Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
S
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
5
Merge Requests
5
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jérome Perrin
slapos
Commits
b13d20e9
Commit
b13d20e9
authored
May 04, 2024
by
Jérome Perrin
Browse files
Options
Browse Files
Download
Plain Diff
Merge remote-tracking branch 'upstream/master' into zope4py3
parents
840f6226
b5c45134
Changes
19
Show whitespace changes
Inline
Side-by-side
Showing
19 changed files
with
783 additions
and
46 deletions
+783
-46
component/kerberos/buildout.cfg
component/kerberos/buildout.cfg
+2
-3
component/mariadb/buildout.cfg
component/mariadb/buildout.cfg
+4
-0
component/mariadb/mariadb-10.4.32-openssl-3.0.patch
component/mariadb/mariadb-10.4.32-openssl-3.0.patch
+369
-0
component/nodejs/buildout.cfg
component/nodejs/buildout.cfg
+2
-0
component/open62541/buildout.cfg
component/open62541/buildout.cfg
+3
-2
component/openssl/buildout.cfg
component/openssl/buildout.cfg
+20
-8
component/openvpn/buildout.cfg
component/openvpn/buildout.cfg
+7
-3
component/proxysql/buildout.cfg
component/proxysql/buildout.cfg
+6
-10
component/python-cryptography/buildout.cfg
component/python-cryptography/buildout.cfg
+2
-0
component/python-cryptography/cryptography-3.3.2-openssl-3.0.patch
.../python-cryptography/cryptography-3.3.2-openssl-3.0.patch
+336
-0
component/qjs-wrapper/buildout.cfg
component/qjs-wrapper/buildout.cfg
+1
-1
software/fluentd/buildout.hash.cfg
software/fluentd/buildout.hash.cfg
+1
-1
software/fluentd/instance-input-schema.json
software/fluentd/instance-input-schema.json
+5
-4
software/fluentd/instance.cfg
software/fluentd/instance.cfg
+1
-1
software/fluentd/software.cfg.json
software/fluentd/software.cfg.json
+13
-0
software/fluentd/test/test.py
software/fluentd/test/test.py
+1
-1
software/js-drone/software-c-astral.cfg
software/js-drone/software-c-astral.cfg
+1
-1
software/osie-coupler/software.cfg
software/osie-coupler/software.cfg
+8
-10
stack/slapos.cfg
stack/slapos.cfg
+1
-1
No files found.
component/kerberos/buildout.cfg
View file @
b13d20e9
...
@@ -10,14 +10,13 @@ parts =
...
@@ -10,14 +10,13 @@ parts =
[kerberos]
[kerberos]
recipe = slapos.recipe.cmmi
recipe = slapos.recipe.cmmi
shared = true
shared = true
url = http
://web.mit.edu/kerberos/dist/krb5/1.19/krb5-1.19
.2.tar.gz
url = http
s://web.mit.edu/kerberos/dist/krb5/1.20/krb5-1.20
.2.tar.gz
md5sum =
eb51b7724111e1a458a8c9a261d45a31
md5sum =
7ac456e97c4959ebe5c836dc2f5aab2c
configure-command = src/configure
configure-command = src/configure
configure-options =
configure-options =
--prefix=@@LOCATION@@
--prefix=@@LOCATION@@
--with-ldap=no
--with-ldap=no
--without-readline
--without-readline
--without-tcl
--without-keyutils
--without-keyutils
environment =
environment =
PATH=${m4:location}/bin:${bison:location}/bin:%(PATH)s
PATH=${m4:location}/bin:${bison:location}/bin:%(PATH)s
...
...
component/mariadb/buildout.cfg
View file @
b13d20e9
...
@@ -103,6 +103,10 @@ patch-options = -p1
...
@@ -103,6 +103,10 @@ patch-options = -p1
patches =
patches =
https://sources.debian.org/data/main/m/mariadb-10.3/1:10.3.34-0+deb10u1/debian/patches/0024-Revert-to-using-system-pcre-library.patch#1c6a0f2634f5a56122299674b77b1131
https://sources.debian.org/data/main/m/mariadb-10.3/1:10.3.34-0+deb10u1/debian/patches/0024-Revert-to-using-system-pcre-library.patch#1c6a0f2634f5a56122299674b77b1131
[mariadb-10.4:python3]
patches +=
${:_profile_base_location_}/mariadb-10.4.32-openssl-3.0.patch#ec3e2b57eae5421e052ab89224b29b7e
[mariadb-10.5]
[mariadb-10.5]
<= mariadb-common
<= mariadb-common
version = 10.5.23
version = 10.5.23
...
...
component/mariadb/mariadb-10.4.32-openssl-3.0.patch
0 → 100644
View file @
b13d20e9
Changes to support OpenSSL 3.0 based on the following commits :
* 8a9c1e9ccf227e5f8ee9a4716a9b64665a8489e3 MDEV-25785 Add support for OpenSSL 3.0
*
1dc09ce0fdcf556dfc57de3f012a455c6d54a951 Revert "don't build with OpenSSL 3.0, it doesn't work before MDEV-25785"
*
ef655669816d73a1d92fbf459b768abcc7cac296 MDEV-27778 md5 in FIPS crashes with OpenSSL 3.0.0
diff --git a/cmake/ssl.cmake b/cmake/ssl.cmake
index a6793cf3c55..1bd46bc0f39 100644
--- a/cmake/ssl.cmake
+++ b/cmake/ssl.cmake
@@ -118,7 +118,7 @@
MACRO (MYSQL_CHECK_SSL)
ENDIF()
FIND_PACKAGE(OpenSSL)
SET_PACKAGE_PROPERTIES(OpenSSL PROPERTIES TYPE RECOMMENDED)
- IF(OPENSSL_FOUND AND OPENSSL_VERSION AND OPENSSL_VERSION VERSION_LESS "3.0.0")
+ IF(OPENSSL_FOUND)
SET(OPENSSL_LIBRARY ${OPENSSL_SSL_LIBRARY})
INCLUDE(CheckSymbolExists)
SET(SSL_SOURCES "")
@@ -139,6 +139,13 @@
MACRO (MYSQL_CHECK_SSL)
SET(SSL_INTERNAL_INCLUDE_DIRS "")
SET(SSL_DEFINES "-DHAVE_OPENSSL")
+ # Silence "deprecated in OpenSSL 3.0"
+ IF((NOT OPENSSL_VERSION) # 3.0 not determined by older cmake
+ OR NOT(OPENSSL_VERSION VERSION_LESS "3.0.0"))
+ SET(SSL_DEFINES "${SSL_DEFINES} -DOPENSSL_API_COMPAT=0x10100000L")
+ SET(CMAKE_REQUIRED_DEFINITIONS -DOPENSSL_API_COMPAT=0x10100000L)
+ ENDIF()
+
SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
SET(CMAKE_REQUIRED_LIBRARIES ${SSL_LIBRARIES})
SET(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
@@ -152,6 +159,7 @@
MACRO (MYSQL_CHECK_SSL)
HAVE_X509_check_host)
SET(CMAKE_REQUIRED_INCLUDES)
SET(CMAKE_REQUIRED_LIBRARIES)
+ SET(CMAKE_REQUIRED_DEFINITIONS)
ELSE()
IF(WITH_SSL STREQUAL "system")
MESSAGE(FATAL_ERROR "Cannot find appropriate system libraries for SSL. Use WITH_SSL=bundled to enable SSL support")
diff --git a/include/ssl_compat.h b/include/ssl_compat.h
index 7b4a828a4d9..7a652d46121 100644
--- a/include/ssl_compat.h
+++ b/include/ssl_compat.h
@@ -78,7 +78,6 @@
#define DH_set0_pqg(D,P,Q,G) ((D)->p= (P), (D)->g= (G))
#endif
-#define EVP_CIPHER_CTX_buf_noconst(ctx) ((ctx)->buf)
#define EVP_CIPHER_CTX_encrypting(ctx) ((ctx)->encrypt)
#define EVP_CIPHER_CTX_SIZE sizeof(EVP_CIPHER_CTX)
diff --git a/mysql-test/lib/openssl.cnf b/mysql-test/lib/openssl.cnf
index b9ab37ac3a1..7cd6f748af2 100644
--- a/mysql-test/lib/openssl.cnf
+++ b/mysql-test/lib/openssl.cnf
@@ -9,4 +9,4 @@
ssl_conf = ssl_section
system_default = system_default_section
[system_default_section]
-CipherString = ALL:@SECLEVEL=1
+CipherString = ALL:@SECLEVEL=0
diff --git a/mysql-test/main/ssl_cipher.result b/mysql-test/main/ssl_cipher.result
index 9308f0f9833..d549ec7d2b4 100644
--- a/mysql-test/main/ssl_cipher.result
+++ b/mysql-test/main/ssl_cipher.result
@@ -61,9 +61,9 @@
connect ssl_con,localhost,root,,,,,SSL;
SHOW STATUS LIKE 'Ssl_cipher';
Variable_name Value
Ssl_cipher AES128-SHA
-SHOW STATUS LIKE 'Ssl_cipher_list';
-Variable_name Value
-Ssl_cipher_list AES128-SHA
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
+VARIABLE_VALUE like '%AES128-SHA%'
+1
disconnect ssl_con;
connection default;
call mtr.add_suppression("TLSv1.0 and TLSv1.1 are insecure");
diff --git a/mysql-test/main/ssl_cipher.test b/mysql-test/main/ssl_cipher.test
index 3a54aca5145..7150e19809e 100644
--- a/mysql-test/main/ssl_cipher.test
+++ b/mysql-test/main/ssl_cipher.test
@@ -98,7 +98,7 @@
let $restart_parameters=--ssl-cipher=AES128-SHA;
source include/restart_mysqld.inc;
connect (ssl_con,localhost,root,,,,,SSL);
SHOW STATUS LIKE 'Ssl_cipher';
-SHOW STATUS LIKE 'Ssl_cipher_list';
+SELECT VARIABLE_VALUE like '%AES128-SHA%' FROM INFORMATION_SCHEMA.SESSION_STATUS WHERE VARIABLE_NAME='Ssl_cipher_list';
disconnect ssl_con;
connection default;
diff --git a/mysys_ssl/my_crypt.cc b/mysys_ssl/my_crypt.cc
index a8643f6e5b6..00447e73d79 100644
--- a/mysys_ssl/my_crypt.cc
+++ b/mysys_ssl/my_crypt.cc
@@ -29,11 +29,7 @@
#include <ssl_compat.h>
#include <cstdint>
-#ifdef HAVE_WOLFSSL
#define CTX_ALIGN 16
-#else
-#define CTX_ALIGN 0
-#endif
class MyCTX
{
@@ -100,8 +96,9 @@
class MyCTX_nopad : public MyCTX
{
public:
const uchar *key;
- uint klen, buf_len;
+ uint klen, source_tail_len;
uchar oiv[MY_AES_BLOCK_SIZE];
+ uchar source_tail[MY_AES_BLOCK_SIZE];
MyCTX_nopad() : MyCTX() { }
~MyCTX_nopad() = default;
@@ -112,7 +109,7 @@
class MyCTX_nopad : public MyCTX
compile_time_assert(MY_AES_CTX_SIZE >= sizeof(MyCTX_nopad));
this->key= key;
this->klen= klen;
- this->buf_len= 0;
+ this->source_tail_len= 0;
if (ivlen)
memcpy(oiv, iv, ivlen);
DBUG_ASSERT(ivlen == 0 || ivlen == sizeof(oiv));
@@ -123,26 +120,41 @@
class MyCTX_nopad : public MyCTX
return res;
}
+ /** Update last partial source block, stored in source_tail array. */
+ void update_source_tail(const uchar* src, uint slen)
+ {
+ if (!slen)
+ return;
+ uint new_tail_len= (source_tail_len + slen) % MY_AES_BLOCK_SIZE;
+ if (new_tail_len)
+ {
+ if (slen + source_tail_len < MY_AES_BLOCK_SIZE)
+ {
+ memcpy(source_tail + source_tail_len, src, slen);
+ }
+ else
+ {
+ DBUG_ASSERT(slen > new_tail_len);
+ memcpy(source_tail, src + slen - new_tail_len, new_tail_len);
+ }
+ }
+ source_tail_len= new_tail_len;
+ }
+
int update(const uchar *src, uint slen, uchar *dst, uint *dlen)
{
- buf_len+= slen;
+ update_source_tail(src, slen);
return MyCTX::update(src, slen, dst, dlen);
}
int finish(uchar *dst, uint *dlen)
{
- buf_len %= MY_AES_BLOCK_SIZE;
- if (buf_len)
+ if (source_tail_len)
{
- uchar *buf= EVP_CIPHER_CTX_buf_noconst(ctx);
/*
Not much we can do, block ciphers cannot encrypt data that aren't
a multiple of the block length. At least not without padding.
Let's do something CTR-like for the last partial block.
-
- NOTE this assumes that there are only buf_len bytes in the buf.
- If OpenSSL will change that, we'll need to change the implementation
- of this class too.
*/
uchar mask[MY_AES_BLOCK_SIZE];
uint mlen;
@@ -154,10 +166,10 @@
class MyCTX_nopad : public MyCTX
return rc;
DBUG_ASSERT(mlen == sizeof(mask));
- for (uint i=0; i < buf_len; i++)
- dst[i]= buf[i] ^ mask[i];
+ for (uint i=0; i < source_tail_len; i++)
+ dst[i]= source_tail[i] ^ mask[i];
}
- *dlen= buf_len;
+ *dlen= source_tail_len;
return MY_AES_OK;
}
};
diff --git a/mysys_ssl/my_md5.cc b/mysys_ssl/my_md5.cc
index 407dee3bc69..75995bccf90 100644
--- a/mysys_ssl/my_md5.cc
+++ b/mysys_ssl/my_md5.cc
@@ -52,12 +52,23 @@
static void md5_result(EVP_MD_CTX *context, uchar digest[MD5_HASH_SIZE])
static void md5_init(EVP_MD_CTX *context)
{
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ EVP_MD *md5;
+ EVP_MD_CTX_init(context);
+ /* Ok to ignore FIPS: MD5 is not used for crypto here */
+ /* In OpenSSL 3.0.0+ it is a different EVP_MD provider */
+ md5 = EVP_MD_fetch(NULL, "MD5", "fips=no");
+ EVP_DigestInit_ex(context, md5, NULL);
+ EVP_MD_free(md5);
+#else
EVP_MD_CTX_init(context);
#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
/* Ok to ignore FIPS: MD5 is not used for crypto here */
+ /* In OpenSSL 1.1.1 the non FIPS allowed flag is context specific */
EVP_MD_CTX_set_flags(context, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
#endif
EVP_DigestInit_ex(context, EVP_md5(), NULL);
+#endif
}
static void md5_input(EVP_MD_CTX *context, const uchar *buf, unsigned len)
diff --git a/unittest/mysys/aes-t.c b/unittest/mysys/aes-t.c
index 34704e06749..cbec2760941 100644
--- a/unittest/mysys/aes-t.c
+++ b/unittest/mysys/aes-t.c
@@ -21,27 +21,96 @@
#include <string.h>
#include <ctype.h>
-#define DO_TEST(mode, nopad, slen, fill, dlen, hash) \
- SKIP_BLOCK_IF(mode == 0xDEADBEAF, nopad ? 4 : 5, #mode " not supported") \
- { \
- memset(src, fill, src_len= slen); \
- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, \
- src, src_len, dst, &dst_len, \
- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
- "encrypt " #mode " %u %s", src_len, nopad ? "nopad" : "pad"); \
- if (!nopad) \
- ok (dst_len == my_aes_get_size(mode, src_len), "my_aes_get_size");\
- my_md5(md5, (char*)dst, dst_len); \
- ok(dst_len == dlen && memcmp(md5, hash, sizeof(md5)) == 0, "md5"); \
- ok(my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT, \
- dst, dst_len, ddst, &ddst_len, \
- key, sizeof(key), iv, sizeof(iv)) == MY_AES_OK, \
- "decrypt " #mode " %u", dst_len); \
- ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp"); \
+
+/** Test streaming encryption, bytewise update.*/
+static int aes_crypt_bytewise(enum my_aes_mode mode, int flags, const unsigned char *src,
+ unsigned int slen, unsigned char *dst, unsigned int *dlen,
+ const unsigned char *key, unsigned int klen,
+ const unsigned char *iv, unsigned int ivlen)
+{
+ /* Allocate context on odd address on stack, in order to
+ catch misalignment errors.*/
+ void *ctx= (char *)alloca(MY_AES_CTX_SIZE+1)+1;
+
+ int res1, res2;
+ uint d1= 0, d2;
+ uint i;
+
+ if ((res1= my_aes_crypt_init(ctx, mode, flags, key, klen, iv, ivlen)))
+ return res1;
+ for (i= 0; i < slen; i++)
+ {
+ uint tmp_d1=0;
+ res1= my_aes_crypt_update(ctx, src+i,1, dst, &tmp_d1);
+ if (res1)
+ return res1;
+ d1+= tmp_d1;
+ dst+= tmp_d1;
+ }
+ res2= my_aes_crypt_finish(ctx, dst, &d2);
+ *dlen= d1 + d2;
+ return res1 ? res1 : res2;
+}
+
+
+#ifndef HAVE_EncryptAes128Ctr
+const uint MY_AES_CTR=0xDEADBEAF;
+#endif
+#ifndef HAVE_EncryptAes128Gcm
+const uint MY_AES_GCM=0xDEADBEAF;
+#endif
+
+#define MY_AES_UNSUPPORTED(x) (x == 0xDEADBEAF)
+
+static void do_test(uint mode, const char *mode_str, int nopad, uint slen,
+ char fill, size_t dlen, const char *hash)
+{
+ uchar key[16]= {1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6};
+ uchar iv[16]= {2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7};
+ uchar src[1000], dst[1100], dst2[1100], ddst[1000];
+ uchar md5[MY_MD5_HASH_SIZE];
+ uint src_len, dst_len, dst_len2, ddst_len;
+ int result;
+
+ if (MY_AES_UNSUPPORTED(mode))
+ {
+ skip(nopad?7:6, "%s not supported", mode_str);
+ return;
+ }
+ memset(src, fill, src_len= slen);
+ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src, src_len,
+ dst, &dst_len, key, sizeof(key), iv, sizeof(iv));
+ ok(result == MY_AES_OK, "encrypt %s %u %s", mode_str, src_len,
+ nopad ? "nopad" : "pad");
+
+ if (nopad)
+ {
+ result= aes_crypt_bytewise(mode, nopad | ENCRYPTION_FLAG_ENCRYPT, src,
+ src_len, dst2, &dst_len2, key, sizeof(key),
+ iv, sizeof(iv));
+ ok(result == MY_AES_OK, "encrypt bytewise %s %u", mode_str, src_len);
+ /* Compare with non-bytewise encryption result*/
+ ok(dst_len == dst_len2 && memcmp(dst, dst2, dst_len) == 0,
+ "memcmp bytewise %s %u", mode_str, src_len);
+ }
+ else
+ {
+ int dst_len_real= my_aes_get_size(mode, src_len);
+ ok(dst_len_real= dst_len, "my_aes_get_size");
}
+ my_md5(md5, (char *) dst, dst_len);
+ ok(dst_len == dlen, "md5 len");
+ ok(memcmp(md5, hash, sizeof(md5)) == 0, "md5");
+ result= my_aes_crypt(mode, nopad | ENCRYPTION_FLAG_DECRYPT,
+ dst, dst_len, ddst, &ddst_len, key, sizeof(key), iv,
+ sizeof(iv));
+
+ ok(result == MY_AES_OK, "decrypt %s %u", mode_str, dst_len);
+ ok(ddst_len == src_len && memcmp(src, ddst, src_len) == 0, "memcmp");
+}
-#define DO_TEST_P(M,S,F,D,H) DO_TEST(M,0,S,F,D,H)
-#define DO_TEST_N(M,S,F,D,H) DO_TEST(M,ENCRYPTION_FLAG_NOPAD,S,F,D,H)
+#define DO_TEST_P(M, S, F, D, H) do_test(M, #M, 0, S, F, D, H)
+#define DO_TEST_N(M, S, F, D, H) do_test(M, #M, ENCRYPTION_FLAG_NOPAD, S, F, D, H)
/* useful macro for debugging */
#define PRINT_MD5() \
@@ -53,25 +122,15 @@
printf("\"\n"); \
} while(0);
-#ifndef HAVE_EncryptAes128Ctr
-const uint MY_AES_CTR=0xDEADBEAF;
-#endif
-#ifndef HAVE_EncryptAes128Gcm
-const uint MY_AES_GCM=0xDEADBEAF;
-#endif
int
main(int argc __attribute__((unused)),char *argv[])
{
- uchar key[16]= {1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6};
- uchar iv[16]= {2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7};
- uchar src[1000], dst[1100], ddst[1000];
- uchar md5[MY_MD5_HASH_SIZE];
- uint src_len, dst_len, ddst_len;
MY_INIT(argv[0]);
- plan(87);
+ plan(122);
+
DO_TEST_P(MY_AES_ECB, 200, '.', 208, "\xd8\x73\x8e\x3a\xbc\x66\x99\x13\x7f\x90\x23\x52\xee\x97\x6f\x9a");
DO_TEST_P(MY_AES_ECB, 128, '?', 144, "\x19\x58\x33\x85\x4c\xaa\x7f\x06\xd1\xb2\xec\xd7\xb7\x6a\xa9\x5b");
DO_TEST_P(MY_AES_CBC, 159, '%', 160, "\x4b\x03\x18\x3d\xf1\xa7\xcd\xa1\x46\xb3\xc6\x8a\x92\xc0\x0f\xc9");
component/nodejs/buildout.cfg
View file @
b13d20e9
...
@@ -64,11 +64,13 @@ md5sum = c5ab3e98977dfd639d830625d79eff52
...
@@ -64,11 +64,13 @@ md5sum = c5ab3e98977dfd639d830625d79eff52
<= nodejs-base
<= nodejs-base
version = v14.16.0
version = v14.16.0
md5sum = 7dc3666f407bf4e12a01ce1be2883d31
md5sum = 7dc3666f407bf4e12a01ce1be2883d31
openssl-location = ${openssl-1.1:location}
[nodejs-12.18.3]
[nodejs-12.18.3]
<= nodejs-base
<= nodejs-base
version = v12.18.3
version = v12.18.3
md5sum = 28bf6a4d98b238403fa58a0805f4a979
md5sum = 28bf6a4d98b238403fa58a0805f4a979
openssl-location = ${openssl-1.1:location}
PATH = ${pkgconfig:location}/bin:${python2.7:location}/bin:%(PATH)s
PATH = ${pkgconfig:location}/bin:${python2.7:location}/bin:%(PATH)s
configure-command = ./configure
configure-command = ./configure
...
...
component/open62541/buildout.cfg
View file @
b13d20e9
...
@@ -17,8 +17,9 @@ max_version = 11
...
@@ -17,8 +17,9 @@ max_version = 11
[open62541]
[open62541]
recipe = slapos.recipe.cmmi
recipe = slapos.recipe.cmmi
shared = true
shared = true
url = https://github.com/open62541/open62541/archive/refs/heads/pack/v1.3.zip
tag = v1.3.4
md5sum = c2e9938f082b027110fba538de76684c
url = https://github.com/open62541/open62541/archive/refs/heads/pack/${:tag}.zip
md5sum = b9c1d3ae9d7593941108f46036f29ccc
patch-options = -p1
patch-options = -p1
patches =
patches =
${:_profile_base_location_}/ipv6_bugfix.patch#355bec02adee4ea73ff5a56ba6971ad2
${:_profile_base_location_}/ipv6_bugfix.patch#355bec02adee4ea73ff5a56ba6971ad2
...
...
component/openssl/buildout.cfg
View file @
b13d20e9
...
@@ -14,11 +14,9 @@ extends =
...
@@ -14,11 +14,9 @@ extends =
parts =
parts =
openssl-output
openssl-output
[openssl]
[openssl
-common
]
recipe = slapos.recipe.cmmi
recipe = slapos.recipe.cmmi
shared = true
shared = true
url = https://www.openssl.org/source/openssl-1.1.1w.tar.gz
md5sum = 3f76825f195e52d4b10c70040681a275
location = @@LOCATION@@
location = @@LOCATION@@
# 'prefix' option to override --openssldir/--prefix (which is useful
# 'prefix' option to override --openssldir/--prefix (which is useful
# when combined with DESTDIR). Used by slapos.package.git/obs
# when combined with DESTDIR). Used by slapos.package.git/obs
...
@@ -46,12 +44,26 @@ make-targets =
...
@@ -46,12 +44,26 @@ make-targets =
environment =
environment =
PERL=${perl:location}/bin/perl
PERL=${perl:location}/bin/perl
[openssl-3.0]
<= openssl-common
url = https://www.openssl.org/source/openssl-3.0.13.tar.gz
md5sum = c15e53a62711002901d3515ac8b30b86
[openssl-quictls]
[openssl-quictls]
<= openssl
<= openssl-3.0
# XXX tag missing for 1.1.1w
url = https://github.com/quictls/openssl/archive/refs/tags/openssl-3.0.13-quic1.tar.gz
# url = https://github.com/quictls/openssl/archive/refs/tags/OpenSSL_1_1_1w-quic1.tar.gz
md5sum = ff6a1f5fc5e7ea03aba9c97e7f26d97d
url = https://github.com/quictls/openssl/archive/612d8e44d687e4b71c4724319d7aa27a733bcbca.tar.gz
md5sum =4a06f8b195e817c8a0d94ebdbc7c7bb7
[openssl-1.1]
<= openssl-common
url = https://www.openssl.org/source/openssl-1.1.1w.tar.gz
md5sum = 3f76825f195e52d4b10c70040681a275
[openssl]
<= openssl-3.0
[openssl:python2]
<= openssl-1.1
[openssl-output]
[openssl-output]
# Shared binary location to ease migration
# Shared binary location to ease migration
...
...
component/openvpn/buildout.cfg
View file @
b13d20e9
[buildout]
[buildout]
extends =
extends =
../libcap-ng/buildout.cfg
../lzo/buildout.cfg
../lzo/buildout.cfg
../openssl/buildout.cfg
../openssl/buildout.cfg
../flex/buildout.cfg
../flex/buildout.cfg
...
@@ -10,10 +11,11 @@ parts =
...
@@ -10,10 +11,11 @@ parts =
[openvpn]
[openvpn]
recipe = slapos.recipe.cmmi
recipe = slapos.recipe.cmmi
url = https://
swupdate.openvpn.org/community/releases/openvpn-${:version}.tar.x
z
url = https://
build.openvpn.net/downloads/releases/openvpn-${:version}.tar.g
z
version = 2.
4.7
version = 2.
6.8
md5sum = 4
ad8a008e1e7f261b3aa0024e79e7fb7
md5sum = 4
27fe070a4ab9fd78dc64195458dc361
configure-options =
configure-options =
--disable-lz4
--disable-dependency-tracking
--disable-dependency-tracking
--disable-plugin-auth-pam
--disable-plugin-auth-pam
--enable-iproute2
--enable-iproute2
...
@@ -21,6 +23,8 @@ environment =
...
@@ -21,6 +23,8 @@ environment =
PATH=${xz-utils:location}/bin:%(PATH)s
PATH=${xz-utils:location}/bin:%(PATH)s
LZO_LIBS=-L${lzo:location}/lib -llzo2
LZO_LIBS=-L${lzo:location}/lib -llzo2
LZO_CFLAGS=-I${lzo:location}/include
LZO_CFLAGS=-I${lzo:location}/include
LIBCAPNG_LIBS=-L${libcap-ng:location}/lib -lcap-ng
LIBCAPNG_CFLAGS=-I${libcap-ng:location}/include
OPENSSL_LIBS=-L${openssl:location}/lib -lcrypto -lssl
OPENSSL_LIBS=-L${openssl:location}/lib -lcrypto -lssl
OPENSSL_CFLAGS=-I${openssl:location}/include
OPENSSL_CFLAGS=-I${openssl:location}/include
LDFLAGS =-Wl,-rpath=${lzo:location}/lib -Wl,-rpath=${flex:location}/lib -Wl,-rpath=${openssl:location}/lib
LDFLAGS =-Wl,-rpath=${lzo:location}/lib -Wl,-rpath=${flex:location}/lib -Wl,-rpath=${openssl:location}/lib
...
...
component/proxysql/buildout.cfg
View file @
b13d20e9
...
@@ -12,11 +12,11 @@ extends =
...
@@ -12,11 +12,11 @@ extends =
../libtool/buildout.cfg
../libtool/buildout.cfg
../m4/buildout.cfg
../m4/buildout.cfg
../openssl/buildout.cfg
../openssl/buildout.cfg
../patch/buildout.cfg
../pcre/buildout.cfg
../pcre/buildout.cfg
../perl/buildout.cfg
../perl/buildout.cfg
# https://github.com/libinjection/libinjection/issues/4
# https://github.com/libinjection/libinjection/issues/4
../python-2.7/buildout.cfg
../python-2.7/buildout.cfg
../util-linux/buildout.cfg
../defaults.cfg
../defaults.cfg
parts =
parts =
...
@@ -28,9 +28,9 @@ max_version = 11
...
@@ -28,9 +28,9 @@ max_version = 11
[proxysql]
[proxysql]
recipe = slapos.recipe.cmmi
recipe = slapos.recipe.cmmi
shared = true
shared = true
version = v2.
3.2
version = v2.
4.8
url = https://github.com/sysown/proxysql/archive/refs/tags/${:version}.tar.gz
url = https://github.com/sysown/proxysql/archive/refs/tags/${:version}.tar.gz
md5sum =
969129ac43c9f64641509891a116e0e1
md5sum =
17f31d5764b0e529a3b94f7db82794e4
configure-command = true
configure-command = true
make-options = GIT_VERSION=${:version}
make-options = GIT_VERSION=${:version}
# The install target does not honor DESTDIR:
# The install target does not honor DESTDIR:
...
@@ -40,15 +40,11 @@ post-install =
...
@@ -40,15 +40,11 @@ post-install =
install -Dt %(location)s/bin %(make-targets)s
install -Dt %(location)s/bin %(make-targets)s
environment =
environment =
PKG_CONFIG_PATH=${openssl:location}/lib/pkgconfig:${gnutls:location}/lib/pkgconfig:${libgcrypt:location}/lib/pkgconfig:${zlib:location}/lib/pkgconfig:${pcre:location}/lib/pkgconfig
PKG_CONFIG_PATH=${openssl:location}/lib/pkgconfig:${gnutls:location}/lib/pkgconfig:${libgcrypt:location}/lib/pkgconfig:${zlib:location}/lib/pkgconfig:${pcre:location}/lib/pkgconfig
PATH=${m4:location}/bin:${libtool:location}/bin:${libgcrypt:location}/bin:${curl:location}/bin:${perl:location}/bin:${pkgconfig:location}/bin:${bzip2:location}/bin:${autoconf:location}/bin:${git:location}/bin:${automake:location}/bin:${
patch:location}/bin:${
cmake:location}/bin:${python2.7:location}/bin:%(PATH)s
PATH=${m4:location}/bin:${libtool:location}/bin:${libgcrypt:location}/bin:${curl:location}/bin:${perl:location}/bin:${pkgconfig:location}/bin:${bzip2:location}/bin:${autoconf:location}/bin:${git:location}/bin:${automake:location}/bin:${cmake:location}/bin:${python2.7:location}/bin:%(PATH)s
CXXFLAGS=-I${openssl:location}/include -I${gnutls:location}/include -I${zlib:location}/include
CXXFLAGS=-I${openssl:location}/include -I${gnutls:location}/include -I${
libuuid:location}/include -I${
zlib:location}/include
CFLAGS=-I${gnutls:location}/include
CFLAGS=-I${gnutls:location}/include
LDFLAGS=-L${openssl:location}/lib -Wl,-rpath -Wl,${gnutls:location}/lib -L${gnutls:location}/lib -Wl,-rpath=${curl:location}/lib -L${libtool:location}/lib -L${zlib:location}/lib -Wl,-rpath -Wl,${zlib:location}/lib -L${curl:location}/lib -L${pcre:location}/lib -L${jemalloc:location}/lib -L${libmicrohttpd:location}/lib
LDFLAGS=-L${openssl:location}/lib -Wl,-rpath -Wl,${gnutls:location}/lib -L${gnutls:location}/lib -Wl,-rpath=${curl:location}/lib -L${libtool:location}/lib -
Wl,-rpath -Wl,${libuuid:location}/lib -L${libuuid:location}/lib -
L${zlib:location}/lib -Wl,-rpath -Wl,${zlib:location}/lib -L${curl:location}/lib -L${pcre:location}/lib -L${jemalloc:location}/lib -L${libmicrohttpd:location}/lib
CMAKE_INCLUDE_PATH=${openssl:location}/include:${gnutls:location}/include:${curl:location}/include:${pcre:location}/include:${jemalloc:location}/include:${libmicrohttpd:location}/include:${zlib:location}/include
CMAKE_INCLUDE_PATH=${openssl:location}/include:${gnutls:location}/include:${curl:location}/include:${pcre:location}/include:${jemalloc:location}/include:${libmicrohttpd:location}/include:${zlib:location}/include
CMAKE_LIBRARY_PATH=${openssl:location}/lib:${gnutls:location}/lib:${curl:location}/lib:${pcre:location}/lib:${jemalloc:location}/lib:${libmicrohttpd:location}/lib:${zlib:location}/lib
CMAKE_LIBRARY_PATH=${openssl:location}/lib:${gnutls:location}/lib:${curl:location}/lib:${pcre:location}/lib:${jemalloc:location}/lib:${libmicrohttpd:location}/lib:${zlib:location}/lib
LIBTOOL=libtool
LIBTOOL=libtool
ACLOCAL_PATH=${pkgconfig:location}/share/aclocal:${libtool:location}/share/aclocal
ACLOCAL_PATH=${pkgconfig:location}/share/aclocal:${libtool:location}/share/aclocal
patch-options = -p1
patches =
# PR #3402 (mariadb_client: backport patch to fix syntax error in cmake 3.20)
https://github.com/sysown/proxysql/commit/a3cfa56d257219f7610cd5711045bb5d84485a91.patch#34fd6366d4a75fde821cee93d25eee10
component/python-cryptography/buildout.cfg
View file @
b13d20e9
...
@@ -12,6 +12,8 @@ recipe = zc.recipe.egg:custom
...
@@ -12,6 +12,8 @@ recipe = zc.recipe.egg:custom
egg = cryptography
egg = cryptography
environment = python-cryptography-env
environment = python-cryptography-env
setup-eggs = ${python-cffi:egg}
setup-eggs = ${python-cffi:egg}
cryptography-patches = ${:_profile_base_location_}/cryptography-3.3.2-openssl-3.0.patch#aa055c3cfab6110fd616f2de049e1388
cryptography-patch-options = -p0
library-dirs =
library-dirs =
${openssl:location}/lib/
${openssl:location}/lib/
rpath =
rpath =
...
...
component/python-cryptography/cryptography-3.3.2-openssl-3.0.patch
0 → 100644
View file @
b13d20e9
Minimal changes to support OpenSSL 3.0 based on the following commits :
* f08a7de651f9e6475c8c0a67d2a61ed8b669ddf6 [WIP] 3.0.0 support (#5250)
*
50ec692749b7e2e62685b443f5e629627b03987e remove unneeded binding (#6150)
*
77fb53c75e47f50e09b1b3be3a4d10c7e4e34dc2 3.0.0 deprecated func and it isn't useful to us in general (#6148)
diff --git src/_cffi_src/build_openssl.py src/_cffi_src/build_openssl.py
index 4380c3396..928f5fe4f 100644
--- src/_cffi_src/build_openssl.py
+++ src/_cffi_src/build_openssl.py
@@ -105,6 +105,7 @@
ffi = build_ffi_for_binding(
"osrandom_engine",
"pem",
"pkcs12",
+ "provider",
"rand",
"rsa",
"ssl",
diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
index f24bee5a4..920a86dea 100644
--- src/_cffi_src/openssl/cryptography.py
+++ src/_cffi_src/openssl/cryptography.py
@@ -35,6 +35,8 @@
INCLUDES = """
#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
(OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL)
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
(OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
@@ -54,6 +56,7 @@
INCLUDES = """
TYPES = """
static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;
+static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111;
static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
diff --git src/_cffi_src/openssl/err.py src/_cffi_src/openssl/err.py
index 0dd741467..c2486953d 100644
--- src/_cffi_src/openssl/err.py
+++ src/_cffi_src/openssl/err.py
@@ -19,6 +19,7 @@
static const int EVP_R_UNKNOWN_PBE_ALGORITHM;
static const int ERR_LIB_EVP;
static const int ERR_LIB_PEM;
+static const int ERR_LIB_PROV;
static const int ERR_LIB_ASN1;
static const int ERR_LIB_PKCS12;
@@ -40,10 +41,14 @@
void ERR_clear_error(void);
void ERR_put_error(int, int, int, const char *, int);
int ERR_GET_LIB(unsigned long);
-int ERR_GET_FUNC(unsigned long);
int ERR_GET_REASON(unsigned long);
"""
CUSTOMIZATIONS = """
+/* This define is tied to provider support and is conditionally
+ removed if Cryptography_HAS_PROVIDERS is false */
+#ifndef ERR_LIB_PROV
+#define ERR_LIB_PROV 0
+#endif
"""
diff --git src/_cffi_src/openssl/fips.py src/_cffi_src/openssl/fips.py
index c92bca494..38bfa231f 100644
--- src/_cffi_src/openssl/fips.py
+++ src/_cffi_src/openssl/fips.py
@@ -18,7 +18,7 @@
int FIPS_mode(void);
"""
CUSTOMIZATIONS = """
-#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
static const long Cryptography_HAS_FIPS = 0;
int (*FIPS_mode_set)(int) = NULL;
int (*FIPS_mode)(void) = NULL;
diff --git src/_cffi_src/openssl/provider.py src/_cffi_src/openssl/provider.py
new file mode 100644
index 000000000..d7d659ea5
--- /dev/null
+++ src/_cffi_src/openssl/provider.py
@@ -0,0 +1,40 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+
+INCLUDES = """
+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+#include <openssl/provider.h>
+#include <openssl/proverr.h>
+#endif
+"""
+
+TYPES = """
+static const long Cryptography_HAS_PROVIDERS;
+
+typedef ... OSSL_PROVIDER;
+typedef ... OSSL_LIB_CTX;
+
+static const long PROV_R_BAD_DECRYPT;
+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH;
+"""
+
+FUNCTIONS = """
+OSSL_PROVIDER *OSSL_PROVIDER_load(OSSL_LIB_CTX *, const char *);
+int OSSL_PROVIDER_unload(OSSL_PROVIDER *prov);
+"""
+
+CUSTOMIZATIONS = """
+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+static const long Cryptography_HAS_PROVIDERS = 1;
+#else
+static const long Cryptography_HAS_PROVIDERS = 0;
+typedef void OSSL_PROVIDER;
+typedef void OSSL_LIB_CTX;
+static const long PROV_R_BAD_DECRYPT = 0;
+static const long PROV_R_WRONG_FINAL_BLOCK_LENGTH = 0;
+OSSL_PROVIDER *(*OSSL_PROVIDER_load)(OSSL_LIB_CTX *, const char *) = NULL;
+int (*OSSL_PROVIDER_unload)(OSSL_PROVIDER *) = NULL;
+#endif
+"""
diff --git src/cryptography/hazmat/backends/openssl/backend.py src/cryptography/hazmat/backends/openssl/backend.py
index 45d4a1a1e..1b48355da 100644
--- src/cryptography/hazmat/backends/openssl/backend.py
+++ src/cryptography/hazmat/backends/openssl/backend.py
@@ -1307,6 +1307,11 @@
class Backend(object):
def _evp_pkey_from_der_traditional_key(self, bio_data, password):
key = self._lib.d2i_PrivateKey_bio(bio_data.bio, self._ffi.NULL)
if key != self._ffi.NULL:
+ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will
+ # successfully load but errors are still put on the stack. Tracked
+ # as https://github.com/openssl/openssl/issues/14996
+ self._consume_errors()
+
key = self._ffi.gc(key, self._lib.EVP_PKEY_free)
if password is not None:
raise TypeError(
@@ -1474,6 +1479,11 @@
class Backend(object):
else:
self._handle_key_loading_error()
+ # In OpenSSL 3.0.0-alpha15 there exist scenarios where the key will
+ # successfully load but errors are still put on the stack. Tracked
+ # as https://github.com/openssl/openssl/issues/14996
+ self._consume_errors()
+
evp_pkey = self._ffi.gc(evp_pkey, self._lib.EVP_PKEY_free)
if password is not None and userdata.called == 0:
@@ -1496,11 +1506,22 @@
class Backend(object):
"incorrect format or it may be encrypted with an unsupported "
"algorithm."
)
- elif errors[0]._lib_reason_match(
- self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT
- ) or errors[0]._lib_reason_match(
- self._lib.ERR_LIB_PKCS12,
- self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR,
+
+ elif (
+ errors[0]._lib_reason_match(
+ self._lib.ERR_LIB_EVP, self._lib.EVP_R_BAD_DECRYPT
+ )
+ or errors[0]._lib_reason_match(
+ self._lib.ERR_LIB_PKCS12,
+ self._lib.PKCS12_R_PKCS12_CIPHERFINAL_ERROR,
+ )
+ or (
+ self._lib.Cryptography_HAS_PROVIDERS
+ and errors[0]._lib_reason_match(
+ self._lib.ERR_LIB_PROV,
+ self._lib.PROV_R_BAD_DECRYPT,
+ )
+ )
):
raise ValueError("Bad decrypt. Incorrect password?")
@@ -2546,7 +2567,15 @@
class Backend(object):
if sk_x509_ptr[0] != self._ffi.NULL:
sk_x509 = self._ffi.gc(sk_x509_ptr[0], self._lib.sk_X509_free)
num = self._lib.sk_X509_num(sk_x509_ptr[0])
- for i in range(num):
+
+ # In OpenSSL < 3.0.0 PKCS12 parsing reverses the order of the
+ # certificates.
+ if self._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
+ indices = range(num)
+ else:
+ indices = reversed(range(num))
+
+ for i in indices:
x509 = self._lib.sk_X509_value(sk_x509, i)
self.openssl_assert(x509 != self._ffi.NULL)
x509 = self._ffi.gc(x509, self._lib.X509_free)
diff --git src/cryptography/hazmat/backends/openssl/ciphers.py src/cryptography/hazmat/backends/openssl/ciphers.py
index ad5dad3f7..f4c869a40 100644
--- src/cryptography/hazmat/backends/openssl/ciphers.py
+++ src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -146,7 +146,14 @@
class _CipherContext(object):
res = self._backend._lib.EVP_CipherUpdate(
self._ctx, outbuf, outlen, inbuf, inlen
)
- self._backend.openssl_assert(res != 0)
+ if res == 0 and isinstance(self._mode, modes.XTS):
+ self._backend._consume_errors()
+ raise ValueError(
+ "In XTS mode you must supply at least a full block in the "
+ "first update call. For AES this is 16 bytes."
+ )
+ else:
+ self._backend.openssl_assert(res != 0)
data_processed += inlen
total_out += outlen[0]
@@ -175,6 +182,13 @@
class _CipherContext(object):
errors[0]._lib_reason_match(
self._backend._lib.ERR_LIB_EVP,
self._backend._lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH,
+ )
+ or (
+ self._backend._lib.Cryptography_HAS_PROVIDERS
+ and errors[0]._lib_reason_match(
+ self._backend._lib.ERR_LIB_PROV,
+ self._backend._lib.PROV_R_WRONG_FINAL_BLOCK_LENGTH,
+ )
),
errors=errors,
)
diff --git src/cryptography/hazmat/bindings/openssl/_conditional.py src/cryptography/hazmat/bindings/openssl/_conditional.py
index ca50fed13..fdcead1a5 100644
--- src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -271,6 +271,16 @@
def cryptography_has_get_proto_version():
]
+def cryptography_has_providers():
+ return [
+ "OSSL_PROVIDER_load",
+ "OSSL_PROVIDER_unload",
+ "ERR_LIB_PROV",
+ "PROV_R_WRONG_FINAL_BLOCK_LENGTH",
+ "PROV_R_BAD_DECRYPT",
+ ]
+
+
# This is a mapping of
# {condition: function-returning-names-dependent-on-that-condition} so we can
# loop over them and delete unsupported names at runtime. It will be removed
@@ -319,4 +329,5 @@
CONDITIONAL_NAMES = {
"Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
"Cryptography_HAS_SRTP": cryptography_has_srtp,
"Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version,
+ "Cryptography_HAS_PROVIDERS": cryptography_has_providers,
}
diff --git src/cryptography/hazmat/bindings/openssl/binding.py src/cryptography/hazmat/bindings/openssl/binding.py
index 7a84a340e..c0b0d8238 100644
--- src/cryptography/hazmat/bindings/openssl/binding.py
+++ src/cryptography/hazmat/bindings/openssl/binding.py
@@ -15,15 +15,14 @@
from cryptography.hazmat.bindings._openssl import ffi, lib
from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES
_OpenSSLErrorWithText = collections.namedtuple(
- "_OpenSSLErrorWithText", ["code", "lib", "func", "reason", "reason_text"]
+ "_OpenSSLErrorWithText", ["code", "lib", "reason", "reason_text"]
)
class _OpenSSLError(object):
- def __init__(self, code, lib, func, reason):
+ def __init__(self, code, lib, reason):
self._code = code
self._lib = lib
- self._func = func
self._reason = reason
def _lib_reason_match(self, lib, reason):
@@ -31,7 +30,6 @@
class _OpenSSLError(object):
code = utils.read_only_property("_code")
lib = utils.read_only_property("_lib")
- func = utils.read_only_property("_func")
reason = utils.read_only_property("_reason")
@@ -43,10 +41,9 @@
def _consume_errors(lib):
break
err_lib = lib.ERR_GET_LIB(code)
- err_func = lib.ERR_GET_FUNC(code)
err_reason = lib.ERR_GET_REASON(code)
- errors.append(_OpenSSLError(code, err_lib, err_func, err_reason))
+ errors.append(_OpenSSLError(code, err_lib, err_reason))
return errors
@@ -60,7 +57,7 @@
def _errors_with_text(errors):
errors_with_text.append(
_OpenSSLErrorWithText(
- err.code, err.lib, err.func, err.reason, err_text_reason
+ err.code, err.lib, err.reason, err_text_reason
)
)
@@ -140,6 +137,24 @@
class Binding(object):
# adds all ciphers/digests for EVP
cls.lib.OpenSSL_add_all_algorithms()
cls._register_osrandom_engine()
+ # As of OpenSSL 3.0.0 we must register a legacy cipher provider
+ # to get RC2 (needed for junk asymmetric private key
+ # serialization), RC4, Blowfish, IDEA, SEED, etc. These things
+ # are ugly legacy, but we aren't going to get rid of them
+ # any time soon.
+ if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
+ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load(
+ cls.ffi.NULL, b"legacy"
+ )
+ _openssl_assert(
+ cls.lib, cls._legacy_provider != cls.ffi.NULL
+ )
+ cls._default_provider = cls.lib.OSSL_PROVIDER_load(
+ cls.ffi.NULL, b"default"
+ )
+ _openssl_assert(
+ cls.lib, cls._default_provider != cls.ffi.NULL
+ )
@classmethod
def init_static_locks(cls):
component/qjs-wrapper/buildout.cfg
View file @
b13d20e9
...
@@ -19,4 +19,4 @@ path = ${qjs-wrapper-source:location}
...
@@ -19,4 +19,4 @@ path = ${qjs-wrapper-source:location}
autopilot-wrapper =
autopilot-wrapper =
environment =
environment =
C_INCLUDE_PATH=include:${open62541:location}/include:${open62541:location}/deps:${open62541:location}/src/pubsub:${quickjs:location}/include
C_INCLUDE_PATH=include:${open62541:location}/include:${open62541:location}/deps:${open62541:location}/src/pubsub:${quickjs:location}/include
LDFLAGS=-L${open62541:location}/lib -Wl,-rpath=${open62541:location}/lib -L${:autopilot-wrapper}/lib -Wl,-rpath=${:autopilot-wrapper}/lib
LDFLAGS=-L${open62541:location}/lib -Wl,-rpath=${open62541:location}/lib -L${:autopilot-wrapper}/lib -Wl,-rpath=${:autopilot-wrapper}/lib
-fPIC
software/fluentd/buildout.hash.cfg
View file @
b13d20e9
...
@@ -14,7 +14,7 @@
...
@@ -14,7 +14,7 @@
# not need these here).
# not need these here).
[instance-profile]
[instance-profile]
filename = instance.cfg
filename = instance.cfg
md5sum =
82c476f22e6b55b674640abef959c3c2
md5sum =
1fe38a024766347454ad7a3d9fb52d01
[template-fluentd]
[template-fluentd]
filename = instance-fluentd.cfg
filename = instance-fluentd.cfg
...
...
software/fluentd/instance-input-schema.json
View file @
b13d20e9
...
@@ -4,10 +4,11 @@
...
@@ -4,10 +4,11 @@
"description"
:
"Parameters to instantiate Fluentd"
,
"description"
:
"Parameters to instantiate Fluentd"
,
"additionalProperties"
:
false
,
"additionalProperties"
:
false
,
"properties"
:
{
"properties"
:
{
"conf_text"
:
{
"conf-text"
:
{
"description"
:
"Fluentd configuration. You can write it entirely by yourself. See fluentd-agent.conf.jinja2.in"
,
"title"
:
"Configuration"
,
"default"
:
""
,
"description"
:
"Fluentd configuration. See: https://docs.fluentd.org/configuration"
,
"type"
:
"string"
"type"
:
"string"
,
"textarea"
:
true
}
}
}
}
}
}
software/fluentd/instance.cfg
View file @
b13d20e9
...
@@ -42,7 +42,7 @@ recipe = slapos.recipe.build
...
@@ -42,7 +42,7 @@ recipe = slapos.recipe.build
slapparameter-dict = $${slap-configuration:configuration}
slapparameter-dict = $${slap-configuration:configuration}
init =
init =
import re
import re
options['text'] = options['slapparameter-dict'].get('conf
_
text') or ' '
options['text'] = options['slapparameter-dict'].get('conf
-
text') or ' '
options['port-list'] = re.findall(r'<source>.*port (\d+).*<\/source>', options['text'], re.DOTALL)
options['port-list'] = re.findall(r'<source>.*port (\d+).*<\/source>', options['text'], re.DOTALL)
[fluentd-agent-conf]
[fluentd-agent-conf]
...
...
software/fluentd/software.cfg.json
0 → 100644
View file @
b13d20e9
{
"name"
:
"Fluentd"
,
"description"
:
"Fluentd"
,
"serialisation"
:
"xml"
,
"software-type"
:
{
"default"
:
{
"title"
:
"Default"
,
"description"
:
"Fluentd"
,
"request"
:
"instance-input-schema.json"
,
"index"
:
0
}
}
}
software/fluentd/test/test.py
View file @
b13d20e9
...
@@ -88,7 +88,7 @@ class WendelinTutorialTestCase(FluentdTestCase):
...
@@ -88,7 +88,7 @@ class WendelinTutorialTestCase(FluentdTestCase):
@
classmethod
@
classmethod
def
getInstanceParameterDict
(
cls
):
def
getInstanceParameterDict
(
cls
):
return
{
'conf
_
text'
:
cls
.
_conf
,}
return
{
'conf
-
text'
:
cls
.
_conf
,}
@
classmethod
@
classmethod
def
measureDict
(
cls
):
def
measureDict
(
cls
):
...
...
software/js-drone/software-c-astral.cfg
View file @
b13d20e9
...
@@ -21,7 +21,7 @@ url = https://lab.nexedi.com/nexedi/c-astral-wrapper/-/archive/v2.1/c-astral-wra
...
@@ -21,7 +21,7 @@ url = https://lab.nexedi.com/nexedi/c-astral-wrapper/-/archive/v2.1/c-astral-wra
md5sum = cca66724e1b7a61c1b9559fde95c420b
md5sum = cca66724e1b7a61c1b9559fde95c420b
environment =
environment =
CPLUS_INCLUDE_PATH=${qjs-wrapper-source:location}/include:${mavsdk:location}/include:${mavsdk:location}/include/mavsdk
CPLUS_INCLUDE_PATH=${qjs-wrapper-source:location}/include:${mavsdk:location}/include:${mavsdk:location}/include/mavsdk
LDFLAGS=-L${mavsdk:location}/lib -Wl,-rpath=${mavsdk:location}/lib
LDFLAGS=-L${mavsdk:location}/lib -Wl,-rpath=${mavsdk:location}/lib
-fPIC
[qjs-wrapper]
[qjs-wrapper]
autopilot-wrapper = ${c-astral-wrapper:location}
autopilot-wrapper = ${c-astral-wrapper:location}
...
...
software/osie-coupler/software.cfg
View file @
b13d20e9
...
@@ -17,15 +17,9 @@ extends =
...
@@ -17,15 +17,9 @@ extends =
# we want this SR to use a fixed gcc (so that we have the same gcc as open62541 component)
# we want this SR to use a fixed gcc (so that we have the same gcc as open62541 component)
max_version = 0
max_version = 0
# we need open62541's sources even after compiling and linking in [open62541]
# section. Reasons is that coupler's C application depends on it.
[open62541-source]
recipe = slapos.recipe.build:download-unpacked
shared = true
url = ${open62541:url}
md5sum = ${open62541:md5sum}
[open62541]
[open62541]
pre-configure +=
${git:location}/bin/git clone -b v1.1.6 https://github.com/LiamBindle/MQTT-C.git deps/mqtt-c
configure-options =
configure-options =
-DBUILD_SHARED_LIBS=ON
-DBUILD_SHARED_LIBS=ON
-DCMAKE_BUILD_TYPE=Release
-DCMAKE_BUILD_TYPE=Release
...
@@ -44,6 +38,10 @@ configure-options =
...
@@ -44,6 +38,10 @@ configure-options =
-DUA_ENABLE_PUBSUB_MQTT=ON
-DUA_ENABLE_PUBSUB_MQTT=ON
environment +=
environment +=
LDFLAGS=-L${mbedtls:location}/lib -Wl,-rpath=${mbedtls:location}/lib
LDFLAGS=-L${mbedtls:location}/lib -Wl,-rpath=${mbedtls:location}/lib
# we need open62541's sources even after compiling and linking in [open62541]
# section. Reasons is that coupler's C application depends on it.
keep-compile-dir = true
source-location = @@LOCATION@@/.build/open62541-pack-${open62541:tag}
[osie-repository]
[osie-repository]
recipe = slapos.recipe.build:gitclone
recipe = slapos.recipe.build:gitclone
...
@@ -58,8 +56,8 @@ bin_dir = ${:path}/bin/
...
@@ -58,8 +56,8 @@ bin_dir = ${:path}/bin/
environment =
environment =
PATH=${gcc:prefix}/bin:/usr/bin
PATH=${gcc:prefix}/bin:/usr/bin
OPEN62541_HOME = ${open62541:location}
OPEN62541_HOME = ${open62541:location}
OPEN62541_SOURCE_HOME = ${open62541
-source:
location}
OPEN62541_SOURCE_HOME = ${open62541
:source-
location}
C_COMPILER_EXTRA_FLAGS = -L ${mbedtls:location}/lib -Wl,-rpath=${mbedtls:location}/lib -l:libopen62541.so -L${open62541:location}/lib -Wl,-rpath=${open62541:location}/lib -I${open62541:location}/include -I${open62541
-source:location}/src/pubsub/ -I${open62541-source:
location}/deps
C_COMPILER_EXTRA_FLAGS = -L ${mbedtls:location}/lib -Wl,-rpath=${mbedtls:location}/lib -l:libopen62541.so -L${open62541:location}/lib -Wl,-rpath=${open62541:location}/lib -I${open62541:location}/include -I${open62541
:source-location}/src/pubsub/ -I${open62541:source-
location}/deps
configure-command = true
configure-command = true
[instance-profile]
[instance-profile]
...
...
stack/slapos.cfg
View file @
b13d20e9
...
@@ -182,7 +182,7 @@ comm = 0.2.1:whl
...
@@ -182,7 +182,7 @@ comm = 0.2.1:whl
configparser = 4.0.2:whl
configparser = 4.0.2:whl
contextlib2 = 0.6.0.post1
contextlib2 = 0.6.0.post1
croniter = 0.3.25
croniter = 0.3.25
cryptography = 3.3.2
cryptography = 3.3.2
+SlapOSPatched001
dataclasses = 0.8
dataclasses = 0.8
dateparser = 0.7.6
dateparser = 0.7.6
debugpy = 1.8.1
debugpy = 1.8.1
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment