From e7c1f700b4674ce9422837997c0ef9a54afaeff8 Mon Sep 17 00:00:00 2001
From: JeremiahM37
Date: Tue, 5 Aug 2025 16:46:15 -0600
Subject: [PATCH 1/2] python cryptography ossl hardload patch
---
wolfProvider/python-cryptography/README.md | 1 +
.../python-cryptography-38.0.4-wolfprov.patch | 71 +++++++++++++++++++
2 files changed, 72 insertions(+)
create mode 100644 wolfProvider/python-cryptography/README.md
create mode 100644 wolfProvider/python-cryptography/python-cryptography-38.0.4-wolfprov.patch
diff --git a/wolfProvider/python-cryptography/README.md b/wolfProvider/python-cryptography/README.md
new file mode 100644
index 00000000..07a64566
--- /dev/null
+++ b/wolfProvider/python-cryptography/README.md
@@ -0,0 +1 @@
+Removes the openssl hardloads in favor of libwolfprov in python cryptography version 38.0.4
diff --git a/wolfProvider/python-cryptography/python-cryptography-38.0.4-wolfprov.patch b/wolfProvider/python-cryptography/python-cryptography-38.0.4-wolfprov.patch
new file mode 100644
index 00000000..f42ab81f
--- /dev/null
+++ b/wolfProvider/python-cryptography/python-cryptography-38.0.4-wolfprov.patch
@@ -0,0 +1,71 @@
+diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
+index 2b4c574b4..a089a4221 100644
+--- a/src/cryptography/hazmat/bindings/openssl/binding.py
++++ b/src/cryptography/hazmat/bindings/openssl/binding.py
+@@ -170,18 +170,36 @@ class Binding:
+ # are ugly legacy, but we aren't going to get rid of them
+ # any time soon.
+ if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
+- cls._legacy_provider = cls.lib.OSSL_PROVIDER_load(
+- cls.ffi.NULL, b"legacy"
+- )
+- _openssl_assert(
+- cls.lib, cls._legacy_provider != cls.ffi.NULL
+- )
+- cls._default_provider = cls.lib.OSSL_PROVIDER_load(
+- cls.ffi.NULL, b"default"
+- )
+- _openssl_assert(
+- cls.lib, cls._default_provider != cls.ffi.NULL
+- )
++ # Check if wolfProvider is configured via OPENSSL_CONF
++ import os
++ openssl_conf = os.environ.get('OPENSSL_CONF', '')
++ if openssl_conf and 'wolfProvider' in openssl_conf:
++ # Load wolfProvider instead of default providers
++ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load(
++ cls.ffi.NULL, b"libwolfprov"
++ )
++ _openssl_assert(
++ cls.lib, cls._legacy_provider != cls.ffi.NULL
++ )
++ cls._default_provider = cls.lib.OSSL_PROVIDER_load(
++ cls.ffi.NULL, b"libwolfprov"
++ )
++ _openssl_assert(
++ cls.lib, cls._default_provider != cls.ffi.NULL
++ )
++ else:
++ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load(
++ cls.ffi.NULL, b"legacy"
++ )
++ _openssl_assert(
++ cls.lib, cls._legacy_provider != cls.ffi.NULL
++ )
++ cls._default_provider = cls.lib.OSSL_PROVIDER_load(
++ cls.ffi.NULL, b"default"
++ )
++ _openssl_assert(
++ cls.lib, cls._default_provider != cls.ffi.NULL
++ )
+
+ @classmethod
+ def init_static_locks(cls):
+diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py
+index 2605566bd..406a4d2e0 100644
+--- a/tests/hazmat/backends/test_openssl_memleak.py
++++ b/tests/hazmat/backends/test_openssl_memleak.py
+@@ -97,8 +97,10 @@ def main(argv):
+ gc.collect()
+
+ if lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
+- lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider)
+- lib.OSSL_PROVIDER_unload(backend._binding._default_provider)
++ if backend._binding._legacy_provider is not None:
++ lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider)
++ if backend._binding._default_provider is not None:
++ lib.OSSL_PROVIDER_unload(backend._binding._default_provider)
+
+ if lib.Cryptography_HAS_OPENSSL_CLEANUP:
+ lib.OPENSSL_cleanup()
+
From 364ed78f9956dac5e0079b7db53832c8544a3142 Mon Sep 17 00:00:00 2001
From: JeremiahM37
Date: Wed, 6 Aug 2025 09:18:32 -0600
Subject: [PATCH 2/2] remove legacy provider
---
.../python-cryptography-38.0.4-wolfprov.patch | 62 ++++++-------------
1 file changed, 18 insertions(+), 44 deletions(-)
diff --git a/wolfProvider/python-cryptography/python-cryptography-38.0.4-wolfprov.patch b/wolfProvider/python-cryptography/python-cryptography-38.0.4-wolfprov.patch
index f42ab81f..8284df89 100644
--- a/wolfProvider/python-cryptography/python-cryptography-38.0.4-wolfprov.patch
+++ b/wolfProvider/python-cryptography/python-cryptography-38.0.4-wolfprov.patch
@@ -1,8 +1,16 @@
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
-index 2b4c574b4..a089a4221 100644
+index 2b4c574b4..c5acb761f 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
-@@ -170,18 +170,36 @@ class Binding:
+@@ -123,7 +123,6 @@ class Binding:
+ ffi = ffi
+ _lib_loaded = False
+ _init_lock = threading.Lock()
+- _legacy_provider: typing.Any = None
+ _default_provider: typing.Any = None
+
+ def __init__(self):
+@@ -170,14 +169,9 @@ class Binding:
# are ugly legacy, but we aren't going to get rid of them
# any time soon.
if cls.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
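Review bot: The provider choice in the new branch keys off a substring test, `if openssl_conf and 'wolfProvider' in openssl_conf:`, on the OPENSSL_CONF path rather than on what that configuration actually activates, so a config stored under a path without that word silently leaves the stock `legacy`/`default` providers in use, while a path that merely contains the word loads libwolfprov without confirming the config applied. The same branch calls `OSSL_PROVIDER_load(cls.ffi.NULL, b"libwolfprov")` twice and stores the second handle in `_legacy_provider`, so that attribute name no longer describes what it holds and the retained comment above it, `# are ugly legacy, but we aren't going to get rid of them`, describes the old behaviour. The enclosing classmethod's `def` lies above the inner hunk. The second commit in this series removes both the environment check and the `_legacy_provider` attribute, which addresses these points.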
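Review bot: The comment kept as trailing context here, `# are ugly legacy, but we aren't going to get rid of them` / `# any time soon.`, now introduces code that no longer loads the legacy provider at all, so it documents behaviour the patched binding does not have; the earlier lines of that comment block sit above the inner hunk. Because this commit makes `libwolfprov` the only provider loaded explicitly, and OpenSSL 3 stops auto-activating its built-in default provider once any provider has been explicitly loaded, every algorithm wolfProvider does not implement becomes unavailable through this binding, which is worth stating in place of the stale text, e.g. `# libwolfprov is loaded as the sole provider; algorithms it does not implement (including the legacy ciphers above) are intentionally unavailable.` Dropping the `_legacy_provider` class attribute also turns any remaining reference to it into an AttributeError; the memleak test is updated in the next hunk, but whether other files in 38.0.4 reference it is not visible from this patch.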
@@ -12,57 +20,23 @@ index 2b4c574b4..a089a4221 100644
- _openssl_assert(
- cls.lib, cls._legacy_provider != cls.ffi.NULL
- )
-- cls._default_provider = cls.lib.OSSL_PROVIDER_load(
++ # Always load libwolfprov instead of default provider
+ cls._default_provider = cls.lib.OSSL_PROVIDER_load(
- cls.ffi.NULL, b"default"
-- )
-- _openssl_assert(
-- cls.lib, cls._default_provider != cls.ffi.NULL
-- )
-+ # Check if wolfProvider is configured via OPENSSL_CONF
-+ import os
-+ openssl_conf = os.environ.get('OPENSSL_CONF', '')
-+ if openssl_conf and 'wolfProvider' in openssl_conf:
-+ # Load wolfProvider instead of default providers
-+ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load(
-+ cls.ffi.NULL, b"libwolfprov"
-+ )
-+ _openssl_assert(
-+ cls.lib, cls._legacy_provider != cls.ffi.NULL
-+ )
-+ cls._default_provider = cls.lib.OSSL_PROVIDER_load(
-+ cls.ffi.NULL, b"libwolfprov"
-+ )
-+ _openssl_assert(
-+ cls.lib, cls._default_provider != cls.ffi.NULL
-+ )
-+ else:
-+ cls._legacy_provider = cls.lib.OSSL_PROVIDER_load(
-+ cls.ffi.NULL, b"legacy"
-+ )
-+ _openssl_assert(
-+ cls.lib, cls._legacy_provider != cls.ffi.NULL
-+ )
-+ cls._default_provider = cls.lib.OSSL_PROVIDER_load(
-+ cls.ffi.NULL, b"default"
-+ )
-+ _openssl_assert(
-+ cls.lib, cls._default_provider != cls.ffi.NULL
-+ )
-
- @classmethod
- def init_static_locks(cls):
++ cls.ffi.NULL, b"libwolfprov"
+ )
+ _openssl_assert(
+ cls.lib, cls._default_provider != cls.ffi.NULL
diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py
-index 2605566bd..406a4d2e0 100644
+index 2605566bd..fbe565826 100644
--- a/tests/hazmat/backends/test_openssl_memleak.py
+++ b/tests/hazmat/backends/test_openssl_memleak.py
-@@ -97,8 +97,10 @@ def main(argv):
+@@ -97,8 +97,8 @@ def main(argv):
gc.collect()
if lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
- lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider)
- lib.OSSL_PROVIDER_unload(backend._binding._default_provider)
-+ if backend._binding._legacy_provider is not None:
-+ lib.OSSL_PROVIDER_unload(backend._binding._legacy_provider)
+ if backend._binding._default_provider is not None:
+ lib.OSSL_PROVIDER_unload(backend._binding._default_provider)