OpenBSD: fix tests and disallow LibreSSL (#4888)

Author: gpotter2

scapy/config.py

@@ -745,10 +745,13 @@ def isCryptographyValid():
     Check if the cryptography module >= 2.0.0 is present. This is the minimum
     version for most usages in Scapy.
     """
+    # Check import
     try:
         import cryptography
     except ImportError:
         return False
+
+    # Check minimum version
     return _version_checker(cryptography, (2, 0, 0))
 
 
@@ -771,6 +774,23 @@ def isCryptographyAdvanced():
         return True
 
 
+def isCryptographyBackendCompatible() -> bool:
+    """
+    Check if the cryptography backend is compatible
+    """
+    # Check for LibreSSL
+    try:
+        from cryptography.hazmat.backends import default_backend
+        if "LibreSSL" in default_backend().openssl_version_text():
+            # BUG: LibreSSL - https://marc.info/?l=libressl&m=173846028619304&w=2
+            # It takes 5 whole minutes to import RFC3526's modp parameters. This is
+            # not okay.
+            return False
+        return True
+    except Exception:
+        return True
+
+
 def isPyPy():
     # type: () -> bool
     """Returns either scapy is running under PyPy or not"""
@@ -1199,6 +1219,17 @@ def __getattribute__(self, attr):
 conf = Conf()  # type: Conf
 
 
+if not isCryptographyBackendCompatible():
+    conf.crypto_valid = False
+    conf.crypto_valid_advanced = False
+    log_scapy.error(
+        "Scapy does not support LibreSSL as a backend to cryptography ! "
+        "See https://cryptography.io/en/latest/installation/#static-wheels "
+        "for instructions on how to recompile cryptography with another "
+        "backend."
+    )
+
+
 def crypto_validator(func):
     # type: (DecoratorCallable) -> DecoratorCallable
     """
@@ -1209,7 +1240,7 @@ def func_in(*args, **kwargs):
         # type: (*Any, **Any) -> Any
         if not conf.crypto_valid:
             raise ImportError("Cannot execute crypto-related method! "
-                              "Please install python-cryptography v1.7 or later.")  # noqa: E501
+                              "Please install python-cryptography v2.0 or later.")  # noqa: E501
         return func(*args, **kwargs)
     return func_in
 

scapy/contrib/automotive/autosar/secoc.py

@@ -16,7 +16,7 @@
     from cryptography.hazmat.primitives import cmac
     from cryptography.hazmat.primitives.ciphers import algorithms
 else:
-    log_loading.info("Can't import python-cryptography v1.7+. "
+    log_loading.info("Can't import python-cryptography v2.0+. "
                      "Disabled SecOC calculate_cmac.")
 
 from scapy.config import conf

scapy/contrib/macsec.py

@@ -33,7 +33,7 @@
         modes,
     )
 else:
-    log_loading.info("Can't import python-cryptography v1.7+. "
+    log_loading.info("Can't import python-cryptography v2.0+. "
                      "Disabled MACsec encryption/authentication.")
 
 

scapy/contrib/psp.py

@@ -65,7 +65,7 @@
         aead,
     )
 else:
-    log_loading.info("Can't import python-cryptography v1.7+. "
+    log_loading.info("Can't import python-cryptography v2.0+. "
                      "Disabled PSP encryption/authentication.")
 
 ###############################################################################

scapy/layers/dot11.py

@@ -73,7 +73,7 @@
         decrepit_algorithms = algorithms
 else:
     default_backend = Ciphers = algorithms = decrepit_algorithms = None
-    log_loading.info("Can't import python-cryptography v1.7+. Disabled WEP decryption/encryption. (Dot11)")  # noqa: E501
+    log_loading.info("Can't import python-cryptography v2.0+. Disabled WEP decryption/encryption. (Dot11)")  # noqa: E501
 
 
 #########

scapy/layers/inet.py

@@ -19,8 +19,17 @@
     linehexdump, strxor, whois, colgen
 from scapy.ansmachine import AnsweringMachine
 from scapy.base_classes import Gen, Net, _ScopedIP
-from scapy.data import ETH_P_IP, ETH_P_ALL, DLT_RAW, DLT_RAW_ALT, DLT_IPV4, \
-    IP_PROTOS, TCP_SERVICES, UDP_SERVICES
+from scapy.consts import OPENBSD
+from scapy.data import (
+    ETH_P_IP,
+    ETH_P_ALL,
+    DLT_RAW,
+    DLT_RAW_ALT,
+    DLT_IPV4,
+    IP_PROTOS,
+    TCP_SERVICES,
+    UDP_SERVICES,
+)
 from scapy.layers.l2 import (
     CookedLinux,
     Dot3,
@@ -1358,6 +1367,8 @@ def mysummary(self):
 conf.l2types.register(DLT_RAW, IP)
 conf.l2types.register_num2layer(DLT_RAW_ALT, IP)
 conf.l2types.register(DLT_IPV4, IP)
+if OPENBSD:
+    conf.l2types.register_num2layer(228, IP)
 
 conf.l3types.register(ETH_P_IP, IP)
 conf.l3types.register_num2layer(ETH_P_ALL, IP)

scapy/layers/inet6.py

@@ -22,7 +22,7 @@
 from scapy.as_resolvers import AS_resolver_riswhois
 from scapy.base_classes import Gen, _ScopedIP
 from scapy.compat import chb, orb, raw, plain_str, bytes_encode
-from scapy.consts import WINDOWS
+from scapy.consts import WINDOWS, OPENBSD
 from scapy.config import conf
 from scapy.data import (
     DLT_IPV6,
@@ -4213,6 +4213,8 @@ def _load_dict(d):
 conf.l2types.register(DLT_IPV6, IPv6)
 conf.l2types.register(DLT_RAW, IPv46)
 conf.l2types.register_num2layer(DLT_RAW_ALT, IPv46)
+if OPENBSD:
+    conf.l2types.register_num2layer(229, IPv6)
 
 bind_layers(Ether, IPv6, type=0x86dd)
 bind_layers(CookedLinux, IPv6, proto=0x86dd)

scapy/layers/ipsec.py

@@ -221,7 +221,7 @@ def data_for_encryption(self):
     DES.key_sizes = decrepit_algorithms.TripleDES.key_sizes
     DES.block_size = decrepit_algorithms.TripleDES.block_size
 else:
-    log_loading.info("Can't import python-cryptography v1.7+. "
+    log_loading.info("Can't import python-cryptography v2.0+. "
                      "Disabled IPsec encryption/authentication.")
     default_backend = None
     InvalidTag = Exception

scapy/layers/tls/__init__.py

@@ -91,5 +91,5 @@
 if not conf.crypto_valid:
     import logging
     log_loading = logging.getLogger("scapy.loading")
-    log_loading.info("Can't import python-cryptography v1.7+. "
+    log_loading.info("Can't import python-cryptography v2.0+. "
                      "Disabled PKI & TLS crypto-related features.")

test/regression.uts

@@ -533,7 +533,7 @@ if len(routes6) > 2 and not WINDOWS:
     # Identify routes to fe80::/64
     assert sum(1 for r in routes6 if r[0] == "::1" and r[4] == ["::1"]) >= 1
     if len(iflist) >= 2:
-        assert sum(1 for r in routes6 if ll_route.match(r[0]) and r[1] == 64) >= 1
+        assert sum(1 for r in routes6 if ll_route.match(r[0])) >= 1
         try:
             # Identify a route to a node IPv6 link-local address
             assert sum(1 for r in routes6 if in6_islladdr(r[0]) and r[1] == 128) >= 1
@@ -2941,11 +2941,12 @@ class BSDLoader:
         for p in self.patches:
             p.start()        
         return pfroute
-    def __exit__(self, *args, **kwargs):
+    def __exit__(self, type, value, traceback):
         for p in self.loadpatches:
             p.stop()
         for p in self.patches:
             p.stop()
+        importlib.reload(scapy.arch.bpf.pfroute)
 
 
 = OpenBSD 7.5 amd64 - read_routes()