commit: 88039b9003ccba108506a6219fb06353e977de72 Author: orbea <orbea <AT> riseup <DOT> net> AuthorDate: Mon Apr 8 18:30:29 2024 +0000 Commit: orbea <orbea <AT> riseup <DOT> net> CommitDate: Mon Apr 8 18:30:29 2024 +0000 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=88039b90
dev-lang/python: update 3.10 libressl patch >From OpenBSD. Signed-off-by: orbea <orbea <AT> riseup.net> dev-lang/python/files/python-3.10.3-libressl.patch | 101 ++++++++------------- 1 file changed, 39 insertions(+), 62 deletions(-)
diff --git a/dev-lang/python/files/python-3.10.3-libressl.patch b/dev-lang/python/files/python-3.10.3-libressl.patch
index 68dd937..ebff9d4 100644
--- a/dev-lang/python/files/python-3.10.3-libressl.patch
+++ b/dev-lang/python/files/python-3.10.3-libressl.patch 
@@ -1,83 +1,61 @@ -Neuter security level things for LibreSSL < 3.6.0 - -diff --git a/Modules/_ssl.c b/Modules/_ssl.c -index d11ec05..4cb9479 100644 ---- a/Modules/_ssl.c -+++ b/Modules/_ssl.c -@@ -171,7 +171,15 @@ extern const SSL_METHOD *TLSv1_2_method(void); - * Based on Hynek's excellent blog post (update 2021-02-11) - * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ - */ -- #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" -+ -+ // libssl can only parse @SECLEVEL annotations with LibreSSL 3.6.0 and later. -+ #if defined(LIBRESSL_VERSION_NUMBER) && \ -+ (LIBRESSL_VERSION_NUMBER >= 0x03060000f) -+ #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" -+ #else -+ #define PY_SSL_DEFAULT_CIPHER_STRING "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" -+ #endif -+ - #ifndef PY_SSL_MIN_PROTOCOL - #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION - #endif -@@ -3584,6 +3592,16 @@ PyDoc_STRVAR(PySSLContext_num_tickets_doc, - "Control the number of TLSv1.3 session tickets"); - #endif /* TLS1_3_VERSION */ - -+// Fall back to security level 1 for LibreSSL < 3.6.0 -+#if defined(LIBRESSL_VERSION_NUMBER) && \ -+ (LIBRESSL_VERSION_NUMBER < 0x03060000f) -+static int -+SSL_CTX_get_security_level(const SSL_CTX *ctx) -+{ -+ return 1; -+} -+#endif -+ - static PyObject * - get_security_level(PySSLContext *self, void *c) - { - -Fix for _hashopenssl module. -https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/python/3.11/patches/patch-Modules__hashopenssl_c +LibreSSL has NID_sha3_256 and NID_sha512_256 now, but it's simpler to +handle -stable updates if we keep the patch until 7.4 is out. Index: Modules/_hashopenssl.c --- a/Modules/_hashopenssl.c.orig 
+++ b/Modules/_hashopenssl.c -@@ -45,11 +45,6 @@ - +@@ -45,10 +45,18 @@ + #define MUNCH_SIZE INT_MAX - --#define PY_OPENSSL_HAS_SCRYPT 1 --#define PY_OPENSSL_HAS_SHA3 1 --#define PY_OPENSSL_HAS_SHAKE 1 --#define PY_OPENSSL_HAS_BLAKE2 1 -- + ++#ifdef NID_id_scrypt + #define PY_OPENSSL_HAS_SCRYPT 1 ++#endif ++#ifdef NID_sha3_256 + #define PY_OPENSSL_HAS_SHA3 1 ++#endif ++#ifdef NID_shake256 + #define PY_OPENSSL_HAS_SHAKE 1 ++#endif ++#ifdef NID_blake2s256 + #define PY_OPENSSL_HAS_BLAKE2 1 ++#endif + #if OPENSSL_VERSION_NUMBER >= 0x30000000L #define PY_EVP_MD EVP_MD - #define PY_EVP_MD_fetch(algorithm, properties) EVP_MD_fetch(NULL, algorithm, properties) -@@ -119,6 +114,7 @@ static const py_hashentry_t py_hashes[] = { - PY_HASH_ENTRY(Py_hash_sha256, "SHA256", SN_sha256, NID_sha256), +@@ -120,19 +128,27 @@ static const py_hashentry_t py_hashes[] = { PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384), PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512), -+#if !defined(LIBRESSL_VERSION_NUMBER) /* truncated sha2 */ ++#ifdef NID_sha512_256 PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224, NID_sha512_224), PY_HASH_ENTRY(Py_hash_sha512_256, "SHA512_256", SN_sha512_256, NID_sha512_256), -@@ -133,6 +129,7 @@ static const py_hashentry_t py_hashes[] = { ++#endif + /* sha3 */ ++#ifdef PY_OPENSSL_HAS_SHA3 + PY_HASH_ENTRY(Py_hash_sha3_224, NULL, SN_sha3_224, NID_sha3_224), + PY_HASH_ENTRY(Py_hash_sha3_256, NULL, SN_sha3_256, NID_sha3_256), + PY_HASH_ENTRY(Py_hash_sha3_384, NULL, SN_sha3_384, NID_sha3_384), + PY_HASH_ENTRY(Py_hash_sha3_512, NULL, SN_sha3_512, NID_sha3_512), ++#endif + /* sha3 shake */ ++#ifdef PY_OPENSSL_HAS_SHAKE + PY_HASH_ENTRY(Py_hash_shake_128, NULL, SN_shake128, NID_shake128), + PY_HASH_ENTRY(Py_hash_shake_256, NULL, SN_shake256, NID_shake256), ++#endif /* blake2 digest */ ++#ifdef PY_OPENSSL_HAS_BLAKE2 PY_HASH_ENTRY(Py_hash_blake2s, "blake2s256", SN_blake2s256, NID_blake2s256), PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", 
SN_blake2b512, NID_blake2b512), +#endif PY_HASH_ENTRY(NULL, NULL, NULL, 0), }; - -@@ -873,11 +870,15 @@ py_evp_fromname(PyObject *module, const char *digestna + +@@ -873,11 +889,15 @@ py_evp_fromname(PyObject *module, const char *digestna goto exit; } - -+#if defined(LIBRESSL_VERSION_NUMBER) + ++#ifndef EVP_MD_FLAG_XOF + type = get_hashlib_state(module)->EVPtype; +#else if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) { @@ -86,7 +64,6 @@ Index: Modules/_hashopenssl.c type = get_hashlib_state(module)->EVPtype; } +#endif - + self = newEVPobject(type); if (self == NULL) { -
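Review bot: In the new `@@ -45,10 +45,18 @@` hunk `PY_OPENSSL_HAS_SHAKE` is enabled on `NID_shake256` alone, while the new `py_evp_fromname` hunk falls back to `type = get_hashlib_state(module)->EVPtype;` whenever `EVP_MD_FLAG_XOF` is undefined, so a libssl exposing the shake NIDs without that flag would register shake128/shake256 as fixed-length digests instead of XOF objects; guarding with `#if defined(NID_shake256) && defined(EVP_MD_FLAG_XOF)` keeps the two conditions consistent (whether any supported LibreSSL release is in that state I cannot tell from the hunk). The `#ifdef NID_sha512_256` guard likewise covers an entry that references `NID_sha512_224`, and `#ifdef NID_sha3_256` stands in for the sha3_224/384/512 entries, so testing every NID a block uses, e.g. `#if defined(NID_sha512_224) && defined(NID_sha512_256)`, would make the guards self-evidently complete. The new header text drops the cvsweb URL the old patch carried and says only `until 7.4 is out`, which in a Gentoo file reads ambiguously; a line naming the OpenBSD ports patch it was taken from and spelling out `OpenBSD 7.4` would preserve provenance. The hunk also removes the whole _ssl.c security-level fallback without the commit message mentioning it; the `@SECLEVEL=2` default cipher string then reaches libssl unmodified, so the ebuild's minimum LibreSSL dependency presumably has to be 3.6.0 or later for that to be safe.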
