From 7743074a897b9983efa3221a11d39fd310d51ce2 Mon Sep 17 00:00:00 2001
From: gpotter2 <10530980+gpotter2@users.noreply.github.com>
Date: Wed, 24 Dec 2025 01:23:14 +0100
Subject: [PATCH] OpenBSD: fix tests and disallow LibreSSL
---
 scapy/config.py | 33 ++++++++++++++++++++++-
 scapy/contrib/automotive/autosar/secoc.py | 2 +-
 scapy/contrib/macsec.py | 2 +-
 scapy/contrib/psp.py | 2 +-
 scapy/layers/dot11.py | 2 +-
 scapy/layers/inet.py | 15 +++++++++--
 scapy/layers/inet6.py | 4 ++-
 scapy/layers/ipsec.py | 2 +-
 scapy/layers/tls/__init__.py | 2 +-
 test/regression.uts | 5 ++--
 test/tuntap.uts | 4 +--
 11 files changed, 59 insertions(+), 14 deletions(-)
diff --git a/scapy/config.py b/scapy/config.py
index be3cb25b278..3c5f05cf49b 100755
--- a/scapy/config.py
+++ b/scapy/config.py
@@ -745,10 +745,13 @@ def isCryptographyValid():
 Check if the cryptography module >= 2.0.0 is present. This is the minimum version for most usages in Scapy.
 """
+ # Check import
 try:
 import cryptography
 except ImportError:
 return False
+
+ # Check minimum version
 return _version_checker(cryptography, (2, 0, 0))
@@ -771,6 +774,23 @@ def isCryptographyAdvanced():
 return True
+def isCryptographyBackendCompatible() -> bool:
+ """
+ Check if the cryptography backend is compatible
+ """
+ # Check for LibreSSL
+ try:
+ from cryptography.hazmat.backends import default_backend
+ if "LibreSSL" in default_backend().openssl_version_text():
+ # BUG: LibreSSL - https://marc.info/?l=libressl&m=173846028619304&w=2
+ # It takes 5 whole minutes to import RFC3526's modp parameters. This is
+ # not okay.
+ return False
+ return True
+ except Exception:
+ return True
+
+
 def isPyPy():
 # type: () -> bool
 """Returns either scapy is running under PyPy or not"""
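Review bot: The `except Exception: return True` at the end of `isCryptographyBackendCompatible()` in scapy/config.py makes the check fail open for every error, not only a missing `cryptography` package, so a backend whose `openssl_version_text()` call fails is reported as compatible and nothing is logged. Catching `ImportError` on its own (the case `isCryptographyValid()` already covers) and logging any other exception before returning would keep a detection failure visible. The docstring could state the actual contract, e.g. `Return False only when cryptography is backed by LibreSSL; return True otherwise, including when the backend cannot be inspected.` The signature also uses an inline `-> bool` annotation while the neighbouring `isPyPy()` uses a `# type: () -> bool` comment.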
@@ -1199,6 +1219,17 @@ def __getattribute__(self, attr):
 conf = Conf() # type: Conf
+if not isCryptographyBackendCompatible():
+ conf.crypto_valid = False
+ conf.crypto_valid_advanced = False
+ log_scapy.error(
+ "Scapy does not support LibreSSL as a backend to cryptography ! "
+ "See https://cryptography.io/en/latest/installation/#static-wheels "
+ "for instructions on how to recompile cryptography with another "
+ "backend."
+ )
+
+
 def crypto_validator(func):
 # type: (DecoratorCallable) -> DecoratorCallable
 """
@@ -1209,7 +1240,7 @@ def func_in(*args, **kwargs):
 # type: (*Any, **Any) -> Any
 if not conf.crypto_valid:
 raise ImportError("Cannot execute crypto-related method! "
- "Please install python-cryptography v1.7 or later.") # noqa: E501
+ "Please install python-cryptography v2.0 or later.") # noqa: E501
 return func(*args, **kwargs)
 return func_in
diff --git a/scapy/contrib/automotive/autosar/secoc.py b/scapy/contrib/automotive/autosar/secoc.py
index d93f62aa3c5..d83949e268e 100644
--- a/scapy/contrib/automotive/autosar/secoc.py
+++ b/scapy/contrib/automotive/autosar/secoc.py
@@ -16,7 +16,7 @@
 from cryptography.hazmat.primitives import cmac
 from cryptography.hazmat.primitives.ciphers import algorithms
 else:
- log_loading.info("Can't import python-cryptography v1.7+. "
+ log_loading.info("Can't import python-cryptography v2.0+. "
 "Disabled SecOC calculate_cmac.")
 from scapy.config import conf
diff --git a/scapy/contrib/macsec.py b/scapy/contrib/macsec.py
index ac90972246a..f3e75d61afa 100755
--- a/scapy/contrib/macsec.py
+++ b/scapy/contrib/macsec.py
@@ -33,7 +33,7 @@
 modes,
 )
 else:
- log_loading.info("Can't import python-cryptography v1.7+. "
+ log_loading.info("Can't import python-cryptography v2.0+. "
 "Disabled MACsec encryption/authentication.")
diff --git a/scapy/contrib/psp.py b/scapy/contrib/psp.py
index ded095ed4ee..cf656b67754 100644
--- a/scapy/contrib/psp.py
+++ b/scapy/contrib/psp.py
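Review bot: When the LibreSSL branch added after `conf = Conf()` in scapy/config.py sets `conf.crypto_valid = False`, every later failure is still reported as a missing package. `crypto_validator` (the next hunk) raises `ImportError` with "Please install python-cryptography v2.0 or later.", and the layer modules touched by this patch log "Can't import python-cryptography v2.0+", although cryptography is installed and only its backend was rejected. The single `log_scapy.error` at import time is easy to lose once logging is filtered, so the reason should travel with the failure, for example by wording the validator message as `"python-cryptography v2.0 or later with a supported (non-LibreSSL) backend is required."`. The block runs at import of `scapy.config` for every user, including those who never use crypto features, so it is worth confirming that `error` rather than `warning` is the intended level.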
@@ -65,7 +65,7 @@
 aead,
 )
 else:
- log_loading.info("Can't import python-cryptography v1.7+. "
+ log_loading.info("Can't import python-cryptography v2.0+. "
 "Disabled PSP encryption/authentication.")
 ###############################################################################
diff --git a/scapy/layers/dot11.py b/scapy/layers/dot11.py
index 63b3aeec551..3e70571509e 100644
--- a/scapy/layers/dot11.py
+++ b/scapy/layers/dot11.py
@@ -73,7 +73,7 @@
 decrepit_algorithms = algorithms
 else:
 default_backend = Ciphers = algorithms = decrepit_algorithms = None
- log_loading.info("Can't import python-cryptography v1.7+. Disabled WEP decryption/encryption. (Dot11)") # noqa: E501
+ log_loading.info("Can't import python-cryptography v2.0+. Disabled WEP decryption/encryption. (Dot11)") # noqa: E501
 #########
diff --git a/scapy/layers/inet.py b/scapy/layers/inet.py
index 6e01c9b253f..cc3ea479a62 100644
--- a/scapy/layers/inet.py
+++ b/scapy/layers/inet.py
@@ -19,8 +19,17 @@
 linehexdump, strxor, whois, colgen
 from scapy.ansmachine import AnsweringMachine
 from scapy.base_classes import Gen, Net, _ScopedIP
-from scapy.data import ETH_P_IP, ETH_P_ALL, DLT_RAW, DLT_RAW_ALT, DLT_IPV4, \
- IP_PROTOS, TCP_SERVICES, UDP_SERVICES
+from scapy.consts import OPENBSD
+from scapy.data import (
+ ETH_P_IP,
+ ETH_P_ALL,
+ DLT_RAW,
+ DLT_RAW_ALT,
+ DLT_IPV4,
+ IP_PROTOS,
+ TCP_SERVICES,
+ UDP_SERVICES,
+)
 from scapy.layers.l2 import (
 CookedLinux,
 Dot3,
@@ -1358,6 +1367,8 @@ def mysummary(self):
 conf.l2types.register(DLT_RAW, IP)
 conf.l2types.register_num2layer(DLT_RAW_ALT, IP)
 conf.l2types.register(DLT_IPV4, IP)
+if OPENBSD:
+ conf.l2types.register_num2layer(228, IP)
 conf.l3types.register(ETH_P_IP, IP)
 conf.l3types.register_num2layer(ETH_P_ALL, IP)
diff --git a/scapy/layers/inet6.py b/scapy/layers/inet6.py
index b585c92ea70..dc101664796 100644
--- a/scapy/layers/inet6.py
+++ b/scapy/layers/inet6.py
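Review bot: The literal `228` in `conf.l2types.register_num2layer(228, IP)` (scapy/layers/inet.py) is unexplained, as is `229` in the matching `if OPENBSD:` block added to scapy/layers/inet6.py, while every surrounding registration uses a named `DLT_*` constant. A reader cannot tell from the hunk why `DLT_IPV4` on the line above does not already cover this value on OpenBSD; presumably the constant resolves to a different number there, but that is not visible here. A named constant in `scapy.data`, or a comment such as `# OpenBSD: also accept link type 228 (raw IPv4) when dissecting` with wording confirmed by the author, would document the intent. Since the call used is `register_num2layer`, the comment should also say that only the number-to-layer direction is being added.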
@@ -22,7 +22,7 @@
 from scapy.as_resolvers import AS_resolver_riswhois
 from scapy.base_classes import Gen, _ScopedIP
 from scapy.compat import chb, orb, raw, plain_str, bytes_encode
-from scapy.consts import WINDOWS
+from scapy.consts import WINDOWS, OPENBSD
 from scapy.config import conf
 from scapy.data import (
 DLT_IPV6,
@@ -4213,6 +4213,8 @@ def _load_dict(d):
 conf.l2types.register(DLT_IPV6, IPv6)
 conf.l2types.register(DLT_RAW, IPv46)
 conf.l2types.register_num2layer(DLT_RAW_ALT, IPv46)
+if OPENBSD:
+ conf.l2types.register_num2layer(229, IPv6)
 bind_layers(Ether, IPv6, type=0x86dd)
 bind_layers(CookedLinux, IPv6, proto=0x86dd)
diff --git a/scapy/layers/ipsec.py b/scapy/layers/ipsec.py
index 921f9800748..8cff919102a 100644
--- a/scapy/layers/ipsec.py
+++ b/scapy/layers/ipsec.py
@@ -221,7 +221,7 @@ def data_for_encryption(self):
 DES.key_sizes = decrepit_algorithms.TripleDES.key_sizes
 DES.block_size = decrepit_algorithms.TripleDES.block_size
 else:
- log_loading.info("Can't import python-cryptography v1.7+. "
+ log_loading.info("Can't import python-cryptography v2.0+. "
 "Disabled IPsec encryption/authentication.")
 default_backend = None
 InvalidTag = Exception
diff --git a/scapy/layers/tls/__init__.py b/scapy/layers/tls/__init__.py
index ecdcac9a096..80e213fbbef 100644
--- a/scapy/layers/tls/__init__.py
+++ b/scapy/layers/tls/__init__.py
@@ -91,5 +91,5 @@
 if not conf.crypto_valid:
 import logging
 log_loading = logging.getLogger("scapy.loading")
- log_loading.info("Can't import python-cryptography v1.7+. "
+ log_loading.info("Can't import python-cryptography v2.0+. "
 "Disabled PKI & TLS crypto-related features.")
diff --git a/test/regression.uts b/test/regression.uts
index 86b8c7f064b..4beb41787ac 100644
--- a/test/regression.uts
+++ b/test/regression.uts
@@ -533,7 +533,7 @@ if len(routes6) > 2 and not WINDOWS:
 # Identify routes to fe80::/64
 assert sum(1 for r in routes6 if r[0] == "::1" and r[4] == ["::1"]) >= 1
 if len(iflist) >= 2:
- assert sum(1 for r in routes6 if ll_route.match(r[0]) and r[1] == 64) >= 1
+ assert sum(1 for r in routes6 if ll_route.match(r[0])) >= 1
 try:
 # Identify a route to a node IPv6 link-local address
 assert sum(1 for r in routes6 if in6_islladdr(r[0]) and r[1] == 128) >= 1
@@ -2941,11 +2941,12 @@ class BSDLoader:
 for p in self.patches:
 p.start()
 return pfroute
- def __exit__(self, *args, **kwargs):
+ def __exit__(self, type, value, traceback):
 for p in self.loadpatches:
 p.stop()
 for p in self.patches:
 p.stop()
+ importlib.reload(scapy.arch.bpf.pfroute)
 = OpenBSD 7.5 amd64 - read_routes()
diff --git a/test/tuntap.uts b/test/tuntap.uts
index 1ba470ea175..2caaf632baa 100644
--- a/test/tuntap.uts
+++ b/test/tuntap.uts
@@ -37,10 +37,10 @@ assert p.addr_family == 2
 assert isinstance(p.payload, IP)
 p = DarwinUtunPacketInfo()/IPv6()
-assert p.addr_family == 30
+assert p.addr_family == socket.AF_INET6
 p = DarwinUtunPacketInfo(raw(p))
-assert p.addr_family == 30
+assert p.addr_family == socket.AF_INET6
 assert isinstance(p.payload, IPv6)
 #######
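Review bot: Dropping `and r[1] == 64` from the link-local route assertion in test/regression.uts loosens it on every platform, not only OpenBSD, because any route whose destination matches `ll_route` now satisfies it whatever its prefix length. If only OpenBSD reports a different prefix length, the strict form could be kept elsewhere with `ll_route.match(r[0]) and (OPENBSD or r[1] == 64)`, assuming `OPENBSD` is in scope in this test. A one-line comment saying why the prefix length is no longer checked would help the next reader either way. The enclosing `if len(routes6) > 2 and not WINDOWS:` block continues outside the hunk.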
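Review bot: In `BSDLoader.__exit__` (test/regression.uts) the new parameter name `type` shadows the builtin, and the added `importlib.reload(scapy.arch.bpf.pfroute)` is skipped if any `p.stop()` raises, which would leave the patched module in place for later tests. Naming the parameters `exc_type, exc_value, tb` and moving the reload into a `finally:` around the two stop loops would avoid both. Whether `importlib` and `scapy.arch.bpf.pfroute` are already imported in this test file is not visible in the hunk. The class body starts outside the hunk.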
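Review bot: Replacing the literal `30` with `socket.AF_INET6` in test/tuntap.uts makes both assertions follow the constant of the host running the test, so they no longer pin a fixed on-wire value for `DarwinUtunPacketInfo`. That is presumably intended because the layer binds IPv6 with the host's constant, but the hunk does not show it. A comment such as `# AF_INET6 is platform-specific, so compare against the host value` above the first assertion would record the reason. Whether `socket` is imported earlier in this test file is not visible here.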