From 4054596afc6f2b6cfcc54f56c35c34e0e429cb66 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Mon, 27 Nov 2023 19:26:51 -0500
Subject: [PATCH] Backport LibreSSL 3.8.2 support for a 41.0.7 release (#9931)
* Backport LibreSSL 3.8.2 support for a 41.0.7 release
* ci fixes
* LibreSSL 3.8.1 and later is OPENSSL_NO_ENGINE (#9456)
Unfortunately, some projects are not prepared to build without ENGINE symbols, so just like BoringSSL we needed to keep some stubs.
* Don't build dh code on BoringSSL (#9103)
It doesn't support DH via EVP
* Update ci.yml (#9527)
---------
Co-authored-by: Theo Buehler
---
 .github/workflows/ci.yml | 6 +++---
 CHANGELOG.rst | 7 +++++++
 pyproject.toml | 2 +-
 src/_cffi_src/openssl/engine.py | 13 ++++++++-----
 src/cryptography/__about__.py | 2 +-
 src/rust/Cargo.lock | 18 ++++++++++++------
 src/rust/src/backend/dh.rs | 6 ++++++
 src/rust/src/backend/ed25519.rs | 3 ++-
 vectors/cryptography_vectors/__about__.py | 2 +-
 vectors/pyproject.toml | 2 +-
 10 files changed, 42 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0f385e3421e4..219937b0523f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -40,11 +40,11 @@ jobs:
 - {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}}
 - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}}
 - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}}
- - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}}
+ - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
 - {VERSION: "3.11", NOXSESSION: "tests-randomorder"}
 - {VERSION: "3.12-dev", NOXSESSION: "tests"}
- # Latest commit on the BoringSSL master branch, as of May 27, 2023.
- - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b0a026f8541c551854efd617021bb276f1fe5c23"}}
+ # Latest commit on the BoringSSL master branch, as of Nov 24, 2023.
+ - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b3d1666b989c39c6e2f78d9c37de79b308c57a92"}}
 # Latest commit on the OpenSSL master branch, as of May 30, 2023.
 - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "36424806d699233b9a90a3a97fff3011828e2548"}}
 # Builds with various Rust versions. Includes MSRV and potential
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 857a32f67384..4aa25566d32b 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,13 @@
 Changelog
 =========
 
+.. _v41-0-7:
+
+41.0.7 - 2023-11-27
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed compilation when using LibreSSL 3.8.2.
+
 .. _v41-0-6:
 
 41.0.6 - 2023-11-27
diff --git a/pyproject.toml b/pyproject.toml
index 900fbb502904..ab696ed00970 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -11,7 +11,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "cryptography"
-version = "41.0.6"
+version = "41.0.7"
 authors = [
 {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"}
 ]
diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py
index 609313ec57ae..9629a2c8f929 100644
--- a/src/_cffi_src/openssl/engine.py
+++ b/src/_cffi_src/openssl/engine.py
@@ -42,18 +42,20 @@ typedef void UI_METHOD;
 #endif
-/* Despite being OPENSSL_NO_ENGINE, BoringSSL defines these symbols. */
-#if !CRYPTOGRAPHY_IS_BORINGSSL
+/* Despite being OPENSSL_NO_ENGINE, BoringSSL/LibreSSL define these symbols. */
+#if !CRYPTOGRAPHY_IS_BORINGSSL && !CRYPTOGRAPHY_IS_LIBRESSL
 int (*ENGINE_free)(ENGINE *) = NULL;
 void (*ENGINE_load_builtin_engines)(void) = NULL;
 #endif
-ENGINE *(*ENGINE_by_id)(const char *) = NULL;
-int (*ENGINE_init)(ENGINE *) = NULL;
-int (*ENGINE_finish)(ENGINE *) = NULL;
 ENGINE *(*ENGINE_get_default_RAND)(void) = NULL;
 int (*ENGINE_set_default_RAND)(ENGINE *) = NULL;
 void (*ENGINE_unregister_RAND)(ENGINE *) = NULL;
+
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+ENGINE *(*ENGINE_by_id)(const char *) = NULL;
+int (*ENGINE_init)(ENGINE *) = NULL;
+int (*ENGINE_finish)(ENGINE *) = NULL;
 int (*ENGINE_ctrl_cmd)(ENGINE *, const char *, long, void *, void (*)(void), int) = NULL;
@@ -66,6 +68,7 @@ void *) = NULL;
 EVP_PKEY *(*ENGINE_load_public_key)(ENGINE *, const char *, UI_METHOD *,
 void *) = NULL;
+#endif
 #else
 static const long Cryptography_HAS_ENGINE = 1;
diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py
index d267dc785605..014e0adb66c4 100644
--- a/src/cryptography/__about__.py
+++ b/src/cryptography/__about__.py
@@ -10,7 +10,7 @@
 "__copyright__",
 ]
 
-__version__ = "41.0.6"
+__version__ = "41.0.7"
 
 
 __author__ = "The Python Cryptographic Authority and individual contributors"
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock
index 5dcbe68034c8..d92f67d44152 100644
--- a/src/rust/Cargo.lock
+++ b/src/rust/Cargo.lock
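Review bot: The new `#if !CRYPTOGRAPHY_IS_LIBRESSL` guard that now encloses `ENGINE_by_id` through `ENGINE_load_public_key` carries no comment, and the reworded comment above it (`BoringSSL/LibreSSL define these symbols`) now has to cover two different symbol sets: LibreSSL is exempted from the `ENGINE_free`/`ENGINE_load_builtin_engines` stubs and from that lower group, yet still receives the three `ENGINE_*_RAND` NULL stubs. A one-liner on the new guard would keep the next reader from re-deriving this from the LibreSSL headers, e.g. `/* LibreSSL 3.8.1+ is OPENSSL_NO_ENGINE but still exports these as stubs (see the commit message), so defining them here would clash. */`. This whole block sits inside an `#if` that opens before the hunk and whose `#else` (`Cryptography_HAS_ENGINE = 1`) is in the next hunk, so these NULL function pointers are only safe if the Python side gates on `Cryptography_HAS_ENGINE` before calling them; that gate is not visible here and is worth confirming for the `ENGINE_*_RAND` trio, which presumably become NULL on LibreSSL for the first time with this change.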
@@ -52,6 +52,12 @@ version = "1.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 
+[[package]]
+name = "bitflags"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "327762f6e5a765692301e5bb513e0d9fef63be86bbc14528052b1cd3e6f03e07"
+
 [[package]]
 name = "cc"
 version = "1.0.79"
@@ -162,11 +168,11 @@ checksum = "9670a07f94779e00908f3e686eab508878ebb390ba6e604d3a284c00e8d0487b"
 
 [[package]]
 name = "openssl"
-version = "0.10.54"
+version = "0.10.60"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69b3f656a17a6cbc115b5c7a40c616947d213ba182135b014d6051b73ab6f019"
+checksum = "79a4c6c3a2b158f7f8f2a2fc5a969fa3a068df6fc9dbb4a43845436e3af7c800"
 dependencies = [
- "bitflags",
+ "bitflags 2.4.1",
 "cfg-if",
 "foreign-types",
 "libc",
@@ -188,9 +194,9 @@ dependencies = [
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.88"
+version = "0.9.96"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2ce0f250f34a308dcfdbb351f511359857d4ed2134ba715a4eadd46e1ffd617"
+checksum = "3812c071ba60da8b5677cc12bcb1d42989a65553772897a7e0355545a819838f"
 dependencies = [
 "cc",
 "libc",
@@ -367,7 +373,7 @@ version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a"
 dependencies = [
- "bitflags",
+ "bitflags 1.3.2",
 ]
 
 [[package]]
diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs
index d5993ff5a056..9612106c5262 100644
--- a/src/rust/src/backend/dh.rs
+++ b/src/rust/src/backend/dh.rs
@@ -105,6 +105,7 @@ fn dh_parameters_from_numbers(
 Ok(openssl::dh::Dh::from_pqg(p, q, g)?)
 }
 
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 #[pyo3::prelude::pyfunction]
 fn from_private_numbers(
 py: pyo3::Python<'_>,
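Review bot: The new `#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]` on `from_private_numbers` says nothing about why the function vanishes on that backend; the reason lives only in the commit message ("doesn't support DH via EVP"), and the same bare attribute is repeated on `from_public_numbers`, `public_key` and `generate_private_key` in the later hunks. A comment on this first occurrence would keep the rationale with the code, e.g. `// BoringSSL has no EVP-level DH, so building DH keys from numbers is compiled out there (the registrations in create_module are gated the same way).` Gating the function does nothing for its Python caller, which on a BoringSSL build will presumably see an `AttributeError` rather than an unsupported-algorithm error unless the Python layer checks first; that check is not visible here. The body of `from_private_numbers` continues past the end of the hunk.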
@@ -131,6 +132,7 @@ fn from_private_numbers(
 Ok(DHPrivateKey { pkey })
 }
 
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 #[pyo3::prelude::pyfunction]
 fn from_public_numbers(
 py: pyo3::Python<'_>,
@@ -226,6 +228,7 @@ impl DHPrivateKey {
 )?)
 }
 
+ #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 fn public_key(&self) -> CryptographyResult {
 let orig_dh = self.pkey.dh().unwrap();
 let dh = clone_dh(&orig_dh)?;
@@ -353,6 +356,7 @@ impl DHPublicKey {
 
 #[pyo3::prelude::pymethods]
 impl DHParameters {
+ #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 fn generate_private_key(&self) -> CryptographyResult {
 let dh = clone_dh(&self.dh)?.generate_key()?;
 Ok(DHPrivateKey {
@@ -424,7 +428,9 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu
 m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?;
 m.add_function(pyo3::wrap_pyfunction!(from_der_parameters, m)?)?;
 m.add_function(pyo3::wrap_pyfunction!(from_pem_parameters, m)?)?;
+ #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?;
+ #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?;
 m.add_function(pyo3::wrap_pyfunction!(from_parameter_numbers, m)?)?;
 
diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs
index 7bee88104482..5ac482343dd7 100644
--- a/src/rust/src/backend/ed25519.rs
+++ b/src/rust/src/backend/ed25519.rs
@@ -121,7 +122,8 @@ impl Ed25519PrivateKey {
 impl Ed25519PublicKey {
 fn verify(&self, signature: &[u8], data: &[u8]) -> CryptographyResult<()> {
 let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)?
- .verify_oneshot(signature, data)?;
+ .verify_oneshot(signature, data)
+ .unwrap_or(false);
 
 if !valid {
 return Err(CryptographyError::from(
diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py
index 98da9267aa4c..db453861a5f7 100644
--- a/vectors/cryptography_vectors/__about__.py
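Review bot: The two `#[cfg]`-gated `add_function` calls in `create_module` drop `from_private_numbers` and `from_public_numbers` from the module outright on BoringSSL, while `from_parameter_numbers`, `from_der_parameters` and `from_pem_parameters` stay registered, so a BoringSSL build exposes DH parameter loading but not key construction and nothing on the module records that asymmetry. If the Python side has no backend check, the failure mode is an `AttributeError` at lookup time instead of a clear unsupported-algorithm error; either adding that check (not visible here) or registering a stub that raises would be more discoverable. At minimum a comment on the first gated line, `// BoringSSL has no EVP DH; the number-based constructors are cfg'd out above.`, would explain the gap to the next reader. The rest of `create_module` lies outside the hunk.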
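Review bot: `.unwrap_or(false)` now maps every `Err` from `verify_oneshot` to `valid == false`, i.e. to the InvalidSignature path below, and nothing in the code says why; presumably some backend (LibreSSL 3.8.2, given the patch title) reports a malformed signature as an error rather than `Ok(false)`, but that should be written down so the next reader does not "fix" it back to `?`. Failing closed is the right direction for a signature check, at the price of reporting genuine library failures (allocation failure, bad key state) as a bad signature; if that trade-off is intended, say so: `// Some backends reject a malformed signature with an error rather than Ok(false); treat any failure as an invalid signature.` Because the `ErrorStack` is discarded, it is worth confirming that the OpenSSL error queue has already been drained when that `Err` is built, so a stale entry cannot surface in an unrelated later call. The body of `verify` continues outside the hunk.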
+++ b/vectors/cryptography_vectors/__about__.py
@@ -6,4 +6,4 @@
 "__version__",
 ]
 
-__version__ = "41.0.6"
+__version__ = "41.0.7"
diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml
index a37e2da94326..c7827ff7a053 100644
--- a/vectors/pyproject.toml
+++ b/vectors/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "cryptography_vectors"
-version = "41.0.6"
+version = "41.0.7"
 authors = [
 {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"}
 ]