From aece5b3d47282beed31f7119e273b65816a0cf93 Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Sat, 4 Apr 2020 17:08:08 -0400 Subject: Drop support for OpenSSL 1.0.1 (#5178) --- src/_cffi_src/openssl/cryptography.py | 5 -- src/_cffi_src/openssl/ec.py | 8 --- src/_cffi_src/openssl/ecdh.py | 7 -- src/_cffi_src/openssl/ssl.py | 63 ++--------------- src/_cffi_src/openssl/x509.py | 35 +--------- src/_cffi_src/openssl/x509_vfy.py | 72 ++------------------ .../hazmat/backends/openssl/backend.py | 6 +- .../hazmat/backends/openssl/ciphers.py | 17 ----- src/cryptography/hazmat/backends/openssl/dh.py | 4 +- .../hazmat/bindings/openssl/_conditional.py | 78 +--------------------- .../hazmat/bindings/openssl/binding.py | 24 ------- .../hazmat/primitives/constant_time.py | 29 ++------ src/cryptography/utils.py | 1 - 13 files changed, 23 insertions(+), 326 deletions(-) (limited to 'src') diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index ddcbf2bd..0da882c6 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -43,8 +43,6 @@ INCLUDES = """ #define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER (0) #endif -#define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL) #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \ (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL) #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \ @@ -52,8 +50,6 @@ INCLUDES = """ #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \ (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) -#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \ - (OPENSSL_VERSION_NUMBER < 0x10002000 || CRYPTOGRAPHY_IS_LIBRESSL) #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I \ (OPENSSL_VERSION_NUMBER < 0x1000209f || CRYPTOGRAPHY_IS_LIBRESSL) #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 \ @@ -72,7 +68,6 @@ static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER; static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER; static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I; -static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102; static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111; static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B; diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py index 52f60014..6432fc22 100644 --- a/src/_cffi_src/openssl/ec.py +++ b/src/_cffi_src/openssl/ec.py @@ -11,7 +11,6 @@ INCLUDES = """ TYPES = """ static const int Cryptography_HAS_EC2M; -static const int Cryptography_HAS_EC_1_0_2; static const int OPENSSL_EC_NAMED_CURVE; @@ -124,11 +123,4 @@ int (*EC_POINT_set_compressed_coordinates_GF2m)(const EC_GROUP *, EC_POINT *, #else static const long Cryptography_HAS_EC2M = 1; #endif - -#if (!CRYPTOGRAPHY_IS_LIBRESSL && CRYPTOGRAPHY_OPENSSL_LESS_THAN_102) -static const long Cryptography_HAS_EC_1_0_2 = 0; -const char *(*EC_curve_nid2nist)(int) = NULL; -#else -static const long Cryptography_HAS_EC_1_0_2 = 1; -#endif """ diff --git a/src/_cffi_src/openssl/ecdh.py b/src/_cffi_src/openssl/ecdh.py index 5db12571..c73cc9f3 100644 --- a/src/_cffi_src/openssl/ecdh.py +++ b/src/_cffi_src/openssl/ecdh.py @@ -9,7 +9,6 @@ INCLUDES = """ """ TYPES = """ -static const int Cryptography_HAS_SET_ECDH_AUTO; """ FUNCTIONS = """ @@ -19,10 +18,4 @@ long SSL_CTX_set_ecdh_auto(SSL_CTX *, int); """ CUSTOMIZATIONS = """ -#ifndef SSL_CTX_set_ecdh_auto -static const long Cryptography_HAS_SET_ECDH_AUTO = 0; -long (*SSL_CTX_set_ecdh_auto)(SSL_CTX *, int) = NULL; -#else -static const long Cryptography_HAS_SET_ECDH_AUTO = 1; -#endif """ diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index 1b7d02f3..faad5605 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -23,7 +23,6 @@ static const long Cryptography_HAS_COMPRESSION; static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB; static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP; static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE; -static const long Cryptography_HAS_GET_SERVER_TMP_KEY; static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE; static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS; static const long Cryptography_HAS_DTLS; @@ -556,10 +555,7 @@ int SSL_CTX_set_max_early_data(SSL_CTX *, uint32_t); """ CUSTOMIZATIONS = """ -/* Added in 1.0.2 but we need it in all versions now due to the great - opaquing. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 -/* from ssl/ssl_lib.c */ +#if CRYPTOGRAPHY_IS_LIBRESSL const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) { return ctx->method; } @@ -653,38 +649,9 @@ static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1; static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1; static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1; static const long Cryptography_HAS_NEXTPROTONEG = 1; - -/* SSL_get0_param was added in OpenSSL 1.0.2. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_IS_LIBRESSL -X509_VERIFY_PARAM *(*SSL_get0_param)(SSL *) = NULL; -X509_VERIFY_PARAM *(*SSL_CTX_get0_param)(SSL_CTX *) = NULL; -#else -#endif - -/* ALPN was added in OpenSSL 1.0.2. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_IS_LIBRESSL -int (*SSL_CTX_set_alpn_protos)(SSL_CTX *, - const unsigned char *, - unsigned) = NULL; -int (*SSL_set_alpn_protos)(SSL *, const unsigned char *, unsigned) = NULL; -void (*SSL_CTX_set_alpn_select_cb)(SSL_CTX *, - int (*) (SSL *, - const unsigned char **, - unsigned char *, - const unsigned char *, - unsigned int, - void *), - void *) = NULL; -void (*SSL_get0_alpn_selected)(const SSL *, - const unsigned char **, - unsigned *) = NULL; -static const long Cryptography_HAS_ALPN = 0; -#else static const long Cryptography_HAS_ALPN = 1; -#endif -/* SSL_CTX_set_cert_cb was added in OpenSSL 1.0.2. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 +#if CRYPTOGRAPHY_IS_LIBRESSL void (*SSL_CTX_set_cert_cb)(SSL_CTX *, int (*)(SSL *, void *), void *) = NULL; void (*SSL_set_cert_cb)(SSL *, int (*)(SSL *, void *), void *) = NULL; static const long Cryptography_HAS_SET_CERT_CB = 0; @@ -692,7 +659,6 @@ static const long Cryptography_HAS_SET_CERT_CB = 0; static const long Cryptography_HAS_SET_CERT_CB = 1; #endif - /* In OpenSSL 1.0.2i+ the handling of COMP_METHOD when OPENSSL_NO_COMP was changed and we no longer need to typedef void */ #if (defined(OPENSSL_NO_COMP) && CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I) || \ @@ -703,13 +669,6 @@ typedef void COMP_METHOD; static const long Cryptography_HAS_COMPRESSION = 1; #endif -#if defined(SSL_CTRL_GET_SERVER_TMP_KEY) -static const long Cryptography_HAS_GET_SERVER_TMP_KEY = 1; -#else -static const long Cryptography_HAS_GET_SERVER_TMP_KEY = 0; -long (*SSL_get_server_tmp_key)(SSL *, EVP_PKEY **) = NULL; -#endif - static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE = 1; static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS = 1; @@ -734,7 +693,7 @@ static const long TLS_ST_OK = 0; #endif /* LibreSSL 2.9.1 added only the DTLS_*_method functions */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER +#if CRYPTOGRAPHY_IS_LIBRESSL && !CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0; const SSL_METHOD *(*DTLS_method)(void) = NULL; const SSL_METHOD *(*DTLS_server_method)(void) = NULL; @@ -742,7 +701,7 @@ const SSL_METHOD *(*DTLS_client_method)(void) = NULL; #else static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1; #endif -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 +#if CRYPTOGRAPHY_IS_LIBRESSL static const long SSL_OP_NO_DTLSv1 = 0; static const long SSL_OP_NO_DTLSv1_2 = 0; long (*DTLS_set_link_mtu)(SSL *, long) = NULL; @@ -769,7 +728,7 @@ long Cryptography_DTLSv1_get_timeout(SSL *ssl, time_t *ptv_sec, return r; } -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 +#if CRYPTOGRAPHY_IS_LIBRESSL static const long Cryptography_HAS_SIGALGS = 0; const int (*SSL_get_sigalgs)(SSL *, int, int *, int *, int *, unsigned char *, unsigned char *) = NULL; @@ -801,41 +760,31 @@ void (*SSL_CTX_set_psk_client_callback)(SSL_CTX *, static const long Cryptography_HAS_PSK = 1; #endif -/* - * Custom extensions were added in 1.0.2. 1.1.1 is adding a more general - * SSL_CTX_add_custom_ext function, but we're not binding that yet. - */ -#if CRYPTOGRAPHY_OPENSSL_102_OR_GREATER +#if !CRYPTOGRAPHY_IS_LIBRESSL static const long Cryptography_HAS_CUSTOM_EXT = 1; #else static const long Cryptography_HAS_CUSTOM_EXT = 0; - typedef int (*custom_ext_add_cb)(SSL *, unsigned int, const unsigned char **, size_t *, int *, void *); - typedef void (*custom_ext_free_cb)(SSL *, unsigned int, const unsigned char *, void *); - typedef int (*custom_ext_parse_cb)(SSL *, unsigned int, const unsigned char *, size_t, int *, void *); - int (*SSL_CTX_add_client_custom_ext)(SSL_CTX *, unsigned int, custom_ext_add_cb, custom_ext_free_cb, void *, custom_ext_parse_cb, void *) = NULL; - int (*SSL_CTX_add_server_custom_ext)(SSL_CTX *, unsigned int, custom_ext_add_cb, custom_ext_free_cb, void *, custom_ext_parse_cb, void *) = NULL; - int (*SSL_extension_supported)(unsigned int) = NULL; #endif diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index 991e1f09..0135a89a 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py @@ -185,6 +185,7 @@ int X509_CRL_get_ext_count(X509_CRL *); int X509_CRL_get0_by_serial(X509_CRL *, X509_REVOKED **, ASN1_INTEGER *); +X509_REVOKED *X509_REVOKED_dup(X509_REVOKED *); X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *); /* new in 1.0.2 */ @@ -268,30 +269,7 @@ void X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **, """ CUSTOMIZATIONS = """ -/* Added in 1.0.2 beta but we need it in all versions now due to the great - opaquing. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_IS_LIBRESSL -/* from x509/x_x509.c version 1.0.2 */ -void X509_get0_signature(const ASN1_BIT_STRING **psig, - const X509_ALGOR **palg, const X509 *x) -{ - if (psig) - *psig = x->signature; - if (palg) - *palg = x->sig_alg; -} - -int X509_get_signature_nid(const X509 *x) -{ - return OBJ_obj2nid(x->sig_alg->algorithm); -} - -#endif - -/* Added in 1.0.2 but we need it in all versions now due to the great - opaquing. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 -/* from x509/x_x509.c */ +#if CRYPTOGRAPHY_IS_LIBRESSL int i2d_re_X509_tbs(X509 *x, unsigned char **pp) { /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1 @@ -303,17 +281,10 @@ int i2d_re_X509_tbs(X509 *x, unsigned char **pp) } #endif -/* X509_REVOKED_dup only exists on 1.0.2+. It is implemented using - IMPLEMENT_ASN1_DUP_FUNCTION. The below is the equivalent so we have - it available on all OpenSSLs. */ +/* Being kept around for pyOpenSSL */ X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) { -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 - return ASN1_item_dup(ASN1_ITEM_rptr(X509_REVOKED), rev); -#else return X509_REVOKED_dup(rev); -#endif } - /* Added in 1.1.0 but we need it in all versions now due to the great opaquing. */ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py index 675ce823..d2bc5f4e 100644 --- a/src/_cffi_src/openssl/x509_vfy.py +++ b/src/_cffi_src/openssl/x509_vfy.py @@ -19,11 +19,8 @@ typedef STACK_OF(X509_OBJECT) Cryptography_STACK_OF_X509_OBJECT; """ TYPES = """ -static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES; -static const long Cryptography_HAS_102_VERIFICATION_PARAMS; +static const long Cryptography_HAS_102_VERIFICATION; static const long Cryptography_HAS_110_VERIFICATION_PARAMS; -static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST; -static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN; static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER; typedef ... Cryptography_STACK_OF_ASN1_OBJECT; @@ -222,64 +219,19 @@ void X509_STORE_set_get_issuer(X509_STORE *, X509_STORE_CTX_get_issuer_fn); """ CUSTOMIZATIONS = """ -/* OpenSSL 1.0.2+ verification parameters and error codes */ -#if CRYPTOGRAPHY_OPENSSL_102_OR_GREATER -static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 1; -static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1; +#if !CRYPTOGRAPHY_IS_LIBRESSL +static const long Cryptography_HAS_102_VERIFICATION = 1; #else -static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 0; -static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0; - +static const long Cryptography_HAS_102_VERIFICATION = 0; static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0; static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0; static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0; static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0; static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0; static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0; -/* These 3 defines are unavailable in LibreSSL 2.5.x, but may be added - in the future... */ -#ifndef X509_V_ERR_HOSTNAME_MISMATCH -static const long X509_V_ERR_HOSTNAME_MISMATCH = 0; -#endif -#ifndef X509_V_ERR_EMAIL_MISMATCH -static const long X509_V_ERR_EMAIL_MISMATCH = 0; -#endif -#ifndef X509_V_ERR_IP_ADDRESS_MISMATCH -static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0; -#endif -#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT -static const long X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = 0; -#endif -#ifndef X509_CHECK_FLAG_NO_WILDCARDS -static const long X509_CHECK_FLAG_NO_WILDCARDS = 0; -#endif -#ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS -static const long X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 0; -#endif -#ifndef X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS -static const long X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = 0; -#endif -#ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS -static const long X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = 0; -#endif - -/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately - below because it shows up in some earlier 3rd party OpenSSL packages. */ static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0; static const long X509_V_FLAG_SUITEB_192_LOS = 0; static const long X509_V_FLAG_SUITEB_128_LOS = 0; - -#if !CRYPTOGRAPHY_IS_LIBRESSL -int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const char *, - size_t) = NULL; -int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const char *, - size_t) = NULL; -int (*X509_VERIFY_PARAM_set1_ip)(X509_VERIFY_PARAM *, const unsigned char *, - size_t) = NULL; -int (*X509_VERIFY_PARAM_set1_ip_asc)(X509_VERIFY_PARAM *, const char *) = NULL; -void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *, - unsigned int) = NULL; -#endif #endif #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL @@ -291,22 +243,6 @@ static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = 0; static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 1; #endif -/* OpenSSL 1.0.2+ or Solaris's backport */ -#ifdef X509_V_FLAG_PARTIAL_CHAIN -static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 1; -#else -static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 0; -static const long X509_V_FLAG_PARTIAL_CHAIN = 0; -#endif - -/* OpenSSL 1.0.2+, *or* Fedora 20's flavor of OpenSSL 1.0.1e... */ -#ifdef X509_V_FLAG_TRUSTED_FIRST -static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST = 1; -#else -static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST = 0; -static const long X509_V_FLAG_TRUSTED_FIRST = 0; -#endif - #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *ctx) { return ctx->objs; diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 96fa9ff6..6fd191f0 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -194,7 +194,7 @@ class Backend(object): Friendly string name of the loaded OpenSSL library. This is not necessarily the same version as it was compiled against. - Example: OpenSSL 1.0.1e 11 Feb 2013 + Example: OpenSSL 1.1.1d 10 Sep 2019 """ return self._ffi.string( self._lib.OpenSSL_version(self._lib.OPENSSL_VERSION) @@ -988,9 +988,7 @@ class Backend(object): for revoked_cert in builder._revoked_certificates: # Duplicating because the X509_CRL takes ownership and will free # this memory when X509_CRL_free is called. - revoked = self._lib.Cryptography_X509_REVOKED_dup( - revoked_cert._x509_revoked - ) + revoked = self._lib.X509_REVOKED_dup(revoked_cert._x509_revoked) self.openssl_assert(revoked != self._ffi.NULL) res = self._lib.X509_CRL_add0_revoked(x509_crl, revoked) self.openssl_assert(res == 1) diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py index 94b48f52..4568f71f 100644 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py @@ -94,15 +94,6 @@ class _CipherContext(object): ) self._backend.openssl_assert(res != 0) self._tag = mode.tag - elif ( - self._operation == self._DECRYPT and - self._backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and - not self._backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - ): - raise NotImplementedError( - "delayed passing of GCM tag requires OpenSSL >= 1.0.2." - " To use this feature please update OpenSSL" - ) # pass key/iv res = self._backend._lib.EVP_CipherInit_ex( @@ -197,14 +188,6 @@ class _CipherContext(object): return self._backend._ffi.buffer(buf)[:outlen[0]] def finalize_with_tag(self, tag): - if ( - self._backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and - not self._backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - ): - raise NotImplementedError( - "finalize_with_tag requires OpenSSL >= 1.0.2. To use this " - "method please update OpenSSL" - ) if len(tag) < self._mode._min_tag_length: raise ValueError( "Authentication tag must be {} bytes or longer.".format( diff --git a/src/cryptography/hazmat/backends/openssl/dh.py b/src/cryptography/hazmat/backends/openssl/dh.py index 095f0623..961f1769 100644 --- a/src/cryptography/hazmat/backends/openssl/dh.py +++ b/src/cryptography/hazmat/backends/openssl/dh.py @@ -17,8 +17,8 @@ def _dh_params_dup(dh_cdata, backend): param_cdata = lib.DHparams_dup(dh_cdata) backend.openssl_assert(param_cdata != ffi.NULL) param_cdata = ffi.gc(param_cdata, lib.DH_free) - if lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102: - # In OpenSSL versions < 1.0.2 or libressl DHparams_dup don't copy q + if lib.CRYPTOGRAPHY_IS_LIBRESSL: + # In libressl DHparams_dup don't copy q q = ffi.new("BIGNUM **") lib.DH_get0_pqg(dh_cdata, ffi.NULL, q, ffi.NULL) q_dup = lib.BN_dup(q[0]) diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index a293fb09..ea4ae4c6 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -13,18 +13,6 @@ def cryptography_has_ec2m(): ] -def cryptography_has_ec_1_0_2(): - return [ - "EC_curve_nid2nist", - ] - - -def cryptography_has_set_ecdh_auto(): - return [ - "SSL_CTX_set_ecdh_auto", - ] - - def cryptography_has_rsa_r_pkcs_decoding_error(): return [ "RSA_R_PKCS_DECODING_ERROR" @@ -51,15 +39,6 @@ def cryptography_has_ssl3_method(): ] -def cryptography_has_alpn(): - return [ - "SSL_CTX_set_alpn_protos", - "SSL_set_alpn_protos", - "SSL_CTX_set_alpn_select_cb", - "SSL_get0_alpn_selected", - ] - - def cryptography_has_compression(): return [ "SSL_get_current_compression", @@ -68,13 +47,7 @@ def cryptography_has_compression(): ] -def cryptography_has_get_server_tmp_key(): - return [ - "SSL_get_server_tmp_key", - ] - - -def cryptography_has_102_verification_error_codes(): +def cryptography_has_102_verification(): return [ 'X509_V_ERR_SUITE_B_INVALID_VERSION', 'X509_V_ERR_SUITE_B_INVALID_ALGORITHM', @@ -82,29 +55,9 @@ def cryptography_has_102_verification_error_codes(): 'X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM', 'X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED', 'X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256', - 'X509_V_ERR_HOSTNAME_MISMATCH', - 'X509_V_ERR_EMAIL_MISMATCH', - 'X509_V_ERR_IP_ADDRESS_MISMATCH' - ] - - -def cryptography_has_102_verification_params(): - return [ "X509_V_FLAG_SUITEB_128_LOS_ONLY", "X509_V_FLAG_SUITEB_192_LOS", "X509_V_FLAG_SUITEB_128_LOS", - "X509_VERIFY_PARAM_set1_host", - "X509_VERIFY_PARAM_set1_email", - "X509_VERIFY_PARAM_set1_ip", - "X509_VERIFY_PARAM_set1_ip_asc", - "X509_VERIFY_PARAM_set_hostflags", - "SSL_get0_param", - "SSL_CTX_get0_param", - "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT", - "X509_CHECK_FLAG_NO_WILDCARDS", - "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS", - "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS", - "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS" ] @@ -114,18 +67,6 @@ def cryptography_has_110_verification_params(): ] -def cryptography_has_x509_v_flag_trusted_first(): - return [ - "X509_V_FLAG_TRUSTED_FIRST", - ] - - -def cryptography_has_x509_v_flag_partial_chain(): - return [ - "X509_V_FLAG_PARTIAL_CHAIN", - ] - - def cryptography_has_set_cert_cb(): return [ "SSL_CTX_set_cert_cb", @@ -372,32 +313,17 @@ def cryptography_has_verified_chain(): # lists so we can use coverage to measure which are used. CONDITIONAL_NAMES = { "Cryptography_HAS_EC2M": cryptography_has_ec2m, - "Cryptography_HAS_EC_1_0_2": cryptography_has_ec_1_0_2, - "Cryptography_HAS_SET_ECDH_AUTO": cryptography_has_set_ecdh_auto, "Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR": ( cryptography_has_rsa_r_pkcs_decoding_error ), "Cryptography_HAS_RSA_OAEP_MD": cryptography_has_rsa_oaep_md, "Cryptography_HAS_RSA_OAEP_LABEL": cryptography_has_rsa_oaep_label, "Cryptography_HAS_SSL3_METHOD": cryptography_has_ssl3_method, - "Cryptography_HAS_ALPN": cryptography_has_alpn, "Cryptography_HAS_COMPRESSION": cryptography_has_compression, - "Cryptography_HAS_GET_SERVER_TMP_KEY": cryptography_has_get_server_tmp_key, - "Cryptography_HAS_102_VERIFICATION_ERROR_CODES": ( - cryptography_has_102_verification_error_codes - ), - "Cryptography_HAS_102_VERIFICATION_PARAMS": ( - cryptography_has_102_verification_params - ), + "Cryptography_HAS_102_VERIFICATION": cryptography_has_102_verification, "Cryptography_HAS_110_VERIFICATION_PARAMS": ( cryptography_has_110_verification_params ), - "Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST": ( - cryptography_has_x509_v_flag_trusted_first - ), - "Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN": ( - cryptography_has_x509_v_flag_partial_chain - ), "Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb, "Cryptography_HAS_SSL_ST": cryptography_has_ssl_st, "Cryptography_HAS_TLS_ST": cryptography_has_tls_st, diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 1e0f34c9..4e23cd53 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -5,10 +5,8 @@ from __future__ import absolute_import, division, print_function import collections -import os import threading import types -import warnings import cryptography from cryptography import utils @@ -152,26 +150,6 @@ class Binding(object): _openssl_assert(cls.lib, res == 1) -def _verify_openssl_version(lib): - if ( - lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and - not lib.CRYPTOGRAPHY_IS_LIBRESSL - ): - if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_101"): - warnings.warn( - "OpenSSL version 1.0.1 is no longer supported by the OpenSSL " - "project, please upgrade. The next version of cryptography " - "will completely remove support for it.", - utils.CryptographyDeprecationWarning - ) - else: - raise RuntimeError( - "You are linking against OpenSSL 1.0.1, which is no longer " - "supported by the OpenSSL project. You need to upgrade to a " - "newer version of OpenSSL." - ) - - def _verify_package_version(version): # Occasionally we run into situations where the version of the Python # package does not match the version of the shared object that is loaded. @@ -201,5 +179,3 @@ _verify_package_version(cryptography.__version__) # condition registering the OpenSSL locks. On Python 3.4+ the import lock # is per module so this approach will not work. Binding.init_static_locks() - -_verify_openssl_version(Binding.lib) diff --git a/src/cryptography/hazmat/primitives/constant_time.py b/src/cryptography/hazmat/primitives/constant_time.py index 35ceafe0..7f41b9ef 100644 --- a/src/cryptography/hazmat/primitives/constant_time.py +++ b/src/cryptography/hazmat/primitives/constant_time.py @@ -5,31 +5,10 @@ from __future__ import absolute_import, division, print_function import hmac -import warnings -from cryptography import utils -from cryptography.hazmat.bindings._constant_time import lib +def bytes_eq(a, b): + if not isinstance(a, bytes) or not isinstance(b, bytes): + raise TypeError("a and b must be bytes.") -if hasattr(hmac, "compare_digest"): - def bytes_eq(a, b): - if not isinstance(a, bytes) or not isinstance(b, bytes): - raise TypeError("a and b must be bytes.") - - return hmac.compare_digest(a, b) - -else: - warnings.warn( - "Support for your Python version is deprecated. The next version of " - "cryptography will remove support. Please upgrade to a release " - "(2.7.7+) that supports hmac.compare_digest as soon as possible.", - utils.PersistentlyDeprecated2018, - ) - - def bytes_eq(a, b): - if not isinstance(a, bytes) or not isinstance(b, bytes): - raise TypeError("a and b must be bytes.") - - return lib.Cryptography_constant_time_bytes_eq( - a, len(a), b, len(b) - ) == 1 + return hmac.compare_digest(a, b) diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index e895aa05..698b492d 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -21,7 +21,6 @@ class CryptographyDeprecationWarning(UserWarning): # ubiquity of their use. They should not be removed until we agree on when that # cycle ends. PersistentlyDeprecated2017 = CryptographyDeprecationWarning -PersistentlyDeprecated2018 = CryptographyDeprecationWarning PersistentlyDeprecated2019 = CryptographyDeprecationWarning DeprecatedIn27 = CryptographyDeprecationWarning -- cgit v1.2.3