From: "Quentin Retornaz" <gentoo@retornaz.com>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/proj/libressl:master commit in: dev-lang/python/, dev-lang/python/files/
Date: Sat, 19 Nov 2022 17:27:35 +0000 (UTC) [thread overview]
Message-ID: <1668878750.fdeb8eb44ef8b07500cb9fbad5d99d735ed59465.quentin@gentoo> (raw)
commit: fdeb8eb44ef8b07500cb9fbad5d99d735ed59465
Author: Mike Skec <skec <AT> protonmail <DOT> ch>
AuthorDate: Fri Nov 18 01:27:53 2022 +0000
Commit: Quentin Retornaz <gentoo <AT> retornaz <DOT> com>
CommitDate: Sat Nov 19 17:25:50 2022 +0000
URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=fdeb8eb4
dev-lang/python: LibreSSL 3.5.3 compatibility patches
The patches for Python 3.10 and 3.11 are now the same. The fix for
the _hashopenssl module is unchanged.
For the _ssl module we neuter the security_level stuff if we are
building with <libressl-3.6.0. We only include the @SECLEVEL cipher
string annotations if we are on >=libressl-3.6.0.
Signed-off-by: Mike Skec <skec <AT> protonmail.ch>
Signed-off-by: Quentin Retornaz <gentoo <AT> retornaz.com>
...ch => python-3.10.3-hashopenssl-libressl.patch} | 11 ++--
dev-lang/python/files/python-3.10.3-libressl.patch | 74 ----------------------
.../python/files/python-3.10.3-ssl-libressl.patch | 40 ++++++++++++
dev-lang/python/python-3.10.8_p2.ebuild | 3 +-
dev-lang/python/python-3.10.8_p3.ebuild | 3 +-
dev-lang/python/python-3.11.0_p1.ebuild | 3 +-
dev-lang/python/python-3.11.0_p2.ebuild | 3 +-
7 files changed, 54 insertions(+), 83 deletions(-)
diff --git a/dev-lang/python/files/python-3.11.0-libressl.patch b/dev-lang/python/files/python-3.10.3-hashopenssl-libressl.patch
similarity index 99%
rename from dev-lang/python/files/python-3.11.0-libressl.patch
rename to dev-lang/python/files/python-3.10.3-hashopenssl-libressl.patch
index ccac291..46cbbe7 100644
--- a/dev-lang/python/files/python-3.11.0-libressl.patch
+++ b/dev-lang/python/files/python-3.10.3-hashopenssl-libressl.patch
@@ -4,9 +4,9 @@ Index: Modules/_hashopenssl.c
--- a/Modules/_hashopenssl.c.orig
+++ b/Modules/_hashopenssl.c
@@ -45,11 +45,6 @@
-
+
#define MUNCH_SIZE INT_MAX
-
+
-#define PY_OPENSSL_HAS_SCRYPT 1
-#define PY_OPENSSL_HAS_SHA3 1
-#define PY_OPENSSL_HAS_SHAKE 1
@@ -30,11 +30,11 @@ Index: Modules/_hashopenssl.c
+#endif
PY_HASH_ENTRY(NULL, NULL, NULL, 0),
};
-
+
@@ -873,11 +870,15 @@ py_evp_fromname(PyObject *module, const char *digestna
goto exit;
}
-
+
+#if defined(LIBRESSL_VERSION_NUMBER)
+ type = get_hashlib_state(module)->EVPtype;
+#else
@@ -44,6 +44,7 @@ Index: Modules/_hashopenssl.c
type = get_hashlib_state(module)->EVPtype;
}
+#endif
-
+
self = newEVPobject(type);
if (self == NULL) {
+
diff --git a/dev-lang/python/files/python-3.10.3-libressl.patch b/dev-lang/python/files/python-3.10.3-libressl.patch
deleted file mode 100644
index 18e40c1..0000000
--- a/dev-lang/python/files/python-3.10.3-libressl.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-Neuter security level things until LibreSSL supports them.
-
-Index: Modules/_ssl.c
---- a/Modules/_ssl.c.orig
-+++ b/Modules/_ssl.c
-@@ -169,7 +169,7 @@ extern const SSL_METHOD *TLSv1_2_method(void);
- * Based on Hynek's excellent blog post (update 2021-02-11)
- * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- */
-- #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
-+ #define PY_SSL_DEFAULT_CIPHER_STRING "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
- #ifndef PY_SSL_MIN_PROTOCOL
- #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION
- #endif
-@@ -3579,6 +3579,12 @@ set_num_tickets(PySSLContext *self, PyObject *arg, voi
- PyDoc_STRVAR(PySSLContext_num_tickets_doc,
- "Control the number of TLSv1.3 session tickets");
- #endif /* TLS1_3_VERSION */
-+
-+int
-+SSL_CTX_get_security_level(const SSL_CTX *ctx)
-+{
-+ return 1;
-+}
-
- static PyObject *
- get_security_level(PySSLContext *self, void *c)
-Index: Modules/_hashopenssl.c
---- a/Modules/_hashopenssl.c.orig
-+++ b/Modules/_hashopenssl.c
-@@ -45,11 +45,6 @@
-
- #define MUNCH_SIZE INT_MAX
-
--#define PY_OPENSSL_HAS_SCRYPT 1
--#define PY_OPENSSL_HAS_SHA3 1
--#define PY_OPENSSL_HAS_SHAKE 1
--#define PY_OPENSSL_HAS_BLAKE2 1
--
- #if OPENSSL_VERSION_NUMBER >= 0x30000000L
- #define PY_EVP_MD EVP_MD
- #define PY_EVP_MD_fetch(algorithm, properties) EVP_MD_fetch(NULL, algorithm, properties)
-@@ -119,6 +114,7 @@ static const py_hashentry_t py_hashes[] = {
- PY_HASH_ENTRY(Py_hash_sha256, "SHA256", SN_sha256, NID_sha256),
- PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384),
- PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512),
-+#if !defined(LIBRESSL_VERSION_NUMBER)
- /* truncated sha2 */
- PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224, NID_sha512_224),
- PY_HASH_ENTRY(Py_hash_sha512_256, "SHA512_256", SN_sha512_256, NID_sha512_256),
-@@ -133,6 +129,7 @@ static const py_hashentry_t py_hashes[] = {
- /* blake2 digest */
- PY_HASH_ENTRY(Py_hash_blake2s, "blake2s256", SN_blake2s256, NID_blake2s256),
- PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", SN_blake2b512, NID_blake2b512),
-+#endif
- PY_HASH_ENTRY(NULL, NULL, NULL, 0),
- };
-
-@@ -873,11 +870,15 @@ py_evp_fromname(PyObject *module, const char *digestna
- goto exit;
- }
-
-+#if defined(LIBRESSL_VERSION_NUMBER)
-+ type = get_hashlib_state(module)->EVPtype;
-+#else
- if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) {
- type = get_hashlib_state(module)->EVPXOFtype;
- } else {
- type = get_hashlib_state(module)->EVPtype;
- }
-+#endif
-
- self = newEVPobject(type);
- if (self == NULL) {
diff --git a/dev-lang/python/files/python-3.10.3-ssl-libressl.patch b/dev-lang/python/files/python-3.10.3-ssl-libressl.patch
new file mode 100644
index 0000000..78b6291
--- /dev/null
+++ b/dev-lang/python/files/python-3.10.3-ssl-libressl.patch
@@ -0,0 +1,40 @@
+Neuter security level things for LibreSSL < 3.6.0
+
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index d11ec05..4cb9479 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -171,7 +171,15 @@ extern const SSL_METHOD *TLSv1_2_method(void);
+ * Based on Hynek's excellent blog post (update 2021-02-11)
+ * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ */
+- #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
++
++ // libssl can only parse @SECLEVEL annotations with LibreSSL 3.6.0 and later.
++ #if defined(LIBRESSL_VERSION_NUMBER) && \
++ (LIBRESSL_VERSION_NUMBER >= 0x03060000f)
++ #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
++ #else
++ #define PY_SSL_DEFAULT_CIPHER_STRING "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
++ #endif
++
+ #ifndef PY_SSL_MIN_PROTOCOL
+ #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION
+ #endif
+@@ -3584,6 +3592,16 @@ PyDoc_STRVAR(PySSLContext_num_tickets_doc,
+ "Control the number of TLSv1.3 session tickets");
+ #endif /* TLS1_3_VERSION */
+
++// Fall back to security level 1 for LibreSSL < 3.6.0
++#if defined(LIBRESSL_VERSION_NUMBER) && \
++ (LIBRESSL_VERSION_NUMBER < 0x03060000f)
++static int
++SSL_CTX_get_security_level(const SSL_CTX *ctx)
++{
++ return 1;
++}
++#endif
++
+ static PyObject *
+ get_security_level(PySSLContext *self, void *c)
+ {
diff --git a/dev-lang/python/python-3.10.8_p2.ebuild b/dev-lang/python/python-3.10.8_p2.ebuild
index 0aa5e16..87a3e07 100644
--- a/dev-lang/python/python-3.10.8_p2.ebuild
+++ b/dev-lang/python/python-3.10.8_p2.ebuild
@@ -113,7 +113,8 @@ src_prepare() {
local PATCHES=(
"${WORKDIR}/${PATCHSET}"
- "${FILESDIR}"/${PN}-3.10.3-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-hashopenssl-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-ssl-libressl.patch
)
default
diff --git a/dev-lang/python/python-3.10.8_p3.ebuild b/dev-lang/python/python-3.10.8_p3.ebuild
index 393aa9b..a07e7b6 100644
--- a/dev-lang/python/python-3.10.8_p3.ebuild
+++ b/dev-lang/python/python-3.10.8_p3.ebuild
@@ -113,7 +113,8 @@ src_prepare() {
local PATCHES=(
"${WORKDIR}/${PATCHSET}"
- "${FILESDIR}"/${PN}-3.10.3-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-hashopenssl-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-ssl-libressl.patch
)
default
diff --git a/dev-lang/python/python-3.11.0_p1.ebuild b/dev-lang/python/python-3.11.0_p1.ebuild
index ed21566..8c41902 100644
--- a/dev-lang/python/python-3.11.0_p1.ebuild
+++ b/dev-lang/python/python-3.11.0_p1.ebuild
@@ -118,7 +118,8 @@ src_prepare() {
local PATCHES=(
"${WORKDIR}/${PATCHSET}"
- "${FILESDIR}"/${PN}-3.11.0-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-hashopenssl-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-ssl-libressl.patch
)
default
diff --git a/dev-lang/python/python-3.11.0_p2.ebuild b/dev-lang/python/python-3.11.0_p2.ebuild
index be6e54f..a488ba8 100644
--- a/dev-lang/python/python-3.11.0_p2.ebuild
+++ b/dev-lang/python/python-3.11.0_p2.ebuild
@@ -118,7 +118,8 @@ src_prepare() {
local PATCHES=(
"${WORKDIR}/${PATCHSET}"
- "${FILESDIR}"/${PN}-3.11.0-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-hashopenssl-libressl.patch
+ "${FILESDIR}"/${PN}-3.10.3-ssl-libressl.patch
)
default
next reply other threads:[~2022-11-19 17:27 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-19 17:27 Quentin Retornaz [this message]
-- strict thread matches above, loose matches on Subject: below --
2024-10-06 14:36 [gentoo-commits] repo/proj/libressl:master commit in: dev-lang/python/, dev-lang/python/files/ orbea
2024-08-03 4:53 orbea
2024-07-16 22:04 orbea
2022-10-09 18:12 Quentin Retornaz
2019-02-20 19:10 Aaron Bauman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1668878750.fdeb8eb44ef8b07500cb9fbad5d99d735ed59465.quentin@gentoo \
--to=gentoo@retornaz.com \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox