author | Alex Gaynor <alex.gaynor@gmail.com> | 2020-04-25 23:42:20 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-04-25 22:42:20 -0500 |
commit | 01eb304b082b4ae5769eb0b2e1184dbca010961a (patch) | |
tree | a2be5eadd79023732937261f6e58b1ddd0f74c30 | |
parent | b87a238dc10f46daddd8616efd8a9b0237a858c6 (diff) | |
Dropped support for LibreSSL 2.7, 2.8, and 2.9.0 (2.9.1+ are still supported) (#5231)
-rw-r--r-- | .travis.yml | 4 | ||||
-rw-r--r-- | CHANGELOG.rst | 2 | ||||
-rw-r--r-- | src/_cffi_src/openssl/cryptography.py | 12 | ||||
-rw-r--r-- | src/_cffi_src/openssl/ssl.py | 10 | ||||
-rw-r--r-- | src/cryptography/hazmat/bindings/openssl/_conditional.py | 15 | ||||
-rw-r--r-- | src/cryptography/hazmat/primitives/ciphers/aead.py | 6 | ||||
-rw-r--r-- | tests/hazmat/primitives/test_aead.py | 14 | ||||
-rw-r--r-- | tests/wycheproof/test_rsa.py | 12 |
8 files changed, 3 insertions, 72 deletions
diff --git a/.travis.yml b/.travis.yml index ebfc818d..e8dff4c3 100644 --- a/.travis.yml +++ b/.travis.yml @@ -44,10 +44,6 @@ matrix: - python: 3.8 env: TOXENV=py38 OPENSSL=1.1.1g OPENSSL_CONFIG_FLAGS="no-engine no-rc2" - python: 3.8 - env: TOXENV=py38 LIBRESSL=2.7.5 - - python: 3.8 - env: TOXENV=py38 LIBRESSL=2.8.3 - - python: 3.8 env: TOXENV=py38 LIBRESSL=2.9.2 - python: 3.8 env: TOXENV=py38 LIBRESSL=3.0.2 diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 6da06409..7dc2b992 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -12,6 +12,8 @@ Changelog :class:`~cryptography.x509.Extension` instance to :meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`, as per our deprecation policy. +* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has + been removed (2.9.1+ is still supported). .. _v2-9-2: diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index 0da882c6..cd583313 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -33,16 +33,6 @@ INCLUDES = """ #include <Winsock2.h> #endif -#if CRYPTOGRAPHY_IS_LIBRESSL -#define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER \ - (LIBRESSL_VERSION_NUMBER >= 0x2080000f) -#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER \ - (LIBRESSL_VERSION_NUMBER >= 0x2090100f) -#else -#define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER (0) -#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER (0) -#endif - #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \ (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL) #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \ @@ -72,8 +62,6 @@ static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111; static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B; static const int CRYPTOGRAPHY_IS_LIBRESSL; - -static const int CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER; """ FUNCTIONS = """ diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index c803ae7a..4ba86693 100644 
--- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -26,7 +26,6 @@ static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE; static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE; static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS; static const long Cryptography_HAS_DTLS; -static const long Cryptography_HAS_GENERIC_DTLS_METHOD; static const long Cryptography_HAS_SIGALGS; static const long Cryptography_HAS_PSK; static const long Cryptography_HAS_CIPHER_DETAILS; @@ -710,15 +709,6 @@ static const long TLS_ST_BEFORE = 0; static const long TLS_ST_OK = 0; #endif -/* LibreSSL 2.9.1 added only the DTLS_*_method functions */ -#if CRYPTOGRAPHY_IS_LIBRESSL && !CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER -static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0; -const SSL_METHOD *(*DTLS_method)(void) = NULL; -const SSL_METHOD *(*DTLS_server_method)(void) = NULL; -const SSL_METHOD *(*DTLS_client_method)(void) = NULL; -#else -static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1; -#endif #if CRYPTOGRAPHY_IS_LIBRESSL static const long SSL_OP_NO_DTLSv1 = 0; static const long SSL_OP_NO_DTLSv1_2 = 0; diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index b089f65b..3bc879c4 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -102,18 +102,6 @@ def cryptography_has_scrypt(): ] -def cryptography_has_generic_dtls_method(): - return [ - "DTLS_method", - "DTLS_server_method", - "DTLS_client_method", - "SSL_OP_NO_DTLSv1", - "SSL_OP_NO_DTLSv1_2", - "DTLS_set_link_mtu", - "DTLS_get_link_min_mtu", - ] - - def cryptography_has_evp_pkey_dhx(): return [ "EVP_PKEY_DHX", 
@@ -336,9 +324,6 @@ CONDITIONAL_NAMES = { "Cryptography_HAS_TLS_ST": cryptography_has_tls_st, "Cryptography_HAS_LOCKING_CALLBACKS": cryptography_has_locking_callbacks, "Cryptography_HAS_SCRYPT": cryptography_has_scrypt, - "Cryptography_HAS_GENERIC_DTLS_METHOD": ( - cryptography_has_generic_dtls_method - ), "Cryptography_HAS_EVP_PKEY_DHX": cryptography_has_evp_pkey_dhx, "Cryptography_HAS_MEM_FUNCTIONS": cryptography_has_mem_functions, "Cryptography_HAS_SCT": cryptography_has_sct, diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py index a20a80f3..72cb30c3 100644 --- a/src/cryptography/hazmat/primitives/ciphers/aead.py +++ b/src/cryptography/hazmat/primitives/ciphers/aead.py @@ -80,12 +80,6 @@ class AESCCM(object): self._tag_length = tag_length - if not backend.aead_cipher_supported(self): - raise exceptions.UnsupportedAlgorithm( - "AESCCM is not supported by this version of OpenSSL", - exceptions._Reasons.UNSUPPORTED_CIPHER - ) - @classmethod def generate_key(cls, bit_length): if not isinstance(bit_length, int): diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py index e1a17a97..4f6bc7f4 100644 --- a/tests/hazmat/primitives/test_aead.py +++ b/tests/hazmat/primitives/test_aead.py @@ -183,20 +183,6 @@ class TestChaCha20Poly1305(object): assert computed_pt2 == pt -@pytest.mark.skipif( - _aead_supported(AESCCM), - reason="Requires OpenSSL without AES-CCM support" -) -@pytest.mark.requires_backend_interface(interface=CipherBackend) -def test_aesccm_unsupported_on_older_openssl(backend): - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): - AESCCM(AESCCM.generate_key(128)) - - -@pytest.mark.skipif( - not _aead_supported(AESCCM), - reason="Does not support AESCCM" -) @pytest.mark.requires_backend_interface(interface=CipherBackend) class TestAESCCM(object): def test_data_too_large(self): 
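Review bot: In `src/cryptography/hazmat/primitives/ciphers/aead.py`, the `AESCCM` method that sets `self._tag_length` (presumably `__init__`; its signature is above the hunk) no longer calls `backend.aead_cipher_supported(self)`, so a linked library without AES-CCM would not raise `UnsupportedAlgorithm` at construction. Where the failure would surface instead, presumably at the first encrypt or decrypt call, is not visible here. The test `test_aesccm_unsupported_on_older_openssl` is removed in `tests/hazmat/primitives/test_aead.py` on this same line, so nothing pins the behaviour. If every supported OpenSSL and LibreSSL build provides the cipher, say so where the guard used to be: `# Every supported OpenSSL/LibreSSL version provides AES-CCM, so no aead_cipher_supported() check is needed here.`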
diff --git a/tests/wycheproof/test_rsa.py b/tests/wycheproof/test_rsa.py index 12f2901b..8a971d98 100644 --- a/tests/wycheproof/test_rsa.py +++ b/tests/wycheproof/test_rsa.py @@ -38,7 +38,7 @@ def should_verify(backend, wycheproof): if ( ( backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER or - backend._lib.CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER + backend._lib.CRYPTOGRAPHY_IS_LIBRESSL ) and wycheproof.has_flag("MissingNull") ): return False @@ -48,16 +48,6 @@ def should_verify(backend, wycheproof): @pytest.mark.requires_backend_interface(interface=RSABackend) -@pytest.mark.supported( - only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL or - backend._lib.CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER - ), - skip_message=( - "Many of these tests fail on OpenSSL < 1.0.2 and since upstream isn't" - " maintaining it, they'll never be fixed." - ), -) @pytest.mark.wycheproof_tests( "rsa_signature_test.json", "rsa_signature_2048_sha224_test.json", |
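Review bot: The `MissingNull` condition in `should_verify` now keys on `backend._lib.CRYPTOGRAPHY_IS_LIBRESSL` alone, so it holds only while every supported LibreSSL is at least the version the old `CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER` macro required, and the code no longer states that floor. A comment above the `if` would keep the assumption visible for whoever next changes the supported-version matrix, e.g. `# Every supported LibreSSL behaves like OpenSSL 1.1.0+ here: MissingNull vectors must not verify.` `should_verify` begins above the hunk and continues past it.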