From: Mikolaj Kucharski
Subject: Re: Update M2Crypto to 0.46.2 (salt testers wanted)
To: Theo Buehler
Cc: ports@openbsd.org
Date: Fri, 17 Oct 2025 07:46:01 +0000

Hi Theo,

I've built your package and upgraded a -current minion with M2Crypto 0.46.2.
No obvious signs of breakage. I couldn't test on master as it's on 7.7 and
major versions of libs don't match (crypto.57.1 vs 56.0, pthread.28.0 vs
27.1, ssl.60.1 vs 59.1).

Salt as-is on my infra has a lot of issues. I have different generations of
OSs, some older, some more current, and communication breakages between
minions and master are happening all the time.

From my perspective I don't see any obvious blockers. If there is an issue,
we can go from there and fix forward.

saltmaster# salt 'pc1.*' pkg.version py3-M2Crypto
pc1.home.local:
    0.46.2

On Fri, Oct 17, 2025 at 04:46:40AM +0200, Theo Buehler wrote:
> If anyone using salt could give this a spin to see if there are runtime
> issues, that would be great. That's the only serious use of this from
> ports. It works for me in tlsfuzzer.
>
> Salt needed to fix a few things for M2Crypto 0.44, so if 0.46.2 doesn't
> work, we could try and jump only to 0.44:
>
> https://github.com/saltstack/salt/pull/67782
>
> Tests aren't looking fantastic, but it seems ok since they don't seem to
> affect anything important. Most of the failures are due to differing
> verifier errors, some tests fail because they want to connect to the
> internet, some rely on undocumented output strings we changed, and the
> membuf failures are due to a fix of UB in libcrypto. There's nonsense
> like trying to set a CSR version to 1 (aka 2) which we don't allow since
> the spec only defines 0 (aka 1). Proxy certs and some RAND nonsense
> are expected not to work since we removed support a long time ago.
> > Index: Makefile > =================================================================== > RCS file: /cvs/ports/security/py-M2Crypto/Makefile,v > diff -u -p -r1.49 Makefile > --- Makefile 29 Apr 2025 10:39:48 -0000 1.49 > +++ Makefile 17 Oct 2025 02:05:53 -0000 > @@ -1,9 +1,8 @@ > COMMENT= crypto and TLS toolkit for Python > > -MODPY_DISTV= 0.41.0 > -DISTNAME= M2Crypto-${MODPY_DISTV} > -PKGNAME= py-${DISTNAME} > -REVISION= 4 > +MODPY_DISTV= 0.46.2 > +DISTNAME= m2crypto-${MODPY_DISTV} > +PKGNAME= py-M2Crypto-${MODPY_DISTV} > > CATEGORIES= security > > Index: distinfo > =================================================================== > RCS file: /cvs/ports/security/py-M2Crypto/distinfo,v > diff -u -p -r1.21 distinfo > --- distinfo 7 May 2024 07:43:48 -0000 1.21 > +++ distinfo 17 Oct 2025 01:55:20 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (M2Crypto-0.41.0.tar.gz) = OhNYx+6EkEbZF4Knd/F4a/AnocHVG1+vjxlDW/w/FJU= > -SIZE (M2Crypto-0.41.0.tar.gz) = 1151680 > +SHA256 (m2crypto-0.46.2.tar.gz) = E8L6iVYve4r0DMdLVfSQvl4quMz7c58RwW085iIaYbo= > +SIZE (m2crypto-0.46.2.tar.gz) = 501816 > Index: patches/patch-src_SWIG__evp_i > =================================================================== > RCS file: patches/patch-src_SWIG__evp_i > diff -N patches/patch-src_SWIG__evp_i > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ patches/patch-src_SWIG__evp_i 17 Oct 2025 02:00:24 -0000 
> @@ -0,0 +1,12 @@ > +Index: src/SWIG/_evp.i > +--- src/SWIG/_evp.i.orig > ++++ src/SWIG/_evp.i > +@@ -364,7 +364,7 @@ PyObject *hmac_init(HMAC_CTX *ctx, PyObject *key, cons > + return NULL; > + } > + > +- if (!HMAC_Init(ctx, kbuf.buf, kbuf.len, md)) { > ++ if (!HMAC_Init_ex(ctx, kbuf.buf, kbuf.len, md, NULL)) { > + PyErr_SetString(_evp_err, "HMAC_Init failed"); > + m2_PyBuffer_Release(key, &kbuf); > + return NULL; > Index: patches/patch-src_SWIG__lib11_compat_i > =================================================================== > RCS file: /cvs/ports/security/py-M2Crypto/patches/patch-src_SWIG__lib11_compat_i,v > diff -u -p -r1.3 patch-src_SWIG__lib11_compat_i > --- patches/patch-src_SWIG__lib11_compat_i 11 Mar 2022 19:53:53 -0000 1.3 > +++ patches/patch-src_SWIG__lib11_compat_i 17 Oct 2025 01:58:11 -0000 > @@ -11,8 +11,8 @@ Index: src/SWIG/_lib11_compat.i > +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) > > #include > - #include > -@@ -24,6 +24,8 @@ static void *CRYPTO_zalloc(size_t num, const char *fil > + > +@@ -23,6 +23,8 @@ static void *CRYPTO_zalloc(size_t num, const char *fil > return ret; > } > > Index: patches/patch-src_SWIG__lib_i > =================================================================== > RCS file: patches/patch-src_SWIG__lib_i > diff -N patches/patch-src_SWIG__lib_i > --- patches/patch-src_SWIG__lib_i 2 Mar 2024 12:00:46 -0000 1.5 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 
> @@ -1,70 +0,0 @@ > -Fix build with LibreSSL > - > -Index: src/SWIG/_lib.i > ---- src/SWIG/_lib.i.orig > -+++ src/SWIG/_lib.i > -@@ -21,7 +21,7 @@ > - > - %{ > - /* OpenSSL 1.0.2 copmatbility shim */ > --#if OPENSSL_VERSION_NUMBER < 0x10002000L > -+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) > - typedef void (*OPENSSL_sk_freefunc)(void *); > - typedef void *(*OPENSSL_sk_copyfunc)(const void *); > - typedef struct stack_st OPENSSL_STACK; > -@@ -31,47 +31,21 @@ typedef struct stack_st OPENSSL_STACK; > - > - void OPENSSL_sk_free(OPENSSL_STACK *st) > - { > -- if (st == NULL) > -- return; > -- OPENSSL_free(st->data); > -- OPENSSL_free(st); > -+ sk_free(st); > - } > - > - OPENSSL_STACK *OPENSSL_sk_deep_copy(const OPENSSL_STACK *sk, > - OPENSSL_sk_copyfunc copy_func, > - OPENSSL_sk_freefunc free_func) > - { > -- OPENSSL_STACK *ret; > -- int i; > -+ /* Do not support this. It relies on UB via function pointer casting. */ > -+ return NULL; > -+} > - > -- if (sk->num < 0) > -- return NULL; > -- > -- if ((ret = OPENSSL_malloc(sizeof(*ret))) == NULL) > -- return NULL; > -- > -- /* direct structure assignment */ > -- *ret = *sk; > -- > -- ret->num_alloc = sk->num > MIN_NODES ? (size_t)sk->num : MIN_NODES; > -- ret->data = OPENSSL_zalloc(sizeof(*ret->data) * ret->num_alloc); > -- if (ret->data == NULL) { > -- OPENSSL_free(ret); > -- return NULL; > -- } > -- > -- for (i = 0; i < ret->num; ++i) { > -- if (sk->data[i] == NULL) > -- continue; > -- if ((ret->data[i] = copy_func(sk->data[i])) == NULL) { > -- while (--i >= 0) > -- if (ret->data[i] != NULL) > -- free_func((void *)ret->data[i]); > -- OPENSSL_sk_free(ret); > -- return NULL; > -- } > -- } > -- return ret; > -+int sk_find_ex(OPENSSL_STACK *sk, void *wanted) > -+{ > -+ /* Let's see if anything fails. 
*/ > -+ return -1; > - } > - #endif /* OpenSSL 1.0.2 copmatbility shim */ > - > Index: patches/patch-src_SWIG__x509_i > =================================================================== > RCS file: /cvs/ports/security/py-M2Crypto/patches/patch-src_SWIG__x509_i,v > diff -u -p -r1.2 patch-src_SWIG__x509_i > --- patches/patch-src_SWIG__x509_i 8 Feb 2025 04:13:06 -0000 1.2 > +++ patches/patch-src_SWIG__x509_i 17 Oct 2025 01:57:54 -0000 > @@ -3,7 +3,7 @@ X509_check_trust() and X509_NAME_print() > Index: src/SWIG/_x509.i > --- src/SWIG/_x509.i.orig > +++ src/SWIG/_x509.i > -@@ -108,8 +108,10 @@ extern int X509_cmp_current_time(ASN1_TIME *); > +@@ -110,8 +110,10 @@ extern int X509_cmp_current_time(ASN1_TIME *); > > %rename(x509_check_purpose) X509_check_purpose; > extern int X509_check_purpose(X509 *, int, int); > @@ -14,7 +14,7 @@ Index: src/SWIG/_x509.i > > %rename(x509_write_pem) PEM_write_bio_X509; > %threadallow PEM_write_bio_X509; > -@@ -144,9 +146,11 @@ extern int X509V3_EXT_print(BIO *, X509_EXTENSION *, u > +@@ -146,9 +148,11 @@ extern int X509V3_EXT_print(BIO *, X509_EXTENSION *, u > extern X509_NAME *X509_NAME_new( void ); > %rename(x509_name_free) X509_NAME_free; > extern void X509_NAME_free(X509_NAME *); > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/security/py-M2Crypto/pkg/PLIST,v > diff -u -p -r1.17 PLIST > --- pkg/PLIST 29 Apr 2025 10:39:48 -0000 1.17 > +++ pkg/PLIST 17 Oct 2025 02:06:12 -0000 > @@ -8,7 +8,6 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/M2Crypto/DSA.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/EC.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/EVP.py > -lib/python${MODPY_VERSION}/site-packages/M2Crypto/Engine.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/Err.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/RC4.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/RSA.py 
> @@ -19,6 +18,7 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/Cipher.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/Connection.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/Context.py > +lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/SSLError.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/SSLServer.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/Session.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/TwistedProtocolWrapper.py > @@ -32,6 +32,8 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/${MODPY_PYCACHE}Connection.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/${MODPY_PYCACHE}Context.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/${MODPY_PYCACHE}Context.${MODPY_PYC_MAGIC_TAG}pyc > +lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/${MODPY_PYCACHE}SSLError.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > +lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/${MODPY_PYCACHE}SSLError.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/${MODPY_PYCACHE}SSLServer.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/${MODPY_PYCACHE}SSLServer.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/M2Crypto/SSL/${MODPY_PYCACHE}Session.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} 
> @@ -65,8 +67,6 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}EC.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}EVP.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}EVP.${MODPY_PYC_MAGIC_TAG}pyc > -lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}Engine.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > -lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}Engine.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}Err.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}Err.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}RC4.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} 
> @@ -99,9 +99,12 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}m2xmlrpclib.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}threading.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}threading.${MODPY_PYC_MAGIC_TAG}pyc > +lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}types.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > +lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}types.${MODPY_PYC_MAGIC_TAG}pyc > lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}util.${MODPY_PYC_MAGIC_TAG}${MODPY_PYOEXTENSION} > lib/python${MODPY_VERSION}/site-packages/M2Crypto/${MODPY_PYCACHE}util.${MODPY_PYC_MAGIC_TAG}pyc > @so lib/python${MODPY_VERSION}/site-packages/M2Crypto/_m2crypto.${MODPY_PYC_MAGIC_TAG}so > +lib/python${MODPY_VERSION}/site-packages/M2Crypto/_m2crypto.pyi > lib/python${MODPY_VERSION}/site-packages/M2Crypto/callback.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/ftpslib.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/httpslib.py 
> @@ -110,12 +113,15 @@ lib/python${MODPY_VERSION}/site-packages > lib/python${MODPY_VERSION}/site-packages/M2Crypto/m2urllib.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/m2urllib2.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/m2xmlrpclib.py > +lib/python${MODPY_VERSION}/site-packages/M2Crypto/py.typed > lib/python${MODPY_VERSION}/site-packages/M2Crypto/threading.py > +lib/python${MODPY_VERSION}/site-packages/M2Crypto/types.py > lib/python${MODPY_VERSION}/site-packages/M2Crypto/util.py > lib/python${MODPY_VERSION}/site-packages/m2crypto-${MODPY_DISTV}.dist-info/ > lib/python${MODPY_VERSION}/site-packages/m2crypto-${MODPY_DISTV}.dist-info/METADATA > lib/python${MODPY_VERSION}/site-packages/m2crypto-${MODPY_DISTV}.dist-info/RECORD > lib/python${MODPY_VERSION}/site-packages/m2crypto-${MODPY_DISTV}.dist-info/WHEEL > lib/python${MODPY_VERSION}/site-packages/m2crypto-${MODPY_DISTV}.dist-info/licenses/ > -lib/python${MODPY_VERSION}/site-packages/m2crypto-${MODPY_DISTV}.dist-info/licenses/LICENCE > +lib/python${MODPY_VERSION}/site-packages/m2crypto-${MODPY_DISTV}.dist-info/licenses/LICENSES/ > +lib/python${MODPY_VERSION}/site-packages/m2crypto-${MODPY_DISTV}.dist-info/licenses/LICENSES/BSD-2-Clause.txt > lib/python${MODPY_VERSION}/site-packages/m2crypto-${MODPY_DISTV}.dist-info/top_level.txt -- Regards, Mikolaj
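
Review bot: The new patches/patch-src_SWIG__evp_i has no description line saying why hmac_init() now calls HMAC_Init_ex(ctx, kbuf.buf, kbuf.len, md, NULL) instead of HMAC_Init(), whereas the patch being removed in the same diff started with "Fix build with LibreSSL". Add a one-line reason at the top of the patch file so the next update can tell whether it is still needed or can go upstream. The error string in that branch still reads "HMAC_Init failed"; that is cosmetic, but worth adjusting if the patch is offered upstream.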
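
Review bot: Nothing in the mail explains why patches/patch-src_SWIG__lib_i can be deleted. That patch turned the "OpenSSL 1.0.2 compatibility shim" on for LibreSSL via "|| defined(LIBRESSL_VERSION_NUMBER)" and stubbed OPENSSL_sk_deep_copy() to return NULL and sk_find_ex() to return -1, with the comment "Let's see if anything fails." Please state in the commit message whether 0.46.2 no longer needs the shim on LibreSSL, so that the disappearance of the stubs reads as a deliberate change and not an oversight during the update.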
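
Review bot: The pkg/PLIST hunks at @@ -8,7 +8,6 @@ and @@ -65,8 +67,6 @@ drop M2Crypto/Engine.py and its compiled files, so any consumer that imports M2Crypto.Engine will fail at import time after this update. Since the request for testing names salt as the only serious user in ports, grep salt and the other dependents for Engine imports before committing; a runtime smoke test only catches this if the importing code path is actually exercised.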