python27: problem at packaging stage

Hmm, so far no luck with security/py-cryptography. I patched, got /usr/ports/security/py-cryptography/files/patch-src___cffi__src_openssl_x509.py, ran make clean, make distclean and make install, and got the same errors as above. Checking /var/ports/usr/ports/security/py-cryptography/work-py27/cryptography-2.1.4/src/_cffi_src/openssl/x509.py, the patches (below) are applied. Just to double-check, mv files files.old followed by make clean, make distclean and make install results in the same build errors (above), but checking /var/ports/usr/ports/security/py-cryptography/work-py27/cryptography-2.1.4/src/_cffi_src/openssl/x509.py the patches are not applied (as expected, meaning the patch was correctly applied the first time but did not clear the errors).

The patch file contains

Code:
--- src/_cffi_src/openssl/x509.py.orig  2017-11-30 01:53:32 UTC
+++ src/_cffi_src/openssl/x509.py
@@ -255,8 +255,7 @@ int X509_get_signature_nid(const X509 *)

const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *);

-/* in 1.1.0 becomes const ASN1_BIT_STRING, const X509_ALGOR */
-void X509_get0_signature(ASN1_BIT_STRING **, X509_ALGOR **, X509 *);
+void X509_get0_signature(const ASN1_BIT_STRING **, const X509_ALGOR **, const X509 *);

long X509_get_version(X509 *);

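Review bot: the cdef now declares the 1.1.0/LibreSSL 2.7 const prototype for every backend, but the fallback definition in the next hunk of this same file keeps the old `ASN1_BIT_STRING **psig, X509_ALGOR **palg` parameter types, so on a build that uses that fallback the cffi-generated call passes `const` double pointers to a non-const function and the compiler will at least warn about discarded qualifiers. Either make the fallback's parameter types match the cdef, or keep a one-line comment in place of the deleted one saying the const declaration is deliberate, and check an OpenSSL 1.0.x build log for the warning.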
@@ -339,7 +338,8 @@ void X509_REQ_get0_signature(const X509_
CUSTOMIZATIONS = """
/* Added in 1.0.2 beta but we need it in all versions now due to the great
    opaquing. */
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && \
+    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
/* from x509/x_x509.c version 1.0.2 */
void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
                          const X509 *x)
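Review bot: the new condition excludes plain OpenSSL: it requires `defined(LIBRESSL_VERSION_NUMBER)`, so the fallback `X509_get0_signature` is now compiled only for LibreSSL older than 2.7 and no longer for OpenSSL 1.0.1, where `CRYPTOGRAPHY_OPENSSL_LESS_THAN_102` is also true and the library has no such function either. The intent reads as "still lacks the function", which is `#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL)`.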
@@ -383,9 +383,11 @@ X509_REVOKED *Cryptography_X509_REVOKED_
    opaquing. */
#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110

+#if (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)
int X509_up_ref(X509 *x) {
    return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
}
+#endif

const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
{
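Review bot: same inversion as the previous hunk: guarding `X509_up_ref` with `defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL` removes the fallback from every non-LibreSSL build under `CRYPTOGRAPHY_OPENSSL_LESS_THAN_110`, although OpenSSL 1.0.x has no `X509_up_ref` either; write it as `#if !(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL)`. Also check whether the `X509_get0_tbs_sigalg` definition that follows, which the hunk leaves unguarded, collides with LibreSSL 2.7 in the same way, since the first hunk's cdef declares it as a library function.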

Stuck pending further guidance on this one. I might try patching the other x509.py locations just to see if that helps tomorrow.
 
Talsamon - without the patches applied? I just tried with this patch: https://bugs.freebsd.org/bugzilla/a...ty/py-cryptography/files/patch-issue4210_sec1

which generated, after make makepatch:
Code:
patch-src___cffi__src_openssl_crypto.py        patch-src___cffi__src_openssl_ct.py        patch-src___cffi__src_openssl_x509.py
patch-src___cffi__src_openssl_cryptography.py    patch-src___cffi__src_openssl_ssl.py

which resulted in a whole other set of errors. But if commenting out OpenSSL references is enough, that's much easier. Switching SSL providers back to OpenSSL is something I'd rather not contemplate...
 
I got security/py-cryptography to build. I commented out
Code:
CFLAGS+=       -I${OPENSSLINC}
LDFLAGS+=      -L${OPENSSLLIB}
in the Makefile.
This is not a solution. While it builds the port is not in a usable state afterwards. The lines are there to prevent it from picking up base OpenSSL headers. You can't even import basic things if it's compiled without them:
Code:
Python 2.7.14 (default, Apr 30 2018, 12:19:27)
[GCC 4.2.1 Compatible FreeBSD Clang 6.0.0 (branches/release_60 325932)] on freebsd12
Type "help", "copyright", "credits" or "license" for more information.
>>> import cryptography.hazmat.backends.openssl.backend
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/usr/local/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 54, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/usr/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 13, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /usr/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so: Undefined symbol "d2i_DHxparams"
>>>
d2i_DHxparams is a function that LibreSSL does not provide.
 
Here are my issues with LibreSSL 2.7.2+ and a current ports tree

dns/bind-tools - patch in PR 226903 worked

lang/ruby24 - failed, haven't started messing with it yet

security/py-cryptography patches HERE WORKED (update) for me

www/apache24 - patches should be applied, port builds without errors, but I get /usr/local/libexec/apache24/mod_ssl.so: Undefined symbol "OPENSSL_malloc_init" and apache24 won't start (in progress)

databases/mysql56-server - should be an issue, but I haven't got that far yet.

I had problems with postgresql95-server-9.5.12, openssh-portable-7.7.p1_1,1 and amavisd-new-2.11.0_2,1, but those were all resolved without explicit attention through incremental port builds and seem OK now.
 
I'll try the ruby patch later tonight. The py-crypto patch seems to be actively under dev. It may have some issues with my build environment. If you get it to work successfully, LMK and perhaps between us we can narrow down what's causing me grief.
 
The last py-cryptography patch is supposed to be the last one before it is committed. The previous one needed to be reworked due to breaking openssl-devel, not related to LibreSSL. That is supposed to be upstreamed.
 
security/py-cryptography patch file from attachment 192933 of PR 226906 works fine. In moving it from web to GUI workstation to server, I borked a line and it wasn't patching right.

Process (just FYI) and the patch file that worked for me are attached; py36 will have slightly different paths. The same patch should work for both. Sorry I can't test py36.
  • cd /usr/ports/security/py-cryptography
  • make clean && make distclean && make install
  • cd /var/ports/usr/ports/security/py-cryptography/work-py27/cryptography-2.1.4/src/_cffi_src/openssl
  • patch -C < path.to.patch/py-cryptography27-PR226906-A192933.patch
  • check output for any errors (important :))
  • patch < path.to.patch/py-cryptography27-PR226906-A192933.patch
  • cd /usr/ports/security/py-cryptography
  • mkdir -p files
  • make makepatch
  • make deinstall && make reinstall (or just use portmaster)
 

Attachments

  • py-cryptography27-PR226906-A192933.patch.txt (7.9 KB)
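The procedure above (dry-run the patch, read the output, apply, rebuild) and the `Undefined symbol "d2i_DHxparams"` failure earlier in the thread both come down to checks that can be scripted so they are not skipped. The following POSIX sh is an added example, not code from this thread, the FreeBSD ports tree or the cryptography project; the source directory, diff, module and library paths it takes are arguments you supply, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from this thread, the FreeBSD ports tree or the
# cryptography project. It scripts the two checks the thread does by hand:
#   1. did the patch really apply?                  patch_output_ok, apply_checked
#   2. does the built module resolve every symbol
#      against the SSL library it was meant to use? missing_symbols, check_shared_object
# Every path and library name is a caller-supplied argument (assumed, not port-specific).
set -u
export LC_ALL=C   # sort(1) and comm(1) must agree on collation

# Return 0 only if patch(1) output shows every hunk landed. patch already exits
# non-zero on a FAILED hunk, but "Reversed (or previously applied)" and
# "can't find file" also leave a tree that is not what the author intended.
patch_output_ok() {
    case $1 in
        *FAILED*|*"previously applied"*|*"can't find file"*|*malformed*) return 1 ;;
    esac
    return 0
}

# Dry-run the diff first (BSD patch: -C, GNU patch: --dry-run) and apply it
# only when the dry run is clean: the "check output for any errors" step
# above, made impossible to skip.
apply_checked() {
    srcdir=$1 diff=$2
    if patch --version 2>/dev/null | grep -q GNU; then dry=--dry-run; else dry=-C; fi
    if out=$(patch $dry -p0 -d "$srcdir" < "$diff" 2>&1) && patch_output_ok "$out"; then
        patch -p0 -d "$srcdir" < "$diff"
    else
        printf 'dry run of %s failed:\n%s\n' "$diff" "$out" >&2
        return 1
    fi
}

# Print the names in the needed-list (file, one symbol per line) that are
# absent from the provided-list (same format); return 1 if there are any.
missing_symbols() {
    need=$(mktemp -t symneed.XXXXXX) have=$(mktemp -t symhave.XXXXXX)
    sort -u "$1" > "$need"
    sort -u "$2" > "$have"
    missing=$(comm -23 "$need" "$have")
    rm -f "$need" "$have"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Undefined dynamic symbols of a module minus what its libraries export.
# Pass every library ldd(1) lists for the module, e.g.
#   check_shared_object _openssl.so /usr/local/lib/libcrypto.so /usr/local/lib/libssl.so /lib/libc.so.7
# On the failing build shown earlier in the thread this prints d2i_DHxparams,
# which is the moment to stop, not after the import fails on the server.
check_shared_object() {
    so=$1; shift
    undef=$(mktemp -t symundef.XXXXXX) exports=$(mktemp -t symexp.XXXXXX)
    nm -D -u "$so" | awk '{print $NF}' | sed 's/@.*//' > "$undef"
    for lib in "$@"; do
        nm -D --defined-only "$lib" | awk '{print $NF}' | sed 's/@.*//'
    done > "$exports"
    missing_symbols "$undef" "$exports"
    rc=$?
    rm -f "$undef" "$exports"
    return $rc
}
```

Run `apply_checked` against the work directory before `make makepatch`, and `check_shared_object` against the installed `_openssl.so` after `make reinstall`; a non-empty symbol list means the build linked against headers from one library and a shared object from another, which is exactly what the commented-out CFLAGS/LDFLAGS lines were protecting against.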
lang/ruby24 patch works (also for lang/ruby25) apply in /var/ports/usr/ports/lang/ruby24/work/ruby-2.4.4/ext/openssl/ (as above)

dns/bind-tools patch works (also for dns/bind9*) apply in /var/ports/usr/ports/dns/bind-tools/work/bind-9.12.1/lib/dns/ (as above)

The patches I used are below, but check the LibreSSL wiki for updates.


ruby-PR226852-A1920101.patch
Diff:
--- ext/openssl/extconf.rb.orig    2018-04-02 09:57:14 UTC
+++ ext/openssl/extconf.rb
@@ -122,8 +122,11 @@ OpenSSL.check_func_or_macro("SSL_get_ser
 have_func("SSL_is_server")
 
 # added in 1.1.0
+if !have_struct_member("SSL", "ctx", "openssl/ssl.h") ||
+    try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h")
+  $defs.push("-DHAVE_OPAQUE_OPENSSL")
+end
 have_func("CRYPTO_lock") || $defs.push("-DHAVE_OPENSSL_110_THREADING_API")
-have_struct_member("SSL", "ctx", "openssl/ssl.h") || $defs.push("-DHAVE_OPAQUE_OPENSSL")
 have_func("BN_GENCB_new")
 have_func("BN_GENCB_free")
 have_func("BN_GENCB_get_arg")
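Review bot: `try_static_assert("LIBRESSL_VERSION_NUMBER >= 0x2070000fL", "openssl/opensslv.h")` evaluates to false on plain OpenSSL only because the undefined identifier makes the test program fail to compile; that works, but deserves a comment or an explicit `have_macro("LIBRESSL_VERSION_NUMBER", "openssl/opensslv.h")` guard so the next reader does not take it for a bug. The `# added in 1.1.0` comment now sits above an `if` that is also about LibreSSL 2.7; say so there, since this is the single place that decides `HAVE_OPAQUE_OPENSSL` for every `#if !defined(HAVE_OPAQUE_OPENSSL)` in openssl_missing.h.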


--- ext/openssl/openssl_missing.h.orig    2018-03-22 19:37:19 UTC
+++ ext/openssl/openssl_missing.h
@@ -72,6 +72,9 @@ void ossl_HMAC_CTX_free(HMAC_CTX *);
 #if !defined(HAVE_X509_STORE_SET_EX_DATA)
 #  define X509_STORE_set_ex_data(x, idx, data) \
     CRYPTO_set_ex_data(&(x)->ex_data, (idx), (data))
+#endif
+
+#if !defined(HAVE_X509_STORE_GET_EX_NEW_INDEX)
 #  define X509_STORE_get_ex_new_index(l, p, newf, dupf, freef) \
     CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE, (l), (p), \
                 (newf), (dupf), (freef))
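Review bot: the new `HAVE_X509_STORE_GET_EX_NEW_INDEX` guard only does something if extconf.rb defines that macro, via `have_func("X509_STORE_get_ex_new_index", ...)` or `OpenSSL.check_func_or_macro`, since OpenSSL 1.1 provides it as a macro rather than a function; the extconf.rb hunk above adds no such check, so unless one already exists this compat `#define` is emitted unconditionally and redefines the header's own macro on libraries that have it.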
@@ -145,6 +148,7 @@ void ossl_X509_REQ_get0_signature(const
 #endif
 
 #if !defined(HAVE_OPAQUE_OPENSSL)
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL
 #define IMPL_PKEY_GETTER(_type, _name) \
 static inline _type *EVP_PKEY_get0_##_type(EVP_PKEY *pkey) { \
     return pkey->pkey._name; }
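Review bot: this inner guard has the same inverted sense as the py-cryptography patch earlier in the thread: `defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL` is false on plain OpenSSL, so the `EVP_PKEY_get0_*` getters disappear from every OpenSSL 1.0.x build that reaches this `#if !defined(HAVE_OPAQUE_OPENSSL)` block. With the extconf.rb change defining `HAVE_OPAQUE_OPENSSL` for LibreSSL >= 2.7, the outer guard already skips the block there, so either drop the inner `#if` or write it as `#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL`.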
@@ -196,6 +200,7 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
 #undef IMPL_PKEY_GETTER
 #undef IMPL_KEY_ACCESSOR2
 #undef IMPL_KEY_ACCESSOR3
+#endif
 #endif /* HAVE_OPAQUE_OPENSSL */
 
 #if !defined(EVP_CTRL_AEAD_GET_TAG)
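Review bot: the added `#endif` closes a guard opened some fifty lines earlier and sits directly above `#endif /* HAVE_OPAQUE_OPENSSL */`; give it a matching trailing comment (for example `#endif /* LIBRESSL_VERSION_NUMBER < 0x2070000fL */`) so the nesting can be read without scrolling back.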

bind-PR226903-A191794.patch
Diff:
--- lib/dns/openssldh_link.c.orig       2018-03-25 00:15:52 UTC
+++ lib/dns/openssldh_link.c
@@ -69,7 +69,7 @@ static isc_result_t openssldh_todns(cons

 static BIGNUM *bn2, *bn768, *bn1024, *bn1536;

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L )
 /*
  * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg
  * are from OpenSSL 1.1.0.
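Review bot: the condition is right for LibreSSL (its `OPENSSL_VERSION_NUMBER` is not below 0x10100000L, so only the second clause decides, and `0x20700000L` correctly excludes 2.7.0), but the same expression is repeated verbatim in the three hunks below for openssldsa_link.c, opensslecdsa_link.c and opensslrsa_link.c; define it once in a shared header (for example `#define DST_NEED_OPENSSL11_COMPAT (...)`, a suggested name) so the four copies cannot drift. Note also that this patch writes the cut-off as `0x20700000L` while the other patches in this thread use `0x2070000fL`; both exclude 2.7.0, but pick one form.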
--- lib/dns/openssldsa_link.c.orig      2018-03-25 00:16:57 UTC
+++ lib/dns/openssldsa_link.c
@@ -49,7 +49,7 @@

 static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L )
 static void
 DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
             const BIGNUM **g)
--- lib/dns/opensslecdsa_link.c.orig    2018-03-25 00:17:52 UTC
+++ lib/dns/opensslecdsa_link.c
@@ -42,7 +42,7 @@

 #define DST_RET(a) {ret = a; goto err;}

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L )
 /* From OpenSSL 1.1 */
 static void
 ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
--- lib/dns/opensslrsa_link.c.orig      2018-03-25 00:18:28 UTC
+++ lib/dns/opensslrsa_link.c
@@ -121,7 +121,7 @@
 #endif
 #define DST_RET(a) {ret = a; goto err;}

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || ( defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L )
 /* From OpenSSL 1.1.0 */
 static int
 RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
 
Sorry, I was too fast, and did not check this.
 