* [gentoo-commits] repo/proj/libressl:master commit in: dev-lang/python/files/
@ 2024-03-12 20:15 orbea
From: orbea @ 2024-03-12 20:15 UTC (permalink / raw
  To: gentoo-commits

commit:     0a55b7dac06b5210c67d328456e27e17b2eed681
Author:     orbea <orbea <AT> riseup <DOT> net>
AuthorDate: Tue Mar 12 20:08:45 2024 +0000
Commit:     orbea <orbea <AT> riseup <DOT> net>
CommitDate: Tue Mar 12 20:08:45 2024 +0000
URL:        https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=0a55b7da

dev-lang/python: update 2.7 patch for libressl-3.9

Signed-off-by: orbea <orbea <AT> riseup.net>

 dev-lang/python/files/python-2.7.18-libressl.patch | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/dev-lang/python/files/python-2.7.18-libressl.patch b/dev-lang/python/files/python-2.7.18-libressl.patch
index 2f74202..159d329 100644
--- a/dev-lang/python/files/python-2.7.18-libressl.patch
+++ b/dev-lang/python/files/python-2.7.18-libressl.patch
@@ -1,7 +1,6 @@
 https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/python/2.7/patches/patch-Modules__hashopenssl_c
 
-Index: Modules/_hashopenssl.c
---- a/Modules/_hashopenssl.c.orig
+--- a/Modules/_hashopenssl.c
 +++ b/Modules/_hashopenssl.c
 @@ -56,7 +56,8 @@
  #define _OPENSSL_SUPPORTS_SHA2
@@ -13,3 +12,15 @@ Index: Modules/_hashopenssl.c
  /* OpenSSL < 1.1.0 */
  #define EVP_MD_CTX_new EVP_MD_CTX_create
  #define EVP_MD_CTX_free EVP_MD_CTX_destroy
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -596,7 +596,9 @@
+     Py_INCREF(sslctx);
+ 
+     /* Make sure the SSL error state is initialized */
++#if !defined(LIBRESSL_VERSION_NUMBER) || (LIBRESSL_VERSION_NUMBER < 0x3090000fL)
+     (void) ERR_get_state();
++#endif
+     ERR_clear_error();
+ 
+     PySSL_BEGIN_ALLOW_THREADS
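Review bot: The new `Modules/_ssl.c` section has no explanation or provenance line, unlike the `_hashopenssl.c` section, which cites its OpenBSD ports source at the top of the file. With the `#if !defined(LIBRESSL_VERSION_NUMBER) || (LIBRESSL_VERSION_NUMBER < 0x3090000fL)` guard, the retained comment `/* Make sure the SSL error state is initialized */` describes a call that is compiled out on LibreSSL 3.9 and later. The per-thread error state is then presumably set up by `ERR_clear_error()` on the following line, and that assumption should be written down. I would add a description line above `--- a/Modules/_ssl.c`, for example `ERR_get_state() is not available with LibreSSL >= 3.9; ERR_clear_error() is relied on to initialise the error state.`, after confirming it against the LibreSSL 3.9 release notes. The enclosing function starts and ends outside the hunk.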



* [gentoo-commits] repo/proj/libressl:master commit in: dev-lang/python/files/
@ 2024-04-08 18:48 orbea
From: orbea @ 2024-04-08 18:48 UTC (permalink / raw
  To: gentoo-commits

commit:     88039b9003ccba108506a6219fb06353e977de72
Author:     orbea <orbea <AT> riseup <DOT> net>
AuthorDate: Mon Apr  8 18:30:29 2024 +0000
Commit:     orbea <orbea <AT> riseup <DOT> net>
CommitDate: Mon Apr  8 18:30:29 2024 +0000
URL:        https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=88039b90

dev-lang/python: update 3.10 libressl patch

From OpenBSD.

Signed-off-by: orbea <orbea <AT> riseup.net>

 dev-lang/python/files/python-3.10.3-libressl.patch | 101 ++++++++-------------
 1 file changed, 39 insertions(+), 62 deletions(-)

diff --git a/dev-lang/python/files/python-3.10.3-libressl.patch b/dev-lang/python/files/python-3.10.3-libressl.patch
index 68dd937..ebff9d4 100644
--- a/dev-lang/python/files/python-3.10.3-libressl.patch
+++ b/dev-lang/python/files/python-3.10.3-libressl.patch
@@ -1,83 +1,61 @@
-Neuter security level things for LibreSSL < 3.6.0
-
-diff --git a/Modules/_ssl.c b/Modules/_ssl.c
-index d11ec05..4cb9479 100644
---- a/Modules/_ssl.c
-+++ b/Modules/_ssl.c
-@@ -171,7 +171,15 @@ extern const SSL_METHOD *TLSv1_2_method(void);
-  * Based on Hynek's excellent blog post (update 2021-02-11)
-  * https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-  */
--  #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
-+
-+  // libssl can only parse @SECLEVEL annotations with LibreSSL 3.6.0 and later.
-+  #if defined(LIBRESSL_VERSION_NUMBER) && \
-+             (LIBRESSL_VERSION_NUMBER >= 0x03060000f)
-+    #define PY_SSL_DEFAULT_CIPHER_STRING "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
-+  #else
-+    #define PY_SSL_DEFAULT_CIPHER_STRING "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
-+  #endif
-+
-   #ifndef PY_SSL_MIN_PROTOCOL
-     #define PY_SSL_MIN_PROTOCOL TLS1_2_VERSION
-   #endif
-@@ -3584,6 +3592,16 @@ PyDoc_STRVAR(PySSLContext_num_tickets_doc,
- "Control the number of TLSv1.3 session tickets");
- #endif /* TLS1_3_VERSION */
-
-+// Fall back to security level 1 for LibreSSL < 3.6.0
-+#if defined(LIBRESSL_VERSION_NUMBER) && \
-+           (LIBRESSL_VERSION_NUMBER < 0x03060000f)
-+static int
-+SSL_CTX_get_security_level(const SSL_CTX *ctx)
-+{
-+    return 1;
-+}
-+#endif
-+
- static PyObject *
- get_security_level(PySSLContext *self, void *c)
- {
-
-Fix for _hashopenssl module.
-https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/python/3.11/patches/patch-Modules__hashopenssl_c
+LibreSSL has NID_sha3_256 and NID_sha512_256 now, but it's simpler to
+handle -stable updates if we keep the patch until 7.4 is out.
 
 Index: Modules/_hashopenssl.c
 --- a/Modules/_hashopenssl.c.orig
 +++ b/Modules/_hashopenssl.c
-@@ -45,11 +45,6 @@
-
+@@ -45,10 +45,18 @@
+ 
  #define MUNCH_SIZE INT_MAX
-
--#define PY_OPENSSL_HAS_SCRYPT 1
--#define PY_OPENSSL_HAS_SHA3 1
--#define PY_OPENSSL_HAS_SHAKE 1
--#define PY_OPENSSL_HAS_BLAKE2 1
--
+ 
++#ifdef NID_id_scrypt
+ #define PY_OPENSSL_HAS_SCRYPT 1
++#endif
++#ifdef NID_sha3_256
+ #define PY_OPENSSL_HAS_SHA3 1
++#endif
++#ifdef NID_shake256
+ #define PY_OPENSSL_HAS_SHAKE 1
++#endif
++#ifdef NID_blake2s256
+ #define PY_OPENSSL_HAS_BLAKE2 1
++#endif
+ 
  #if OPENSSL_VERSION_NUMBER >= 0x30000000L
  #define PY_EVP_MD EVP_MD
- #define PY_EVP_MD_fetch(algorithm, properties) EVP_MD_fetch(NULL, algorithm, properties)
-@@ -119,6 +114,7 @@ static const py_hashentry_t py_hashes[] = {
-     PY_HASH_ENTRY(Py_hash_sha256, "SHA256", SN_sha256, NID_sha256),
+@@ -120,19 +128,27 @@ static const py_hashentry_t py_hashes[] = {
      PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384),
      PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512),
-+#if !defined(LIBRESSL_VERSION_NUMBER)
      /* truncated sha2 */
++#ifdef NID_sha512_256
      PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224, NID_sha512_224),
      PY_HASH_ENTRY(Py_hash_sha512_256, "SHA512_256", SN_sha512_256, NID_sha512_256),
-@@ -133,6 +129,7 @@ static const py_hashentry_t py_hashes[] = {
++#endif
+     /* sha3 */
++#ifdef PY_OPENSSL_HAS_SHA3
+     PY_HASH_ENTRY(Py_hash_sha3_224, NULL, SN_sha3_224, NID_sha3_224),
+     PY_HASH_ENTRY(Py_hash_sha3_256, NULL, SN_sha3_256, NID_sha3_256),
+     PY_HASH_ENTRY(Py_hash_sha3_384, NULL, SN_sha3_384, NID_sha3_384),
+     PY_HASH_ENTRY(Py_hash_sha3_512, NULL, SN_sha3_512, NID_sha3_512),
++#endif
+     /* sha3 shake */
++#ifdef PY_OPENSSL_HAS_SHAKE
+     PY_HASH_ENTRY(Py_hash_shake_128, NULL, SN_shake128, NID_shake128),
+     PY_HASH_ENTRY(Py_hash_shake_256, NULL, SN_shake256, NID_shake256),
++#endif
      /* blake2 digest */
++#ifdef PY_OPENSSL_HAS_BLAKE2
      PY_HASH_ENTRY(Py_hash_blake2s, "blake2s256", SN_blake2s256, NID_blake2s256),
      PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", SN_blake2b512, NID_blake2b512),
 +#endif
      PY_HASH_ENTRY(NULL, NULL, NULL, 0),
  };
-
-@@ -873,11 +870,15 @@ py_evp_fromname(PyObject *module, const char *digestna
+ 
+@@ -873,11 +889,15 @@ py_evp_fromname(PyObject *module, const char *digestna
          goto exit;
      }
-
-+#if defined(LIBRESSL_VERSION_NUMBER)
+ 
++#ifndef EVP_MD_FLAG_XOF
 +    type = get_hashlib_state(module)->EVPtype;
 +#else
      if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) {
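Review bot: `PY_OPENSSL_HAS_SHAKE` is now keyed on `NID_shake256`, while the XOF type selection in `py_evp_fromname` is keyed separately on `EVP_MD_FLAG_XOF`, so a libcrypto that ships the SHAKE NIDs without that flag would list the SHAKE entries in `py_hashes` and still hand back the fixed-length `EVPtype` for them. Whether any LibreSSL release is in that state is not visible here, but the result would be a SHAKE object without the variable-length digest interface instead of a clean "unsupported hash" error. Tying the two tests together avoids it: `#if defined(NID_shake256) && defined(EVP_MD_FLAG_XOF)` around `#define PY_OPENSSL_HAS_SHAKE 1`. The same hunk gates pairs of entries on a single NID (`NID_sha512_256` for both truncated SHA-2 entries, `NID_blake2s256` for both BLAKE2 entries), which holds only while those NIDs are introduced together. `py_evp_fromname` continues past the end of this hunk.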
@@ -86,7 +64,6 @@ Index: Modules/_hashopenssl.c
          type = get_hashlib_state(module)->EVPtype;
      }
 +#endif
-
+ 
      self = newEVPobject(type);
      if (self == NULL) {
-

