:00:00 2001
From: Charlie Li
Date: Fri, 21 May 2021 11:11:07 -0400
Subject: security/py-cryptography: fix build on FreeBSD 11 The LibreSSL 3.3.2+ patch does not and was never intended to apply with older py-cryptography 2.9.2 that we offer for FreeBSD 11 using base OpenSSL. For now, make the LibreSSL 3.3.2+ patch conditional on SSL_DEFAULT=libressl* until FreeBSD 11 goes EOL. Reported by: dvl Fixes: 6f05c9c07cff security/py-cryptography: fix build with LibreSSL 3.3.2+ Pointy hat to: vishwin Approved by: koobs (maintainer, implicit), fluffly (mentor, implicit) PR: 255241
---
 security/py-cryptography/Makefile | 6 +++
 .../extra-patch-Fix-build-with-LibreSSL-3.3.2-5988 | 62 ++++++++++++++++++++++
 .../files/patch-Fix-build-with-LibreSSL-3.3.2-5988 | 62 ----------------------
 3 files changed, 68 insertions(+), 62 deletions(-)
 create mode 100644 security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988
 delete mode 100644 security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
(limited to 'security')
diff --git a/security/py-cryptography/Makefile b/security/py-cryptography/Makefile
index 6f9273719204..0e8e8337092e 100644
--- a/security/py-cryptography/Makefile
+++ b/security/py-cryptography/Makefile
@@ -54,6 +54,12 @@ EXTRA_PATCHES= ${PATCHDIR}/openssl102u
 . endif
 .endif
 
+# Apply LibreSSL upstream patch that conflicts with above patch for 2.9.2
+# XXX convert back to unconditional when FreeBSD 11 goes EOL
+.if ${SSL_DEFAULT:Mlibressl*}
+EXTRA_PATCHES= ${PATCHDIR}/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988
+.endif
+
 .if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42
 post-patch:
 @${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' \
diff --git a/security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988 b/security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988
new file mode 100644
index 000000000000..deb9c6408832
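Review bot: The added `EXTRA_PATCHES= ${PATCHDIR}/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988` uses plain `=`, so whenever `SSL_DEFAULT` matches `libressl*` it replaces the `${PATCHDIR}/openssl102u` value that the hunk header shows being assigned just above. The guard tests only `SSL_DEFAULT`, while the commit message says this patch cannot apply to the 2.9.2 sources; the conditional that selects that case begins outside the hunk, so whether the two cases can overlap is not visible here. If they are meant to be mutually exclusive, say so in the comment, for example `# mutually exclusive with the openssl102u block above; '=' is intentional`. Otherwise `EXTRA_PATCHES+=` would make an overlap fail loudly at patch time instead of silently dropping a patch from a crypto binding build.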
--- /dev/null
+++ b/security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988
@@ -0,0 +1,62 @@
+From 94590a9aecc9e5ef6fc8eda52bae43643a4c44bd Mon Sep 17 00:00:00 2001
+From: Charlie Li
+Date: Mon, 19 Apr 2021 18:38:38 -0400
+Subject: [PATCH] Fix build with LibreSSL 3.3.2 (#5988)
+
+* LibreSSL 3.3.2 supports SSL_OP_NO_DTLS*
+
+While here, bump CI
+
+* Fix preprocessor guards for LibreSSL's SSL_OP_NO_DTLS*
+
+DTLS_set_link_mtu and DTLS_get_link_min_mtu are not part of 3.3.2
+
+* Switch to LESS_THAN context for LibreSSL 3.3.2
+
+While here, fix indents
+
+* Remove extra C variable declaration
+
+The variable is not actually used from Python
+---
+ .github/workflows/ci.yml | 2 +-
+ src/_cffi_src/openssl/cryptography.py | 7 +++++++
+ src/_cffi_src/openssl/ssl.py | 2 ++
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
+index e2b5a132..b9c7a793 100644
+--- src/_cffi_src/openssl/cryptography.py
++++ src/_cffi_src/openssl/cryptography.py
+@@ -32,6 +32,13 @@ INCLUDES = """
+ #include
+ #endif
+
++#if CRYPTOGRAPHY_IS_LIBRESSL
++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
++ (LIBRESSL_VERSION_NUMBER < 0x3030200f)
++#else
++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
++#endif
++
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
+
+diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
+index 11a7d63a..081ef041 100644
+--- src/_cffi_src/openssl/ssl.py
++++ src/_cffi_src/openssl/ssl.py
+@@ -586,8 +586,10 @@ static const long TLS_ST_OK = 0;
+ #endif
+
+ #if CRYPTOGRAPHY_IS_LIBRESSL
++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332
+ static const long SSL_OP_NO_DTLSv1 = 0;
+ static const long SSL_OP_NO_DTLSv1_2 = 0;
++#endif
+ long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
+ long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
+ #endif
+--
+2.31.1
+
diff --git a/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988 b/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
deleted file mode 100644
index deb9c6408832..000000000000
--- a/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
+++ /dev/null
@@ -1,62 +0,0 @@
-From 94590a9aecc9e5ef6fc8eda52bae43643a4c44bd Mon Sep 17 00:00:00 2001
-From: Charlie Li
-Date: Mon, 19 Apr 2021 18:38:38 -0400
-Subject: [PATCH] Fix build with LibreSSL 3.3.2 (#5988)
-
-* LibreSSL 3.3.2 supports SSL_OP_NO_DTLS*
-
-While here, bump CI
-
-* Fix preprocessor guards for LibreSSL's SSL_OP_NO_DTLS*
-
-DTLS_set_link_mtu and DTLS_get_link_min_mtu are not part of 3.3.2
-
-* Switch to LESS_THAN context for LibreSSL 3.3.2
-
-While here, fix indents
-
-* Remove extra C variable declaration
-
-The variable is not actually used from Python
----
- .github/workflows/ci.yml | 2 +-
- src/_cffi_src/openssl/cryptography.py | 7 +++++++
- src/_cffi_src/openssl/ssl.py | 2 ++
- 3 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
-index e2b5a132..b9c7a793 100644
---- src/_cffi_src/openssl/cryptography.py
-+++ src/_cffi_src/openssl/cryptography.py
-@@ -32,6 +32,13 @@ INCLUDES = """
- #include
- #endif
-
-+#if CRYPTOGRAPHY_IS_LIBRESSL
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
-+ (LIBRESSL_VERSION_NUMBER < 0x3030200f)
-+#else
-+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
-+#endif
-+
- #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
- (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
-
-diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
-index 11a7d63a..081ef041 100644
---- src/_cffi_src/openssl/ssl.py
-+++ src/_cffi_src/openssl/ssl.py
-@@ -586,8 +586,10 @@ static const long TLS_ST_OK = 0;
- #endif
-
- #if CRYPTOGRAPHY_IS_LIBRESSL
-+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332
- static const long SSL_OP_NO_DTLSv1 = 0;
- static const long SSL_OP_NO_DTLSv1_2 = 0;
-+#endif
- long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
- long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
- #endif
---
-2.31.1
-
-- cgit