diff options
| -rw-r--r-- | .travis.yml | 5 | ||||
| -rwxr-xr-x | .travis/install.sh | 7 | ||||
| -rwxr-xr-x | .travis/run.sh | 3 | ||||
| -rw-r--r-- | CHANGELOG.rst | 1 | ||||
| -rw-r--r-- | docs/installation.rst | 1 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/cryptography.py | 10 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 4 | ||||
| -rw-r--r-- | tests/hazmat/backends/test_openssl.py | 22 | ||||
| -rw-r--r-- | tests/hazmat/bindings/test_openssl.py | 6 |
9 files changed, 50 insertions, 9 deletions
diff --git a/.travis.yml b/.travis.yml index 74e8b264..1b33c6f5 100644 --- a/.travis.yml +++ b/.travis.yml @@ -6,6 +6,7 @@ cache: directories: - $HOME/.cache/pip - $HOME/ossl-100t + - $HOME/ossl-110 matrix: include: @@ -30,6 +31,10 @@ matrix: - python: 3.5 env: TOXENV=py35 OPENSSL=1.0.0 - python: 2.7 + env: TOXENV=py27 OPENSSL=1.1.0 + - python: 3.5 + env: TOXENV=py35 OPENSSL=1.1.0 + - python: 2.7 env: TOXENV=docs addons: apt: diff --git a/.travis/install.sh b/.travis/install.sh index b8ff31ad..5c09b258 100755 --- a/.travis/install.sh +++ b/.travis/install.sh @@ -63,6 +63,10 @@ else OPENSSL_VERSION_NUMBER="1.0.0t" OPENSSL_DIR="ossl-100t" fi + if [[ "${OPENSSL}" == "1.1.0" ]]; then + OPENSSL_VERSION_NUMBER="1.1.0" + OPENSSL_DIR="ossl-110" + fi # download, compile, and install if it's not already present via travis # cache if [ -n "$OPENSSL_DIR" ]; then @@ -72,7 +76,8 @@ else cd openssl-$OPENSSL_VERSION_NUMBER ./config shared no-asm no-ssl2 -fPIC --prefix="$HOME/$OPENSSL_DIR" # modify the shlib version to a unique one to make sure the dynamic - # linker doesn't load the system one. + # linker doesn't load the system one. This isn't required for 1.1.0 at the + # moment since our Travis builders have a diff shlib version, but it doesn't hurt sed -i "s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=100/" Makefile sed -i "s/^SHLIB_MINOR=.*/SHLIB_MINOR=0.0/" Makefile sed -i "s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=100.0.0/" Makefile diff --git a/.travis/run.sh b/.travis/run.sh index 5c8b53f9..22beba06 100755 --- a/.travis/run.sh +++ b/.travis/run.sh @@ -29,6 +29,9 @@ else if [[ "${OPENSSL}" == "1.0.0" ]]; then OPENSSL_DIR="ossl-100t" fi + if [[ "${OPENSSL}" == "1.1.0" ]]; then + OPENSSL_DIR="ossl-110" + fi if [ -n "$OPENSSL_DIR" ]; then export PATH="$HOME/$OPENSSL_DIR/bin:$PATH" diff --git a/CHANGELOG.rst b/CHANGELOG.rst index fad6454e..f8740739 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -24,6 +24,7 @@ Changelog :class:`~cryptography.x509.CertificateRevocationListBuilder`, and :class:`~cryptography.x509.RevokedCertificateBuilder` now accept timezone aware ``datetime`` objects as method arguments +* ``cryptography`` now supports OpenSSL 1.1.0 as a compilation target. 1.4 - 2016-06-04 diff --git a/docs/installation.rst b/docs/installation.rst index 2e1b3ae4..3d10c367 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -34,6 +34,7 @@ OpenSSL releases: * ``OpenSSL 1.0.1j-freebsd`` * ``OpenSSL 1.0.1f`` * ``OpenSSL 1.0.2-latest`` +* ``OpenSSL 1.1.0`` .. warning:: OpenSSL 1.0.0 is no longer supported by the OpenSSL project. Cryptography diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index c3b0a1dc..69824010 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -36,12 +36,22 @@ INCLUDES = """ (OPENSSL_VERSION_NUMBER < 0x10100000) #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 \ (OPENSSL_VERSION_NUMBER < 0x10100005) + +#if defined(LIBRESSL_VERSION_NUMBER) +#define CRYPTOGRAPHY_IS_LIBRESSL 1 +#else +#define CRYPTOGRAPHY_IS_LIBRESSL 0 +#endif """ TYPES = """ static const int CRYPTOGRAPHY_OPENSSL_101_OR_GREATER; +static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER; + static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_101; + +static const int CRYPTOGRAPHY_IS_LIBRESSL; """ FUNCTIONS = """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 3449e217..a1de1a89 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -1475,7 +1475,9 @@ class Backend(object): check_y = self._lib.BN_CTX_get(bn_ctx) res = set_func(group, point, bn_x, bn_y, bn_ctx) - self.openssl_assert(res == 1) + if res != 1: + self._consume_errors() + raise ValueError("EC point not on curve") res = get_func(group, point, check_x, check_y, bn_ctx) self.openssl_assert(res == 1) diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 38f11347..4ec8d84e 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -728,10 +728,18 @@ class TestGOSTCertificate(object): x509.load_der_x509_certificate, backend ) - with pytest.raises(ValueError) as exc: - cert.subject - - # We assert on the message in this case because if the certificate - # fails to load it will also raise a ValueError and this test could - # erroneously pass. - assert str(exc.value) == "Unsupported ASN1 string type. Type: 18" + if ( + not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER or + backend._lib.CRYPTOGRAPHY_IS_LIBRESSL + ): + with pytest.raises(ValueError) as exc: + cert.subject + + # We assert on the message in this case because if the certificate + # fails to load it will also raise a ValueError and this test could + # erroneously pass. + assert str(exc.value) == "Unsupported ASN1 string type. Type: 18" + else: + assert cert.subject.get_attributes_for_oid( + x509.ObjectIdentifier("1.2.643.3.131.1.1") + )[0].value == "007710474375" diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index f41bcf35..1c395c25 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -21,6 +21,12 @@ class TestOpenSSL(object): def test_crypto_lock_init(self): b = Binding() + if ( + b.lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and + not b.lib.CRYPTOGRAPHY_IS_LIBRESSL + ): + pytest.skip("Requires an older OpenSSL. Must be < 1.1.0") + b.init_static_locks() lock_cb = b.lib.CRYPTO_get_locking_callback() assert lock_cb != b.ffi.NULL |