authorAlex Gaynor <alex.gaynor@gmail.com>2020-04-04 17:08:08 -0400
committerGitHub <noreply@github.com>2020-04-04 16:08:08 -0500
commitaece5b3d47282beed31f7119e273b65816a0cf93 (patch)
treed72e5ebfee8297197f1321b6d066d8d2061244f2 /src/cryptography
parente687b8f7f40e30ef88e9de889c55cd7fdec99762 (diff)
Drop support for OpenSSL 1.0.1 (#5178)
Diffstat (limited to 'src/cryptography')
-rw-r--r--src/cryptography/hazmat/backends/openssl/backend.py6
-rw-r--r--src/cryptography/hazmat/backends/openssl/ciphers.py17
-rw-r--r--src/cryptography/hazmat/backends/openssl/dh.py4
-rw-r--r--src/cryptography/hazmat/bindings/openssl/_conditional.py78
-rw-r--r--src/cryptography/hazmat/bindings/openssl/binding.py24
-rw-r--r--src/cryptography/hazmat/primitives/constant_time.py29
-rw-r--r--src/cryptography/utils.py1
7 files changed, 10 insertions, 149 deletions
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 96fa9ff6..6fd191f0 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -194,7 +194,7 @@ class Backend(object):
Friendly string name of the loaded OpenSSL library. This is not
necessarily the same version as it was compiled against.
- Example: OpenSSL 1.0.1e 11 Feb 2013
+ Example: OpenSSL 1.1.1d 10 Sep 2019
"""
return self._ffi.string(
self._lib.OpenSSL_version(self._lib.OPENSSL_VERSION)
@@ -988,9 +988,7 @@ class Backend(object):
for revoked_cert in builder._revoked_certificates:
# Duplicating because the X509_CRL takes ownership and will free
# this memory when X509_CRL_free is called.
- revoked = self._lib.Cryptography_X509_REVOKED_dup(
- revoked_cert._x509_revoked
- )
+ revoked = self._lib.X509_REVOKED_dup(revoked_cert._x509_revoked)
self.openssl_assert(revoked != self._ffi.NULL)
res = self._lib.X509_CRL_add0_revoked(x509_crl, revoked)
self.openssl_assert(res == 1)
diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py
index 94b48f52..4568f71f 100644
--- a/src/cryptography/hazmat/backends/openssl/ciphers.py
+++ b/src/cryptography/hazmat/backends/openssl/ciphers.py
@@ -94,15 +94,6 @@ class _CipherContext(object):
)
self._backend.openssl_assert(res != 0)
self._tag = mode.tag
- elif (
- self._operation == self._DECRYPT and
- self._backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
- not self._backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
- ):
- raise NotImplementedError(
- "delayed passing of GCM tag requires OpenSSL >= 1.0.2."
- " To use this feature please update OpenSSL"
- )
# pass key/iv
res = self._backend._lib.EVP_CipherInit_ex(
@@ -197,14 +188,6 @@ class _CipherContext(object):
return self._backend._ffi.buffer(buf)[:outlen[0]]
def finalize_with_tag(self, tag):
- if (
- self._backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
- not self._backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
- ):
- raise NotImplementedError(
- "finalize_with_tag requires OpenSSL >= 1.0.2. To use this "
- "method please update OpenSSL"
- )
if len(tag) < self._mode._min_tag_length:
raise ValueError(
"Authentication tag must be {} bytes or longer.".format(
diff --git a/src/cryptography/hazmat/backends/openssl/dh.py b/src/cryptography/hazmat/backends/openssl/dh.py
index 095f0623..961f1769 100644
--- a/src/cryptography/hazmat/backends/openssl/dh.py
+++ b/src/cryptography/hazmat/backends/openssl/dh.py
@@ -17,8 +17,8 @@ def _dh_params_dup(dh_cdata, backend):
param_cdata = lib.DHparams_dup(dh_cdata)
backend.openssl_assert(param_cdata != ffi.NULL)
param_cdata = ffi.gc(param_cdata, lib.DH_free)
- if lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102:
- # In OpenSSL versions < 1.0.2 or libressl DHparams_dup don't copy q
+ if lib.CRYPTOGRAPHY_IS_LIBRESSL:
+ # In libressl DHparams_dup don't copy q
q = ffi.new("BIGNUM **")
lib.DH_get0_pqg(dh_cdata, ffi.NULL, q, ffi.NULL)
q_dup = lib.BN_dup(q[0])
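Review bot: The rewritten comment on the `if lib.CRYPTOGRAPHY_IS_LIBRESSL:` branch has a grammar slip and no longer says why the manual copy is needed; I would write it as `# LibreSSL's DHparams_dup doesn't copy q, so duplicate it by hand so q is not silently dropped from the copy.` The old condition also covered OpenSSL builds below 1.0.2, so the new LibreSSL-only test is the sole record that every remaining OpenSSL target copies q itself; if that is what the supported-version floor now guarantees, a second line `# OpenSSL >= 1.0.2 copies q itself.` makes the assumption checkable rather than implicit. `_dh_params_dup` continues past the end of this hunk, so the handling of the duplicated q (and any failure check on `BN_dup`) is not visible here.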
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index a293fb09..ea4ae4c6 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -13,18 +13,6 @@ def cryptography_has_ec2m():
]
-def cryptography_has_ec_1_0_2():
- return [
- "EC_curve_nid2nist",
- ]
-
-
-def cryptography_has_set_ecdh_auto():
- return [
- "SSL_CTX_set_ecdh_auto",
- ]
-
-
def cryptography_has_rsa_r_pkcs_decoding_error():
return [
"RSA_R_PKCS_DECODING_ERROR"
@@ -51,15 +39,6 @@ def cryptography_has_ssl3_method():
]
-def cryptography_has_alpn():
- return [
- "SSL_CTX_set_alpn_protos",
- "SSL_set_alpn_protos",
- "SSL_CTX_set_alpn_select_cb",
- "SSL_get0_alpn_selected",
- ]
-
-
def cryptography_has_compression():
return [
"SSL_get_current_compression",
@@ -68,13 +47,7 @@ def cryptography_has_compression():
]
-def cryptography_has_get_server_tmp_key():
- return [
- "SSL_get_server_tmp_key",
- ]
-
-
-def cryptography_has_102_verification_error_codes():
+def cryptography_has_102_verification():
return [
'X509_V_ERR_SUITE_B_INVALID_VERSION',
'X509_V_ERR_SUITE_B_INVALID_ALGORITHM',
@@ -82,29 +55,9 @@ def cryptography_has_102_verification_error_codes():
'X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM',
'X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED',
'X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256',
- 'X509_V_ERR_HOSTNAME_MISMATCH',
- 'X509_V_ERR_EMAIL_MISMATCH',
- 'X509_V_ERR_IP_ADDRESS_MISMATCH'
- ]
-
-
-def cryptography_has_102_verification_params():
- return [
"X509_V_FLAG_SUITEB_128_LOS_ONLY",
"X509_V_FLAG_SUITEB_192_LOS",
"X509_V_FLAG_SUITEB_128_LOS",
- "X509_VERIFY_PARAM_set1_host",
- "X509_VERIFY_PARAM_set1_email",
- "X509_VERIFY_PARAM_set1_ip",
- "X509_VERIFY_PARAM_set1_ip_asc",
- "X509_VERIFY_PARAM_set_hostflags",
- "SSL_get0_param",
- "SSL_CTX_get0_param",
- "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT",
- "X509_CHECK_FLAG_NO_WILDCARDS",
- "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS",
- "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS",
- "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS"
]
@@ -114,18 +67,6 @@ def cryptography_has_110_verification_params():
]
-def cryptography_has_x509_v_flag_trusted_first():
- return [
- "X509_V_FLAG_TRUSTED_FIRST",
- ]
-
-
-def cryptography_has_x509_v_flag_partial_chain():
- return [
- "X509_V_FLAG_PARTIAL_CHAIN",
- ]
-
-
def cryptography_has_set_cert_cb():
return [
"SSL_CTX_set_cert_cb",
@@ -372,32 +313,17 @@ def cryptography_has_verified_chain():
# lists so we can use coverage to measure which are used.
CONDITIONAL_NAMES = {
"Cryptography_HAS_EC2M": cryptography_has_ec2m,
- "Cryptography_HAS_EC_1_0_2": cryptography_has_ec_1_0_2,
- "Cryptography_HAS_SET_ECDH_AUTO": cryptography_has_set_ecdh_auto,
"Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR": (
cryptography_has_rsa_r_pkcs_decoding_error
),
"Cryptography_HAS_RSA_OAEP_MD": cryptography_has_rsa_oaep_md,
"Cryptography_HAS_RSA_OAEP_LABEL": cryptography_has_rsa_oaep_label,
"Cryptography_HAS_SSL3_METHOD": cryptography_has_ssl3_method,
- "Cryptography_HAS_ALPN": cryptography_has_alpn,
"Cryptography_HAS_COMPRESSION": cryptography_has_compression,
- "Cryptography_HAS_GET_SERVER_TMP_KEY": cryptography_has_get_server_tmp_key,
- "Cryptography_HAS_102_VERIFICATION_ERROR_CODES": (
- cryptography_has_102_verification_error_codes
- ),
- "Cryptography_HAS_102_VERIFICATION_PARAMS": (
- cryptography_has_102_verification_params
- ),
+ "Cryptography_HAS_102_VERIFICATION": cryptography_has_102_verification,
"Cryptography_HAS_110_VERIFICATION_PARAMS": (
cryptography_has_110_verification_params
),
- "Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST": (
- cryptography_has_x509_v_flag_trusted_first
- ),
- "Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN": (
- cryptography_has_x509_v_flag_partial_chain
- ),
"Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb,
"Cryptography_HAS_SSL_ST": cryptography_has_ssl_st,
"Cryptography_HAS_TLS_ST": cryptography_has_tls_st,
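Review bot: The table loses several keys (`Cryptography_HAS_EC_1_0_2`, `Cryptography_HAS_SET_ECDH_AUTO`, `Cryptography_HAS_ALPN`, `Cryptography_HAS_GET_SERVER_TMP_KEY`, the two `X509_V_FLAG_*` entries) and replaces two others with the single `"Cryptography_HAS_102_VERIFICATION"`, but nothing in the file records why those names no longer need a conditional entry; the comment above `CONDITIONAL_NAMES` only explains the coverage purpose of the lists. A short comment such as `# Names that every supported OpenSSL/LibreSSL provides need no entry here.` on the dict would let a reader tell a deliberate removal from an omission. Whether the matching C-level `Cryptography_HAS_*` defines were dropped in the same change is outside this diffstat, which is limited to src/cryptography, so any code that probes those attribute names on `binding.lib` may now see them absent; that is worth a changelog line naming the removed and renamed flags. The same point applies to the two `_conditional.py` hunks starting at the `@@ -68,13 +47,7 @@` and `@@ -82,29 +55,9 @@` headers, where the lists themselves are merged.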
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 1e0f34c9..4e23cd53 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -5,10 +5,8 @@
from __future__ import absolute_import, division, print_function
import collections
-import os
import threading
import types
-import warnings
import cryptography
from cryptography import utils
@@ -152,26 +150,6 @@ class Binding(object):
_openssl_assert(cls.lib, res == 1)
-def _verify_openssl_version(lib):
- if (
- lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and
- not lib.CRYPTOGRAPHY_IS_LIBRESSL
- ):
- if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_101"):
- warnings.warn(
- "OpenSSL version 1.0.1 is no longer supported by the OpenSSL "
- "project, please upgrade. The next version of cryptography "
- "will completely remove support for it.",
- utils.CryptographyDeprecationWarning
- )
- else:
- raise RuntimeError(
- "You are linking against OpenSSL 1.0.1, which is no longer "
- "supported by the OpenSSL project. You need to upgrade to a "
- "newer version of OpenSSL."
- )
-
-
def _verify_package_version(version):
# Occasionally we run into situations where the version of the Python
# package does not match the version of the shared object that is loaded.
@@ -201,5 +179,3 @@ _verify_package_version(cryptography.__version__)
# condition registering the OpenSSL locks. On Python 3.4+ the import lock
# is per module so this approach will not work.
Binding.init_static_locks()
-
-_verify_openssl_version(Binding.lib)
diff --git a/src/cryptography/hazmat/primitives/constant_time.py b/src/cryptography/hazmat/primitives/constant_time.py
index 35ceafe0..7f41b9ef 100644
--- a/src/cryptography/hazmat/primitives/constant_time.py
+++ b/src/cryptography/hazmat/primitives/constant_time.py
@@ -5,31 +5,10 @@
from __future__ import absolute_import, division, print_function
import hmac
-import warnings
-from cryptography import utils
-from cryptography.hazmat.bindings._constant_time import lib
+def bytes_eq(a, b):
+ if not isinstance(a, bytes) or not isinstance(b, bytes):
+ raise TypeError("a and b must be bytes.")
-if hasattr(hmac, "compare_digest"):
- def bytes_eq(a, b):
- if not isinstance(a, bytes) or not isinstance(b, bytes):
- raise TypeError("a and b must be bytes.")
-
- return hmac.compare_digest(a, b)
-
-else:
- warnings.warn(
- "Support for your Python version is deprecated. The next version of "
- "cryptography will remove support. Please upgrade to a release "
- "(2.7.7+) that supports hmac.compare_digest as soon as possible.",
- utils.PersistentlyDeprecated2018,
- )
-
- def bytes_eq(a, b):
- if not isinstance(a, bytes) or not isinstance(b, bytes):
- raise TypeError("a and b must be bytes.")
-
- return lib.Cryptography_constant_time_bytes_eq(
- a, len(a), b, len(b)
- ) == 1
+ return hmac.compare_digest(a, b)
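Review bot: The new module-level `bytes_eq` has no docstring, and the constant-time contract that the removed C fallback made visible is now carried entirely by `hmac.compare_digest`, so the function should state it. I would add `"""Compare *a* and *b* in constant time; both must be ``bytes`` (TypeError otherwise). Delegates to hmac.compare_digest, whose timing can still reveal a length difference, so callers must not rely on it to hide lengths."""` directly under the `def` line. The `isinstance(..., bytes)` guard also rejects `bytearray` and `memoryview`, which `hmac.compare_digest` itself accepts; that matches the removed code, so rather than widening it a `# bytes only, for parity with the historical API` comment on the check records that the restriction is intentional.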
diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py
index e895aa05..698b492d 100644
--- a/src/cryptography/utils.py
+++ b/src/cryptography/utils.py
@@ -21,7 +21,6 @@ class CryptographyDeprecationWarning(UserWarning):
# ubiquity of their use. They should not be removed until we agree on when that
# cycle ends.
PersistentlyDeprecated2017 = CryptographyDeprecationWarning
-PersistentlyDeprecated2018 = CryptographyDeprecationWarning
PersistentlyDeprecated2019 = CryptographyDeprecationWarning
DeprecatedIn27 = CryptographyDeprecationWarning