Author: Matti Picus <[email protected]>
Branch: py3.5
Changeset: r92883:5a955fc2e868
Date: 2017-10-30 18:39 +0200
http://bitbucket.org/pypy/pypy/changeset/5a955fc2e868/
Log: merge py3.5-mac-embedding which can download stdlib cffi-module
build depenencies
diff --git a/.hgignore b/.hgignore
--- a/.hgignore
+++ b/.hgignore
@@ -59,6 +59,7 @@
^rpython/rlib/rvmprof/src/shared/libbacktrace/config.h$
^rpython/rlib/rvmprof/src/shared/libbacktrace/config.log$
^rpython/rlib/rvmprof/src/shared/libbacktrace/config.status$
+^pypy/tool/dest$
^pypy/goal/pypy-translation-snapshot$
^pypy/goal/pypy-c
^pypy/goal/pypy3-c
diff --git a/lib_pypy/_cffi_ssl/_cffi_src/openssl/cryptography.py
b/lib_pypy/_cffi_ssl/_cffi_src/openssl/cryptography.py
--- a/lib_pypy/_cffi_ssl/_cffi_src/openssl/cryptography.py
+++ b/lib_pypy/_cffi_ssl/_cffi_src/openssl/cryptography.py
@@ -48,6 +48,9 @@
#else
#define CRYPTOGRAPHY_IS_LIBRESSL 0
#endif
+
+#define CRYPTOGRAPHY_LIBRESSL_251_OR_GREATER \
+ (CRYPTOGRAPHY_IS_LIBRESSL && LIBRESSL_VERSION_NUMBER >= 0x20501000)
"""
TYPES = """
diff --git a/lib_pypy/_cffi_ssl/_cffi_src/openssl/x509_vfy.py
b/lib_pypy/_cffi_ssl/_cffi_src/openssl/x509_vfy.py
--- a/lib_pypy/_cffi_ssl/_cffi_src/openssl/x509_vfy.py
+++ b/lib_pypy/_cffi_ssl/_cffi_src/openssl/x509_vfy.py
@@ -244,6 +244,14 @@
static const long X509_V_FLAG_SUITEB_192_LOS = 0;
static const long X509_V_FLAG_SUITEB_128_LOS = 0;
+#if CRYPTOGRAPHY_LIBRESSL_251_OR_GREATER
+int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *, const char *, size_t);
+int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *, const char *, size_t);
+int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *, const unsigned char *,
+ size_t);
+int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *, const char *);
+void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *, unsigned int);
+#else
int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const char *,
size_t) = NULL;
int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const char *,
@@ -254,6 +262,7 @@
void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *,
unsigned int) = NULL;
#endif
+#endif
/* OpenSSL 1.0.2+ or Solaris's backport */
#ifdef X509_V_FLAG_PARTIAL_CHAIN
diff --git a/lib_pypy/_cffi_ssl/osx-roots.diff
b/lib_pypy/_cffi_ssl/osx-roots.diff
new file mode 100644
--- /dev/null
+++ b/lib_pypy/_cffi_ssl/osx-roots.diff
@@ -0,0 +1,475 @@
+diff -Naur libressl-2.6.2.orig/crypto/Makefile.am
libressl-2.6.2/crypto/Makefile.am
+--- libressl-2.6.2.orig/crypto/Makefile.am 2017-09-02 01:49:55.000000000
+0200
++++ libressl-2.6.2/crypto/Makefile.am 2017-10-07 14:05:16.000000000 +0200
+@@ -92,7 +92,7 @@
+ -mv crypto_portable.sym.tmp crypto_portable.sym
+ endif
+
+-libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
-export-symbols crypto_portable.sym
++libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
-export-symbols crypto_portable.sym -framework Security -framework
CoreFoundation
+ libcrypto_la_LIBADD = libcompat.la
+ if !HAVE_EXPLICIT_BZERO
+ libcrypto_la_LIBADD += libcompatnoopt.la
+@@ -863,6 +863,7 @@
+ libcrypto_la_SOURCES += x509/x509_txt.c
+ libcrypto_la_SOURCES += x509/x509_v3.c
+ libcrypto_la_SOURCES += x509/x509_vfy.c
++libcrypto_la_SOURCES += x509/x509_vfy_apple.c
+ libcrypto_la_SOURCES += x509/x509_vpm.c
+ libcrypto_la_SOURCES += x509/x509cset.c
+ libcrypto_la_SOURCES += x509/x509name.c
+diff -Naur libressl-2.6.2.orig/crypto/Makefile.in
libressl-2.6.2/crypto/Makefile.in
+--- libressl-2.6.2.orig/crypto/Makefile.in 2017-09-26 06:07:03.000000000
+0200
++++ libressl-2.6.2/crypto/Makefile.in 2017-10-07 14:05:24.000000000 +0200
+@@ -426,20 +426,20 @@
+ x509/x509_err.c x509/x509_ext.c x509/x509_lu.c x509/x509_obj.c \
+ x509/x509_r2x.c x509/x509_req.c x509/x509_set.c \
+ x509/x509_trs.c x509/x509_txt.c x509/x509_v3.c x509/x509_vfy.c \
+- x509/x509_vpm.c x509/x509cset.c x509/x509name.c \
+- x509/x509rset.c x509/x509spki.c x509/x509type.c x509/x_all.c \
+- x509v3/pcy_cache.c x509v3/pcy_data.c x509v3/pcy_lib.c \
+- x509v3/pcy_map.c x509v3/pcy_node.c x509v3/pcy_tree.c \
+- x509v3/v3_akey.c x509v3/v3_akeya.c x509v3/v3_alt.c \
+- x509v3/v3_bcons.c x509v3/v3_bitst.c x509v3/v3_conf.c \
+- x509v3/v3_cpols.c x509v3/v3_crld.c x509v3/v3_enum.c \
+- x509v3/v3_extku.c x509v3/v3_genn.c x509v3/v3_ia5.c \
+- x509v3/v3_info.c x509v3/v3_int.c x509v3/v3_lib.c \
+- x509v3/v3_ncons.c x509v3/v3_ocsp.c x509v3/v3_pci.c \
+- x509v3/v3_pcia.c x509v3/v3_pcons.c x509v3/v3_pku.c \
+- x509v3/v3_pmaps.c x509v3/v3_prn.c x509v3/v3_purp.c \
+- x509v3/v3_skey.c x509v3/v3_sxnet.c x509v3/v3_utl.c \
+- x509v3/v3err.c
++ x509/x509_vfy_apple.c x509/x509_vpm.c x509/x509cset.c \
++ x509/x509name.c x509/x509rset.c x509/x509spki.c \
++ x509/x509type.c x509/x_all.c x509v3/pcy_cache.c \
++ x509v3/pcy_data.c x509v3/pcy_lib.c x509v3/pcy_map.c \
++ x509v3/pcy_node.c x509v3/pcy_tree.c x509v3/v3_akey.c \
++ x509v3/v3_akeya.c x509v3/v3_alt.c x509v3/v3_bcons.c \
++ x509v3/v3_bitst.c x509v3/v3_conf.c x509v3/v3_cpols.c \
++ x509v3/v3_crld.c x509v3/v3_enum.c x509v3/v3_extku.c \
++ x509v3/v3_genn.c x509v3/v3_ia5.c x509v3/v3_info.c \
++ x509v3/v3_int.c x509v3/v3_lib.c x509v3/v3_ncons.c \
++ x509v3/v3_ocsp.c x509v3/v3_pci.c x509v3/v3_pcia.c \
++ x509v3/v3_pcons.c x509v3/v3_pku.c x509v3/v3_pmaps.c \
++ x509v3/v3_prn.c x509v3/v3_purp.c x509v3/v3_skey.c \
++ x509v3/v3_sxnet.c x509v3/v3_utl.c x509v3/v3err.c
+ am__objects_27 = aes/libcrypto_la-aes-elf-x86_64.lo \
+ aes/libcrypto_la-bsaes-elf-x86_64.lo \
+ aes/libcrypto_la-vpaes-elf-x86_64.lo \
+@@ -759,11 +759,12 @@
+ x509/libcrypto_la-x509_r2x.lo x509/libcrypto_la-x509_req.lo \
+ x509/libcrypto_la-x509_set.lo x509/libcrypto_la-x509_trs.lo \
+ x509/libcrypto_la-x509_txt.lo x509/libcrypto_la-x509_v3.lo \
+- x509/libcrypto_la-x509_vfy.lo x509/libcrypto_la-x509_vpm.lo \
+- x509/libcrypto_la-x509cset.lo x509/libcrypto_la-x509name.lo \
+- x509/libcrypto_la-x509rset.lo x509/libcrypto_la-x509spki.lo \
+- x509/libcrypto_la-x509type.lo x509/libcrypto_la-x_all.lo \
+- x509v3/libcrypto_la-pcy_cache.lo \
++ x509/libcrypto_la-x509_vfy.lo \
++ x509/libcrypto_la-x509_vfy_apple.lo \
++ x509/libcrypto_la-x509_vpm.lo x509/libcrypto_la-x509cset.lo \
++ x509/libcrypto_la-x509name.lo x509/libcrypto_la-x509rset.lo \
++ x509/libcrypto_la-x509spki.lo x509/libcrypto_la-x509type.lo \
++ x509/libcrypto_la-x_all.lo x509v3/libcrypto_la-pcy_cache.lo \
+ x509v3/libcrypto_la-pcy_data.lo x509v3/libcrypto_la-pcy_lib.lo \
+ x509v3/libcrypto_la-pcy_map.lo x509v3/libcrypto_la-pcy_node.lo \
+ x509v3/libcrypto_la-pcy_tree.lo x509v3/libcrypto_la-v3_akey.lo \
+@@ -1000,7 +1001,7 @@
+ $(ASM_X86_64_ELF) $(ASM_X86_64_MACOSX)
+ BUILT_SOURCES = crypto_portable.sym
+ CLEANFILES = crypto_portable.sym
+-libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
-export-symbols crypto_portable.sym
++libcrypto_la_LDFLAGS = -version-info @LIBCRYPTO_VERSION@ -no-undefined
-export-symbols crypto_portable.sym -framework Security -framework
CoreFoundation
+ libcrypto_la_LIBADD = libcompat.la $(am__append_1)
+ libcrypto_la_CPPFLAGS = $(AM_CPPFLAGS) -DLIBRESSL_INTERNAL \
+ -DOPENSSL_NO_HW_PADLOCK $(am__append_2) $(am__append_3) \
+@@ -1272,20 +1273,20 @@
+ x509/x509_err.c x509/x509_ext.c x509/x509_lu.c x509/x509_obj.c \
+ x509/x509_r2x.c x509/x509_req.c x509/x509_set.c \
+ x509/x509_trs.c x509/x509_txt.c x509/x509_v3.c x509/x509_vfy.c \
+- x509/x509_vpm.c x509/x509cset.c x509/x509name.c \
+- x509/x509rset.c x509/x509spki.c x509/x509type.c x509/x_all.c \
+- x509v3/pcy_cache.c x509v3/pcy_data.c x509v3/pcy_lib.c \
+- x509v3/pcy_map.c x509v3/pcy_node.c x509v3/pcy_tree.c \
+- x509v3/v3_akey.c x509v3/v3_akeya.c x509v3/v3_alt.c \
+- x509v3/v3_bcons.c x509v3/v3_bitst.c x509v3/v3_conf.c \
+- x509v3/v3_cpols.c x509v3/v3_crld.c x509v3/v3_enum.c \
+- x509v3/v3_extku.c x509v3/v3_genn.c x509v3/v3_ia5.c \
+- x509v3/v3_info.c x509v3/v3_int.c x509v3/v3_lib.c \
+- x509v3/v3_ncons.c x509v3/v3_ocsp.c x509v3/v3_pci.c \
+- x509v3/v3_pcia.c x509v3/v3_pcons.c x509v3/v3_pku.c \
+- x509v3/v3_pmaps.c x509v3/v3_prn.c x509v3/v3_purp.c \
+- x509v3/v3_skey.c x509v3/v3_sxnet.c x509v3/v3_utl.c \
+- x509v3/v3err.c
++ x509/x509_vfy_apple.c x509/x509_vpm.c x509/x509cset.c \
++ x509/x509name.c x509/x509rset.c x509/x509spki.c \
++ x509/x509type.c x509/x_all.c x509v3/pcy_cache.c \
++ x509v3/pcy_data.c x509v3/pcy_lib.c x509v3/pcy_map.c \
++ x509v3/pcy_node.c x509v3/pcy_tree.c x509v3/v3_akey.c \
++ x509v3/v3_akeya.c x509v3/v3_alt.c x509v3/v3_bcons.c \
++ x509v3/v3_bitst.c x509v3/v3_conf.c x509v3/v3_cpols.c \
++ x509v3/v3_crld.c x509v3/v3_enum.c x509v3/v3_extku.c \
++ x509v3/v3_genn.c x509v3/v3_ia5.c x509v3/v3_info.c \
++ x509v3/v3_int.c x509v3/v3_lib.c x509v3/v3_ncons.c \
++ x509v3/v3_ocsp.c x509v3/v3_pci.c x509v3/v3_pcia.c \
++ x509v3/v3_pcons.c x509v3/v3_pku.c x509v3/v3_pmaps.c \
++ x509v3/v3_prn.c x509v3/v3_purp.c x509v3/v3_skey.c \
++ x509v3/v3_sxnet.c x509v3/v3_utl.c x509v3/v3err.c
+
+ # chacha
+
+@@ -2808,6 +2809,8 @@
+ x509/$(DEPDIR)/$(am__dirstamp)
+ x509/libcrypto_la-x509_vfy.lo: x509/$(am__dirstamp) \
+ x509/$(DEPDIR)/$(am__dirstamp)
++x509/libcrypto_la-x509_vfy_apple.lo: x509/$(am__dirstamp) \
++ x509/$(DEPDIR)/$(am__dirstamp)
+ x509/libcrypto_la-x509_vpm.lo: x509/$(am__dirstamp) \
+ x509/$(DEPDIR)/$(am__dirstamp)
+ x509/libcrypto_la-x509cset.lo: x509/$(am__dirstamp) \
+@@ -3583,6 +3586,7 @@
+ @AMDEP_TRUE@@am__include@
@am__quote@x509/$(DEPDIR)/libcrypto_la-x509_txt.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@
@am__quote@x509/$(DEPDIR)/libcrypto_la-x509_v3.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@
@am__quote@x509/$(DEPDIR)/libcrypto_la-x509_vfy.Plo@am__quote@
++@AMDEP_TRUE@@am__include@
@am__quote@x509/$(DEPDIR)/libcrypto_la-x509_vfy_apple.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@
@am__quote@x509/$(DEPDIR)/libcrypto_la-x509_vpm.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@
@am__quote@x509/$(DEPDIR)/libcrypto_la-x509cset.Plo@am__quote@
+ @AMDEP_TRUE@@am__include@
@am__quote@x509/$(DEPDIR)/libcrypto_la-x509name.Plo@am__quote@
+@@ -7460,6 +7464,13 @@
+ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE)
$(depcomp) @AMDEPBACKSLASH@
+ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS)
$(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS)
$(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_vfy.lo `test -f
'x509/x509_vfy.c' || echo '$(srcdir)/'`x509/x509_vfy.c
+
++x509/libcrypto_la-x509_vfy_apple.lo: x509/x509_vfy_apple.c
++@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS)
$(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS)
$(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_vfy_apple.lo -MD -MP -MF
x509/$(DEPDIR)/libcrypto_la-x509_vfy_apple.Tpo -c -o
x509/libcrypto_la-x509_vfy_apple.lo `test -f 'x509/x509_vfy_apple.c' || echo
'$(srcdir)/'`x509/x509_vfy_apple.c
++@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv)
x509/$(DEPDIR)/libcrypto_la-x509_vfy_apple.Tpo
x509/$(DEPDIR)/libcrypto_la-x509_vfy_apple.Plo
++@AMDEP_TRUE@@am__fastdepCC_FALSE@
$(AM_V_CC)source='x509/x509_vfy_apple.c'
object='x509/libcrypto_la-x509_vfy_apple.lo' libtool=yes @AMDEPBACKSLASH@
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE)
$(depcomp) @AMDEPBACKSLASH@
++@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS)
$(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS)
$(AM_CFLAGS) $(CFLAGS) -c -o x509/libcrypto_la-x509_vfy_apple.lo `test -f
'x509/x509_vfy_apple.c' || echo '$(srcdir)/'`x509/x509_vfy_apple.c
++
+ x509/libcrypto_la-x509_vpm.lo: x509/x509_vpm.c
+ @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS)
$(DEFAULT_INCLUDES) $(INCLUDES) $(libcrypto_la_CPPFLAGS) $(CPPFLAGS)
$(AM_CFLAGS) $(CFLAGS) -MT x509/libcrypto_la-x509_vpm.lo -MD -MP -MF
x509/$(DEPDIR)/libcrypto_la-x509_vpm.Tpo -c -o x509/libcrypto_la-x509_vpm.lo
`test -f 'x509/x509_vpm.c' || echo '$(srcdir)/'`x509/x509_vpm.c
+ @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv)
x509/$(DEPDIR)/libcrypto_la-x509_vpm.Tpo
x509/$(DEPDIR)/libcrypto_la-x509_vpm.Plo
+diff -Naur libressl-2.6.2.orig/crypto/x509/x509_vfy.c
libressl-2.6.2/crypto/x509/x509_vfy.c
+--- libressl-2.6.2.orig/crypto/x509/x509_vfy.c 2017-09-02 14:01:08.000000000
+0200
++++ libressl-2.6.2/crypto/x509/x509_vfy.c 2017-10-07 14:05:16.000000000
+0200
+@@ -115,6 +115,13 @@
+
+ #define CRL_SCORE_TIME_DELTA 0x002
+
++/*
++ * If we are using Trust Evaluation Agent, rename the original function
++ */
++#ifdef __APPLE__
++#define X509_verify_cert X509_verify_cert_orig
++#endif
++
+ static int null_callback(int ok, X509_STORE_CTX *e);
+ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
+diff -Naur libressl-2.6.2.orig/crypto/x509/x509_vfy_apple.c
libressl-2.6.2/crypto/x509/x509_vfy_apple.c
+--- libressl-2.6.2.orig/crypto/x509/x509_vfy_apple.c 1970-01-01
01:00:00.000000000 +0100
++++ libressl-2.6.2/crypto/x509/x509_vfy_apple.c 2017-10-07
14:05:16.000000000 +0200
+@@ -0,0 +1,225 @@
++/*
++ * Copyright (c) 2009 Apple Inc. All Rights Reserved.
++ *
++ * @APPLE_LICENSE_HEADER_START@
++ *
++ * This file contains Original Code and/or Modifications of Original Code
++ * as defined in and that are subject to the Apple Public Source License
++ * Version 2.0 (the 'License'). You may not use this file except in
++ * compliance with the License. Please obtain a copy of the License at
++ * http://www.opensource.apple.com/apsl/ and read it before using this
++ * file.
++ *
++ * The Original Code and all software distributed under the License are
++ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
++ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
++ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
++ * Please see the License for the specific language governing rights and
++ * limitations under the License.
++ *
++ * @APPLE_LICENSE_HEADER_END@
++ *
++ */
++
++#include <stdint.h>
++#include <inttypes.h>
++#include <syslog.h>
++
++#include <Security/Security.h>
++
++#include <openssl/opensslconf.h>
++
++#include <openssl/crypto.h>
++#include <openssl/x509.h>
++#include <openssl/x509v3.h>
++
++#include "cryptlib.h"
++#include "vpm_int.h"
++#include "x509_vfy_apple.h"
++
++#define TEA_might_correct_error(err) (err ==
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY || err ==
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT || err ==
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)
++
++
++static bool add_cert_to_array(CFMutableArrayRef array, X509 *x509)
++{
++ unsigned char *asn1_cert_data = NULL;
++ int asn1_cert_len = i2d_X509(x509, &asn1_cert_data);
++
++ CFDataRef data = CFDataCreate(kCFAllocatorDefault, asn1_cert_data,
asn1_cert_len);
++
++ if (data == NULL) {
++ return false;
++ }
++
++ SecCertificateRef cert = SecCertificateCreateWithData(NULL, data);
++
++ free(asn1_cert_data);
++
++ if (cert == NULL) {
++ CFRelease(data);
++ return false;
++ }
++
++ CFArrayAppendValue(array, cert);
++ CFRelease(data);
++
++ return true;
++}
++
++static CFStringRef to_string(const char *s) {
++ if (s == NULL)
++ return NULL;
++ return CFStringCreateWithCString(kCFAllocatorDefault, s,
++ kCFStringEncodingASCII);
++}
++
++static SecPolicyRef get_policy(X509_VERIFY_PARAM *param) {
++ switch (param->purpose) {
++ case X509_PURPOSE_SSL_CLIENT:
++ case X509_PURPOSE_SSL_SERVER: {
++
++ if (!param->id) {
++ fprintf(stderr, "got no ID!\n");
++ return NULL;
++ }
++
++ CFStringRef hostname;
++ int nhosts = sk_OPENSSL_STRING_num(param->id->hosts);
++
++ if (nhosts != 1) {
++ hostname = NULL;
++
++ } else {
++ hostname =
to_string(sk_OPENSSL_STRING_value(param->id->hosts, 0));
++ CFShow(hostname);
++ }
++
++ return SecPolicyCreateSSL(param->purpose ==
X509_PURPOSE_SSL_SERVER,
++ hostname);
++ }
++
++ case X509_PURPOSE_NS_SSL_SERVER:
++ case X509_PURPOSE_SMIME_SIGN:
++ case X509_PURPOSE_SMIME_ENCRYPT:
++ case X509_PURPOSE_CRL_SIGN:
++ case X509_PURPOSE_ANY:
++ case X509_PURPOSE_OCSP_HELPER:
++ case X509_PURPOSE_TIMESTAMP_SIGN:
++ default:
++ fprintf(stderr, "unsupported purpose %d", param->purpose);
++ return NULL;
++ }
++}
++
++/*
++ * Please see comment in x509_vfy_apple.h
++ */
++int
++X509_verify_cert(X509_STORE_CTX *ctx)
++{
++ uint64_t certLastIndex = 0;
++ uint64_t i = 0;
++
++ /* Try OpenSSL, if we get a local certificate issue verify against
trusted roots */
++ int ret = X509_verify_cert_orig(ctx);
++
++ /* Verify TEA is enabled and should be used. */
++ if (0 == X509_TEA_is_enabled() ||
++ ret == 1 || !TEA_might_correct_error(ctx->error)) {
++ return ret;
++ }
++
++ /* Verify that the certificate chain exists, otherwise make it. */
++ if (ctx->chain == NULL && (ctx->chain = sk_X509_new_null()) == NULL) {
++ fprintf(stderr, "Could not create the certificate chain");
++ ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
++ return -1;
++ }
++
++ /* Verify chain depth */
++ certLastIndex = sk_X509_num(ctx->untrusted);
++ if (certLastIndex > ctx->param->depth) {
++ fprintf(stderr, "Pruning certificate chain to %" PRIu64,
certLastIndex);
++ certLastIndex = ctx->param->depth;
++ }
++
++ CFMutableArrayRef certArray = CFArrayCreateMutable(NULL, certLastIndex +
1, NULL);
++ CFRetain(certArray);
++
++ if (!add_cert_to_array(certArray, ctx->cert)) {
++ fprintf(stderr, "Failed to add certificate to array");
++ CFRelease(certArray);
++ ctx->error = X509_V_ERR_UNSPECIFIED;
++ return -1;
++ }
++
++ for (i = 0; i < certLastIndex; ++i) {
++ X509 *t = sk_X509_value(ctx->untrusted, i);
++ if (!add_cert_to_array(certArray, t)) {
++ fprintf(stderr, "Failed to add chain certificate %lld to array",
i);
++ CFRelease(certArray);
++ ctx->error = X509_V_ERR_UNSPECIFIED;
++ return 0;
++ }
++ }
++
++ // We put ASN.1 encoded X509 on the CertificateChain, so we don't call
TEACertificateChainSetEncodingHandler
++ SecPolicyRef policy = get_policy(ctx->param);
++
++ if (policy == NULL) {
++ fprintf(stderr, "Failed to create policy!\n");
++ CFRelease(certArray);
++ ctx->error = X509_V_ERR_UNSPECIFIED;
++ return -1;
++ }
++
++ SecTrustRef trust = NULL;
++
++ if (SecTrustCreateWithCertificates(certArray, policy, &trust) !=
errSecSuccess) {
++ fprintf(stderr, "Failed to create trust!\n");
++ CFRelease(certArray);
++ ctx->error = X509_V_ERR_CERT_UNTRUSTED;
++ return -1;
++ }
++
++ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) {
++ fprintf(stderr, "Setting time not supported yet?\n");
++ SecTrustSetVerifyDate(trust, CFDateCreate(NULL,
ctx->param->check_time));
++ }
++
++ SecTrustResultType result = 0;
++
++ if (SecTrustEvaluate(trust, &result) != errSecSuccess || result !=
kSecTrustResultUnspecified) {
++ CFRelease(certArray);
++ ctx->error = X509_V_ERR_CERT_UNTRUSTED;
++ return 0;
++ }
++
++ CFRelease(certArray);
++ ctx->error = 0;
++ return 1;
++}
++
++#pragma mark Trust Evaluation Agent
++
++/* -1: not set
++ * 0: set to false
++ * 1: set to true
++ */
++static int tea_enabled = -1;
++
++void
++X509_TEA_set_state(int change)
++{
++ tea_enabled = (change) ? 1 : 0;
++}
++
++int
++X509_TEA_is_enabled()
++{
++ if (tea_enabled < 0)
++ tea_enabled = (NULL == getenv(X509_TEA_ENV_DISABLE));
++
++ return tea_enabled != 0;
++}
+diff -Naur libressl-2.6.2.orig/crypto/x509/x509_vfy_apple.h
libressl-2.6.2/crypto/x509/x509_vfy_apple.h
+--- libressl-2.6.2.orig/crypto/x509/x509_vfy_apple.h 1970-01-01
01:00:00.000000000 +0100
++++ libressl-2.6.2/crypto/x509/x509_vfy_apple.h 2017-10-07
14:05:16.000000000 +0200
+@@ -0,0 +1,74 @@
++/*
++ * Copyright (c) 2009 Apple Inc. All Rights Reserved.
++ *
++ * @APPLE_LICENSE_HEADER_START@
++ *
++ * This file contains Original Code and/or Modifications of Original Code
++ * as defined in and that are subject to the Apple Public Source License
++ * Version 2.0 (the 'License'). You may not use this file except in
++ * compliance with the License. Please obtain a copy of the License at
++ * http://www.opensource.apple.com/apsl/ and read it before using this
++ * file.
++ *
++ * The Original Code and all software distributed under the License are
++ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
++ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
++ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
++ * Please see the License for the specific language governing rights and
++ * limitations under the License.
++ *
++ * @APPLE_LICENSE_HEADER_END@
++ *
++ */
++
++#ifndef HEADER_X509_H
++#include <openssl/x509.h>
++#endif
++
++#ifndef HEADER_X509_VFY_APPLE_H
++#define HEADER_X509_VFY_APPLE_H
++
++/* Environment variable name to disable TEA. */
++#define X509_TEA_ENV_DISABLE "OPENSSL_X509_TEA_DISABLE"
++
++/*
++ * X509_verify_cert
++ *
++ * Originally located in x509_vfy.c.
++ *
++ * Verify certificate with OpenSSL created X509_verify_cert. If and only if
++ * OpenSSL cannot get certificate issuer locally then OS X security API will
++ * verify the certificate, using Trust Evaluation Agent.
++ *
++ * Return values:
++ * --------------
++ * -1: Null was passed for either ctx or ctx->cert.
++ * 0: Certificate is trusted.
++ * 1: Certificate is not trusted.
++ */
++int X509_verify_cert(X509_STORE_CTX *ctx);
++
++/*
++ * X509_TEA_is_enabled
++ *
++ * Is the Trust Evaluation Agent (TEA) used for certificate verification when
++ * the issuer cannot be verified.
++ *
++ * Returns 0 if TEA is disabled and 1 if TEA is enabled.
++ */
++int X509_TEA_is_enabled();
++
++/*
++ * X509_TEA_set_state
++ *
++ * Enables/disables certificate verification with Trust Evaluation Agent (TEA)
++ * when the issuer cannot be verified.
++ *
++ * Pass 0 to disable TEA and non-zero to enable TEA.
++ */
++void X509_TEA_set_state(int change);
++
++int X509_verify_cert_orig(X509_STORE_CTX *ctx);
++
++#endif /* HEADER_X509_VFY_APPLE_H */
diff --git a/pypy/goal/targetpypystandalone.py
b/pypy/goal/targetpypystandalone.py
--- a/pypy/goal/targetpypystandalone.py
+++ b/pypy/goal/targetpypystandalone.py
@@ -352,8 +352,9 @@
def hack_for_cffi_modules(self, driver):
# HACKHACKHACK
- # ugly hack to modify target goal from compile_* to build_cffi_imports
- # this should probably get cleaned up and merged with driver.create_exe
+ # ugly hack to modify target goal from compile_* to build_cffi_imports,
+ # as done in package.py
+ # this is needed by the benchmark buildbot run, maybe do it as a
seperate step there?
from rpython.tool.runsubprocess import run_subprocess
from rpython.translator.driver import taskdef
import types
@@ -363,11 +364,14 @@
def task_build_cffi_imports(self):
''' Use cffi to compile cffi interfaces to modules'''
filename = os.path.join(pypydir, 'tool', 'build_cffi_imports.py')
+ if sys.platform == 'darwin':
+ argv = [filename, '--embed-dependencies']
+ else:
+ argv = [filename,]
status, out, err = run_subprocess(str(driver.compute_exe_name()),
- [filename])
+ argv)
sys.stdout.write(out)
sys.stderr.write(err)
- # otherwise, ignore errors
driver.task_build_cffi_imports =
types.MethodType(task_build_cffi_imports, driver)
driver.tasks['build_cffi_imports'] = driver.task_build_cffi_imports,
[compile_goal]
driver.default_goal = 'build_cffi_imports'
diff --git a/pypy/tool/build_cffi_imports.py b/pypy/tool/build_cffi_imports.py
--- a/pypy/tool/build_cffi_imports.py
+++ b/pypy/tool/build_cffi_imports.py
@@ -1,5 +1,5 @@
from __future__ import print_function
-import sys, shutil, os
+import sys, shutil, os, tempfile, hashlib
from os.path import join
class MissingDependenciesError(Exception):
@@ -22,12 +22,131 @@
"xx": None, # for testing: 'None' should be completely ignored
}
-def create_cffi_import_libraries(pypy_c, options, basedir, only=None):
+# for distribution, we may want to fetch dependencies not provided by
+# the OS, such as a recent openssl/libressl or liblzma/xz.
+cffi_dependencies = {
+ 'lzma': ('https://tukaani.org/xz/xz-5.2.3.tar.gz',
+
'71928b357d0a09a12a4b4c5fafca8c31c19b0e7d3b8ebb19622e96f26dbf28cb',
+ []),
+ 'ssl':
('http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.2.tar.gz',
+ 'b029d2492b72a9ba5b5fcd9f3d602c9fd0baa087912f2aaecc28f52f567ec478',
+ ['--without-openssldir']),
+ '_gdbm': ('http://ftp.gnu.org/gnu/gdbm/gdbm-1.13.tar.gz',
+
'9d252cbd7d793f7b12bcceaddda98d257c14f4d1890d851c386c37207000a253',
+ ['--without-readline']),
+}
+
+
+def _unpack_tarfile(filename, extract_dir):
+ """Unpack tar/tar.gz/tar.bz2/tar.xz `filename` to `extract_dir`
+ """
+ import tarfile # late import for breaking circular dependency
+ try:
+ tarobj = tarfile.open(filename)
+ except tarfile.TarError:
+ raise ReadError(
+ "%s is not a compressed or uncompressed tar file" % filename)
+ try:
+ tarobj.extractall(extract_dir)
+ finally:
+ tarobj.close()
+
+def _sha256(filename):
+ dgst = hashlib.sha256()
+
+ with open(filename, 'rb') as fp:
+ dgst.update(fp.read())
+ return dgst.hexdigest()
+
+
+def _build_dependency(name, destdir, patches=[]):
+ import multiprocessing
+ import shutil
+ import subprocess
+
+ from rpython.tool.runsubprocess import run_subprocess
+
+ try:
+ from urllib.request import urlretrieve
+ except ImportError:
+ from urllib import urlretrieve
+
+ try:
+ url, dgst, args = cffi_dependencies[name]
+ except KeyError:
+ return 0, None, None
+
+ archive_dir = os.path.join(tempfile.gettempdir(), 'pypy-archives')
+
+ if not os.path.isdir(archive_dir):
+ os.makedirs(archive_dir)
+
+ archive = os.path.join(archive_dir, url.rsplit('/', 1)[-1])
+
+ # next, fetch the archive to disk, if needed
+ if not os.path.exists(archive) or _sha256(archive) != dgst:
+ print('fetching archive', url, file=sys.stderr)
+ urlretrieve(url, archive)
+
+ # extract the archive into our destination directory
+ print('unpacking archive', archive, file=sys.stderr)
+ _unpack_tarfile(archive, destdir)
+
+ sources = os.path.join(
+ destdir,
+ os.path.basename(archive)[:-7],
+ )
+
+ # apply any patches
+ if patches:
+ for patch in patches:
+ print('applying patch', patch, file=sys.stderr)
+ status, stdout, stderr = run_subprocess(
+ '/usr/bin/patch', ['-p1', '-i', patch], cwd=sources,
+ )
+
+ if status != 0:
+ return status, stdout, stderr
+
+ print('configuring', sources, file=sys.stderr)
+
+ # configure & build it
+ status, stdout, stderr = run_subprocess(
+ './configure',
+ [
+ '--prefix=/usr',
+ '--disable-shared',
+ '--enable-silent-rules',
+ '--disable-dependency-tracking',
+ ] + args,
+ cwd=sources,
+ )
+
+ if status != 0:
+ return status, stdout, stderr
+
+ print('building', sources, file=sys.stderr)
+
+ status, stdout, stderr = run_subprocess(
+ 'make',
+ [
+ '-s', '-j' + str(multiprocessing.cpu_count()),
+ 'install', 'DESTDIR={}/'.format(destdir),
+ ],
+ cwd=sources,
+ )
+
+ return status, stdout, stderr
+
+
+def create_cffi_import_libraries(pypy_c, options, basedir, only=None,
+ embed_dependencies=False):
from rpython.tool.runsubprocess import run_subprocess
shutil.rmtree(str(join(basedir,'lib_pypy','__pycache__')),
ignore_errors=True)
failures = []
+
for key, module in sorted(cffi_build_scripts.items()):
if only and key not in only:
print("* SKIPPING", key, '(not specified in --only)')
@@ -40,9 +159,49 @@
else:
args = ['-c', 'import ' + module]
cwd = None
+ env = os.environ.copy()
+
print('*', ' '.join(args), file=sys.stderr)
+ if embed_dependencies:
+ curdir = os.path.abspath(os.path.dirname(__file__))
+ destdir = os.path.join(curdir, 'dest')
+
+ shutil.rmtree(destdir, ignore_errors=True)
+ os.makedirs(destdir)
+
+ if key == 'ssl' and sys.platform == 'darwin':
+ # this patch is loosely inspired by an Apple and adds
+ # a fallback to the OS X roots when none are available
+ patches = [
+ os.path.join(curdir,
+ '../../lib_pypy/_cffi_ssl/osx-roots.diff'),
+ ]
+ else:
+ patches = []
+
+ status, stdout, stderr = _build_dependency(key, destdir,
+ patches=patches)
+
+ if status != 0:
+ failures.append((key, module))
+ print("stdout:")
+ print(stdout.decode('utf-8'))
+ print("stderr:")
+ print(stderr.decode('utf-8'))
+ continue
+
+ env['CPPFLAGS'] = \
+ '-I{}/usr/include {}'.format(destdir, env.get('CPPFLAGS', ''))
+ env['LDFLAGS'] = \
+ '-L{}/usr/lib {}'.format(destdir, env.get('LDFLAGS', ''))
+
+ if key == 'ssl' and sys.platform == 'darwin':
+ # needed for our roots patch
+ env['LDFLAGS'] += ' -framework CoreFoundation -framework
Security'
+
try:
- status, stdout, stderr = run_subprocess(str(pypy_c), args, cwd=cwd)
+ status, stdout, stderr = run_subprocess(str(pypy_c), args,
+ cwd=cwd, env=env)
if status != 0:
failures.append((key, module))
print("stdout:")
@@ -73,6 +232,8 @@
' you can specify an alternative pypy vm here')
parser.add_argument('--only', dest='only', default=None,
help='Only build the modules delimited by a colon.
E.g. ssl,sqlite')
+ parser.add_argument('--embed-dependencies', dest='embed_dependencies',
action='store_true',
+ help='embed dependencies for distribution')
args = parser.parse_args()
exename = join(os.getcwd(), args.exefile)
@@ -89,7 +250,8 @@
only = None
else:
only = set(args.only.split(','))
- failures = create_cffi_import_libraries(exename, options, basedir,
only=only)
+ failures = create_cffi_import_libraries(exename, options, basedir,
only=only,
+
embed_dependencies=args.embed_dependencies)
if len(failures) > 0:
print('*** failed to build the CFFI modules %r' % (
[f[1] for f in failures],), file=sys.stderr)
diff --git a/pypy/tool/release/package.py b/pypy/tool/release/package.py
--- a/pypy/tool/release/package.py
+++ b/pypy/tool/release/package.py
@@ -83,7 +83,11 @@
if not _fake and not pypy_runs(pypy_c):
raise OSError("Running %r failed!" % (str(pypy_c),))
if not options.no_cffi:
- failures = create_cffi_import_libraries(str(pypy_c), options,
str(basedir))
+ failures = create_cffi_import_libraries(
+ str(pypy_c), options, str(basedir),
+ embed_dependencies=options.embed_dependencies,
+ )
+
for key, module in failures:
print >>sys.stderr, """!!!!!!!!!!\nBuilding {0} bindings failed.
You can either install development headers package,
@@ -266,6 +270,15 @@
def package(*args, **kwds):
import argparse
+
+ class NegateAction(argparse.Action):
+ def __init__(self, option_strings, dest, nargs=0, **kwargs):
+ super(NegateAction, self).__init__(option_strings, dest, nargs,
+ **kwargs)
+
+ def __call__(self, parser, ns, values, option):
+ setattr(ns, self.dest, option[2:4] != 'no')
+
if sys.platform == 'win32':
pypy_exe = 'pypy3.exe'
else:
@@ -296,12 +309,20 @@
help='destination dir for archive')
parser.add_argument('--override_pypy_c', type=str, default='',
help='use as pypy3 exe instead of pypy/goal/pypy3-c')
+ parser.add_argument('--embedded-dependencies',
'--no-embedded-dependencies',
+ dest='embed_dependencies',
+ action=NegateAction,
+ default=(sys.platform == 'darwin'),
+ help='whether to embed dependencies for distribution '
+ '(default on OS X)')
options = parser.parse_args(args)
if os.environ.has_key("PYPY_PACKAGE_NOSTRIP"):
options.nostrip = True
if os.environ.has_key("PYPY_PACKAGE_WITHOUTTK"):
options.no_tk = True
+ if os.environ.has_key("PYPY_EMBED_DEPENDENCIES"):
+ options.embed_dependencies = True
if not options.builddir:
# The import actually creates the udir directory
from rpython.tool.udir import udir
_______________________________________________
pypy-commit mailing list
[email protected]
https://mail.python.org/mailman/listinfo/pypy-commit
