Drop support for LibreSSL 3.6.x (#9747)

Per https://endoflife.date/openbsd, the OpenBSD release it corresponds to is now EOL

.github/workflows/ci.yml

@@ -39,7 +39,6 @@ jobs:
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}}
           - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-alpha2"}}
-          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}}
           - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}

src/_cffi_src/openssl/cryptography.py

@@ -42,14 +42,6 @@
 #define CRYPTOGRAPHY_IS_BORINGSSL 0
 #endif
 
-#if CRYPTOGRAPHY_IS_LIBRESSL
-#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370 \
-    (LIBRESSL_VERSION_NUMBER < 0x3070000f)
-
-#else
-#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370 (0)
-#endif
-
 #if OPENSSL_VERSION_NUMBER < 0x10101040
     #error "pyca/cryptography MUST be linked with Openssl 1.1.1d or later"
 #endif
@@ -59,19 +51,12 @@
 
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E \
     (OPENSSL_VERSION_NUMBER < 0x10101050 || CRYPTOGRAPHY_IS_LIBRESSL)
-/* Ed25519 support is in all supported OpenSSLs as well as LibreSSL 3.7.0. */
-#define CRYPTOGRAPHY_HAS_WORKING_ED25519 \
-    (!CRYPTOGRAPHY_IS_LIBRESSL || \
-    (CRYPTOGRAPHY_IS_LIBRESSL && !CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370))
 """
 
 TYPES = """
 static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
 
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E;
-static const int CRYPTOGRAPHY_HAS_WORKING_ED25519;
-
-static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370;
 
 static const int CRYPTOGRAPHY_IS_LIBRESSL;
 static const int CRYPTOGRAPHY_IS_BORINGSSL;

src/_cffi_src/openssl/evp.py

@@ -102,27 +102,13 @@
 static const long Cryptography_HAS_SCRYPT = 1;
 #endif
 
-/* This is tied to X25519 support so we reuse the Cryptography_HAS_X25519
-   conditional to remove it. OpenSSL 1.1.0 didn't have this define, but
-   1.1.1 will when it is released. We can remove this in the distant
-   future when we drop 1.1.0 support. */
-#ifndef EVP_PKEY_X25519
-#define EVP_PKEY_X25519 NID_X25519
-#endif
-
 /* This is tied to X448 support so we reuse the Cryptography_HAS_X448
    conditional to remove it. OpenSSL 1.1.1 adds this define.  We can remove
    this in the distant future when we drop 1.1.0 support. */
 #ifndef EVP_PKEY_X448
 #define EVP_PKEY_X448 NID_X448
 #endif
 
-/* This is tied to ED25519 support so we reuse the Cryptography_HAS_ED25519
-   conditional to remove it. */
-#ifndef EVP_PKEY_ED25519
-#define EVP_PKEY_ED25519 0
-#endif
-
 /* This is tied to ED448 support so we reuse the Cryptography_HAS_ED448
    conditional to remove it. */
 #ifndef EVP_PKEY_ED448

src/_cffi_src/openssl/nid.py

@@ -10,7 +10,6 @@
 
 TYPES = """
 static const int Cryptography_HAS_ED448;
-static const int Cryptography_HAS_ED25519;
 static const int Cryptography_HAS_POLY1305;
 
 static const int NID_undef;
@@ -27,11 +26,6 @@
 """
 
 CUSTOMIZATIONS = """
-#ifndef NID_ED25519
-static const long Cryptography_HAS_ED25519 = 0;
-#else
-static const long Cryptography_HAS_ED25519 = 1;
-#endif
 #ifndef NID_ED448
 static const long Cryptography_HAS_ED448 = 0;
 #else

src/_cffi_src/openssl/x509v3.py

@@ -30,7 +30,7 @@
 static const int GEN_DNS;
 static const int GEN_URI;
 
-typedef struct stack_st_GENERAL_NAME GENERAL_NAMES;
+typedef ... GENERAL_NAMES;
 
 /* Only include the one union element used by pyOpenSSL. */
 typedef struct {
@@ -56,8 +56,8 @@
 
 void X509V3_set_ctx_nodb(X509V3_CTX *);
 
-int sk_GENERAL_NAME_num(struct stack_st_GENERAL_NAME *);
-GENERAL_NAME *sk_GENERAL_NAME_value(struct stack_st_GENERAL_NAME *, int);
+int sk_GENERAL_NAME_num(GENERAL_NAMES *);
+GENERAL_NAME *sk_GENERAL_NAME_value(GENERAL_NAMES *, int);
 """
 
 CUSTOMIZATIONS = """

src/cryptography/hazmat/backends/openssl/backend.py

@@ -867,7 +867,7 @@ def dh_x942_serialization_supported(self) -> bool:
     def x25519_supported(self) -> bool:
         if self._fips_enabled:
             return False
-        return not self._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370
+        return True
 
     def x448_supported(self) -> bool:
         if self._fips_enabled:
@@ -880,7 +880,7 @@ def x448_supported(self) -> bool:
     def ed25519_supported(self) -> bool:
         if self._fips_enabled:
             return False
-        return self._lib.CRYPTOGRAPHY_HAS_WORKING_ED25519
+        return True
 
     def ed448_supported(self) -> bool:
         if self._fips_enabled:

src/cryptography/hazmat/bindings/openssl/_conditional.py

@@ -52,12 +52,6 @@ def cryptography_has_ed448() -> list[str]:
     ]
 
 
-def cryptography_has_ed25519() -> list[str]:
-    return [
-        "EVP_PKEY_ED25519",
-    ]
-
-
 def cryptography_has_ssl_sigalgs() -> list[str]:
     return [
         "SSL_CTX_set1_sigalgs_list",
@@ -238,7 +232,6 @@ def cryptography_has_evp_aead() -> list[str]:
         cryptography_has_x509_store_ctx_get_issuer
     ),
     "Cryptography_HAS_ED448": cryptography_has_ed448,
-    "Cryptography_HAS_ED25519": cryptography_has_ed25519,
     "Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs,
     "Cryptography_HAS_PSK": cryptography_has_psk,
     "Cryptography_HAS_PSK_TLSv1_3": cryptography_has_psk_tlsv13,

src/cryptography/hazmat/primitives/asymmetric/ed25519.py

@@ -54,8 +54,7 @@ def __eq__(self, other: object) -> bool:
         """
 
 
-if hasattr(rust_openssl, "ed25519"):
-    Ed25519PublicKey.register(rust_openssl.ed25519.Ed25519PublicKey)
+Ed25519PublicKey.register(rust_openssl.ed25519.Ed25519PublicKey)
 
 
 class Ed25519PrivateKey(metaclass=abc.ABCMeta):
@@ -114,5 +113,4 @@ def sign(self, data: bytes) -> bytes:
         """
 
 
-if hasattr(rust_openssl, "x25519"):
-    Ed25519PrivateKey.register(rust_openssl.ed25519.Ed25519PrivateKey)
+Ed25519PrivateKey.register(rust_openssl.ed25519.Ed25519PrivateKey)

src/cryptography/hazmat/primitives/asymmetric/x25519.py

@@ -48,9 +48,7 @@ def __eq__(self, other: object) -> bool:
         """
 
 
-# For LibreSSL
-if hasattr(rust_openssl, "x25519"):
-    X25519PublicKey.register(rust_openssl.x25519.X25519PublicKey)
+X25519PublicKey.register(rust_openssl.x25519.X25519PublicKey)
 
 
 class X25519PrivateKey(metaclass=abc.ABCMeta):
@@ -108,6 +106,4 @@ def exchange(self, peer_public_key: X25519PublicKey) -> bytes:
         """
 
 
-# For LibreSSL
-if hasattr(rust_openssl, "x25519"):
-    X25519PrivateKey.register(rust_openssl.x25519.X25519PrivateKey)
+X25519PrivateKey.register(rust_openssl.x25519.X25519PrivateKey)

src/rust/build.rs

@@ -14,14 +14,10 @@ fn main() {
         }
     }
 
-    if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") {
-        let version = u64::from_str_radix(&version, 16).unwrap();
-
+    if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() {
         println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_LIBRESSL");
-        if version >= 0x3_07_00_00_0 {
-            println!("cargo:rustc-cfg=CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER");
-        }
     }
+
     if env::var("DEP_OPENSSL_BORINGSSL").is_ok() {
         println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_BORINGSSL");
     }

src/rust/src/backend/mod.rs

@@ -6,7 +6,6 @@ pub(crate) mod aead;
 pub(crate) mod dh;
 pub(crate) mod dsa;
 pub(crate) mod ec;
-#[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))]
 pub(crate) mod ed25519;
 #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))]
 pub(crate) mod ed448;
@@ -16,7 +15,6 @@ pub(crate) mod kdf;
 pub(crate) mod poly1305;
 pub(crate) mod rsa;
 pub(crate) mod utils;
-#[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))]
 pub(crate) mod x25519;
 #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))]
 pub(crate) mod x448;
@@ -27,12 +25,10 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<
     module.add_submodule(dsa::create_module(module.py())?)?;
     module.add_submodule(ec::create_module(module.py())?)?;
 
-    #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))]
     module.add_submodule(ed25519::create_module(module.py())?)?;
     #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))]
     module.add_submodule(ed448::create_module(module.py())?)?;
 
-    #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))]
     module.add_submodule(x25519::create_module(module.py())?)?;
     #[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))]
     module.add_submodule(x448::create_module(module.py())?)?;

src/rust/src/backend/utils.rs

@@ -71,7 +71,6 @@ pub(crate) fn pkey_private_bytes<'p>(
         ));
     }
 
-    #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))]
     if raw_allowed
         && (encoding.is(types::ENCODING_RAW.get(py)?)
             || format.is(types::PRIVATE_FORMAT_RAW.get(py)?))
@@ -258,7 +257,6 @@ pub(crate) fn pkey_public_bytes<'p>(
         ));
     }
 
-    #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))]
     if raw_allowed
         && (encoding.is(types::ENCODING_RAW.get(py)?)
             || format.is(types::PUBLIC_FORMAT_RAW.get(py)?))