Hi all, This also allows py-paramiko to be updated to 2.x (it moves the dependency from py-crypto to py-cryptography).
Kind regards. Pablo On Wed, Jan 4, 2017 at 8:33 PM, Stuart Henderson <s...@spacehopper.org> wrote: > On 2017/01/03 10:49, Peter Hessler wrote: >> Ugly patch to get py-cryptography loading again after the Symbol >> massacre in libressl. (the #ifdef trick didn't work, so yolo) >> >> OK? > > Slightly tweaked - this way (with the second ifdefs removed) I think it should > cause things to break if/when libressl adds the rest of the VERIFY_PARAMS api > so we can adjust the workaround. > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/security/py-cryptography/Makefile,v > retrieving revision 1.18 > diff -u -p -r1.18 Makefile > --- Makefile 3 Jan 2017 19:26:14 -0000 1.18 > +++ Makefile 4 Jan 2017 19:33:24 -0000 > @@ -6,7 +6,7 @@ MODPY_EGG_VERSION= 1.5.3 > DISTNAME= cryptography-${MODPY_EGG_VERSION} > PKGNAME= ${MODPY_PY_PREFIX}${DISTNAME} > CATEGORIES= security devel > -REVISION= 0 > +REVISION= 1 > > HOMEPAGE= https://cryptography.io/ > > Index: patches/patch-src__cffi_src_openssl_x509_vfy_py > =================================================================== > RCS file: > /cvs/ports/security/py-cryptography/patches/patch-src__cffi_src_openssl_x509_vfy_py,v > retrieving revision 1.1 > diff -u -p -r1.1 patch-src__cffi_src_openssl_x509_vfy_py > --- patches/patch-src__cffi_src_openssl_x509_vfy_py 8 Nov 2016 15:37:59 > -0000 1.1 > +++ patches/patch-src__cffi_src_openssl_x509_vfy_py 4 Jan 2017 19:33:24 > -0000 
> @@ -1,24 +1,28 @@ > $OpenBSD: patch-src__cffi_src_openssl_x509_vfy_py,v 1.1 2016/11/08 15:37:59 > sthen Exp $ > > -Hack to allow building with newer libressl following this commit: > +Newer libressl has part but not all of the X509_VERIFY_PARAM_* API from > +OpenSSL 1.0.2beta2+; hack to allow py-cryptography to build/run with this. > > -Date: 2016/11/05 20:14:59 > -Author: beck > -Branch: HEAD > -Tag: (none) > -Log: > -Part one of the alt chains changes, bring in newer modifications to > -VERIFY_PARAMS - based on boringssl. > -ok jsing@ miod@ > - > -Members: > - vpm_int.h:1.1->1.2 > - x509_vfy.h:1.16->1.17 > - x509_vpm.c:1.11->1.12 > - > ---- src/_cffi_src/openssl/x509_vfy.py.orig Mon Sep 26 21:22:21 2016 > -+++ src/_cffi_src/openssl/x509_vfy.py Tue Nov 8 15:31:14 2016 > -@@ -207,10 +207,12 @@ static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0 > +--- src/_cffi_src/openssl/x509_vfy.py.orig Sun Nov 6 03:05:05 2016 > ++++ src/_cffi_src/openssl/x509_vfy.py Wed Jan 4 19:30:20 2017 > +@@ -187,10 +187,12 @@ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *, > + int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *, const char *, > + size_t); > + void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *, unsigned int); > +-int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const char *, > +- size_t); > +-int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *, > +- size_t); > ++/* Fails with recent LibreSSL; ffi doesn't support ifdefs here */ > ++// int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const char *, > ++// size_t); > ++// int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *, > ++// size_t); > ++/****/ > + int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *); > + """ > + > +@@ -207,9 +209,11 @@ static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0 > static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0; > static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0; > static const long 
X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0; > @@ -26,21 +30,7 @@ Members: > static const long X509_V_ERR_HOSTNAME_MISMATCH = 0; > static const long X509_V_ERR_EMAIL_MISMATCH = 0; > static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0; > - #endif > +#endif > + #endif > > /* OpenSSL 1.0.2beta2+ verification parameters */ > - #if CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER && \ > -@@ -226,10 +228,12 @@ static const long X509_V_FLAG_SUITEB_128_LOS = 0; > - > - int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const char *, > - size_t) = NULL; > -+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < > 0x2050100fL > - int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const char *, > - size_t) = NULL; > - int (*X509_VERIFY_PARAM_set1_ip)(X509_VERIFY_PARAM *, const unsigned char *, > - size_t) = NULL; > -+#endif > - int (*X509_VERIFY_PARAM_set1_ip_asc)(X509_VERIFY_PARAM *, const char *) = > NULL; > - void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *, > - unsigned int) = NULL; > -- Pablo Méndez Hernández
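Review bot: Commenting out the `X509_VERIFY_PARAM_set1_email` and `X509_VERIFY_PARAM_set1_ip` declarations in the first x509_vfy.py hunk removes both names from the bindings on every build of this port, and the added comment does not say what that means for callers. Code that checks a certificate against an IP address or e-mail identity through these two functions will find them missing, and a caller that only tests for their presence could end up skipping the identity check. That risk is inferred, since no caller is visible here, but dependent ports are worth checking for fail-closed behaviour. I would state the consequence and the exit condition in the comment, e.g. `/* LibreSSL lacks set1_email/set1_ip: omitted from the bindings, callers must treat IP/e-mail checks as unavailable; restore once LibreSSL exports them */`, and replace the bare `/****/` with `/* end LibreSSL workaround */`. The cdef string these declarations sit in starts and ends outside the hunk.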
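Review bot: The reason for dropping the `LIBRESSL_VERSION_NUMBER < 0x2050100fL` guard around the `= NULL` function-pointer definitions is given only in the mail, not in the patch file. A maintainer who later hits the breakage will not know it is intentional. I would add a line to the patch header text such as `Deliberately unguarded: expected to break once LibreSSL adds the rest of the X509_VERIFY_PARAM_* API; revisit this workaround then.` The customization block these definitions belong to continues outside the hunk.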