authorKubilay Kocak <koobs@FreeBSD.org>2020-12-04 11:31:22 +0000
committerKubilay Kocak <koobs@FreeBSD.org>2020-12-04 11:31:22 +0000
commit596ccde11954fac17e71343b637c0d3b8f9b24d9 (patch)
tree56d1a7b47359b6f0b9698ecdc5a82d2f409b9b7c /security/py-cryptography
parent9e88cb153b774d9a66238da546d835491c811daa (diff)
Notes
Diffstat (limited to 'security/py-cryptography')
-rw-r--r--security/py-cryptography/Makefile26
-rw-r--r--security/py-cryptography/distinfo6
-rw-r--r--security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py26
-rw-r--r--security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py29
-rw-r--r--security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py32
-rw-r--r--security/py-cryptography/files/patch-PR485549
6 files changed, 111 insertions, 57 deletions
diff --git a/security/py-cryptography/Makefile b/security/py-cryptography/Makefile
index ef219bb42bdd..c8322658c890 100644
--- a/security/py-cryptography/Makefile
+++ b/security/py-cryptography/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
PORTNAME= cryptography
-PORTVERSION= 2.6.1
+PORTVERSION= 2.9.2
CATEGORIES= security python
MASTER_SITES= CHEESESHOP
PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
@@ -16,8 +16,7 @@ LICENSE_FILE_APACHE20= ${WRKSRC}/LICENSE.APACHE
LICENSE_FILE_BSD3CLAUSE= ${WRKSRC}/LICENSE.BSD
BUILD_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR}
-RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}asn1crypto>=0.21.0:devel/py-asn1crypto@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} \
+RUN_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cffi>=1.8:devel/py-cffi@${PY_FLAVOR} \
${PY_ENUM34} \
${PY_IPADDRESS} \
${PYTHON_PKGNAMEPREFIX}six>=1.4.1:devel/py-six@${PY_FLAVOR}
@@ -28,15 +27,32 @@ TEST_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cryptography-vectors>=${PORTVERSION}:securi
${PYTHON_PKGNAMEPREFIX}pytest>=3.6.0:devel/py-pytest@${PY_FLAVOR} \
${PYTHON_PKGNAMEPREFIX}pytz>0:devel/py-pytz@${PY_FLAVOR}
-# Python 2.7, 3.4-3.7
+# Python 2.7, 3.5-3.8
USES= compiler:env python ssl
USE_PYTHON= autoplist concurrent distutils
CFLAGS+= -I${OPENSSLINC}
LDFLAGS+= -L${OPENSSLLIB}
+TEST_ENV= PYTHONPATH=${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}
+
.include <bsd.port.pre.mk>
+# OpenSSL 1.0.2t got some curve matching parameter code backported before it
+# has reached its End-of-Life and security/py-cryptography already had some
+# code to handle this case, but it assumed OpenSSL 1.1.0+ .
+#
+# This has been fixed in 3.0-23-g241f8450 of security/py-cryptography and to be
+# clear: It isn't a security fix but rather a workaround to handle unnamed but
+# really named curves with OpenSSL 1.0.2t/u .
+.if ${OPSYS} == FreeBSD && ${SSL_DEFAULT} == "base"
+. if ${OSVERSION} >= 1103500 && ${OSVERSION} < 1200085
+# 1103500 352193 2019-09-10 11.3-STABLE got OpenSSL 1.0.2t
+# 1200085 339270 2018-10-19 12.0-STABLE got OpenSSL 1.1.1
+EXTRA_PATCHES= ${PATCHDIR}/openssl102u
+. endif
+.endif
+
.if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42
post-patch:
@${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' \
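Review bot: The `.if ${OSVERSION} >= 1103500 && ${OSVERSION} < 1200085` window picks the workaround by OS version rather than by the OpenSSL that is actually linked, and it also covers 12.0 snapshots below 1200085, about which the two comment lines only say that 1.1.1 had not yet arrived. That looks harmless because the check patched into ec.py is gated on `CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER` at build time, but the Makefile should say so, e.g. `# Older 1.0.2 inside this range is fine: the patched check is gated on the OpenSSL version at build time`. Separately, `EXTRA_PATCHES= ${PATCHDIR}/openssl102u` would be safer as `EXTRA_PATCHES+= ${PATCHDIR}/openssl102u`, so that an earlier assignment is not silently dropped. The `post-patch` target that follows continues outside this hunk.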
@@ -47,6 +63,6 @@ post-install:
${STRIP_CMD} ${STAGEDIR}${PYTHON_SITELIBDIR}/cryptography/hazmat/bindings/*.so
do-test:
- @cd ${WRKSRC} && ${PYTHON_CMD} ${PYDISTUTILS_SETUP} test
+ @cd ${WRKSRC} && ${SETENV} ${TEST_ENV} ${PYTHON_CMD} -m pytest -q -v -rs -o addopts=
.include <bsd.port.post.mk>
diff --git a/security/py-cryptography/distinfo b/security/py-cryptography/distinfo
index bad171cc21b8..298e7118bfca 100644
--- a/security/py-cryptography/distinfo
+++ b/security/py-cryptography/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1551354433
-SHA256 (cryptography-2.6.1.tar.gz) = 26c821cbeb683facb966045e2064303029d572a87ee69ca5a1bf54bf55f93ca6
-SIZE (cryptography-2.6.1.tar.gz) = 491580
+TIMESTAMP = 1596263213
+SHA256 (cryptography-2.9.2.tar.gz) = a0c30272fb4ddda5f5ffc1089d7405b7a71b0b0f51993cb4e5dbb4590b2fc229
+SIZE (cryptography-2.9.2.tar.gz) = 517571
diff --git a/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py b/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py
new file mode 100644
index 000000000000..bf5d425142e6
--- /dev/null
+++ b/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py
@@ -0,0 +1,26 @@
+Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
+
+PR #5362
+
+Obtained from:
+https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
+
+--- src/_cffi_src/openssl/cryptography.py.orig 2020-04-22 22:27:48 UTC
++++ src/_cffi_src/openssl/cryptography.py
+@@ -47,6 +47,8 @@ INCLUDES = """
+ (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
++#define CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER \
++ (OPENSSL_VERSION_NUMBER >= 0x1000215fL && !CRYPTOGRAPHY_IS_LIBRESSL)
+ #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+@@ -68,6 +70,7 @@ INCLUDES = """
+
+ TYPES = """
+ static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
++static const int CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER;
+ static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
+ static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
+
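Review bot: The threshold in the added `CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER` define, `0x1000215fL`, does not match the "1.0.2t/u" wording in this patch's header and in the Makefile comment. Going by the neighbouring `102L` value `0x100020cf`, the patch byte `0x15` is the letter u, so a 1.0.2t library would report `0x1000214fL` and the macro would evaluate to 0 there. On such a base system the explicit-parameter check in `_ec_key_curve_sn`, which patch-src_cryptography_hazmat_backends_openssl_ec.py switches to this macro, would stay disabled while the ASN.1 flag is still set. If that is intended, the header line should state it, for example `The version-gated check applies from 1.0.2u; the ASN.1 flag is set unconditionally`.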
diff --git a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py
new file mode 100644
index 000000000000..fc9701242a42
--- /dev/null
+++ b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py
@@ -0,0 +1,29 @@
+Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
+
+PR #5362
+
+Obtained from:
+https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
+
+--- src/cryptography/hazmat/backends/openssl/backend.py.orig 2020-04-22 22:27:48 UTC
++++ src/cryptography/hazmat/backends/openssl/backend.py
+@@ -1515,8 +1515,19 @@ class Backend(object):
+
+ def _ec_key_new_by_curve(self, curve):
+ curve_nid = self._elliptic_curve_to_nid(curve)
++ return self._ec_key_new_by_curve_nid(curve_nid)
++
++ def _ec_key_new_by_curve_nid(self, curve_nid):
+ ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid)
+ self.openssl_assert(ec_cdata != self._ffi.NULL)
++ # Setting the ASN.1 flag to OPENSSL_EC_NAMED_CURVE is
++ # only necessary on OpenSSL 1.0.2t/u. Once we drop support for 1.0.2
++ # we can remove this as it's done automatically when getting an EC_KEY
++ # from new_by_curve_name
++ # CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER
++ self._lib.EC_KEY_set_asn1_flag(
++ ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE
++ )
+ return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
+
+ def load_der_ocsp_request(self, data):
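Review bot: The added `EC_KEY_set_asn1_flag` call reads its constant through `backend._lib.OPENSSL_EC_NAMED_CURVE`, while every other line of `_ec_key_new_by_curve_nid` goes through `self._lib`. `backend` is not defined anywhere in this hunk, so it presumably resolves to a module-level instance created elsewhere in backend.py; `self._lib.OPENSSL_EC_NAMED_CURVE` would keep the method independent of that global. The comment above the call also names `CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER` although the call is unconditional. A line such as `# Called unconditionally; per the note above newer OpenSSL already sets this flag` would remove the ambiguity.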
diff --git a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py
new file mode 100644
index 000000000000..4c155c1d7b2d
--- /dev/null
+++ b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py
@@ -0,0 +1,32 @@
+Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
+
+PR #5362
+
+Obtained from:
+https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
+
+--- src/cryptography/hazmat/backends/openssl/ec.py.orig 2020-04-22 22:26:51 UTC
++++ src/cryptography/hazmat/backends/openssl/ec.py
+@@ -42,7 +42,7 @@ def _ec_key_curve_sn(backend, ec_key):
+ # explicitly encoded a curve with the same parameters as a named curve.
+ # Don't do that.
+ if (
+- backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and
++ backend._lib.CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER and
+ backend._lib.EC_GROUP_get_asn1_flag(group) == 0
+ ):
+ raise NotImplementedError(
+@@ -195,12 +195,7 @@ class _EllipticCurvePrivateKey(object):
+ self._backend.openssl_assert(group != self._backend._ffi.NULL)
+
+ curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group)
+-
+- public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid)
+- self._backend.openssl_assert(public_ec_key != self._backend._ffi.NULL)
+- public_ec_key = self._backend._ffi.gc(
+- public_ec_key, self._backend._lib.EC_KEY_free
+- )
++ public_ec_key = self._backend._ec_key_new_by_curve_nid(curve_nid)
+
+ point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key)
+ self._backend.openssl_assert(point != self._backend._ffi.NULL)
diff --git a/security/py-cryptography/files/patch-PR4855 b/security/py-cryptography/files/patch-PR4855
deleted file mode 100644
index 63f02496c393..000000000000
--- a/security/py-cryptography/files/patch-PR4855
+++ /dev/null
@@ -1,49 +0,0 @@
-# security/py-cryptography fails to build with libressl-2.9.1
-# https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237487
-# Use generic DTLS functions added in LibreSSL 2.9.1
-# https://github.com/pyca/cryptography/pull/4855
-
-index 4124dcb879..ac32fdffde 100644
---- src/_cffi_src/openssl/cryptography.py.orig
-+++ src/_cffi_src/openssl/cryptography.py
-@@ -38,9 +38,12 @@
- (LIBRESSL_VERSION_NUMBER >= 0x2070000f)
- #define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER \
- (LIBRESSL_VERSION_NUMBER >= 0x2080000f)
-+#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER \
-+ (LIBRESSL_VERSION_NUMBER >= 0x2090100f)
- #else
- #define CRYPTOGRAPHY_LIBRESSL_27_OR_GREATER (0)
- #define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER (0)
-+#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER (0)
- #endif
-
- #define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \
-diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
-index 92fd1e3ec8..da21f3ce90 100644
---- src/_cffi_src/openssl/ssl.py.orig
-+++ src/_cffi_src/openssl/ssl.py
-@@ -719,17 +719,20 @@
- static const long TLS_ST_OK = 0;
- #endif
-
--#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
-+/* LibreSSL 2.9.1 added only the DTLS_*_method functions */
-+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER
- static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0;
- const SSL_METHOD *(*DTLS_method)(void) = NULL;
- const SSL_METHOD *(*DTLS_server_method)(void) = NULL;
- const SSL_METHOD *(*DTLS_client_method)(void) = NULL;
-+#else
-+static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1;
-+#endif
-+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102
- static const long SSL_OP_NO_DTLSv1 = 0;
- static const long SSL_OP_NO_DTLSv1_2 = 0;
- long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
- long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
--#else
--static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1;
- #endif
-
- static const long Cryptography_HAS_DTLS = 1;