Hi all,

This also allows py-paramiko to be updated to 2.x (it moves the
dependency from py-crypto to py-cryptography).


Kind regards.
Pablo

On Wed, Jan 4, 2017 at 8:33 PM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2017/01/03 10:49, Peter Hessler wrote:
>> Ugly patch to get py-cryptography loading again after the Symbol
>> massacre in libressl.  (the #ifdef trick didn't work, so yolo)
>>
>> OK?
>
> Slightly tweaked - this way (with the second ifdefs removed) I think it should
> cause things to break if/when libressl adds the rest of the VERIFY_PARAMS api
> so we can adjust the workaround.
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/py-cryptography/Makefile,v
> retrieving revision 1.18
> diff -u -p -r1.18 Makefile
> --- Makefile    3 Jan 2017 19:26:14 -0000       1.18
> +++ Makefile    4 Jan 2017 19:33:24 -0000
> @@ -6,7 +6,7 @@ MODPY_EGG_VERSION=      1.5.3
>  DISTNAME=      cryptography-${MODPY_EGG_VERSION}
>  PKGNAME=       ${MODPY_PY_PREFIX}${DISTNAME}
>  CATEGORIES=    security devel
> -REVISION=      0
> +REVISION=      1
>
>  HOMEPAGE=      https://cryptography.io/
>
> Index: patches/patch-src__cffi_src_openssl_x509_vfy_py
> ===================================================================
> RCS file: 
> /cvs/ports/security/py-cryptography/patches/patch-src__cffi_src_openssl_x509_vfy_py,v
> retrieving revision 1.1
> diff -u -p -r1.1 patch-src__cffi_src_openssl_x509_vfy_py
> --- patches/patch-src__cffi_src_openssl_x509_vfy_py     8 Nov 2016 15:37:59 
> -0000       1.1
> +++ patches/patch-src__cffi_src_openssl_x509_vfy_py     4 Jan 2017 19:33:24 
> -0000
> @@ -1,24 +1,28 @@
>  $OpenBSD: patch-src__cffi_src_openssl_x509_vfy_py,v 1.1 2016/11/08 15:37:59 
> sthen Exp $
>
> -Hack to allow building with newer libressl following this commit:
> +Newer libressl has part but not all of the X509_VERIFY_PARAM_* API from
> +OpenSSL 1.0.2beta2+; hack to allow py-cryptography to build/run with this.
>
> -Date: 2016/11/05 20:14:59
> -Author: beck
> -Branch: HEAD
> -Tag: (none)
> -Log:
> -Part one of the alt chains changes, bring in newer modifications to
> -VERIFY_PARAMS - based on boringssl.
> -ok jsing@ miod@
> -
> -Members:
> -       vpm_int.h:1.1->1.2
> -       x509_vfy.h:1.16->1.17
> -       x509_vpm.c:1.11->1.12
> -
> ---- src/_cffi_src/openssl/x509_vfy.py.orig     Mon Sep 26 21:22:21 2016
> -+++ src/_cffi_src/openssl/x509_vfy.py  Tue Nov  8 15:31:14 2016
> -@@ -207,10 +207,12 @@ static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0
> +--- src/_cffi_src/openssl/x509_vfy.py.orig     Sun Nov  6 03:05:05 2016
> ++++ src/_cffi_src/openssl/x509_vfy.py  Wed Jan  4 19:30:20 2017
> +@@ -187,10 +187,12 @@ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *,
> + int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *, const char *,
> +                                 size_t);
> + void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *, unsigned int);
> +-int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const char *,
> +-                                 size_t);
> +-int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *,
> +-                              size_t);
> ++/* Fails with recent LibreSSL; ffi doesn't support ifdefs here */
> ++// int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const char *,
> ++//                                  size_t);
> ++// int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *,
> ++//                               size_t);
> ++/****/
> + int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *);
> + """
> +
> +@@ -207,9 +209,11 @@ static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0
>   static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;
>   static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;
>   static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0;
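Review bot: Commenting out `X509_VERIFY_PARAM_set1_email` and `X509_VERIFY_PARAM_set1_ip` in the cdef (the lines following `/* Fails with recent LibreSSL; ffi doesn't support ifdefs here */`) removes those two bindings from every build of this port, so a Python-level caller that still references `lib.X509_VERIFY_PARAM_set1_ip` would presumably fail with an AttributeError at the point of use rather than at build time, and only `X509_VERIFY_PARAM_set1_ip_asc` remains visible here for IP-identity matching. If the bindings keep a conditional-names feature flag for this API, it should be adjusted in the same patch so consumers can detect the absence instead of probing `lib`; that part of x509_vfy.py is outside the hunk, so this is inferred. The closing marker `/****/` says nothing about what it ends; `/* end LibreSSL workaround: restore set1_email/set1_ip once LibreSSL provides them */` would tell the next reader when the hack can be retired, ideally together with the LibreSSL version it was observed against (the fallback removed in the second hunk was gated on `0x2050100fL`, and that version is the only record of it).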
> @@ -26,21 +30,7 @@ Members:
>   static const long X509_V_ERR_HOSTNAME_MISMATCH = 0;
>   static const long X509_V_ERR_EMAIL_MISMATCH = 0;
>   static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
> - #endif
>  +#endif
> + #endif
>
>   /* OpenSSL 1.0.2beta2+ verification parameters */
> - #if CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER && \
> -@@ -226,10 +228,12 @@ static const long X509_V_FLAG_SUITEB_128_LOS = 0;
> -
> - int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const char *,
> -                                    size_t) = NULL;
> -+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 
> 0x2050100fL
> - int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const char *,
> -                                     size_t) = NULL;
> - int (*X509_VERIFY_PARAM_set1_ip)(X509_VERIFY_PARAM *, const unsigned char *,
> -                                  size_t) = NULL;
> -+#endif
> - int (*X509_VERIFY_PARAM_set1_ip_asc)(X509_VERIFY_PARAM *, const char *) = 
> NULL;
> - void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *,
> -                                         unsigned int) = NULL;
>



-- 

Pablo Méndez Hernández
