authorAlex Gaynor <alex.gaynor@gmail.com>2020-04-25 23:42:20 -0400
committerGitHub <noreply@github.com>2020-04-25 22:42:20 -0500
commit01eb304b082b4ae5769eb0b2e1184dbca010961a (patch)
treea2be5eadd79023732937261f6e58b1ddd0f74c30
parentb87a238dc10f46daddd8616efd8a9b0237a858c6 (diff)
Dropped support for LibreSSL 2.7, 2.8, and 2.9.0 (2.9.1+ are still supported) (#5231)
-rw-r--r--.travis.yml4
-rw-r--r--CHANGELOG.rst2
-rw-r--r--src/_cffi_src/openssl/cryptography.py12
-rw-r--r--src/_cffi_src/openssl/ssl.py10
-rw-r--r--src/cryptography/hazmat/bindings/openssl/_conditional.py15
-rw-r--r--src/cryptography/hazmat/primitives/ciphers/aead.py6
-rw-r--r--tests/hazmat/primitives/test_aead.py14
-rw-r--r--tests/wycheproof/test_rsa.py12
8 files changed, 3 insertions, 72 deletions
diff --git a/.travis.yml b/.travis.yml
index ebfc818d..e8dff4c3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -44,10 +44,6 @@ matrix:
- python: 3.8
env: TOXENV=py38 OPENSSL=1.1.1g OPENSSL_CONFIG_FLAGS="no-engine no-rc2"
- python: 3.8
- env: TOXENV=py38 LIBRESSL=2.7.5
- - python: 3.8
- env: TOXENV=py38 LIBRESSL=2.8.3
- - python: 3.8
env: TOXENV=py38 LIBRESSL=2.9.2
- python: 3.8
env: TOXENV=py38 LIBRESSL=3.0.2
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 6da06409..7dc2b992 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -12,6 +12,8 @@ Changelog
:class:`~cryptography.x509.Extension` instance to
:meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`,
as per our deprecation policy.
+* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has
+ been removed (2.9.1+ is still supported).
.. _v2-9-2:
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index 0da882c6..cd583313 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -33,16 +33,6 @@ INCLUDES = """
#include <Winsock2.h>
#endif
-#if CRYPTOGRAPHY_IS_LIBRESSL
-#define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER \
- (LIBRESSL_VERSION_NUMBER >= 0x2080000f)
-#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER \
- (LIBRESSL_VERSION_NUMBER >= 0x2090100f)
-#else
-#define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER (0)
-#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER (0)
-#endif
-
#define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
(OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
@@ -72,8 +62,6 @@ static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111;
static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
static const int CRYPTOGRAPHY_IS_LIBRESSL;
-
-static const int CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER;
"""
FUNCTIONS = """
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index c803ae7a..4ba86693 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -26,7 +26,6 @@ static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE;
static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE;
static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS;
static const long Cryptography_HAS_DTLS;
-static const long Cryptography_HAS_GENERIC_DTLS_METHOD;
static const long Cryptography_HAS_SIGALGS;
static const long Cryptography_HAS_PSK;
static const long Cryptography_HAS_CIPHER_DETAILS;
@@ -710,15 +709,6 @@ static const long TLS_ST_BEFORE = 0;
static const long TLS_ST_OK = 0;
#endif
-/* LibreSSL 2.9.1 added only the DTLS_*_method functions */
-#if CRYPTOGRAPHY_IS_LIBRESSL && !CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER
-static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0;
-const SSL_METHOD *(*DTLS_method)(void) = NULL;
-const SSL_METHOD *(*DTLS_server_method)(void) = NULL;
-const SSL_METHOD *(*DTLS_client_method)(void) = NULL;
-#else
-static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1;
-#endif
#if CRYPTOGRAPHY_IS_LIBRESSL
static const long SSL_OP_NO_DTLSv1 = 0;
static const long SSL_OP_NO_DTLSv1_2 = 0;
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index b089f65b..3bc879c4 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -102,18 +102,6 @@ def cryptography_has_scrypt():
]
-def cryptography_has_generic_dtls_method():
- return [
- "DTLS_method",
- "DTLS_server_method",
- "DTLS_client_method",
- "SSL_OP_NO_DTLSv1",
- "SSL_OP_NO_DTLSv1_2",
- "DTLS_set_link_mtu",
- "DTLS_get_link_min_mtu",
- ]
-
-
def cryptography_has_evp_pkey_dhx():
return [
"EVP_PKEY_DHX",
@@ -336,9 +324,6 @@ CONDITIONAL_NAMES = {
"Cryptography_HAS_TLS_ST": cryptography_has_tls_st,
"Cryptography_HAS_LOCKING_CALLBACKS": cryptography_has_locking_callbacks,
"Cryptography_HAS_SCRYPT": cryptography_has_scrypt,
- "Cryptography_HAS_GENERIC_DTLS_METHOD": (
- cryptography_has_generic_dtls_method
- ),
"Cryptography_HAS_EVP_PKEY_DHX": cryptography_has_evp_pkey_dhx,
"Cryptography_HAS_MEM_FUNCTIONS": cryptography_has_mem_functions,
"Cryptography_HAS_SCT": cryptography_has_sct,
diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py
index a20a80f3..72cb30c3 100644
--- a/src/cryptography/hazmat/primitives/ciphers/aead.py
+++ b/src/cryptography/hazmat/primitives/ciphers/aead.py
@@ -80,12 +80,6 @@ class AESCCM(object):
self._tag_length = tag_length
- if not backend.aead_cipher_supported(self):
- raise exceptions.UnsupportedAlgorithm(
- "AESCCM is not supported by this version of OpenSSL",
- exceptions._Reasons.UNSUPPORTED_CIPHER
- )
-
@classmethod
def generate_key(cls, bit_length):
if not isinstance(bit_length, int):
diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py
index e1a17a97..4f6bc7f4 100644
--- a/tests/hazmat/primitives/test_aead.py
+++ b/tests/hazmat/primitives/test_aead.py
@@ -183,20 +183,6 @@ class TestChaCha20Poly1305(object):
assert computed_pt2 == pt
-@pytest.mark.skipif(
- _aead_supported(AESCCM),
- reason="Requires OpenSSL without AES-CCM support"
-)
-@pytest.mark.requires_backend_interface(interface=CipherBackend)
-def test_aesccm_unsupported_on_older_openssl(backend):
- with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER):
- AESCCM(AESCCM.generate_key(128))
-
-
-@pytest.mark.skipif(
- not _aead_supported(AESCCM),
- reason="Does not support AESCCM"
-)
@pytest.mark.requires_backend_interface(interface=CipherBackend)
class TestAESCCM(object):
def test_data_too_large(self):
diff --git a/tests/wycheproof/test_rsa.py b/tests/wycheproof/test_rsa.py
index 12f2901b..8a971d98 100644
--- a/tests/wycheproof/test_rsa.py
+++ b/tests/wycheproof/test_rsa.py
@@ -38,7 +38,7 @@ def should_verify(backend, wycheproof):
if (
(
backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER or
- backend._lib.CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER
+ backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
) and wycheproof.has_flag("MissingNull")
):
return False
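Review bot: The rewritten condition in should_verify now applies the "MissingNull" exception to every LibreSSL backend rather than to 2.8+ only, and nothing at the `if` says why that is safe. It matches the old behaviour only because this commit raises the supported LibreSSL floor to 2.9.1, so a comment above the `if` would keep that dependency visible, e.g. `# OpenSSL 1.1.0+ and every supported LibreSSL (>= 2.9.1) are expected to reject "MissingNull" vectors`. That these backends reject such signatures is inferred from the `return False` here, so the wording should be confirmed against the Wycheproof flag description. should_verify begins before this hunk and continues after it.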
@@ -48,16 +48,6 @@ def should_verify(backend, wycheproof):
@pytest.mark.requires_backend_interface(interface=RSABackend)
-@pytest.mark.supported(
- only_if=lambda backend: (
- not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL or
- backend._lib.CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER
- ),
- skip_message=(
- "Many of these tests fail on OpenSSL < 1.0.2 and since upstream isn't"
- " maintaining it, they'll never be fixed."
- ),
-)
@pytest.mark.wycheproof_tests(
"rsa_signature_test.json",
"rsa_signature_2048_sha224_test.json",