authorCharlie Li <vishwin@FreeBSD.org>2021-10-03 14:29:20 +0000
committerCharlie Li <vishwin@FreeBSD.org>2021-10-05 14:41:10 +0000
commit929ee09863ac5d39c67651314006375ff5f2549c (patch)
treede2ac22d2557a3b74417568906086bb63915aa72 /security
parentd87c3f0fa85c9e3e5aa4d089439abc61007a59d1 (diff)
security/py-cryptography: support LibreSSL 3.4.0
Merged upstream as https://github.com/pyca/cryptography/pull/6360 and backported to this version. While here, remove remaining FreeBSD 11 cruft.

Approved by: fluffy (mentor), koobs (implicit: MAINTAINER_POLICY)
Differential Revision: https://reviews.freebsd.org/D32281
(cherry picked from commit 5b57210d0d0a7d74c9f8b4895907b34f2f34473d)
Diffstat (limited to 'security')
-rw-r--r--security/py-cryptography/Makefile14
-rw-r--r--security/py-cryptography/distinfo2
-rw-r--r--security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py26
-rw-r--r--security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py29
-rw-r--r--security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py32
-rw-r--r--security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988 (renamed from security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988)0
-rw-r--r--security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-636098
7 files changed, 98 insertions, 103 deletions
diff --git a/security/py-cryptography/Makefile b/security/py-cryptography/Makefile
index 18d7c316f41d..daf7f3a4d732 100644
--- a/security/py-cryptography/Makefile
+++ b/security/py-cryptography/Makefile
@@ -35,20 +35,6 @@ TEST_ENV= PYTHONPATH=${STAGEDIR}${PYTHONPREFIX_SITELIBDIR}
.include <bsd.port.pre.mk>
-# OpenSSL 1.0.2t got some curve matching parameter code backported before it
-# has reached its End-of-Life and security/py-cryptography already had some
-# code to handle this case, but it assumed OpenSSL 1.1.0+ .
-#
-# This has been fixed in 3.0-23-g241f8450 of security/py-cryptography and to be
-# clear: It isn't a security fix but rather a workaround to handle unnamed but
-# really named curves with OpenSSL 1.0.2t/u .
-
-# We need to keep old py-cryptography and py-openssl for 11.x release
-# due to outdated OpenSSL version in base
-
-# Apply LibreSSL upstream patch that conflicts with above patch for 2.9.2
-EXTRA_PATCHES= ${PATCHDIR}/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988
-
.if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42
post-patch:
@${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' \
diff --git a/security/py-cryptography/distinfo b/security/py-cryptography/distinfo
index d7062e6364f6..a2ec74471294 100644
--- a/security/py-cryptography/distinfo
+++ b/security/py-cryptography/distinfo
@@ -1,5 +1,3 @@
TIMESTAMP = 1614253508
-SHA256 (cryptography-2.9.2.tar.gz) = a0c30272fb4ddda5f5ffc1089d7405b7a71b0b0f51993cb4e5dbb4590b2fc229
-SIZE (cryptography-2.9.2.tar.gz) = 517571
SHA256 (cryptography-3.3.2.tar.gz) = 5a60d3780149e13b7a6ff7ad6526b38846354d11a15e21068e57073e29e19bed
SIZE (cryptography-3.3.2.tar.gz) = 539883
diff --git a/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py b/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py
deleted file mode 100644
index bf5d425142e6..000000000000
--- a/security/py-cryptography/files/openssl102u/patch-src___cffi__src_openssl_cryptography.py
+++ /dev/null
@@ -1,26 +0,0 @@
-Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
-
-PR #5362
-
-Obtained from:
-https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
-
---- src/_cffi_src/openssl/cryptography.py.orig 2020-04-22 22:27:48 UTC
-+++ src/_cffi_src/openssl/cryptography.py
-@@ -47,6 +47,8 @@ INCLUDES = """
- (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL)
- #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
- (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
-+#define CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER \
-+ (OPENSSL_VERSION_NUMBER >= 0x1000215fL && !CRYPTOGRAPHY_IS_LIBRESSL)
- #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
- (OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
- #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
-@@ -68,6 +70,7 @@ INCLUDES = """
-
- TYPES = """
- static const int CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER;
-+static const int CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER;
- static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
- static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
-
diff --git a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py
deleted file mode 100644
index fc9701242a42..000000000000
--- a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_backend.py
+++ /dev/null
@@ -1,29 +0,0 @@
-Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
-
-PR #5362
-
-Obtained from:
-https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
-
---- src/cryptography/hazmat/backends/openssl/backend.py.orig 2020-04-22 22:27:48 UTC
-+++ src/cryptography/hazmat/backends/openssl/backend.py
-@@ -1515,8 +1515,19 @@ class Backend(object):
-
- def _ec_key_new_by_curve(self, curve):
- curve_nid = self._elliptic_curve_to_nid(curve)
-+ return self._ec_key_new_by_curve_nid(curve_nid)
-+
-+ def _ec_key_new_by_curve_nid(self, curve_nid):
- ec_cdata = self._lib.EC_KEY_new_by_curve_name(curve_nid)
- self.openssl_assert(ec_cdata != self._ffi.NULL)
-+ # Setting the ASN.1 flag to OPENSSL_EC_NAMED_CURVE is
-+ # only necessary on OpenSSL 1.0.2t/u. Once we drop support for 1.0.2
-+ # we can remove this as it's done automatically when getting an EC_KEY
-+ # from new_by_curve_name
-+ # CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER
-+ self._lib.EC_KEY_set_asn1_flag(
-+ ec_cdata, backend._lib.OPENSSL_EC_NAMED_CURVE
-+ )
- return self._ffi.gc(ec_cdata, self._lib.EC_KEY_free)
-
- def load_der_ocsp_request(self, data):
diff --git a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py b/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py
deleted file mode 100644
index 4c155c1d7b2d..000000000000
--- a/security/py-cryptography/files/openssl102u/patch-src_cryptography_hazmat_backends_openssl_ec.py
+++ /dev/null
@@ -1,32 +0,0 @@
-Workaround for OpenSSL 1.0.2t/u to handle unnamed but really named curves
-
-PR #5362
-
-Obtained from:
-https://github.com/pyca/cryptography/commit/241f845071a8747d0986ed60575e28840f096b79
-
---- src/cryptography/hazmat/backends/openssl/ec.py.orig 2020-04-22 22:26:51 UTC
-+++ src/cryptography/hazmat/backends/openssl/ec.py
-@@ -42,7 +42,7 @@ def _ec_key_curve_sn(backend, ec_key):
- # explicitly encoded a curve with the same parameters as a named curve.
- # Don't do that.
- if (
-- backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and
-+ backend._lib.CRYPTOGRAPHY_OPENSSL_102U_OR_GREATER and
- backend._lib.EC_GROUP_get_asn1_flag(group) == 0
- ):
- raise NotImplementedError(
-@@ -195,12 +195,7 @@ class _EllipticCurvePrivateKey(object):
- self._backend.openssl_assert(group != self._backend._ffi.NULL)
-
- curve_nid = self._backend._lib.EC_GROUP_get_curve_name(group)
--
-- public_ec_key = self._backend._lib.EC_KEY_new_by_curve_name(curve_nid)
-- self._backend.openssl_assert(public_ec_key != self._backend._ffi.NULL)
-- public_ec_key = self._backend._ffi.gc(
-- public_ec_key, self._backend._lib.EC_KEY_free
-- )
-+ public_ec_key = self._backend._ec_key_new_by_curve_nid(curve_nid)
-
- point = self._backend._lib.EC_KEY_get0_public_key(self._ec_key)
- self._backend.openssl_assert(point != self._backend._ffi.NULL)
diff --git a/security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988 b/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
index deb9c6408832..deb9c6408832 100644
--- a/security/py-cryptography/files/extra-patch-Fix-build-with-LibreSSL-3.3.2-5988
+++ b/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
diff --git a/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
new file mode 100644
index 000000000000..a8bb6dc6da43
--- /dev/null
+++ b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
@@ -0,0 +1,98 @@
+From 7a341a5d3cb9380e77b0241b5198373ab6fc355e Mon Sep 17 00:00:00 2001
+From: Charlie Li <vishwin@users.noreply.github.com>
+Date: Sun, 3 Oct 2021 00:20:31 -0400
+Subject: [PATCH] Support LibreSSL 3.4.0 (#6360)
+
+* Add LibreSSL 3.4.0 to CI
+
+* Add a LibreSSL 3.4.0 guard
+
+Since LibreSSL 3.4.0 makes most of the TLSv1.3 API available, redefine CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 to LibreSSL versions below 3.4.0.
+
+* DTLS_get_data_mtu does not exist in LibreSSL
+
+* Only EVP_Digest{Sign,Verify} exist in LibreSSL 3.4.0+
+
+* SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL
+
+* Do not pollute CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 with LibreSSL
+
+While LibreSSL 3.4.0 supports more of TLSv1.3 API, the guard redefinition caused the X448 tests to run when not intended.
+---
+ .github/workflows/ci.yml | 6 ++++--
+ src/_cffi_src/openssl/cryptography.py | 3 +++
+ src/_cffi_src/openssl/evp.py | 15 ++++++++++-----
+ src/_cffi_src/openssl/ssl.py | 3 ++-
+ 4 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
+index 878d22d8..821ddc9f 100644
+--- src/_cffi_src/openssl/cryptography.py
++++ src/_cffi_src/openssl/cryptography.py
+@@ -36,8 +36,11 @@ INCLUDES = """
+ #if CRYPTOGRAPHY_IS_LIBRESSL
+ #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
+ (LIBRESSL_VERSION_NUMBER < 0x3030200f)
++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 \
++ (LIBRESSL_VERSION_NUMBER < 0x3040000f)
+ #else
+ #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0)
+ #endif
+
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+diff --git src/_cffi_src/openssl/evp.py src/_cffi_src/openssl/evp.py
+index ab7cfeb3..cad3339a 100644
+--- src/_cffi_src/openssl/evp.py
++++ src/_cffi_src/openssl/evp.py
+@@ -203,15 +203,21 @@ int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *,
+ size_t) = NULL;
+ #endif
+
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
++ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
+-static const long Cryptography_HAS_RAW_KEY = 0;
+-static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
+-int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
+ int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,
+ const unsigned char *tbs, size_t) = NULL;
+ int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t,
+ const unsigned char *, size_t) = NULL;
++#else
++static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
++#endif
++
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
++static const long Cryptography_HAS_RAW_KEY = 0;
++static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
++int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
+ EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *,
+ size_t) = NULL;
+ EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *,
+@@ -221,7 +227,6 @@ int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *,
+ int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *,
+ size_t *) = NULL;
+ #else
+-static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
+ static const long Cryptography_HAS_RAW_KEY = 1;
+ static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1;
+ #endif
+diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
+index ca275e91..0830a463 100644
+--- src/_cffi_src/openssl/ssl.py
++++ src/_cffi_src/openssl/ssl.py
+@@ -678,7 +678,8 @@ int (*SSL_set_tlsext_use_srtp)(SSL *, const char *) = NULL;
+ SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL;
+ #endif
+
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
++ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ static const long Cryptography_HAS_TLSv1_3 = 0;
+ static const long SSL_OP_NO_TLSv1_3 = 0;
+ static const long SSL_VERIFY_POST_HANDSHAKE = 0;
+--
+2.32.0
+
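Review bot: The header of the embedded patch (`.github/workflows/ci.yml | 6 ++++--` and `4 files changed, 19 insertions(+), 8 deletions(-)`) does not match the hunks that follow: only cryptography.py, evp.py and ssl.py are carried, totalling 15 insertions and 6 deletions, so the ci.yml hunk was dropped in the backport without the summary being adjusted. The bullets `* DTLS_get_data_mtu does not exist in LibreSSL` and `* SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL` likewise describe changes that have no corresponding hunk here; if the 3.3.2 ssl.py never gates those symbols behind CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 this is harmless, but if it does, a build against LibreSSL 3.4.0 would now reach the `#else` branch and fail on them, which is worth confirming before relying on the new guard. I would either regenerate the diffstat for the three files actually present or add a line under the Subject such as `Backported to 3.3.2: the ci.yml, DTLS_get_data_mtu and keylog-callback hunks of #6360 are omitted.` so the next maintainer does not look for hunks that are not there.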