commit: fdeb8eb44ef8b07500cb9fbad5d99d735ed59465
Author: Mike Skec <skec <AT> protonmail <DOT> ch>
AuthorDate: Fri Nov 18 01:27:53 2022 +0000
Commit: Quentin Retornaz <gentoo <AT> retornaz <DOT> com>
CommitDate: Sat Nov 19 17:25:50 2022 +0000
URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=fdeb8eb4
dev-lang/python: LibreSSL 3.5.3 compatibility patches
The patches for Python 3.10 and 3.11 are now the same. The fix for
the _hashopenssl module is unchanged.
For the _ssl module we stub out SSL_CTX_get_security_level() when building
against <libressl-3.6.0, and only include the @SECLEVEL annotation in the
default cipher string when building against >=libressl-3.6.0.
Signed-off-by: Mike Skec <skec <AT> protonmail.ch>
Signed-off-by: Quentin Retornaz <gentoo <AT> retornaz.com>
...ch => python-3.10.3-hashopenssl-libressl.patch} | 11 ++--
dev-lang/python/files/python-3.10.3-libressl.patch | 74 ----------------------
.../python/files/python-3.10.3-ssl-libressl.patch | 40 ++++++++++++
dev-lang/python/python-3.10.8_p2.ebuild | 3 +-
dev-lang/python/python-3.10.8_p3.ebuild | 3 +-
dev-lang/python/python-3.11.0_p1.ebuild | 3 +-
dev-lang/python/python-3.11.0_p2.ebuild | 3 +-
7 files changed, 54 insertions(+), 83 deletions(-)
diff --git a/dev-lang/python/files/python-3.11.0-libressl.patch
b/dev-lang/python/files/python-3.10.3-hashopenssl-libressl.patch
similarity index 99%
rename from dev-lang/python/files/python-3.11.0-libressl.patch
rename to dev-lang/python/files/python-3.10.3-hashopenssl-libressl.patch
index ccac291..46cbbe7 100644
--- a/dev-lang/python/files/python-3.11.0-libressl.patch
+++ b/dev-lang/python/files/python-3.10.3-hashopenssl-libressl.patch
@@ -4,9 +4,9 @@ Index: Modules/_hashopenssl.c
--- a/Modules/_hashopenssl.c.orig
+++ b/Modules/_hashopenssl.c
@@ -45,11 +45,6 @@
-
+
#define MUNCH_SIZE INT_MAX
-
+
-#define PY_OPENSSL_HAS_SCRYPT 1
-#define PY_OPENSSL_HAS_SHA3 1
-#define PY_OPENSSL_HAS_SHAKE 1
@@ -30,11 +30,11 @@ Index: Modules/_hashopenssl.c
+#endif
PY_HASH_ENTRY(NULL, NULL, NULL, 0),
};
-
+
@@ -873,11 +870,15 @@ py_evp_fromname(PyObject *module, const char *digestna
goto exit;
}
-
+
+#if defined(LIBRESSL_VERSION_NUMBER)
+ type = get_hashlib_state(module)->EVPtype;
+#else
@@ -44,6 +44,7 @@ Index: Modules/_hashopenssl.c
type = get_hashlib_state(module)->EVPtype;
}
+#endif
-
+
self = newEVPobject(type);
if (self == NULL) {
+
diff --git a/dev-lang/python/files/python-3.10.3-libressl.patch
b/dev-lang/python/files/python-3.10.3-libressl.patch
deleted file mode 100644
index 18e40c1..0000000
--- a/dev-lang/python/files/python-3.10.3-libressl.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-Neuter security level things until LibreSSL supports them.
-
-Index: Modules/_ssl.c
---- a/Modules/_ssl.c.orig
-+++ b/Modules/_ssl.c
-@@ -169,7 +169,7 @@ extern const SSL_METHOD *TLSv1_2_method(void);
- * Based on Hynek's excellent blog post (update 2021-02-11)
- * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- */
-- #define PY_SSL_DEFAULT_CIPHER_STRING
"@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
-+ #define PY_SSL_DEFAULT_CIPHER_STRING
"ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
- #ifndef PY_SSL_MIN_PROTOCOL
- #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION
- #endif
-@@ -3579,6 +3579,12 @@ set_num_tickets(PySSLContext *self, PyObject *arg, voi
- PyDoc_STRVAR(PySSLContext_num_tickets_doc,
- "Control the number of TLSv1.3 session tickets");
- #endif /* TLS1_3_VERSION */
-+
-+int
-+SSL_CTX_get_security_level(const SSL_CTX *ctx)
-+{
-+ return 1;
-+}
-
- static PyObject *
- get_security_level(PySSLContext *self, void *c)
-Index: Modules/_hashopenssl.c
---- a/Modules/_hashopenssl.c.orig
-+++ b/Modules/_hashopenssl.c
-@@ -45,11 +45,6 @@
-
- #define MUNCH_SIZE INT_MAX
-
--#define PY_OPENSSL_HAS_SCRYPT 1
--#define PY_OPENSSL_HAS_SHA3 1
--#define PY_OPENSSL_HAS_SHAKE 1
--#define PY_OPENSSL_HAS_BLAKE2 1
--
- #if OPENSSL_VERSION_NUMBER >= 0x30000000L
- #define PY_EVP_MD EVP_MD
- #define PY_EVP_MD_fetch(algorithm, properties) EVP_MD_fetch(NULL, algorithm,
properties)
-@@ -119,6 +114,7 @@ static const py_hashentry_t py_hashes[] = {
- PY_HASH_ENTRY(Py_hash_sha256, "SHA256", SN_sha256, NID_sha256),
- PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384),
- PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512),
-+#if !defined(LIBRESSL_VERSION_NUMBER)
- /* truncated sha2 */
- PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224,
NID_sha512_224),
- PY_HASH_ENTRY(Py_hash_sha512_256, "SHA512_256", SN_sha512_256,
NID_sha512_256),
-@@ -133,6 +129,7 @@ static const py_hashentry_t py_hashes[] = {
- /* blake2 digest */
- PY_HASH_ENTRY(Py_hash_blake2s, "blake2s256", SN_blake2s256,
NID_blake2s256),
- PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", SN_blake2b512,
NID_blake2b512),
-+#endif
- PY_HASH_ENTRY(NULL, NULL, NULL, 0),
- };
-
-@@ -873,11 +870,15 @@ py_evp_fromname(PyObject *module, const char *digestna
- goto exit;
- }
-
-+#if defined(LIBRESSL_VERSION_NUMBER)
-+ type = get_hashlib_state(module)->EVPtype;
-+#else
- if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) {
- type = get_hashlib_state(module)->EVPXOFtype;
- } else {
- type = get_hashlib_state(module)->EVPtype;
- }
-+#endif
-
- self = newEVPobject(type);
- if (self == NULL) {
diff --git a/dev-lang/python/files/python-3.10.3-ssl-libressl.patch
b/dev-lang/python/files/python-3.10.3-ssl-libressl.patch
new file mode 100644
index 0000000..78b6291
--- /dev/null
+++ b/dev-lang/python/files/python-3.10.3-ssl-libressl.patch
@@ -0,0 +1,40 @@
+Neuter security level things for LibreSSL < 3.6.0
+
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index d11ec05..4cb9479 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -171,7 +171,15 @@ extern const SSL_METHOD *TLSv1_2_method(void);
+ * Based on Hynek's excellent blog post (update 2021-02-11)
+ * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ */
+- #define PY_SSL_DEFAULT_CIPHER_STRING
"@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
++
++ // libssl can only parse @SECLEVEL annotations with LibreSSL 3.6.0 and
later.
++ #if defined(LIBRESSL_VERSION_NUMBER) && \
++ (LIBRESSL_VERSION_NUMBER >= 0x03060000f)
++ #define PY_SSL_DEFAULT_CIPHER_STRING
"@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
++ #else
++ #define PY_SSL_DEFAULT_CIPHER_STRING
"ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
++ #endif
++
+ #ifndef PY_SSL_MIN_PROTOCOL
+ #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION
+ #endif
+@@ -3584,6 +3592,16 @@ PyDoc_STRVAR(PySSLContext_num_tickets_doc,
+ "Control the number of TLSv1.3 session tickets");
+ #endif /* TLS1_3_VERSION */
+
++// Fall back to security level 1 for LibreSSL < 3.6.0
++#if defined(LIBRESSL_VERSION_NUMBER) && \
++ (LIBRESSL_VERSION_NUMBER < 0x03060000f)
++static int
++SSL_CTX_get_security_level(const SSL_CTX *ctx)
++{
++ return 1;
++}
++#endif
++
+ static PyObject *
+ get_security_level(PySSLContext *self, void *c)
+ {
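Review bot: The `#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER >= 0x03060000f)` guard around PY_SSL_DEFAULT_CIPHER_STRING takes the `#else` branch for a non-LibreSSL build as well, so a tree carrying this patch compiled against OpenSSL silently loses `@SECLEVEL=2` from the default cipher string, and the ebuild hunks apply the patch with no visible condition on the TLS provider. Inverting the test keeps upstream's default wherever the library can parse it: `#if !defined(LIBRESSL_VERSION_NUMBER) || (LIBRESSL_VERSION_NUMBER >= 0x03060000f)`. Separately, the static `SSL_CTX_get_security_level` shim reports level 1 through the `get_security_level` getter below it although nothing in LibreSSL < 3.6.0 enforces a level, so a caller checking that value gets a number with no backing; the comment should say so, e.g. `// Nominal value only: this LibreSSL enforces no security level, so weak keys and ciphers are not rejected.`, or the shim could return 0, the level OpenSSL documents as "no restrictions". The shim also leaves `ctx` unused; `(void)ctx;` avoids a -Wunused-parameter warning.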
diff --git a/dev-lang/python/python-3.10.8_p2.ebuild
b/dev-lang/python/python-3.10.8_p2.ebuild
index 0aa5e16..87a3e07 100644
--- a/dev-lang/python/python-3.10.8_p2.ebuild
+++ b/dev-lang/python/python-3.10.8_p2.ebuild
@@ -113,7 +113,8 @@ src_prepare() {
local PATCHES=(
"${WORKDIR}/${PATCHSET}"
- "${FILESDIR}"/${PN}-3.10.3-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-hashopenssl-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-ssl-libressl.patch
)
default
diff --git a/dev-lang/python/python-3.10.8_p3.ebuild
b/dev-lang/python/python-3.10.8_p3.ebuild
index 393aa9b..a07e7b6 100644
--- a/dev-lang/python/python-3.10.8_p3.ebuild
+++ b/dev-lang/python/python-3.10.8_p3.ebuild
@@ -113,7 +113,8 @@ src_prepare() {
local PATCHES=(
"${WORKDIR}/${PATCHSET}"
- "${FILESDIR}"/${PN}-3.10.3-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-hashopenssl-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-ssl-libressl.patch
)
default
diff --git a/dev-lang/python/python-3.11.0_p1.ebuild
b/dev-lang/python/python-3.11.0_p1.ebuild
index ed21566..8c41902 100644
--- a/dev-lang/python/python-3.11.0_p1.ebuild
+++ b/dev-lang/python/python-3.11.0_p1.ebuild
@@ -118,7 +118,8 @@ src_prepare() {
local PATCHES=(
"${WORKDIR}/${PATCHSET}"
- "${FILESDIR}"/${PN}-3.11.0-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-hashopenssl-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-ssl-libressl.patch
)
default
diff --git a/dev-lang/python/python-3.11.0_p2.ebuild
b/dev-lang/python/python-3.11.0_p2.ebuild
index be6e54f..a488ba8 100644
--- a/dev-lang/python/python-3.11.0_p2.ebuild
+++ b/dev-lang/python/python-3.11.0_p2.ebuild
@@ -118,7 +118,8 @@ src_prepare() {
local PATCHES=(
"${WORKDIR}/${PATCHSET}"
- "${FILESDIR}"/${PN}-3.11.0-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-hashopenssl-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-ssl-libressl.patch
)
default