commit:     079600f41f80b96f77ca942cd2e270c022330deb
Author:     Aaron Bauman <bman <AT> gentoo <DOT> org>
AuthorDate: Fri Apr 13 01:07:11 2018 +0000
Commit:     Aaron Bauman <bman <AT> gentoo <DOT> org>
CommitDate: Fri Apr 13 01:07:27 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=079600f4

dev-python/cryptography: fix building with LibreSSL

These patches fix building against >dev-libs/libressl-2.5 for all
versions of dev-python/cryptography.

Closes: https://bugs.gentoo.org/651168
Package-Manager: Portage-2.3.28, Repoman-2.3.9

 ....0.2-r1.ebuild => cryptography-1.7.1-r1.ebuild} | 25 ++++----
 .../cryptography/cryptography-2.0.2-r1.ebuild      |  4 +-
 ....0.2-r1.ebuild => cryptography-2.1.4-r1.ebuild} | 25 ++++++--
 .../files/cryptography-1.7.1-libressl251.patch     | 17 +++++
 .../cryptography-2.1.4-libressl-2.7-x509.patch     | 23 +++++++
 .../cryptography-2.1.4-libressl-2.7-x509_vfy.patch | 73 ++++++++++++++++++++++
 6 files changed, 149 insertions(+), 18 deletions(-)

diff --git a/dev-python/cryptography/cryptography-2.0.2-r1.ebuild 
b/dev-python/cryptography/cryptography-1.7.1-r1.ebuild
similarity index 66%
copy from dev-python/cryptography/cryptography-2.0.2-r1.ebuild
copy to dev-python/cryptography/cryptography-1.7.1-r1.ebuild
index e1a1c26f4aa..c6928ab74a3 100644
--- a/dev-python/cryptography/cryptography-2.0.2-r1.ebuild
+++ b/dev-python/cryptography/cryptography-1.7.1-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
@@ -6,7 +6,7 @@ EAPI=6
 PYTHON_COMPAT=( python2_7 python3_{4,5,6} pypy{,3} )
 PYTHON_REQ_USE="threads(+)"
 
-inherit distutils-r1 flag-o-matic
+inherit distutils-r1
 
 DESCRIPTION="Library providing cryptographic recipes and primitives"
 HOMEPAGE="https://github.com/pyca/cryptography/ 
https://pypi.python.org/pypi/cryptography/";
@@ -14,18 +14,19 @@ SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
 
 LICENSE="|| ( Apache-2.0 BSD )"
 SLOT="0"
-KEYWORDS="amd64 arm arm64 hppa ia64 ~mips ppc ppc64 x86"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 
~sh ~sparc ~x86 ~amd64-linux ~x86-linux"
 IUSE="libressl test"
 
 RDEPEND="
-       !libressl? ( >=dev-libs/openssl-1.0.2:0=[-bindist(-)] )
-       libressl? ( dev-libs/libressl )
-       $(python_gen_cond_dep '>=dev-python/cffi-1.7:=[${PYTHON_USEDEP}]' 
'python*')
-       $(python_gen_cond_dep 'dev-python/enum34[${PYTHON_USEDEP}]' python2_7 
pypy{,3})
-       >=dev-python/idna-2.1[${PYTHON_USEDEP}]
-       >=dev-python/asn1crypto-0.21.0[${PYTHON_USEDEP}]
+       !libressl? ( dev-libs/openssl:0= )
+       libressl? ( dev-libs/libressl:0= )
+       $(python_gen_cond_dep '>=dev-python/cffi-1.4.1:=[${PYTHON_USEDEP}]' 
'python*')
+       $(python_gen_cond_dep 'dev-python/enum34[${PYTHON_USEDEP}]' python2_7 
python3_3 pypy{,3})
+       >=dev-python/idna-2.0[${PYTHON_USEDEP}]
+       >=dev-python/pyasn1-0.1.8[${PYTHON_USEDEP}]
        dev-python/setuptools[${PYTHON_USEDEP}]
        >=dev-python/six-1.4.1[${PYTHON_USEDEP}]
+       $(python_gen_cond_dep '>=virtual/pypy-2.6.0' pypy )
        virtual/python-ipaddress[${PYTHON_USEDEP}]
        "
 DEPEND="${RDEPEND}
@@ -42,10 +43,10 @@ DEPEND="${RDEPEND}
 
 DOCS=( AUTHORS.rst CONTRIBUTING.rst README.rst )
 
-python_configure_all() {
-       append-cflags $(test-flags-CC -pthread)
-}
+PATCHES=( "${FILESDIR}"/${P}-libressl251.patch )
 
 python_test() {
+       distutils_install_for_testing
+
        py.test -v -v -x || die "Tests fail with ${EPYTHON}"
 }

diff --git a/dev-python/cryptography/cryptography-2.0.2-r1.ebuild 
b/dev-python/cryptography/cryptography-2.0.2-r1.ebuild
index e1a1c26f4aa..57b42e13bd3 100644
--- a/dev-python/cryptography/cryptography-2.0.2-r1.ebuild
+++ b/dev-python/cryptography/cryptography-2.0.2-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
@@ -19,7 +19,7 @@ IUSE="libressl test"
 
 RDEPEND="
        !libressl? ( >=dev-libs/openssl-1.0.2:0=[-bindist(-)] )
-       libressl? ( dev-libs/libressl )
+       libressl? ( dev-libs/libressl:0= )
        $(python_gen_cond_dep '>=dev-python/cffi-1.7:=[${PYTHON_USEDEP}]' 
'python*')
        $(python_gen_cond_dep 'dev-python/enum34[${PYTHON_USEDEP}]' python2_7 
pypy{,3})
        >=dev-python/idna-2.1[${PYTHON_USEDEP}]

diff --git a/dev-python/cryptography/cryptography-2.0.2-r1.ebuild 
b/dev-python/cryptography/cryptography-2.1.4-r1.ebuild
similarity index 65%
copy from dev-python/cryptography/cryptography-2.0.2-r1.ebuild
copy to dev-python/cryptography/cryptography-2.1.4-r1.ebuild
index e1a1c26f4aa..27a23caab64 100644
--- a/dev-python/cryptography/cryptography-2.0.2-r1.ebuild
+++ b/dev-python/cryptography/cryptography-2.1.4-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
@@ -14,12 +14,24 @@ SRC_URI="mirror://pypi/${PN:0:1}/${PN}/${P}.tar.gz"
 
 LICENSE="|| ( Apache-2.0 BSD )"
 SLOT="0"
-KEYWORDS="amd64 arm arm64 hppa ia64 ~mips ppc ppc64 x86"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 
~sh ~sparc ~x86 ~amd64-fbsd ~amd64-linux ~x86-linux ~x64-macos ~x64-solaris"
 IUSE="libressl test"
 
+# the openssl 1.0.2l-r1 needs to be updated again :(
+# It'd theb be able to go into the || section again
+#=dev-libs/openssl-1.0.2l-r1:0
+# the following is the original section, disallowing bindist entirely
+#!libressl? ( >=dev-libs/openssl-1.0.2:0=[-bindist(-)] )
 RDEPEND="
-       !libressl? ( >=dev-libs/openssl-1.0.2:0=[-bindist(-)] )
-       libressl? ( dev-libs/libressl )
+       !libressl? (
+               dev-libs/openssl:0= (
+                       || (
+                               dev-libs/openssl:0[-bindist(-)]
+                               >=dev-libs/openssl-1.1.0g-r1:0
+                       )
+               )
+       )
+       libressl? ( dev-libs/libressl:0= )
        $(python_gen_cond_dep '>=dev-python/cffi-1.7:=[${PYTHON_USEDEP}]' 
'python*')
        $(python_gen_cond_dep 'dev-python/enum34[${PYTHON_USEDEP}]' python2_7 
pypy{,3})
        >=dev-python/idna-2.1[${PYTHON_USEDEP}]
@@ -42,6 +54,11 @@ DEPEND="${RDEPEND}
 
 DOCS=( AUTHORS.rst CONTRIBUTING.rst README.rst )
 
+PATCHES=(
+       "${FILESDIR}"/${PN}-2.1.4-libressl-2.7-x509.patch
+       "${FILESDIR}"/${PN}-2.1.4-libressl-2.7-x509_vfy.patch
+)
+
 python_configure_all() {
        append-cflags $(test-flags-CC -pthread)
 }

diff --git a/dev-python/cryptography/files/cryptography-1.7.1-libressl251.patch 
b/dev-python/cryptography/files/cryptography-1.7.1-libressl251.patch
new file mode 100644
index 00000000000..a23ed7658f8
--- /dev/null
+++ b/dev-python/cryptography/files/cryptography-1.7.1-libressl251.patch
@@ -0,0 +1,17 @@
+diff -Naur cryptography-1.7.1.orig/src/_cffi_src/openssl/x509_vfy.py 
cryptography-1.7.1/src/_cffi_src/openssl/x509_vfy.py
+--- cryptography-1.7.1.orig/src/_cffi_src/openssl/x509_vfy.py  2017-02-01 
12:29:59.080728417 -0800
++++ cryptography-1.7.1/src/_cffi_src/openssl/x509_vfy.py       2017-02-01 
12:31:48.017895844 -0800
+@@ -221,10 +221,13 @@
+ static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
+ static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
+ static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
++#if !CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER || \
++    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 
0x2050100fL)
+ static const long X509_V_ERR_HOSTNAME_MISMATCH = 0;
+ static const long X509_V_ERR_EMAIL_MISMATCH = 0;
+ static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
++#endif
+ #endif
+ 
+ /* OpenSSL 1.0.2beta2+ verification parameters */
+ #if CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER && \

diff --git 
a/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509.patch 
b/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509.patch
new file mode 100644
index 00000000000..9a14d460601
--- /dev/null
+++ b/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509.patch
@@ -0,0 +1,23 @@
+diff -ur a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
+--- a/src/_cffi_src/openssl/x509.py    2017-07-27 05:11:29.000000000 +0200
++++ b/src/_cffi_src/openssl/x509.py    2018-03-23 10:28:00.387774214 +0100
+@@ -254,8 +254,7 @@
+ 
+ const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *);
+ 
+-/* in 1.1.0 becomes const ASN1_BIT_STRING, const X509_ALGOR */
+-void X509_get0_signature(ASN1_BIT_STRING **, X509_ALGOR **, X509 *);
++void X509_get0_signature(const ASN1_BIT_STRING **, const X509_ALGOR **, const 
X509 *);
+ 
+ long X509_get_version(X509 *);
+ 
+@@ -338,7 +337,8 @@
+ CUSTOMIZATIONS = """
+ /* Added in 1.0.2 beta but we need it in all versions now due to the great
+    opaquing. */
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && \
++    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 
0x2070000fL)
+ /* from x509/x_x509.c version 1.0.2 */
+ void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
+                          const X509 *x)

diff --git 
a/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509_vfy.patch 
b/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509_vfy.patch
new file mode 100644
index 00000000000..a1c93cf0c66
--- /dev/null
+++ 
b/dev-python/cryptography/files/cryptography-2.1.4-libressl-2.7-x509_vfy.patch
@@ -0,0 +1,73 @@
+$OpenBSD: patch-src__cffi_src_openssl_x509_vfy_py,v 1.7 2018/02/22 18:49:16 
sthen Exp $
+
+--- a/src/_cffi_src/openssl/x509_vfy.py
++++ b/src/_cffi_src/openssl/x509_vfy.py
+@@ -204,7 +204,7 @@ int sk_X509_OBJECT_num(Cryptography_STACK_OF_X509_OBJE
+ X509_OBJECT *sk_X509_OBJECT_value(Cryptography_STACK_OF_X509_OBJECT *, int);
+ X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *);
+ Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *);
+-X509 *X509_OBJECT_get0_X509(X509_OBJECT *);
++X509 *X509_OBJECT_get0_X509(const X509_OBJECT *);
+ int X509_OBJECT_get_type(const X509_OBJECT *);
+ 
+ /* added in 1.1.0 */
+@@ -220,14 +220,11 @@ static const long Cryptography_HAS_102_VERIFICATION_ER
+ static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
+ #else
+ static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 0;
++#if LIBRESSL_VERSION_NUMBER >= 0x2070000fL
++static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
++#else
+ static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0;
+ 
+-static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
+-static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
+-static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
+-static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
+-static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
+-static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
+ /* These 3 defines are unavailable in LibreSSL 2.5.x, but may be added
+    in the future... */
+ #ifndef X509_V_ERR_HOSTNAME_MISMATCH
+@@ -240,12 +237,6 @@ static const long X509_V_ERR_EMAIL_MISMATCH = 0;
+ static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
+ #endif
+ 
+-/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately
+-   below because it shows up in some earlier 3rd party OpenSSL packages. */
+-static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;
+-static const long X509_V_FLAG_SUITEB_192_LOS = 0;
+-static const long X509_V_FLAG_SUITEB_128_LOS = 0;
+-
+ int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const char *,
+                                    size_t) = NULL;
+ int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const char *,
+@@ -257,6 +248,19 @@ void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PA
+                                         unsigned int) = NULL;
+ #endif
+ 
++static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;
++static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;
++static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;
++static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
++static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
++static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
++/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately
++   below because it shows up in some earlier 3rd party OpenSSL packages. */
++static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;
++static const long X509_V_FLAG_SUITEB_192_LOS = 0;
++static const long X509_V_FLAG_SUITEB_128_LOS = 0;
++#endif
++
+ /* OpenSSL 1.0.2+ or Solaris's backport */
+ #ifdef X509_V_FLAG_PARTIAL_CHAIN
+ static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 1;
+@@ -292,7 +296,7 @@ X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+     return ctx->cert;
+ }
+ 
+-X509 *X509_OBJECT_get0_X509(X509_OBJECT *x) {
++X509 *X509_OBJECT_get0_X509(const X509_OBJECT *x) {
+     return x->data.x509;
+ }
+ #endif

Reply via email to