authorTobias C. Berner <tcberner@FreeBSD.org>2022-10-14 13:38:20 +0000
committerTobias C. Berner <tcberner@FreeBSD.org>2022-10-14 13:45:24 +0000
commited4bec1e01390965296c2f510e87de9ccf8cef63 (patch)
tree7cfac3485c15336ea1048a7816cf385ef8bc9dd0
parent0112afbdbce26cffda45480b0213e0bf69e7364c (diff)
security/py-cryptography: revert Update to 38.0.1
This reverts commit f5711e95bcd17b154bdd697cb3f1650a788fdf3c. Revert due to multiple breakage reports.
-rw-r--r--security/py-cryptography/Makefile8
-rw-r--r--security/py-cryptography/distinfo6
-rw-r--r--security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-598862
-rw-r--r--security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-636098
-rw-r--r--security/py-cryptography/files/patch-setup.py57
5 files changed, 195 insertions, 36 deletions
diff --git a/security/py-cryptography/Makefile b/security/py-cryptography/Makefile
index e916d5950eb6..d46db25e295f 100644
--- a/security/py-cryptography/Makefile
+++ b/security/py-cryptography/Makefile
@@ -1,5 +1,6 @@
PORTNAME= cryptography
-PORTVERSION= 38.0.1
+PORTVERSION= 3.4.8
+PORTEPOCH= 1
CATEGORIES= security python
MASTER_SITES= CHEESESHOP
PKGNAMEPREFIX= ${PYTHON_PKGNAMEPREFIX}
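Review bot: The Makefile gets no comment explaining why a security port is held at 3.4.8 after 38.0.1 was already committed; the only rationale is the commit message's "multiple breakage reports". Going back from 38.0.1 to 3.4.8 presumably gives up any upstream fixes made between the two releases, so the next updater needs to know what blocks the upgrade. I would add above `PORTVERSION` something like `# Held at 3.4.8: update to 38.0.1 (f5711e95bcd1) reverted after breakage reports; resolve those before updating again`. `PORTEPOCH= 1` is needed for the downgrade to be seen as an upgrade by the package tools, but it cannot be removed later, which is worth stating in the same comment.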
@@ -19,7 +20,6 @@ TEST_DEPENDS= ${PYTHON_PKGNAMEPREFIX}cryptography-vectors>=${PORTVERSION}:securi
${PYTHON_PKGNAMEPREFIX}hypothesis>=1.11.4:devel/py-hypothesis@${PY_FLAVOR} \
${PYTHON_PKGNAMEPREFIX}iso8601>=0:devel/py-iso8601@${PY_FLAVOR} \
${PYTHON_PKGNAMEPREFIX}pretend>=0:devel/py-pretend@${PY_FLAVOR} \
- ${PYTHON_PKGNAMEPREFIX}pytest-benchmark>=0:devel/py-pytest-benchmark@${PY_FLAVOR} \
${PYTHON_PKGNAMEPREFIX}pytest-cov>=0:devel/py-pytest-cov@${PY_FLAVOR} \
${PYTHON_PKGNAMEPREFIX}pytest-subtests>=0:devel/py-pytest-subtests@${PY_FLAVOR} \
${PYTHON_PKGNAMEPREFIX}pytest-xdist>=0,1:devel/py-pytest-xdist@${PY_FLAVOR} \
@@ -31,15 +31,15 @@ USE_PYTHON= autoplist concurrent distutils pytest
CFLAGS+= -I${OPENSSLINC}
LDFLAGS+= -L${OPENSSLLIB}
+MAKE_ENV= CRYPTOGRAPHY_DONT_BUILD_RUST=1
TEST_ENV= PYTHONPATH=${STAGEDIR}${PYTHON_SITELIBDIR}
CPE_VENDOR= cryptography_project
.include <bsd.port.pre.mk>
-post-patch:
- @${RM} -r ${WRKSRC}/src/rust/
.if ${CHOSEN_COMPILER_TYPE} == gcc && ${COMPILER_VERSION} <= 42
+post-patch:
@${REINPLACE_CMD} -e 's|"-Wno-error=sign-conversion"||' ${WRKSRC}/src/_cffi_src/build_openssl.py
.endif
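Review bot: `MAKE_ENV= CRYPTOGRAPHY_DONT_BUILD_RUST=1` is restored without a comment, and the Rust build is switched off in two separate places that a reader has to connect for themselves. The context lines of files/patch-setup.py show setup.py setting `rust_extensions = []` when this variable is present, and the same patch also drops the setuptools-rust requirement and the `rust_extensions=` argument. A comment such as `# No Rust toolchain at build time: setup.py honours CRYPTOGRAPHY_DONT_BUILD_RUST, and files/patch-setup.py removes the setuptools-rust requirement` would tie the two together. As a style point, `MAKE_ENV+=` would avoid discarding anything assigned to the variable earlier.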
diff --git a/security/py-cryptography/distinfo b/security/py-cryptography/distinfo
index 060da2afdcf9..cb800cc11b12 100644
--- a/security/py-cryptography/distinfo
+++ b/security/py-cryptography/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1665073152
-SHA256 (cryptography-38.0.1.tar.gz) = 1db3d807a14931fa317f96435695d9ec386be7b84b618cc61cfa5d08b0ae33d7
-SIZE (cryptography-38.0.1.tar.gz) = 599412
+TIMESTAMP = 1652122693
+SHA256 (cryptography-3.4.8.tar.gz) = 94cc5ed4ceaefcbe5bf38c8fba6a21fc1d365bb8fb826ea1688e3370b2e24a1c
+SIZE (cryptography-3.4.8.tar.gz) = 546907
diff --git a/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988 b/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
new file mode 100644
index 000000000000..deb9c6408832
--- /dev/null
+++ b/security/py-cryptography/files/patch-Fix-build-with-LibreSSL-3.3.2-5988
@@ -0,0 +1,62 @@
+From 94590a9aecc9e5ef6fc8eda52bae43643a4c44bd Mon Sep 17 00:00:00 2001
+From: Charlie Li <vishwin@users.noreply.github.com>
+Date: Mon, 19 Apr 2021 18:38:38 -0400
+Subject: [PATCH] Fix build with LibreSSL 3.3.2 (#5988)
+
+* LibreSSL 3.3.2 supports SSL_OP_NO_DTLS*
+
+While here, bump CI
+
+* Fix preprocessor guards for LibreSSL's SSL_OP_NO_DTLS*
+
+DTLS_set_link_mtu and DTLS_get_link_min_mtu are not part of 3.3.2
+
+* Switch to LESS_THAN context for LibreSSL 3.3.2
+
+While here, fix indents
+
+* Remove extra C variable declaration
+
+The variable is not actually used from Python
+---
+ .github/workflows/ci.yml | 2 +-
+ src/_cffi_src/openssl/cryptography.py | 7 +++++++
+ src/_cffi_src/openssl/ssl.py | 2 ++
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
+index e2b5a132..b9c7a793 100644
+--- src/_cffi_src/openssl/cryptography.py
++++ src/_cffi_src/openssl/cryptography.py
+@@ -32,6 +32,13 @@ INCLUDES = """
+ #include <Winsock2.h>
+ #endif
+
++#if CRYPTOGRAPHY_IS_LIBRESSL
++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
++ (LIBRESSL_VERSION_NUMBER < 0x3030200f)
++#else
++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
++#endif
++
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
+
+diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
+index 11a7d63a..081ef041 100644
+--- src/_cffi_src/openssl/ssl.py
++++ src/_cffi_src/openssl/ssl.py
+@@ -586,8 +586,10 @@ static const long TLS_ST_OK = 0;
+ #endif
+
+ #if CRYPTOGRAPHY_IS_LIBRESSL
++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332
+ static const long SSL_OP_NO_DTLSv1 = 0;
+ static const long SSL_OP_NO_DTLSv1_2 = 0;
++#endif
+ long (*DTLS_set_link_mtu)(SSL *, long) = NULL;
+ long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
+ #endif
+--
+2.31.1
+
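Review bot: On LibreSSL older than 3.3.2 the ssl.py hunk still defines `SSL_OP_NO_DTLSv1` and `SSL_OP_NO_DTLSv1_2` as 0, so OR-ing them into a context's options presumably restricts nothing and reports no error. No `Cryptography_HAS_*` flag for these two constants is visible in the hunk, so a caller may have no way to detect that the option is a no-op on such a build. A comment above the new guard would make this explicit, for example `/* LibreSSL < 3.3.2 has no SSL_OP_NO_DTLS*: defined as 0, setting them disables nothing */`. The LibreSSL 3.4.0 patch keeps the same zero definition for `SSL_OP_NO_TLSv1_3`, although there `Cryptography_HAS_TLSv1_3 = 0` at least signals it. The cffi source string that contains these lines starts and ends outside the hunk.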
diff --git a/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360 b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
new file mode 100644
index 000000000000..a8bb6dc6da43
--- /dev/null
+++ b/security/py-cryptography/files/patch-Support-LibreSSL-3.4.0-6360
@@ -0,0 +1,98 @@
+From 7a341a5d3cb9380e77b0241b5198373ab6fc355e Mon Sep 17 00:00:00 2001
+From: Charlie Li <vishwin@users.noreply.github.com>
+Date: Sun, 3 Oct 2021 00:20:31 -0400
+Subject: [PATCH] Support LibreSSL 3.4.0 (#6360)
+
+* Add LibreSSL 3.4.0 to CI
+
+* Add a LibreSSL 3.4.0 guard
+
+Since LibreSSL 3.4.0 makes most of the TLSv1.3 API available, redefine CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 to LibreSSL versions below 3.4.0.
+
+* DTLS_get_data_mtu does not exist in LibreSSL
+
+* Only EVP_Digest{Sign,Verify} exist in LibreSSL 3.4.0+
+
+* SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL
+
+* Do not pollute CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 with LibreSSL
+
+While LibreSSL 3.4.0 supports more of TLSv1.3 API, the guard redefinition caused the X448 tests to run when not intended.
+---
+ .github/workflows/ci.yml | 6 ++++--
+ src/_cffi_src/openssl/cryptography.py | 3 +++
+ src/_cffi_src/openssl/evp.py | 15 ++++++++++-----
+ src/_cffi_src/openssl/ssl.py | 3 ++-
+ 4 files changed, 19 insertions(+), 8 deletions(-)
+
+diff --git src/_cffi_src/openssl/cryptography.py src/_cffi_src/openssl/cryptography.py
+index 878d22d8..821ddc9f 100644
+--- src/_cffi_src/openssl/cryptography.py
++++ src/_cffi_src/openssl/cryptography.py
+@@ -36,8 +36,11 @@ INCLUDES = """
+ #if CRYPTOGRAPHY_IS_LIBRESSL
+ #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 \
+ (LIBRESSL_VERSION_NUMBER < 0x3030200f)
++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 \
++ (LIBRESSL_VERSION_NUMBER < 0x3040000f)
+ #else
+ #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
++#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0)
+ #endif
+
+ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
+diff --git src/_cffi_src/openssl/evp.py src/_cffi_src/openssl/evp.py
+index ab7cfeb3..cad3339a 100644
+--- src/_cffi_src/openssl/evp.py
++++ src/_cffi_src/openssl/evp.py
+@@ -203,15 +203,21 @@ int (*EVP_PKEY_set1_tls_encodedpoint)(EVP_PKEY *, const unsigned char *,
+ size_t) = NULL;
+ #endif
+
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
++ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
+-static const long Cryptography_HAS_RAW_KEY = 0;
+-static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
+-int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
+ int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,
+ const unsigned char *tbs, size_t) = NULL;
+ int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t,
+ const unsigned char *, size_t) = NULL;
++#else
++static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
++#endif
++
++#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
++static const long Cryptography_HAS_RAW_KEY = 0;
++static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
++int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
+ EVP_PKEY *(*EVP_PKEY_new_raw_private_key)(int, ENGINE *, const unsigned char *,
+ size_t) = NULL;
+ EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(int, ENGINE *, const unsigned char *,
+@@ -221,7 +227,6 @@ int (*EVP_PKEY_get_raw_private_key)(const EVP_PKEY *, unsigned char *,
+ int (*EVP_PKEY_get_raw_public_key)(const EVP_PKEY *, unsigned char *,
+ size_t *) = NULL;
+ #else
+-static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
+ static const long Cryptography_HAS_RAW_KEY = 1;
+ static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1;
+ #endif
+diff --git src/_cffi_src/openssl/ssl.py src/_cffi_src/openssl/ssl.py
+index ca275e91..0830a463 100644
+--- src/_cffi_src/openssl/ssl.py
++++ src/_cffi_src/openssl/ssl.py
+@@ -678,7 +678,8 @@ int (*SSL_set_tlsext_use_srtp)(SSL *, const char *) = NULL;
+ SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL;
+ #endif
+
+-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
++#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
++ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+ static const long Cryptography_HAS_TLSv1_3 = 0;
+ static const long SSL_OP_NO_TLSv1_3 = 0;
+ static const long SSL_VERIFY_POST_HANDSHAKE = 0;
+--
+2.32.0
+
diff --git a/security/py-cryptography/files/patch-setup.py b/security/py-cryptography/files/patch-setup.py
index b0cfd33df0bc..7e15e74dffd4 100644
--- a/security/py-cryptography/files/patch-setup.py
+++ b/security/py-cryptography/files/patch-setup.py
@@ -1,8 +1,8 @@
---- setup.py.orig 2022-09-07 12:20:58 UTC
+--- setup.py.orig 2021-03-25 17:19:57 UTC
+++ setup.py
-@@ -13,23 +13,6 @@ import sys
+@@ -10,23 +10,7 @@ import sys
- from setuptools import setup
+ from setuptools import find_packages, setup
-try:
- from setuptools_rust import RustExtension
@@ -12,7 +12,7 @@
- =============================DEBUG ASSISTANCE==========================
- If you are seeing an error here please try the following to
- successfully install cryptography:
--
+
- Upgrade to the latest pip and try again. This will fix errors for most
- users. See: https://pip.pypa.io/en/stable/installing/#upgrading-pip
- =============================DEBUG ASSISTANCE==========================
@@ -24,33 +24,32 @@
base_dir = os.path.dirname(__file__)
src_dir = os.path.join(base_dir, "src")
-@@ -43,20 +26,6 @@ try:
- cffi_modules=[
+@@ -41,9 +25,8 @@ with open(os.path.join(src_dir, "cryptography", "__abo
+
+ # `install_requirements` and `setup_requirements` must be kept in sync with
+ # `pyproject.toml`
+-setuptools_rust = "setuptools-rust>=0.11.4"
+ install_requirements = ["cffi>=1.12"]
+-setup_requirements = install_requirements + [setuptools_rust]
++setup_requirements = install_requirements
+
+ if os.environ.get("CRYPTOGRAPHY_DONT_BUILD_RUST"):
+ rust_extensions = []
+@@ -129,9 +112,6 @@ try:
+ "twine >= 1.12.0",
+ "sphinxcontrib-spelling >= 4.0.1",
+ ],
+- "sdist": [
+- setuptools_rust,
+- ],
+ "pep8test": [
+ "black",
+ "flake8",
+@@ -149,7 +129,6 @@ try:
"src/_cffi_src/build_openssl.py:ffi",
+ "src/_cffi_src/build_padding.py:ffi",
],
-- rust_extensions=[
-- RustExtension(
-- "cryptography.hazmat.bindings._rust",
-- "src/rust/Cargo.toml",
-- py_limited_api=True,
-- # Enable abi3 mode if we're not using PyPy.
-- features=(
-- []
-- if platform.python_implementation() == "PyPy"
-- else ["pyo3/abi3-py36"]
-- ),
-- rust_version=">=1.48.0",
-- )
-- ],
+- rust_extensions=rust_extensions,
)
except: # noqa: E722
# Note: This is a bare exception that re-raises so that we don't interfere
-@@ -86,7 +55,7 @@ except: # noqa: E722
- )
- print(f" Python: {'.'.join(str(v) for v in sys.version_info[:3])}")
- print(f" platform: {platform.platform()}")
-- for dist in ["pip", "setuptools", "setuptools_rust"]:
-+ for dist in ["pip", "setuptools"]:
- try:
- version = pkg_resources.get_distribution(dist).version
- except pkg_resources.DistributionNotFound: