From: "Quentin Retornaz"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Quentin Retornaz"
Message-ID: <1668878750.fdeb8eb44ef8b07500cb9fbad5d99d735ed59465.quentin@gentoo>
Subject: [gentoo-commits] repo/proj/libressl:master commit in: dev-lang/python/, dev-lang/python/files/
X-VCS-Repository: repo/proj/libressl
X-VCS-Files: dev-lang/python/files/python-3.10.3-hashopenssl-libressl.patch dev-lang/python/files/python-3.10.3-libressl.patch dev-lang/python/files/python-3.10.3-ssl-libressl.patch dev-lang/python/files/python-3.11.0-libressl.patch dev-lang/python/python-3.10.8_p2.ebuild dev-lang/python/python-3.10.8_p3.ebuild dev-lang/python/python-3.11.0_p1.ebuild dev-lang/python/python-3.11.0_p2.ebuild
X-VCS-Directories: dev-lang/python/ dev-lang/python/files/
X-VCS-Committer: quentin
X-VCS-Committer-Name: Quentin Retornaz
X-VCS-Revision: fdeb8eb44ef8b07500cb9fbad5d99d735ed59465
X-VCS-Branch: master
Date: Sat, 19 Nov 2022 17:27:35 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 9153645f-5d91-4058-a992-16ebeaeef1bc
X-Archives-Hash: ceb301fa90c735a2058e82b93862a095

commit:     fdeb8eb44ef8b07500cb9fbad5d99d735ed59465
Author:     Mike Skec protonmail ch>
AuthorDate: Fri Nov 18 01:27:53 2022 +0000
Commit:     Quentin Retornaz retornaz com>
CommitDate: Sat Nov 19 17:25:50 2022 +0000
URL:        https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=fdeb8eb4

dev-lang/python: LibreSSL 3.5.3 compatibility patches

The patches for Python 3.10 and 3.11 are now the same. The fix for the
_hashopenssl module is unchanged. For the _ssl module we neuter the
security_level stuff if we are building with =libressl-3.6.0.

Signed-off-by: Mike Skec protonmail.ch>
Signed-off-by: Quentin Retornaz retornaz.com> ...ch => python-3.10.3-hashopenssl-libressl.patch} | 11 ++-- dev-lang/python/files/python-3.10.3-libressl.patch | 74 ---------------------- .../python/files/python-3.10.3-ssl-libressl.patch | 40 ++++++++++++ dev-lang/python/python-3.10.8_p2.ebuild | 3 +- dev-lang/python/python-3.10.8_p3.ebuild | 3 +- dev-lang/python/python-3.11.0_p1.ebuild | 3 +- dev-lang/python/python-3.11.0_p2.ebuild | 3 +- 7 files changed, 54 insertions(+), 83 deletions(-) diff --git a/dev-lang/python/files/python-3.11.0-libressl.patch b/dev-lang/python/files/python-3.10.3-hashopenssl-libressl.patch similarity index 99% rename from dev-lang/python/files/python-3.11.0-libressl.patch rename to dev-lang/python/files/python-3.10.3-hashopenssl-libressl.patch index ccac291..46cbbe7 100644 --- a/dev-lang/python/files/python-3.11.0-libressl.patch +++ b/dev-lang/python/files/python-3.10.3-hashopenssl-libressl.patch @@ -4,9 +4,9 @@ Index: Modules/_hashopenssl.c --- a/Modules/_hashopenssl.c.orig +++ b/Modules/_hashopenssl.c @@ -45,11 +45,6 @@ - + #define MUNCH_SIZE INT_MAX - + -#define PY_OPENSSL_HAS_SCRYPT 1 -#define PY_OPENSSL_HAS_SHA3 1 -#define PY_OPENSSL_HAS_SHAKE 1 @@ -30,11 +30,11 @@ Index: Modules/_hashopenssl.c +#endif PY_HASH_ENTRY(NULL, NULL, NULL, 0), }; - + @@ -873,11 +870,15 @@ py_evp_fromname(PyObject *module, const char *digestna goto exit; } - + +#if defined(LIBRESSL_VERSION_NUMBER) + type = get_hashlib_state(module)->EVPtype; +#else @@ -44,6 +44,7 @@ Index: Modules/_hashopenssl.c type = get_hashlib_state(module)->EVPtype; } +#endif - + self = newEVPobject(type); if (self == NULL) { + diff --git a/dev-lang/python/files/python-3.10.3-libressl.patch b/dev-lang/python/files/python-3.10.3-libressl.patch deleted file mode 100644 index 18e40c1..0000000 --- a/dev-lang/python/files/python-3.10.3-libressl.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -Neuter security level things until LibreSSL supports them. - -Index: Modules/_ssl.c ---- a/Modules/_ssl.c.orig -+++ b/Modules/_ssl.c -@@ -169,7 +169,7 @@ extern const SSL_METHOD *TLSv1_2_method(void); - * Based on Hynek's excellent blog post (update 2021-02-11) - * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ - */ -- #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" -+ #define PY_SSL_DEFAULT_CIPHER_STRING "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" - #ifndef PY_SSL_MIN_PROTOCOL - #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION - #endif -@@ -3579,6 +3579,12 @@ set_num_tickets(PySSLContext *self, PyObject *arg, voi - PyDoc_STRVAR(PySSLContext_num_tickets_doc, - "Control the number of TLSv1.3 session tickets"); - #endif /* TLS1_3_VERSION */ -+ -+int -+SSL_CTX_get_security_level(const SSL_CTX *ctx) -+{ -+ return 1; -+} - - static PyObject * - get_security_level(PySSLContext *self, void *c) -Index: Modules/_hashopenssl.c ---- a/Modules/_hashopenssl.c.orig -+++ b/Modules/_hashopenssl.c -@@ -45,11 +45,6 @@ - - #define MUNCH_SIZE INT_MAX - --#define PY_OPENSSL_HAS_SCRYPT 1 --#define PY_OPENSSL_HAS_SHA3 1 --#define PY_OPENSSL_HAS_SHAKE 1 --#define PY_OPENSSL_HAS_BLAKE2 1 -- - #if OPENSSL_VERSION_NUMBER >= 0x30000000L - #define PY_EVP_MD EVP_MD - #define PY_EVP_MD_fetch(algorithm, properties) EVP_MD_fetch(NULL, algorithm, properties) -@@ -119,6 +114,7 @@ static const py_hashentry_t py_hashes[] = { - PY_HASH_ENTRY(Py_hash_sha256, "SHA256", SN_sha256, NID_sha256), - PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384), - PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512), -+#if !defined(LIBRESSL_VERSION_NUMBER) - /* truncated sha2 */ - PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224, NID_sha512_224), - PY_HASH_ENTRY(Py_hash_sha512_256, "SHA512_256", SN_sha512_256, NID_sha512_256), -@@ -133,6 
+129,7 @@ static const py_hashentry_t py_hashes[] = { - /* blake2 digest */ - PY_HASH_ENTRY(Py_hash_blake2s, "blake2s256", SN_blake2s256, NID_blake2s256), - PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", SN_blake2b512, NID_blake2b512), -+#endif - PY_HASH_ENTRY(NULL, NULL, NULL, 0), - }; - -@@ -873,11 +870,15 @@ py_evp_fromname(PyObject *module, const char *digestna - goto exit; - } - -+#if defined(LIBRESSL_VERSION_NUMBER) -+ type = get_hashlib_state(module)->EVPtype; -+#else - if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) { - type = get_hashlib_state(module)->EVPXOFtype; - } else { - type = get_hashlib_state(module)->EVPtype; - } -+#endif - - self = newEVPobject(type); - if (self == NULL) { diff --git a/dev-lang/python/files/python-3.10.3-ssl-libressl.patch b/dev-lang/python/files/python-3.10.3-ssl-libressl.patch new file mode 100644 index 0000000..78b6291 --- /dev/null +++ b/dev-lang/python/files/python-3.10.3-ssl-libressl.patch 
@@ -0,0 +1,40 @@ +Neuter security level things for LibreSSL < 3.6.0 + +diff --git a/Modules/_ssl.c b/Modules/_ssl.c +index d11ec05..4cb9479 100644 +--- a/Modules/_ssl.c ++++ b/Modules/_ssl.c +@@ -171,7 +171,15 @@ extern const SSL_METHOD *TLSv1_2_method(void); + * Based on Hynek's excellent blog post (update 2021-02-11) + * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ + */ +- #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" ++ ++ // libssl can only parse @SECLEVEL annotations with LibreSSL 3.6.0 and later. ++ #if defined(LIBRESSL_VERSION_NUMBER) && \ ++ (LIBRESSL_VERSION_NUMBER >= 0x03060000f) ++ #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" ++ #else ++ #define PY_SSL_DEFAULT_CIPHER_STRING "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM" ++ #endif ++ + #ifndef PY_SSL_MIN_PROTOCOL + #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION + #endif +@@ -3584,6 +3592,16 @@ PyDoc_STRVAR(PySSLContext_num_tickets_doc, + "Control the number of TLSv1.3 session tickets"); + #endif /* TLS1_3_VERSION */ + ++// Fall back to security level 1 for LibreSSL < 3.6.0 ++#if defined(LIBRESSL_VERSION_NUMBER) && \ ++ (LIBRESSL_VERSION_NUMBER < 0x03060000f) ++static int ++SSL_CTX_get_security_level(const SSL_CTX *ctx) ++{ ++ return 1; ++} ++#endif ++ + static PyObject * + get_security_level(PySSLContext *self, void *c) + { diff --git a/dev-lang/python/python-3.10.8_p2.ebuild b/dev-lang/python/python-3.10.8_p2.ebuild index 0aa5e16..87a3e07 100644 --- a/dev-lang/python/python-3.10.8_p2.ebuild +++ b/dev-lang/python/python-3.10.8_p2.ebuild @@ -113,7 +113,8 @@ src_prepare() { local PATCHES=( "${WORKDIR}/${PATCHSET}" - "${FILESDIR}"/${PN}-3.10.3-libressl.patch + "${FILESDIR}"/${PN}-3.10.3-hashopenssl-libressl.patch + "${FILESDIR}"/${PN}-3.10.3-ssl-libressl.patch ) default 
diff --git a/dev-lang/python/python-3.10.8_p3.ebuild b/dev-lang/python/python-3.10.8_p3.ebuild index 393aa9b..a07e7b6 100644 --- a/dev-lang/python/python-3.10.8_p3.ebuild +++ b/dev-lang/python/python-3.10.8_p3.ebuild @@ -113,7 +113,8 @@ src_prepare() { local PATCHES=( "${WORKDIR}/${PATCHSET}" - "${FILESDIR}"/${PN}-3.10.3-libressl.patch + "${FILESDIR}"/${PN}-3.10.3-hashopenssl-libressl.patch + "${FILESDIR}"/${PN}-3.10.3-ssl-libressl.patch ) default diff --git a/dev-lang/python/python-3.11.0_p1.ebuild b/dev-lang/python/python-3.11.0_p1.ebuild index ed21566..8c41902 100644 --- a/dev-lang/python/python-3.11.0_p1.ebuild +++ b/dev-lang/python/python-3.11.0_p1.ebuild @@ -118,7 +118,8 @@ src_prepare() { local PATCHES=( "${WORKDIR}/${PATCHSET}" - "${FILESDIR}"/${PN}-3.11.0-libressl.patch + "${FILESDIR}"/${PN}-3.10.3-hashopenssl-libressl.patch + "${FILESDIR}"/${PN}-3.10.3-ssl-libressl.patch ) default diff --git a/dev-lang/python/python-3.11.0_p2.ebuild b/dev-lang/python/python-3.11.0_p2.ebuild index be6e54f..a488ba8 100644 --- a/dev-lang/python/python-3.11.0_p2.ebuild +++ b/dev-lang/python/python-3.11.0_p2.ebuild @@ -118,7 +118,8 @@ src_prepare() { local PATCHES=( "${WORKDIR}/${PATCHSET}" - "${FILESDIR}"/${PN}-3.11.0-libressl.patch + "${FILESDIR}"/${PN}-3.10.3-hashopenssl-libressl.patch + "${FILESDIR}"/${PN}-3.10.3-ssl-libressl.patch ) default
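Review bot: in the first `_hashopenssl.c` hunk (`@@ -45,11 +45,6 @@`) the four `PY_OPENSSL_HAS_SCRYPT`, `PY_OPENSSL_HAS_SHA3`, `PY_OPENSSL_HAS_SHAKE` and `PY_OPENSSL_HAS_BLAKE2` defines are deleted unconditionally, whereas the hash-table entries two hunks later are guarded by `#if !defined(LIBRESSL_VERSION_NUMBER)`. Wrapping the four defines in the same guard keeps the patch a no-op when the file is ever compiled against OpenSSL and makes the reason (the LibreSSL 3.5.x EVP layer lacks these algorithms) visible at the point of change rather than only in the table below; the patch header should also state that `hashlib.scrypt`, `sha3_*`, `shake_*` and `blake2*` are intentionally absent on LibreSSL builds, since the removal makes them disappear silently at runtime.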
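Review bot: the LibreSSL branch of the `py_evp_fromname` hunk (`@@ -873,11 +870,15 @@`) hardwires `type = get_hashlib_state(module)->EVPtype;` and skips the `EVP_MD_FLAG_XOF` test entirely. That is only correct because the `shake` entries are compiled out of `py_hashes[]` in the preceding hunk; a one-line comment saying so next to the `#if defined(LIBRESSL_VERSION_NUMBER)` would stop a future reader from re-enabling SHAKE in the table without noticing that XOF objects would then be created with the non-XOF type. Since this file is now applied to Python 3.11.0 as well (renamed from `python-3.11.0-libressl.patch`, 99% similar) but keeps 3.10 line numbers in its hunk headers, it is worth checking the 3.11 build log for `patch` offset/fuzz messages on this hunk.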
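Review bot: the `< 0x03060000f` branch of the `PY_SSL_DEFAULT_CIPHER_STRING` hunk (`@@ -171,7 +171,15 @@`) drops the `@SECLEVEL=2` prefix, and nothing else in the remaining string `"ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"` expresses what level 2 encodes (minimum key sizes for RSA/DH/EC and the ban on weak signature algorithms on certificates); `!SHA1` only excludes SHA-1 cipher suites. The patch header "Neuter security level things for LibreSSL < 3.6.0" should spell out that on LibreSSL 3.5.x the default context falls back to whatever key-size policy the library enforces on its own, so that users of `ssl.create_default_context()` know the guarantee differs from the same Python on OpenSSL or LibreSSL >= 3.6.0.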
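Review bot: the `SSL_CTX_get_security_level` stub in the second `_ssl.c` hunk (`@@ -3584,6 +3592,16 @@`) returns 1 for LibreSSL < 3.6.0, so `ssl.SSLContext.security_level` reports level 1 to Python code while the library enforces no security level at all, and any caller that branches on the value (test suites deciding whether a weak key must be rejected, for instance) gets a misleading answer. OpenSSL defines level 0 as "everything is permitted", which is the honest value here; if 1 is kept for test-suite compatibility, say so in the comment `// Fall back to security level 1 for LibreSSL < 3.6.0`. A quick check after the build is `python3 -c 'import ssl; print(ssl.OPENSSL_VERSION, ssl.create_default_context().security_level)'`. Making the function `static` and guarding it with the version test is a real improvement over the deleted `python-3.10.3-libressl.patch`, whose non-static `int SSL_CTX_get_security_level(const SSL_CTX *ctx)` would have collided with the real symbol once LibreSSL 3.6.0 exports it.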
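Review bot: the four ebuild hunks make `python-3.11.0_p1` and `python-3.11.0_p2` apply files named `python-3.10.3-hashopenssl-libressl.patch` and `python-3.10.3-ssl-libressl.patch`; now that the commit message says the 3.10 and 3.11 patches are identical, a version-less name (for example `python-libressl-hashopenssl.patch` and `python-libressl-ssl.patch`) would avoid the impression that a 3.10-specific patch is being forced onto 3.11, and would save another rename when 3.12 arrives. The `PATCHES` ordering (patchset first, then the two LibreSSL patches) is unchanged and correct, since both LibreSSL patches are written against the already-patched Modules/ sources.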