Drop LibreSSL <3.8.0 (#10283)

pyca · Jan 28, 2024 · e44e124 · e44e124
1 parent 98d7648
commit e44e124
Show file tree

Hide file tree

Showing 7 changed files with 4 additions and 29 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -40,7 +40,6 @@ jobs:
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "3.2.0", CONFIG_FLAGS: "no-legacy", NO_LEGACY: "1"}}
           - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.4"}}
           - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.0"}}
-          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}}
           - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
           - {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
           # Latest commit on the BoringSSL master branch, as of Jan 27, 2024.

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -8,6 +8,7 @@ Changelog
 
 .. note:: This version is not yet released and is under active development.
 
+* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.8.
 * :func:`~cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key`
   now enforces a minimum RSA key size of 1024-bit. Note that 1024-bit is still
   considered insecure, users should generally use a key size of 2048-bits.

diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
@@ -53,14 +53,6 @@
 
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E \
     (OPENSSL_VERSION_NUMBER < 0x10101050 || CRYPTOGRAPHY_IS_LIBRESSL)
-
-#if CRYPTOGRAPHY_IS_LIBRESSL
-#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 \
-    (LIBRESSL_VERSION_NUMBER < 0x3080000f)
-
-#else
-#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380 (0)
-#endif
 """
 
 TYPES = """
@@ -69,8 +61,6 @@
 
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E;
 
-static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380;
-
 static const int CRYPTOGRAPHY_IS_LIBRESSL;
 static const int CRYPTOGRAPHY_IS_BORINGSSL;
 """

diff --git a/src/rust/build.rs b/src/rust/build.rs
@@ -17,13 +17,8 @@ fn main() {
         }
     }
 
-    if let Ok(version) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") {
-        let version = u64::from_str_radix(&version, 16).unwrap();
-
+    if env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER").is_ok() {
         println!("cargo:rustc-cfg=CRYPTOGRAPHY_IS_LIBRESSL");
-        if version >= 0x3_08_00_00_0 {
-            println!("cargo:rustc-cfg=CRYPTOGRAPHY_LIBRESSL_380_OR_GREATER");
-        }
     }
 
     if env::var("DEP_OPENSSL_BORINGSSL").is_ok() {

diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs
@@ -90,15 +90,6 @@ fn py_curve_from_curve<'p>(
     py: pyo3::Python<'p>,
     curve: &openssl::ec::EcGroupRef,
 ) -> CryptographyResult<&'p pyo3::PyAny> {
-    let name = curve
-        .curve_name()
-        .ok_or_else(|| {
-            pyo3::exceptions::PyValueError::new_err(
-                "ECDSA keys with explicit parameters are unsupported at this time",
-            )
-        })?
-        .short_name()?;
-
     if curve.asn1_flag() == openssl::ec::Asn1Flag::EXPLICIT_CURVE {
         return Err(CryptographyError::from(
             pyo3::exceptions::PyValueError::new_err(
@@ -107,6 +98,8 @@ fn py_curve_from_curve<'p>(
         ));
     }
 
+    let name = curve.curve_name().unwrap().short_name()?;
+
     types::CURVE_TYPES
         .get(py)?
         .extract::<&pyo3::types::PyDict>()?

diff --git a/src/rust/src/backend/keys.rs b/src/rust/src/backend/keys.rs
@@ -83,7 +83,6 @@ fn private_key_from_pkey(
             unsafe_skip_rsa_key_validation,
         )?
         .into_py(py)),
-        #[cfg(any(not(CRYPTOGRAPHY_IS_LIBRESSL), CRYPTOGRAPHY_LIBRESSL_380_OR_GREATER))]
         openssl::pkey::Id::RSA_PSS => {
             // At the moment the way we handle RSA PSS keys is to strip the
             // PSS constraints from them and treat them as normal RSA keys

diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
@@ -256,7 +256,6 @@ def test_load_pss_vect_example_keys(self, pkcs1_example):
             and (
                 not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E
                 or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
-                and not backend._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380
             )
         ),
         skip_message="Does not support RSA PSS loading",
@@ -314,7 +313,6 @@ def test_load_pss_pub_keys_strips_constraints(self, backend):
             and (
                 not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E
                 or backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
-                and not backend._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_380
             )
         ),
         skip_message="Test requires a backend without RSA-PSS key support",