Drop 1.0.0 (#3312)

* delete the 1.0.0 support

* drop the version check

* drop the AES-CTR stuff

* Update the example

* openssl truncates for us now

* delete unused test

* unused imports

* Remove a bunch of conditional bindings for NPN

* no more 1.0.0 builders

* libressl fix

* update the docs

* remove dead branches

* oops

* this is a word, damnit

* spelling

* try removing this

* this test is not needed

* unused import

4 files changed, 8 insertions, 177 deletions

diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 47c46065..6d6f3452 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -4,7 +4,6 @@
 
 from __future__ import absolute_import, division, print_function
 
-import datetime
 import itertools
 import os
 import subprocess
@@ -26,11 +25,9 @@ from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding
 from cryptography.hazmat.primitives.ciphers import Cipher
 from cryptography.hazmat.primitives.ciphers.algorithms import AES
-from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR
+from cryptography.hazmat.primitives.ciphers.modes import CBC
 
-from ..primitives.fixtures_dsa import DSA_KEY_2048
 from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512
-from ..primitives.test_ec import _skip_curve_unsupported
 from ...doubles import (
     DummyAsymmetricPadding, DummyCipherAlgorithm, DummyHashAlgorithm, DummyMode
 )
@@ -77,11 +74,6 @@ class TestOpenSSL(object):
     def test_supports_cipher(self):
         assert backend.cipher_supported(None, None) is False
 
-    def test_aes_ctr_always_available(self):
-        # AES CTR should always be available, even in 1.0.0.
-        assert backend.cipher_supported(AES(b"\x00" * 16),
-                                        CTR(b"\x00" * 16)) is True
-
     def test_register_duplicate_cipher_adapter(self):
         with pytest.raises(ValueError):
             backend.register_cipher_adapter(AES, CBC, None)
@@ -325,35 +317,6 @@ class TestOpenSSLRSA(object):
             backend.generate_rsa_private_key(public_exponent=65537,
                                              key_size=256)
 
-    @pytest.mark.skipif(
-        backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
-        reason="Requires an older OpenSSL. Must be < 1.0.1"
-    )
-    def test_non_sha1_pss_mgf1_hash_algorithm_on_old_openssl(self):
-        private_key = RSA_KEY_512.private_key(backend)
-        with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH):
-            private_key.signer(
-                padding.PSS(
-                    mgf=padding.MGF1(
-                        algorithm=hashes.SHA256(),
-                    ),
-                    salt_length=padding.PSS.MAX_LENGTH
-                ),
-                hashes.SHA1()
-            )
-        public_key = private_key.public_key()
-        with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH):
-            public_key.verifier(
-                b"sig",
-                padding.PSS(
-                    mgf=padding.MGF1(
-                        algorithm=hashes.SHA256(),
-                    ),
-                    salt_length=padding.PSS.MAX_LENGTH
-                ),
-                hashes.SHA1()
-            )
-
     def test_rsa_padding_unsupported_pss_mgf1_hash(self):
         assert backend.rsa_padding_supported(
             padding.PSS(mgf=padding.MGF1(DummyHashAlgorithm()), salt_length=0)
@@ -500,39 +463,12 @@ class TestOpenSSLRSA(object):
             )
 
 
-@pytest.mark.skipif(
-    backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101,
-    reason="Requires an OpenSSL version >= 1.0.1"
-)
 class TestOpenSSLCMAC(object):
     def test_unsupported_cipher(self):
         with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER):
             backend.create_cmac_ctx(DummyCipherAlgorithm())
 
 
-class TestOpenSSLCreateX509CSR(object):
-    @pytest.mark.skipif(
-        backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
-        reason="Requires an older OpenSSL. Must be < 1.0.1"
-    )
-    def test_unsupported_dsa_keys(self):
-        private_key = DSA_KEY_2048.private_key(backend)
-
-        with pytest.raises(NotImplementedError):
-            backend.create_x509_csr(object(), private_key, hashes.SHA1())
-
-    @pytest.mark.skipif(
-        backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
-        reason="Requires an older OpenSSL. Must be < 1.0.1"
-    )
-    def test_unsupported_ec_keys(self):
-        _skip_curve_unsupported(backend, ec.SECP256R1())
-        private_key = ec.generate_private_key(ec.SECP256R1(), backend)
-
-        with pytest.raises(NotImplementedError):
-            backend.create_x509_csr(object(), private_key, hashes.SHA1())
-
-
 class TestOpenSSLSignX509Certificate(object):
     def test_requires_certificate_builder(self):
         private_key = RSA_KEY_2048.private_key(backend)
@@ -542,55 +478,6 @@ class TestOpenSSLSignX509Certificate(object):
                 object(), private_key, DummyHashAlgorithm()
             )
 
-    @pytest.mark.skipif(
-        backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
-        reason="Requires an older OpenSSL. Must be < 1.0.1"
-    )
-    def test_sign_with_dsa_private_key_is_unsupported(self):
-        private_key = DSA_KEY_2048.private_key(backend)
-        builder = x509.CertificateBuilder()
-        builder = builder.subject_name(
-            x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')])
-        ).issuer_name(
-            x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')])
-        ).serial_number(
-            1
-        ).public_key(
-            private_key.public_key()
-        ).not_valid_before(
-            datetime.datetime(2002, 1, 1, 12, 1)
-        ).not_valid_after(
-            datetime.datetime(2032, 1, 1, 12, 1)
-        )
-
-        with pytest.raises(NotImplementedError):
-            builder.sign(private_key, hashes.SHA512(), backend)
-
-    @pytest.mark.skipif(
-        backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
-        reason="Requires an older OpenSSL. Must be < 1.0.1"
-    )
-    def test_sign_with_ec_private_key_is_unsupported(self):
-        _skip_curve_unsupported(backend, ec.SECP256R1())
-        private_key = ec.generate_private_key(ec.SECP256R1(), backend)
-        builder = x509.CertificateBuilder()
-        builder = builder.subject_name(
-            x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')])
-        ).issuer_name(
-            x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')])
-        ).serial_number(
-            1
-        ).public_key(
-            private_key.public_key()
-        ).not_valid_before(
-            datetime.datetime(2002, 1, 1, 12, 1)
-        ).not_valid_after(
-            datetime.datetime(2032, 1, 1, 12, 1)
-        )
-
-        with pytest.raises(NotImplementedError):
-            builder.sign(private_key, hashes.SHA512(), backend)
-
 
 class TestOpenSSLSignX509CertificateRevocationList(object):
     def test_invalid_builder(self):
@@ -599,43 +486,6 @@ class TestOpenSSLSignX509CertificateRevocationList(object):
         with pytest.raises(TypeError):
             backend.create_x509_crl(object(), private_key, hashes.SHA256())
 
-    @pytest.mark.skipif(
-        backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
-        reason="Requires an older OpenSSL. Must be < 1.0.1"
-    )
-    def test_sign_with_dsa_private_key_is_unsupported(self):
-        private_key = DSA_KEY_2048.private_key(backend)
-        builder = x509.CertificateRevocationListBuilder()
-        builder = builder.issuer_name(
-            x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')])
-        ).last_update(
-            datetime.datetime(2002, 1, 1, 12, 1)
-        ).next_update(
-            datetime.datetime(2032, 1, 1, 12, 1)
-        )
-
-        with pytest.raises(NotImplementedError):
-            builder.sign(private_key, hashes.SHA1(), backend)
-
-    @pytest.mark.skipif(
-        backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
-        reason="Requires an older OpenSSL. Must be < 1.0.1"
-    )
-    def test_sign_with_ec_private_key_is_unsupported(self):
-        _skip_curve_unsupported(backend, ec.SECP256R1())
-        private_key = ec.generate_private_key(ec.SECP256R1(), backend)
-        builder = x509.CertificateRevocationListBuilder()
-        builder = builder.issuer_name(
-            x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')])
-        ).last_update(
-            datetime.datetime(2002, 1, 1, 12, 1)
-        ).next_update(
-            datetime.datetime(2032, 1, 1, 12, 1)
-        )
-
-        with pytest.raises(NotImplementedError):
-            builder.sign(private_key, hashes.SHA512(), backend)
-
 
 class TestOpenSSLCreateRevokedCertificate(object):
     def test_invalid_builder(self):
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 3e01717c..85b51725 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -8,7 +8,7 @@ import pytest
 
 from cryptography.exceptions import InternalError
 from cryptography.hazmat.bindings.openssl.binding import (
-    Binding, _OpenSSLErrorWithText, _openssl_assert, _verify_openssl_version
+    Binding, _OpenSSLErrorWithText, _openssl_assert
 )
 
 
@@ -79,11 +79,14 @@ class TestOpenSSL(object):
     def test_conditional_removal(self):
         b = Binding()
 
-        if b.lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER:
-            assert b.lib.CMAC_Init
+        if (
+            b.lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and
+            not b.lib.CRYPTOGRAPHY_IS_LIBRESSL
+        ):
+            assert b.lib.TLS_ST_OK
         else:
             with pytest.raises(AttributeError):
-                b.lib.CMAC_Init
+                b.lib.TLS_ST_OK
 
     def test_openssl_assert_error_on_stack(self):
         b = Binding()
@@ -107,9 +110,3 @@ class TestOpenSSL(object):
                 b'ex:data not multiple of block length'
             )
         )]
-
-    def test_verify_openssl_version(self, monkeypatch):
-        monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_100", raising=False)
-        with pytest.raises(RuntimeError):
-            # OpenSSL 1.0.0
-            _verify_openssl_version(0x100000F)
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 966cba6f..1ecf6b6a 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -2082,9 +2082,6 @@ class TestCertificateBuilder(object):
     @pytest.mark.requires_backend_interface(interface=DSABackend)
     @pytest.mark.requires_backend_interface(interface=X509Backend)
     def test_build_cert_with_dsa_private_key(self, backend):
-        if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
-            pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
-
         issuer_private_key = DSA_KEY_2048.private_key(backend)
         subject_private_key = DSA_KEY_2048.private_key(backend)
 
@@ -2130,9 +2127,6 @@ class TestCertificateBuilder(object):
     @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
     @pytest.mark.requires_backend_interface(interface=X509Backend)
     def test_build_cert_with_ec_private_key(self, backend):
-        if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
-            pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
-
         _skip_curve_unsupported(backend, ec.SECP256R1())
         issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
         subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend)
@@ -2734,9 +2728,6 @@ class TestCertificateSigningRequestBuilder(object):
 
     @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
     def test_build_ca_request_with_ec(self, backend):
-        if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
-            pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
-
         _skip_curve_unsupported(backend, ec.SECP256R1())
         private_key = ec.generate_private_key(ec.SECP256R1(), backend)
 
@@ -2764,9 +2755,6 @@ class TestCertificateSigningRequestBuilder(object):
 
     @pytest.mark.requires_backend_interface(interface=DSABackend)
     def test_build_ca_request_with_dsa(self, backend):
-        if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
-            pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
-
         private_key = DSA_KEY_2048.private_key(backend)
 
         request = x509.CertificateSigningRequestBuilder().subject_name(
diff --git a/tests/test_x509_crlbuilder.py b/tests/test_x509_crlbuilder.py
index 0d29a3ea..f0306ef0 100644
--- a/tests/test_x509_crlbuilder.py
+++ b/tests/test_x509_crlbuilder.py
@@ -347,8 +347,6 @@ class TestCertificateRevocationListBuilder(object):
     @pytest.mark.requires_backend_interface(interface=DSABackend)
     @pytest.mark.requires_backend_interface(interface=X509Backend)
     def test_sign_dsa_key(self, backend):
-        if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
-            pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
         private_key = DSA_KEY_2048.private_key(backend)
         invalidity_date = x509.InvalidityDate(
             datetime.datetime(2002, 1, 1, 0, 0)
@@ -393,8 +391,6 @@ class TestCertificateRevocationListBuilder(object):
     @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
     @pytest.mark.requires_backend_interface(interface=X509Backend)
     def test_sign_ec_key_unsupported(self, backend):
-        if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
-            pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
         _skip_curve_unsupported(backend, ec.SECP256R1())
         private_key = ec.generate_private_key(ec.SECP256R1(), backend)
         invalidity_date = x509.InvalidityDate(