diff --git a/noxfile.py b/noxfile.py index 4aab73149c18..ea4f205e1764 100644 --- a/noxfile.py +++ b/noxfile.py @@ -292,7 +292,7 @@ def local(session): "noxfile.py", ) - install(session, "cryptography @ .") + install(session, ".") if session.posargs: tests = session.posargs diff --git a/src/rust/cryptography-openssl/src/aead.rs b/src/rust/cryptography-openssl/src/aead.rs index 000d5a9c65f9..42f0fd7f8041 100644 --- a/src/rust/cryptography-openssl/src/aead.rs +++ b/src/rust/cryptography-openssl/src/aead.rs @@ -17,15 +17,19 @@ foreign_types::foreign_type! { pub struct AeadCtxRef; } +// SAFETY: Can safely be used from multiple threads concurrently. unsafe impl Sync for AeadCtx {} +// SAFETY: Can safely be sent between threads. unsafe impl Send for AeadCtx {} impl AeadCtx { pub fn new(aead: AeadType, key: &[u8]) -> OpenSSLResult { let aead = match aead { + // SAFETY: No preconditions. AeadType::ChaCha20Poly1305 => unsafe { ffi::EVP_aead_chacha20_poly1305() }, }; + // SAFETY: We're passing a valid key and aead. unsafe { let ctx = cvt_p(ffi::EVP_AEAD_CTX_new( aead, @@ -47,6 +51,7 @@ impl AeadCtxRef { out: &mut [u8], ) -> OpenSSLResult<()> { let mut out_len = out.len(); + // SAFETY: All the lengths and pointers are known valid. unsafe { cvt(ffi::EVP_AEAD_CTX_seal( self.as_ptr(), @@ -72,6 +77,7 @@ impl AeadCtxRef { out: &mut [u8], ) -> OpenSSLResult<()> { let mut out_len = out.len(); + // SAFETY: All the lengths and pointers are known valid. unsafe { cvt(ffi::EVP_AEAD_CTX_open( self.as_ptr(), diff --git a/src/rust/cryptography-openssl/src/hmac.rs b/src/rust/cryptography-openssl/src/hmac.rs index 84b3a1e3b9b5..64abf83d40ae 100644 --- a/src/rust/cryptography-openssl/src/hmac.rs +++ b/src/rust/cryptography-openssl/src/hmac.rs @@ -22,6 +22,9 @@ unsafe impl Sync for Hmac {} unsafe impl Send for Hmac {} impl Hmac { + // On BoringSSL, the length is a size_t, so the length conversion is a + // no-op. + #[cfg_attr(CRYPTOGRAPHY_IS_BORINGSSL, allow(clippy::useless_conversion))] pub fn new(key: &[u8], md: openssl::hash::MessageDigest) -> OpenSSLResult { // SAFETY: All FFI conditions are handled. unsafe { diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 7afd7a172e94..2438ae644cb6 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -276,6 +276,7 @@ struct LazyEvpCipherAead { } impl LazyEvpCipherAead { + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] fn new( cipher: &'static openssl::cipher::CipherRef, key: pyo3::Py, @@ -706,12 +707,15 @@ impl AesCcm { ) -> CryptographyResult { cfg_if::cfg_if! { if #[cfg(CRYPTOGRAPHY_IS_BORINGSSL)] { - return Err(CryptographyError::from( + let _ = py; + let _ = key; + let _ = tag_length; + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "AES-CCM is not supported by this version of OpenSSL", exceptions::Reasons::UNSUPPORTED_CIPHER, )), - )); + )) } else { let key_buf = key.extract::>(py)?; let cipher = match key_buf.as_bytes().len() { diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs index f4faecdb5c9e..6af0b923aebc 100644 --- a/src/rust/src/backend/keys.rs +++ b/src/rust/src/backend/keys.rs @@ -243,9 +243,11 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu #[cfg(test)] mod tests { + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] use super::public_key_from_pkey; #[test] + #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))] fn test_public_key_from_pkey_unknown_key() { pyo3::prepare_freethreaded_python(); diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index a21f3986dd18..56093af012fb 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -4,9 +4,11 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use crate::error::CryptographyResult; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use openssl::provider; +#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] use std::env; mod asn1; diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs index f307cf483ad7..28edd016b863 100644 --- a/src/rust/src/pkcs7.rs +++ b/src/rust/src/pkcs7.rs @@ -345,12 +345,14 @@ fn load_pem_pkcs7_certificates<'p>( })?; load_pkcs7_certificates(py, pkcs7_decoded) } else { - return Err(CryptographyError::from( + let _ = py; + let _ = data; + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "PKCS#7 is not supported by this backend.", exceptions::Reasons::UNSUPPORTED_SERIALIZATION, )), - )); + )) } } } @@ -369,12 +371,14 @@ fn load_der_pkcs7_certificates<'p>( })?; load_pkcs7_certificates(py, pkcs7_decoded) } else { - return Err(CryptographyError::from( + let _ = py; + let _ = data; + Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( "PKCS#7 is not supported by this backend.", exceptions::Reasons::UNSUPPORTED_SERIALIZATION, )), - )); + )) } } } diff --git a/src/rust/src/types.rs b/src/rust/src/types.rs index ddd5d8f452ff..10272e14aa8f 100644 --- a/src/rust/src/types.rs +++ b/src/rust/src/types.rs @@ -473,6 +473,7 @@ pub static AES256: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["AES256"], ); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SM4"))] pub static SM4: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["SM4"], @@ -480,14 +481,17 @@ pub static SM4: LazyPyImport = LazyPyImport::new( #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_SEED"))] pub static SEED: LazyPyImport = LazyPyImport::new("cryptography.hazmat.decrepit.ciphers.algorithms", &["SEED"]); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAMELLIA"))] pub static CAMELLIA: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.primitives.ciphers.algorithms", &["Camellia"], ); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] pub static BLOWFISH: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.decrepit.ciphers.algorithms", &["Blowfish"], ); +#[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_CAST"))] pub static CAST5: LazyPyImport = LazyPyImport::new( "cryptography.hazmat.decrepit.ciphers.algorithms", &["CAST5"],