From 57f0222d06997477c03849063c0ccabba1dc9328 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sun, 22 Oct 2023 13:03:37 -0400
Subject: [PATCH] Drop support for LibreSSL 3.6.x (#9747)
Per https://endoflife.date/openbsd, the OpenBSD release it corresponds to is now EOL
---
 .github/workflows/ci.yml | 1 -
 src/_cffi_src/openssl/cryptography.py | 15 ---------------
 src/_cffi_src/openssl/evp.py | 14 --------------
 src/_cffi_src/openssl/nid.py | 6 ------
 src/_cffi_src/openssl/x509v3.py | 6 +++---
 .../hazmat/backends/openssl/backend.py | 4 ++--
 .../hazmat/bindings/openssl/_conditional.py | 7 -------
 .../hazmat/primitives/asymmetric/ed25519.py | 6 ++----
 .../hazmat/primitives/asymmetric/x25519.py | 8 ++------
 src/rust/build.rs | 8 ++------
 src/rust/src/backend/mod.rs | 4 ----
 src/rust/src/backend/utils.rs | 2 --
 12 files changed, 11 insertions(+), 70 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 45f6644a2ced..baff52c5ff16 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -39,7 +39,6 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.1.3", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}} - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0-alpha2"}} - - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index f5fcb04405b5..44c325749172 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -42,14 +42,6 @@
#define CRYPTOGRAPHY_IS_BORINGSSL 0
#endif
-#if CRYPTOGRAPHY_IS_LIBRESSL
-#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370 \
- (LIBRESSL_VERSION_NUMBER < 0x3070000f)
-
-#else
-#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370 (0)
-#endif
-
#if OPENSSL_VERSION_NUMBER < 0x10101040
#error "pyca/cryptography MUST be linked with Openssl 1.1.1d or later"
#endif
@@ -59,19 +51,12 @@
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E \
 (OPENSSL_VERSION_NUMBER < 0x10101050 || CRYPTOGRAPHY_IS_LIBRESSL)
-/* Ed25519 support is in all supported OpenSSLs as well as LibreSSL 3.7.0. */
-#define CRYPTOGRAPHY_HAS_WORKING_ED25519 \
- (!CRYPTOGRAPHY_IS_LIBRESSL || \
- (CRYPTOGRAPHY_IS_LIBRESSL && !CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370))
"""
TYPES = """
static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E;
-static const int CRYPTOGRAPHY_HAS_WORKING_ED25519;
-
-static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370;
static const int CRYPTOGRAPHY_IS_LIBRESSL;
static const int CRYPTOGRAPHY_IS_BORINGSSL;
diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py
index 48ad0b8e58b1..7e80f36229f8 100644
--- a/src/_cffi_src/openssl/evp.py
+++ b/src/_cffi_src/openssl/evp.py
@@ -102,14 +102,6 @@
static const long Cryptography_HAS_SCRYPT = 1;
#endif
-/* This is tied to X25519 support so we reuse the Cryptography_HAS_X25519
- conditional to remove it. OpenSSL 1.1.0 didn't have this define, but
- 1.1.1 will when it is released. We can remove this in the distant
- future when we drop 1.1.0 support. */
-#ifndef EVP_PKEY_X25519
-#define EVP_PKEY_X25519 NID_X25519
-#endif
-
/* This is tied to X448 support so we reuse the Cryptography_HAS_X448
 conditional to remove it. OpenSSL 1.1.1 adds this define. We can remove
 this in the distant future when we drop 1.1.0 support. */
@@ -117,12 +109,6 @@
#define EVP_PKEY_X448 NID_X448
#endif
-/* This is tied to ED25519 support so we reuse the Cryptography_HAS_ED25519
- conditional to remove it. */
-#ifndef EVP_PKEY_ED25519
-#define EVP_PKEY_ED25519 0
-#endif
-
/* This is tied to ED448 support so we reuse the Cryptography_HAS_ED448
 conditional to remove it. */
#ifndef EVP_PKEY_ED448
diff --git a/src/_cffi_src/openssl/nid.py b/src/_cffi_src/openssl/nid.py
index b35a70464ae6..0a38fe038da7 100644
--- a/src/_cffi_src/openssl/nid.py
+++ b/src/_cffi_src/openssl/nid.py
@@ -10,7 +10,6 @@
TYPES = """
static const int Cryptography_HAS_ED448;
-static const int Cryptography_HAS_ED25519;
static const int Cryptography_HAS_POLY1305;
static const int NID_undef;
@@ -27,11 +26,6 @@
"""
CUSTOMIZATIONS = """
-#ifndef NID_ED25519
-static const long Cryptography_HAS_ED25519 = 0;
-#else
-static const long Cryptography_HAS_ED25519 = 1;
-#endif
#ifndef NID_ED448
static const long Cryptography_HAS_ED448 = 0;
#else
diff --git a/src/_cffi_src/openssl/x509v3.py b/src/_cffi_src/openssl/x509v3.py
index 5dafabc3a89c..7f04a2cbce35 100644
--- a/src/_cffi_src/openssl/x509v3.py
+++ b/src/_cffi_src/openssl/x509v3.py
@@ -30,7 +30,7 @@
static const int GEN_DNS;
static const int GEN_URI;
-typedef struct stack_st_GENERAL_NAME GENERAL_NAMES;
+typedef ... GENERAL_NAMES;
/* Only include the one union element used by pyOpenSSL. */
typedef struct {
@@ -56,8 +56,8 @@
void X509V3_set_ctx_nodb(X509V3_CTX *);
-int sk_GENERAL_NAME_num(struct stack_st_GENERAL_NAME *);
-GENERAL_NAME *sk_GENERAL_NAME_value(struct stack_st_GENERAL_NAME *, int);
+int sk_GENERAL_NAME_num(GENERAL_NAMES *);
+GENERAL_NAME *sk_GENERAL_NAME_value(GENERAL_NAMES *, int);
"""
CUSTOMIZATIONS = """
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index a909900db6a2..dd1ca9044937 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
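Review bot: The move from `typedef struct stack_st_GENERAL_NAME GENERAL_NAMES;` to the opaque `typedef ... GENERAL_NAMES;` in x509v3.py (and the matching `sk_GENERAL_NAME_num` / `sk_GENERAL_NAME_value` signatures in the second hunk of that file) is not explained by the commit message, which only speaks of dropping LibreSSL 3.6. A reader cannot tell from the cdef whether this is a cleanup or a compatibility requirement of the remaining LibreSSL releases, and any Python-side caller that still names `struct stack_st_GENERAL_NAME` would now fail at cffi compile time; a one-line comment above the typedef stating which backend or version motivated making the stack type opaque would record that. The surrounding TYPES string begins before the hunk.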
@@ -867,7 +867,7 @@ def dh_x942_serialization_supported(self) -> bool:
def x25519_supported(self) -> bool:
if self._fips_enabled:
return False
- return not self._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370
+ return True
def x448_supported(self) -> bool:
if self._fips_enabled:
@@ -880,7 +880,7 @@ def x448_supported(self) -> bool:
def ed25519_supported(self) -> bool:
if self._fips_enabled:
return False
- return self._lib.CRYPTOGRAPHY_HAS_WORKING_ED25519
+ return True
def ed448_supported(self) -> bool:
if self._fips_enabled:
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index 6dffae404d6f..ebd287b51f17 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -52,12 +52,6 @@ def cryptography_has_ed448() -> list[str]:
]
-def cryptography_has_ed25519() -> list[str]:
- return [
- "EVP_PKEY_ED25519",
- ]
-
-
def cryptography_has_ssl_sigalgs() -> list[str]:
return [
"SSL_CTX_set1_sigalgs_list",
@@ -238,7 +232,6 @@ def cryptography_has_evp_aead() -> list[str]:
cryptography_has_x509_store_ctx_get_issuer
),
"Cryptography_HAS_ED448": cryptography_has_ed448,
- "Cryptography_HAS_ED25519": cryptography_has_ed25519,
"Cryptography_HAS_SIGALGS": cryptography_has_ssl_sigalgs,
"Cryptography_HAS_PSK": cryptography_has_psk,
"Cryptography_HAS_PSK_TLSv1_3": cryptography_has_psk_tlsv13,
diff --git a/src/cryptography/hazmat/primitives/asymmetric/ed25519.py b/src/cryptography/hazmat/primitives/asymmetric/ed25519.py
index c06c2c86aac6..3a26185d7dbc 100644
--- a/src/cryptography/hazmat/primitives/asymmetric/ed25519.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/ed25519.py
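Review bot: `x25519_supported` is now an `if self._fips_enabled: return False` followed by an unconditional `return True`, which reads more directly as the single expression `return not self._fips_enabled`; `ed25519_supported` in the second hunk of backend.py has the same shape. Collapsing both also makes it obvious at a glance that FIPS mode is the only remaining reason these algorithms are reported unavailable. The enclosing class is defined outside the hunk.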
@@ -54,8 +54,7 @@ def __eq__(self, other: object) -> bool:
"""
-if hasattr(rust_openssl, "ed25519"):
- Ed25519PublicKey.register(rust_openssl.ed25519.Ed25519PublicKey)
+Ed25519PublicKey.register(rust_openssl.ed25519.Ed25519PublicKey)
class Ed25519PrivateKey(metaclass=abc.ABCMeta):
@@ -114,5 +113,4 @@ def sign(self, data: bytes) -> bytes:
"""
-if hasattr(rust_openssl, "x25519"):
- Ed25519PrivateKey.register(rust_openssl.ed25519.Ed25519PrivateKey)
+Ed25519PrivateKey.register(rust_openssl.ed25519.Ed25519PrivateKey)
diff --git a/src/cryptography/hazmat/primitives/asymmetric/x25519.py b/src/cryptography/hazmat/primitives/asymmetric/x25519.py
index ac5e670c303f..912f8f2ca5c9 100644
--- a/src/cryptography/hazmat/primitives/asymmetric/x25519.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/x25519.py
@@ -48,9 +48,7 @@ def __eq__(self, other: object) -> bool:
"""
-# For LibreSSL
-if hasattr(rust_openssl, "x25519"):
- X25519PublicKey.register(rust_openssl.x25519.X25519PublicKey)
+X25519PublicKey.register(rust_openssl.x25519.X25519PublicKey)
class X25519PrivateKey(metaclass=abc.ABCMeta):
@@ -108,6 +106,4 @@ def exchange(self, peer_public_key: X25519PublicKey) -> bytes:
"""
-# For LibreSSL
-if hasattr(rust_openssl, "x25519"):
- X25519PrivateKey.register(rust_openssl.x25519.X25519PrivateKey)
+X25519PrivateKey.register(rust_openssl.x25519.X25519PrivateKey)
diff --git a/src/rust/build.rs b/src/rust/build.rs
index 49740fccecfb..a0b4566a753c 100644
--- a/src/rust/build.rs
+++ b/src/rust/build.rs
@@ -14,14 +14,10 @@ fn main() {
}
}
- if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") {
- let version = u64::from_str_radix(&version, 16).unwrap();
-
+ if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() {
println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_LIBRESSL");
- if version >= 0x3_07_00_00_0 {
- println!("cargo:rustc-cfg=CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER");
- }
}
+
if env::var("DEP_OPENSSL_BORINGSSL").is_ok() {
println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_BORINGSSL");
}
diff --git a/src/rust/src/backend/mod.rs b/src/rust/src/backend/mod.rs
index eb5ef8144146..4251bacfbaf3 100644
--- a/src/rust/src/backend/mod.rs
+++ b/src/rust/src/backend/mod.rs
@@ -6,7 +6,6 @@ pub(crate) mod aead;
pub(crate) mod dh;
pub(crate) mod dsa;
pub(crate) mod ec;
-#[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))]
pub(crate) mod ed25519;
#[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))]
pub(crate) mod ed448;
@@ -16,7 +15,6 @@ pub(crate) mod kdf;
pub(crate) mod poly1305;
pub(crate) mod rsa;
pub(crate) mod utils;
-#[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))]
pub(crate) mod x25519;
#[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))]
pub(crate) mod x448;
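Review bot: Replacing the hex parse of DEP_OPENSSL_LIBRESSL_VERSION_NUMBER with a bare `.is_ok()` removes the only place the build script looked at the LibreSSL version, and the first cryptography.py hunk drops the `CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370` macro at the same time, so nothing in the patched build refuses a LibreSSL below the new 3.7.0 floor; such a build would presumably fail later, and less clearly, once the now-unconditional ed25519/x25519 modules are compiled. Keeping the parse and failing fast is three lines: `if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") {`, `let version = u64::from_str_radix(&version, 16).unwrap();`, `assert!(version >= 0x3_07_00_00_0, "pyca/cryptography requires LibreSSL 3.7.0 or later");`. An equivalent `#error` next to the existing `OPENSSL_VERSION_NUMBER < 0x10101040` check in cryptography.py would give the cffi build the same guard. The body of `fn main` continues outside the hunk.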
@@ -27,12 +25,10 @@ pub(crate) fn add_to_module(module: &pyo3::prelude::PyModule) -> pyo3::PyResult<
module.add_submodule(dsa::create_module(module.py())?)?;
module.add_submodule(ec::create_module(module.py())?)?;
- #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))]
module.add_submodule(ed25519::create_module(module.py())?)?;
#[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))]
module.add_submodule(ed448::create_module(module.py())?)?;
- #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))]
module.add_submodule(x25519::create_module(module.py())?)?;
#[cfg(all(not(CRYPTOGRAPHY_IS_LIBRESSL), not(CRYPTOGRAPHY_IS_BORINGSSL)))]
module.add_submodule(x448::create_module(module.py())?)?;
diff --git a/src/rust/src/backend/utils.rs b/src/rust/src/backend/utils.rs
index 6c387cbbb1f6..09dc6d67cc3e 100644
--- a/src/rust/src/backend/utils.rs
+++ b/src/rust/src/backend/utils.rs
@@ -71,7 +71,6 @@ pub(crate) fn pkey_private_bytes<'p>(
));
}
- #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))]
if raw_allowed
&& (encoding.is(types::ENCODING_RAW.get(py)?)
|| format.is(types::PRIVATE_FORMAT_RAW.get(py)?))
@@ -258,7 +257,6 @@ pub(crate) fn pkey_public_bytes<'p>(
));
}
- #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_370_OR_GREATER))]
if raw_allowed
&& (encoding.is(types::ENCODING_RAW.get(py)?)
|| format.is(types::PUBLIC_FORMAT_RAW.get(py)?))