On 2017/01/03 10:49, Peter Hessler wrote:
> Ugly patch to get py-cryptography loading again after the Symbol
> massacre in libressl. (the #ifdef trick didn't work, so yolo)
>
> OK?
Slightly tweaked - this way (with the second ifdefs removed) I think it should
cause things to break if/when libressl adds the rest of the VERIFY_PARAMS api
so we can adjust the workaround.
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/py-cryptography/Makefile,v
retrieving revision 1.18
diff -u -p -r1.18 Makefile
--- Makefile 3 Jan 2017 19:26:14 -0000 1.18
+++ Makefile 4 Jan 2017 19:33:24 -0000
@@ -6,7 +6,7 @@ MODPY_EGG_VERSION= 1.5.3
DISTNAME= cryptography-${MODPY_EGG_VERSION}
PKGNAME= ${MODPY_PY_PREFIX}${DISTNAME}
CATEGORIES= security devel
-REVISION= 0
+REVISION= 1
HOMEPAGE= https://cryptography.io/
Index: patches/patch-src__cffi_src_openssl_x509_vfy_py
===================================================================
RCS file:
/cvs/ports/security/py-cryptography/patches/patch-src__cffi_src_openssl_x509_vfy_py,v
retrieving revision 1.1
diff -u -p -r1.1 patch-src__cffi_src_openssl_x509_vfy_py
--- patches/patch-src__cffi_src_openssl_x509_vfy_py 8 Nov 2016 15:37:59
-0000 1.1
+++ patches/patch-src__cffi_src_openssl_x509_vfy_py 4 Jan 2017 19:33:24
-0000
@@ -1,24 +1,28 @@
$OpenBSD: patch-src__cffi_src_openssl_x509_vfy_py,v 1.1 2016/11/08 15:37:59
sthen Exp $
-Hack to allow building with newer libressl following this commit:
+Newer libressl has part but not all of the X509_VERIFY_PARAM_* API from
+OpenSSL 1.0.2beta2+; hack to allow py-cryptography to build/run with this.
-Date: 2016/11/05 20:14:59
-Author: beck
-Branch: HEAD
-Tag: (none)
-Log:
-Part one of the alt chains changes, bring in newer modifications to
-VERIFY_PARAMS - based on boringssl.
-ok jsing@ miod@
-
-Members:
- vpm_int.h:1.1->1.2
- x509_vfy.h:1.16->1.17
- x509_vpm.c:1.11->1.12
-
---- src/_cffi_src/openssl/x509_vfy.py.orig Mon Sep 26 21:22:21 2016
-+++ src/_cffi_src/openssl/x509_vfy.py Tue Nov 8 15:31:14 2016
-@@ -207,10 +207,12 @@ static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0
+--- src/_cffi_src/openssl/x509_vfy.py.orig Sun Nov 6 03:05:05 2016
++++ src/_cffi_src/openssl/x509_vfy.py Wed Jan 4 19:30:20 2017
+@@ -187,10 +187,12 @@ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *,
+ int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *, const char *,
+ size_t);
+ void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *, unsigned int);
+-int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const char *,
+- size_t);
+-int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *,
+- size_t);
++/* Fails with recent LibreSSL; ffi doesn't support ifdefs here */
++// int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const char *,
++// size_t);
++// int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *,
++// size_t);
++/****/
+ int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *);
+ """
+
+@@ -207,9 +209,11 @@ static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0
static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
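Review bot: The comment added above the disabled declarations (`/* Fails with recent LibreSSL; ffi doesn't support ifdefs here */`) and the closing `/****/` marker do not say what the binding loses. The hunk comments out `X509_VERIFY_PARAM_set1_email` and `X509_VERIFY_PARAM_set1_ip`, while `set1_host`, `set_hostflags` and `set1_ip_asc` stay declared. Because these are certificate identity checks, I would spell that out, e.g. `/* set1_email and set1_ip are unavailable in recent LibreSSL, so their bindings are removed; set1_host and set1_ip_asc remain. Restore when LibreSSL adds them. */`, and replace `/****/` with `/* end of LibreSSL workaround */`. Presumably a consumer that still references the removed names gets an attribute error rather than a silently skipped check, but the visible lines do not show how the feature flag for these parameters is set, so that is worth confirming. The enclosing cdef string begins outside the hunk.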
@@ -26,21 +30,7 @@ Members:
static const long X509_V_ERR_HOSTNAME_MISMATCH = 0;
static const long X509_V_ERR_EMAIL_MISMATCH = 0;
static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
- #endif
+#endif
+ #endif
/* OpenSSL 1.0.2beta2+ verification parameters */
- #if CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER && \
-@@ -226,10 +228,12 @@ static const long X509_V_FLAG_SUITEB_128_LOS = 0;
-
- int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const char *,
- size_t) = NULL;
-+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2050100fL
- int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const char *,
- size_t) = NULL;
- int (*X509_VERIFY_PARAM_set1_ip)(X509_VERIFY_PARAM *, const unsigned char *,
- size_t) = NULL;
-+#endif
- int (*X509_VERIFY_PARAM_set1_ip_asc)(X509_VERIFY_PARAM *, const char *) =
NULL;
- void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *,
- unsigned int) = NULL;