Diffstat (limited to 'src')
| -rw-r--r-- | src/_cffi_src/openssl/cryptography.py | 5 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/ec.py | 8 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/ecdh.py | 7 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/ssl.py | 63 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/x509.py | 35 | ||||
| -rw-r--r-- | src/_cffi_src/openssl/x509_vfy.py | 72 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/backend.py | 6 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/ciphers.py | 17 | ||||
| -rw-r--r-- | src/cryptography/hazmat/backends/openssl/dh.py | 4 | ||||
| -rw-r--r-- | src/cryptography/hazmat/bindings/openssl/_conditional.py | 78 | ||||
| -rw-r--r-- | src/cryptography/hazmat/bindings/openssl/binding.py | 24 | ||||
| -rw-r--r-- | src/cryptography/hazmat/primitives/constant_time.py | 29 | ||||
| -rw-r--r-- | src/cryptography/utils.py | 1 | 
13 files changed, 23 insertions, 326 deletions
| diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index ddcbf2bd..0da882c6 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -43,8 +43,6 @@ INCLUDES = """  #define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER (0)  #endif -#define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \ -    (OPENSSL_VERSION_NUMBER >= 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL)  #define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \      (OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)  #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \ @@ -52,8 +50,6 @@ INCLUDES = """  #define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \      (OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL) -#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \ -    (OPENSSL_VERSION_NUMBER < 0x10002000 || CRYPTOGRAPHY_IS_LIBRESSL)  #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I \      (OPENSSL_VERSION_NUMBER < 0x1000209f || CRYPTOGRAPHY_IS_LIBRESSL)  #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 \ @@ -72,7 +68,6 @@ static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;  static const int CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER;  static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I; -static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102;  static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111;  static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B; diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py index 52f60014..6432fc22 100644 --- a/src/_cffi_src/openssl/ec.py +++ b/src/_cffi_src/openssl/ec.py @@ -11,7 +11,6 @@ INCLUDES = """  TYPES = """  static const int Cryptography_HAS_EC2M; -static const int Cryptography_HAS_EC_1_0_2;  static const int OPENSSL_EC_NAMED_CURVE; 
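Review bot: With `CRYPTOGRAPHY_OPENSSL_102_OR_GREATER` and `CRYPTOGRAPHY_OPENSSL_LESS_THAN_102` removed from the INCLUDES block, nothing in this header states the new minimum OpenSSL version, so a build against OpenSSL 1.0.1 will presumably fail later with an implicit-declaration or missing-symbol error rather than a clear message (the runtime `_verify_openssl_version` check is removed from binding.py in the same commit). A preprocessor guard beside the remaining version macros would fail early and explicitly: `#if OPENSSL_VERSION_NUMBER < 0x10002000 && !CRYPTOGRAPHY_IS_LIBRESSL`, `#error "OpenSSL 1.0.1 and earlier are no longer supported"`, `#endif`. The INCLUDES string and the `static const int` declarations both continue outside these hunks.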
@@ -124,11 +123,4 @@ int (*EC_POINT_set_compressed_coordinates_GF2m)(const EC_GROUP *, EC_POINT *,  #else  static const long Cryptography_HAS_EC2M = 1;  #endif - -#if (!CRYPTOGRAPHY_IS_LIBRESSL && CRYPTOGRAPHY_OPENSSL_LESS_THAN_102) -static const long Cryptography_HAS_EC_1_0_2 = 0; -const char *(*EC_curve_nid2nist)(int) = NULL; -#else -static const long Cryptography_HAS_EC_1_0_2 = 1; -#endif  """ diff --git a/src/_cffi_src/openssl/ecdh.py b/src/_cffi_src/openssl/ecdh.py index 5db12571..c73cc9f3 100644 --- a/src/_cffi_src/openssl/ecdh.py +++ b/src/_cffi_src/openssl/ecdh.py @@ -9,7 +9,6 @@ INCLUDES = """  """  TYPES = """ -static const int Cryptography_HAS_SET_ECDH_AUTO;  """  FUNCTIONS = """ @@ -19,10 +18,4 @@ long SSL_CTX_set_ecdh_auto(SSL_CTX *, int);  """  CUSTOMIZATIONS = """ -#ifndef SSL_CTX_set_ecdh_auto -static const long Cryptography_HAS_SET_ECDH_AUTO = 0; -long (*SSL_CTX_set_ecdh_auto)(SSL_CTX *, int) = NULL; -#else -static const long Cryptography_HAS_SET_ECDH_AUTO = 1; -#endif  """ diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index 1b7d02f3..faad5605 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -23,7 +23,6 @@ static const long Cryptography_HAS_COMPRESSION;  static const long Cryptography_HAS_TLSEXT_STATUS_REQ_CB;  static const long Cryptography_HAS_STATUS_REQ_OCSP_RESP;  static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE; -static const long Cryptography_HAS_GET_SERVER_TMP_KEY;  static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE;  static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS;  static const long Cryptography_HAS_DTLS; 
@@ -556,10 +555,7 @@ int SSL_CTX_set_max_early_data(SSL_CTX *, uint32_t);  """  CUSTOMIZATIONS = """ -/* Added in 1.0.2 but we need it in all versions now due to the great -   opaquing. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 -/* from ssl/ssl_lib.c */ +#if CRYPTOGRAPHY_IS_LIBRESSL  const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) {      return ctx->method;  } 
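Review bot: The `#if CRYPTOGRAPHY_IS_LIBRESSL` branch keeps a definition of `SSL_CTX_get_ssl_method` that reads `ctx->method` directly, which only compiles while LibreSSL's `SSL_CTX` stays non-opaque, and the removed `/* from ssl/ssl_lib.c */` line was the only note on where the shim came from. Suggest restoring that provenance in one comment above the function: `/* Shim for LibreSSL, which this guard assumes lacks SSL_CTX_get_ssl_method; copied from OpenSSL's ssl/ssl_lib.c and relies on SSL_CTX being non-opaque. */`. The `#endif` closing this branch lies outside the hunk.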
@@ -653,38 +649,9 @@ static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING = 1;  static const long Cryptography_HAS_SSL_OP_NO_TICKET = 1;  static const long Cryptography_HAS_SSL_SET_SSL_CTX = 1;  static const long Cryptography_HAS_NEXTPROTONEG = 1; - -/* SSL_get0_param was added in OpenSSL 1.0.2. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_IS_LIBRESSL -X509_VERIFY_PARAM *(*SSL_get0_param)(SSL *) = NULL; -X509_VERIFY_PARAM *(*SSL_CTX_get0_param)(SSL_CTX *) = NULL; -#else -#endif - -/* ALPN was added in OpenSSL 1.0.2. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_IS_LIBRESSL -int (*SSL_CTX_set_alpn_protos)(SSL_CTX *, -                               const unsigned char *, -                               unsigned) = NULL; -int (*SSL_set_alpn_protos)(SSL *, const unsigned char *, unsigned) = NULL; -void (*SSL_CTX_set_alpn_select_cb)(SSL_CTX *, -                                   int (*) (SSL *, -                                            const unsigned char **, -                                            unsigned char *, -                                            const unsigned char *, -                                            unsigned int, -                                            void *), -                                   void *) = NULL; -void (*SSL_get0_alpn_selected)(const SSL *, -                               const unsigned char **, -                               unsigned *) = NULL; -static const long Cryptography_HAS_ALPN = 0; -#else  static const long Cryptography_HAS_ALPN = 1; -#endif -/* SSL_CTX_set_cert_cb was added in OpenSSL 1.0.2. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 +#if CRYPTOGRAPHY_IS_LIBRESSL  void (*SSL_CTX_set_cert_cb)(SSL_CTX *, int (*)(SSL *, void *), void *) = NULL;  void (*SSL_set_cert_cb)(SSL *, int (*)(SSL *, void *), void *) = NULL;  static const long Cryptography_HAS_SET_CERT_CB = 0; 
@@ -692,7 +659,6 @@ static const long Cryptography_HAS_SET_CERT_CB = 0;  static const long Cryptography_HAS_SET_CERT_CB = 1;  #endif -  /* In OpenSSL 1.0.2i+ the handling of COMP_METHOD when OPENSSL_NO_COMP was     changed and we no longer need to typedef void */  #if (defined(OPENSSL_NO_COMP) && CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I) || \ @@ -703,13 +669,6 @@ typedef void COMP_METHOD;  static const long Cryptography_HAS_COMPRESSION = 1;  #endif -#if defined(SSL_CTRL_GET_SERVER_TMP_KEY) -static const long Cryptography_HAS_GET_SERVER_TMP_KEY = 1; -#else -static const long Cryptography_HAS_GET_SERVER_TMP_KEY = 0; -long (*SSL_get_server_tmp_key)(SSL *, EVP_PKEY **) = NULL; -#endif -  static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE = 1;  static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS = 1; @@ -734,7 +693,7 @@ static const long TLS_ST_OK = 0;  #endif  /* LibreSSL 2.9.1 added only the DTLS_*_method functions */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER +#if CRYPTOGRAPHY_IS_LIBRESSL && !CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER  static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0;  const SSL_METHOD *(*DTLS_method)(void) = NULL;  const SSL_METHOD *(*DTLS_server_method)(void) = NULL; @@ -742,7 +701,7 @@ const SSL_METHOD *(*DTLS_client_method)(void) = NULL;  #else  static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1;  #endif -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 +#if CRYPTOGRAPHY_IS_LIBRESSL  static const long SSL_OP_NO_DTLSv1 = 0;  static const long SSL_OP_NO_DTLSv1_2 = 0;  long (*DTLS_set_link_mtu)(SSL *, long) = NULL; @@ -769,7 +728,7 @@ long Cryptography_DTLSv1_get_timeout(SSL *ssl, time_t *ptv_sec,      return r;  } -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 +#if CRYPTOGRAPHY_IS_LIBRESSL  static const long Cryptography_HAS_SIGALGS = 0;  const int (*SSL_get_sigalgs)(SSL *, int, int *, int *, int *, unsigned char *,                               unsigned char *) = NULL; 
@@ -801,41 +760,31 @@ void (*SSL_CTX_set_psk_client_callback)(SSL_CTX *,  static const long Cryptography_HAS_PSK = 1;  #endif -/* - * Custom extensions were added in 1.0.2. 1.1.1 is adding a more general - * SSL_CTX_add_custom_ext function, but we're not binding that yet. - */ -#if CRYPTOGRAPHY_OPENSSL_102_OR_GREATER +#if !CRYPTOGRAPHY_IS_LIBRESSL  static const long Cryptography_HAS_CUSTOM_EXT = 1;  #else  static const long Cryptography_HAS_CUSTOM_EXT = 0; -  typedef int (*custom_ext_add_cb)(SSL *, unsigned int,                                   const unsigned char **,                                   size_t *, int *,                                   void *); -  typedef void (*custom_ext_free_cb)(SSL *, unsigned int,                                     const unsigned char *,                                     void *); -  typedef int (*custom_ext_parse_cb)(SSL *, unsigned int,                                     const unsigned char *,                                     size_t, int *,                                     void *); -  int (*SSL_CTX_add_client_custom_ext)(SSL_CTX *, unsigned int,                                       custom_ext_add_cb,                                       custom_ext_free_cb, void *,                                       custom_ext_parse_cb,                                       void *) = NULL; -  int (*SSL_CTX_add_server_custom_ext)(SSL_CTX *, unsigned int,                                       custom_ext_add_cb,                                       custom_ext_free_cb, void *,                                       custom_ext_parse_cb,                                       void *) = NULL; -  int (*SSL_extension_supported)(unsigned int) = NULL;  #endif diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py index 991e1f09..0135a89a 100644 --- a/src/_cffi_src/openssl/x509.py +++ b/src/_cffi_src/openssl/x509.py 
@@ -185,6 +185,7 @@ int X509_CRL_get_ext_count(X509_CRL *);  int X509_CRL_get0_by_serial(X509_CRL *, X509_REVOKED **, ASN1_INTEGER *); +X509_REVOKED *X509_REVOKED_dup(X509_REVOKED *);  X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *);  /* new in 1.0.2 */ @@ -268,30 +269,7 @@ void X509_REQ_get0_signature(const X509_REQ *, const ASN1_BIT_STRING **,  """  CUSTOMIZATIONS = """ -/* Added in 1.0.2 beta but we need it in all versions now due to the great -   opaquing. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !CRYPTOGRAPHY_IS_LIBRESSL -/* from x509/x_x509.c version 1.0.2 */ -void X509_get0_signature(const ASN1_BIT_STRING **psig, -                         const X509_ALGOR **palg, const X509 *x) -{ -    if (psig) -        *psig = x->signature; -    if (palg) -        *palg = x->sig_alg; -} - -int X509_get_signature_nid(const X509 *x) -{ -    return OBJ_obj2nid(x->sig_alg->algorithm); -} - -#endif - -/* Added in 1.0.2 but we need it in all versions now due to the great -   opaquing. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 -/* from x509/x_x509.c */ +#if CRYPTOGRAPHY_IS_LIBRESSL  int i2d_re_X509_tbs(X509 *x, unsigned char **pp)  {      /* in 1.0.2+ this function also sets x->cert_info->enc.modified = 1 @@ -303,17 +281,10 @@ int i2d_re_X509_tbs(X509 *x, unsigned char **pp)  }  #endif -/* X509_REVOKED_dup only exists on 1.0.2+. It is implemented using -   IMPLEMENT_ASN1_DUP_FUNCTION. The below is the equivalent so we have -   it available on all OpenSSLs. */ +/* Being kept around for pyOpenSSL */  X509_REVOKED *Cryptography_X509_REVOKED_dup(X509_REVOKED *rev) { -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 -    return ASN1_item_dup(ASN1_ITEM_rptr(X509_REVOKED), rev); -#else      return X509_REVOKED_dup(rev); -#endif  } -  /* Added in 1.1.0 but we need it in all versions now due to the great     opaquing. */  #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py index 675ce823..d2bc5f4e 100644 
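Review bot: The new comment `/* Being kept around for pyOpenSSL */` above `Cryptography_X509_REVOKED_dup` says who needs the wrapper but not that it is now a plain pass-through, and since `X509_REVOKED_dup` is also declared directly in FUNCTIONS in this file's first hunk a reader may wonder which to call. Suggest `/* Thin wrapper over X509_REVOKED_dup. Kept only because pyOpenSSL references this symbol; new code should call X509_REVOKED_dup directly, as backend.py now does. */`. The `i2d_re_X509_tbs` shim that moves under `#if CRYPTOGRAPHY_IS_LIBRESSL` in the second hunk keeps its body outside the hunk, so its inner comment about 1.0.2+ behaviour could not be checked here.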
--- a/src/_cffi_src/openssl/x509_vfy.py +++ b/src/_cffi_src/openssl/x509_vfy.py @@ -19,11 +19,8 @@ typedef STACK_OF(X509_OBJECT) Cryptography_STACK_OF_X509_OBJECT;  """  TYPES = """ -static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES; -static const long Cryptography_HAS_102_VERIFICATION_PARAMS; +static const long Cryptography_HAS_102_VERIFICATION;  static const long Cryptography_HAS_110_VERIFICATION_PARAMS; -static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST; -static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN;  static const long Cryptography_HAS_X509_STORE_CTX_GET_ISSUER;  typedef ... Cryptography_STACK_OF_ASN1_OBJECT; 
@@ -222,64 +219,19 @@ void X509_STORE_set_get_issuer(X509_STORE *, X509_STORE_CTX_get_issuer_fn);  """  CUSTOMIZATIONS = """ -/* OpenSSL 1.0.2+ verification parameters and error codes */ -#if CRYPTOGRAPHY_OPENSSL_102_OR_GREATER -static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 1; -static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1; +#if !CRYPTOGRAPHY_IS_LIBRESSL +static const long Cryptography_HAS_102_VERIFICATION = 1;  #else -static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 0; -static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0; - +static const long Cryptography_HAS_102_VERIFICATION = 0;  static const long X509_V_ERR_SUITE_B_INVALID_VERSION = 0;  static const long X509_V_ERR_SUITE_B_INVALID_ALGORITHM = 0;  static const long X509_V_ERR_SUITE_B_INVALID_CURVE = 0;  static const long X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM = 0;  static const long X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED = 0;  static const long X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 = 0; -/* These 3 defines are unavailable in LibreSSL 2.5.x, but may be added -   in the future... 
*/ -#ifndef X509_V_ERR_HOSTNAME_MISMATCH -static const long X509_V_ERR_HOSTNAME_MISMATCH = 0; -#endif -#ifndef X509_V_ERR_EMAIL_MISMATCH -static const long X509_V_ERR_EMAIL_MISMATCH = 0; -#endif -#ifndef X509_V_ERR_IP_ADDRESS_MISMATCH -static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0; -#endif -#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT -static const long X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT = 0; -#endif -#ifndef X509_CHECK_FLAG_NO_WILDCARDS -static const long X509_CHECK_FLAG_NO_WILDCARDS = 0; -#endif -#ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS -static const long X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS = 0; -#endif -#ifndef X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS -static const long X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS = 0; -#endif -#ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS -static const long X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS = 0; -#endif - -/* X509_V_FLAG_TRUSTED_FIRST is also new in 1.0.2+, but it is added separately -   below because it shows up in some earlier 3rd party OpenSSL packages. */  static const long X509_V_FLAG_SUITEB_128_LOS_ONLY = 0;  static const long X509_V_FLAG_SUITEB_192_LOS = 0;  static const long X509_V_FLAG_SUITEB_128_LOS = 0; - -#if !CRYPTOGRAPHY_IS_LIBRESSL -int (*X509_VERIFY_PARAM_set1_host)(X509_VERIFY_PARAM *, const char *, -                                   size_t) = NULL; -int (*X509_VERIFY_PARAM_set1_email)(X509_VERIFY_PARAM *, const char *, -                                    size_t) = NULL; -int (*X509_VERIFY_PARAM_set1_ip)(X509_VERIFY_PARAM *, const unsigned char *, -                                 size_t) = NULL; -int (*X509_VERIFY_PARAM_set1_ip_asc)(X509_VERIFY_PARAM *, const char *) = NULL; -void (*X509_VERIFY_PARAM_set_hostflags)(X509_VERIFY_PARAM *, -                                        unsigned int) = NULL; -#endif  #endif  #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || CRYPTOGRAPHY_IS_LIBRESSL 
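Review bot: The `#else` branch for LibreSSL now defines only the Suite B error codes and flags, while the `#ifndef X509_V_ERR_HOSTNAME_MISMATCH` / `X509_CHECK_FLAG_*` fallbacks and the NULL stubs for `X509_VERIFY_PARAM_set1_host` and its siblings are gone, so every supported LibreSSL is presumably assumed to provide the hostname, email and IP verification names unconditionally. That is the right direction for callers that depend on `X509_VERIFY_PARAM_set1_host` / `X509_VERIFY_PARAM_set_hostflags` for name checking, but the assumption is no longer written down anywhere in the hunk (the old LibreSSL 2.5.x comment went with it). Suggest a comment at the top of the `#else` branch: `/* Assumes every supported LibreSSL provides the hostname/email/IP verification params and error codes; only the Suite B names are stubbed here. */`. The TYPES hunk on the previous file line makes the matching consolidation into `Cryptography_HAS_102_VERIFICATION`.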
@@ -291,22 +243,6 @@ static const long X509_CHECK_FLAG_NEVER_CHECK_SUBJECT = 0;  static const long Cryptography_HAS_110_VERIFICATION_PARAMS = 1;  #endif -/* OpenSSL 1.0.2+ or Solaris's backport */ -#ifdef X509_V_FLAG_PARTIAL_CHAIN -static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 1; -#else -static const long Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN = 0; -static const long X509_V_FLAG_PARTIAL_CHAIN = 0; -#endif - -/* OpenSSL 1.0.2+, *or* Fedora 20's flavor of OpenSSL 1.0.1e... */ -#ifdef X509_V_FLAG_TRUSTED_FIRST -static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST = 1; -#else -static const long Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST = 0; -static const long X509_V_FLAG_TRUSTED_FIRST = 0; -#endif -  #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 && !CRYPTOGRAPHY_IS_LIBRESSL  Cryptography_STACK_OF_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *ctx) {      return ctx->objs; diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 96fa9ff6..6fd191f0 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -194,7 +194,7 @@ class Backend(object):          Friendly string name of the loaded OpenSSL library. This is not          necessarily the same version as it was compiled against. -        Example: OpenSSL 1.0.1e 11 Feb 2013 +        Example: OpenSSL 1.1.1d  10 Sep 2019          """          return self._ffi.string(              self._lib.OpenSSL_version(self._lib.OPENSSL_VERSION) 
@@ -988,9 +988,7 @@ class Backend(object):          for revoked_cert in builder._revoked_certificates:              # Duplicating because the X509_CRL takes ownership and will free              # this memory when X509_CRL_free is called. -            revoked = self._lib.Cryptography_X509_REVOKED_dup( -                revoked_cert._x509_revoked -            ) +            revoked = self._lib.X509_REVOKED_dup(revoked_cert._x509_revoked)              self.openssl_assert(revoked != self._ffi.NULL)              res = self._lib.X509_CRL_add0_revoked(x509_crl, revoked)              self.openssl_assert(res == 1) diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py index 94b48f52..4568f71f 100644 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py @@ -94,15 +94,6 @@ class _CipherContext(object):                  )                  self._backend.openssl_assert(res != 0)                  self._tag = mode.tag -            elif ( -                self._operation == self._DECRYPT and -                self._backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and -                not self._backend._lib.CRYPTOGRAPHY_IS_LIBRESSL -            ): -                raise NotImplementedError( -                    "delayed passing of GCM tag requires OpenSSL >= 1.0.2." -                    " To use this feature please update OpenSSL" -                )          # pass key/iv          res = self._backend._lib.EVP_CipherInit_ex( 
@@ -197,14 +188,6 @@ class _CipherContext(object):          return self._backend._ffi.buffer(buf)[:outlen[0]]      def finalize_with_tag(self, tag): -        if ( -            self._backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and -            not self._backend._lib.CRYPTOGRAPHY_IS_LIBRESSL -        ): -            raise NotImplementedError( -                "finalize_with_tag requires OpenSSL >= 1.0.2. To use this " -                "method please update OpenSSL" -            )          if len(tag) < self._mode._min_tag_length:              raise ValueError(                  "Authentication tag must be {} bytes or longer.".format( diff --git a/src/cryptography/hazmat/backends/openssl/dh.py b/src/cryptography/hazmat/backends/openssl/dh.py index 095f0623..961f1769 100644 --- a/src/cryptography/hazmat/backends/openssl/dh.py +++ b/src/cryptography/hazmat/backends/openssl/dh.py @@ -17,8 +17,8 @@ def _dh_params_dup(dh_cdata, backend):      param_cdata = lib.DHparams_dup(dh_cdata)      backend.openssl_assert(param_cdata != ffi.NULL)      param_cdata = ffi.gc(param_cdata, lib.DH_free) -    if lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102: -        # In OpenSSL versions < 1.0.2 or libressl DHparams_dup don't copy q +    if lib.CRYPTOGRAPHY_IS_LIBRESSL: +        # In libressl DHparams_dup don't copy q          q = ffi.new("BIGNUM **")          lib.DH_get0_pqg(dh_cdata, ffi.NULL, q, ffi.NULL)          q_dup = lib.BN_dup(q[0]) diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index a293fb09..ea4ae4c6 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py 
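Review bot: `finalize_with_tag` has no docstring, and once the OpenSSL-version guard is removed the remaining check `if len(tag) < self._mode._min_tag_length:` is the only statement of its contract. Suggest `"""Finalize using an authentication tag supplied after the ciphertext (the delayed-tag path); tag must be at least _min_tag_length bytes."""`. The method continues past the hunk, and the `__init__` hunk in this file drops the corresponding version check on the delayed-tag path.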
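Review bot: The rewritten comment `# In libressl DHparams_dup don't copy q` has a subject–verb mismatch and no longer says why the block below exists; `# In LibreSSL, DHparams_dup does not copy q, so copy it across explicitly` reads cleanly and states the intent. `_dh_params_dup` continues outside the hunk.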
@@ -13,18 +13,6 @@ def cryptography_has_ec2m():      ] -def cryptography_has_ec_1_0_2(): -    return [ -        "EC_curve_nid2nist", -    ] - - -def cryptography_has_set_ecdh_auto(): -    return [ -        "SSL_CTX_set_ecdh_auto", -    ] - -  def cryptography_has_rsa_r_pkcs_decoding_error():      return [          "RSA_R_PKCS_DECODING_ERROR" @@ -51,15 +39,6 @@ def cryptography_has_ssl3_method():      ] -def cryptography_has_alpn(): -    return [ -        "SSL_CTX_set_alpn_protos", -        "SSL_set_alpn_protos", -        "SSL_CTX_set_alpn_select_cb", -        "SSL_get0_alpn_selected", -    ] - -  def cryptography_has_compression():      return [          "SSL_get_current_compression", @@ -68,13 +47,7 @@ def cryptography_has_compression():      ] -def cryptography_has_get_server_tmp_key(): -    return [ -        "SSL_get_server_tmp_key", -    ] - - -def cryptography_has_102_verification_error_codes(): +def cryptography_has_102_verification():      return [          'X509_V_ERR_SUITE_B_INVALID_VERSION',          'X509_V_ERR_SUITE_B_INVALID_ALGORITHM', 
@@ -82,29 +55,9 @@ def cryptography_has_102_verification_error_codes():          'X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM',          'X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED',          'X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256', -        'X509_V_ERR_HOSTNAME_MISMATCH', -        'X509_V_ERR_EMAIL_MISMATCH', -        'X509_V_ERR_IP_ADDRESS_MISMATCH' -    ] - - -def cryptography_has_102_verification_params(): -    return [          "X509_V_FLAG_SUITEB_128_LOS_ONLY",          "X509_V_FLAG_SUITEB_192_LOS",          "X509_V_FLAG_SUITEB_128_LOS", -        "X509_VERIFY_PARAM_set1_host", -        "X509_VERIFY_PARAM_set1_email", -        "X509_VERIFY_PARAM_set1_ip", -        "X509_VERIFY_PARAM_set1_ip_asc", -        "X509_VERIFY_PARAM_set_hostflags", -        "SSL_get0_param", -        "SSL_CTX_get0_param", -        "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT", -        "X509_CHECK_FLAG_NO_WILDCARDS", -        "X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS", -        "X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS", -        "X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS"      ] @@ -114,18 +67,6 @@ def cryptography_has_110_verification_params():      ] -def cryptography_has_x509_v_flag_trusted_first(): -    return [ -        "X509_V_FLAG_TRUSTED_FIRST", -    ] - - -def cryptography_has_x509_v_flag_partial_chain(): -    return [ -        "X509_V_FLAG_PARTIAL_CHAIN", -    ] - -  def cryptography_has_set_cert_cb():      return [          "SSL_CTX_set_cert_cb", 
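Review bot: The merged `cryptography_has_102_verification` list mixes quote styles: the `X509_V_ERR_SUITE_B_*` entries inherited from the first function use single quotes, while the `X509_V_FLAG_SUITEB_*` entries and the other lists in this file (for example `cryptography_has_set_cert_cb`) use double quotes. Normalising the single-quoted entries to double quotes keeps the combined list consistent now that the two functions are one. The list's opening lines sit in the previous hunk on the line above.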
@@ -372,32 +313,17 @@ def cryptography_has_verified_chain():  # lists so we can use coverage to measure which are used.  CONDITIONAL_NAMES = {      "Cryptography_HAS_EC2M": cryptography_has_ec2m, -    "Cryptography_HAS_EC_1_0_2": cryptography_has_ec_1_0_2, -    "Cryptography_HAS_SET_ECDH_AUTO": cryptography_has_set_ecdh_auto,      "Cryptography_HAS_RSA_R_PKCS_DECODING_ERROR": (          cryptography_has_rsa_r_pkcs_decoding_error      ),      "Cryptography_HAS_RSA_OAEP_MD": cryptography_has_rsa_oaep_md,      "Cryptography_HAS_RSA_OAEP_LABEL": cryptography_has_rsa_oaep_label,      "Cryptography_HAS_SSL3_METHOD": cryptography_has_ssl3_method, -    "Cryptography_HAS_ALPN": cryptography_has_alpn,      "Cryptography_HAS_COMPRESSION": cryptography_has_compression, -    "Cryptography_HAS_GET_SERVER_TMP_KEY": cryptography_has_get_server_tmp_key, -    "Cryptography_HAS_102_VERIFICATION_ERROR_CODES": ( -        cryptography_has_102_verification_error_codes -    ), -    "Cryptography_HAS_102_VERIFICATION_PARAMS": ( -        cryptography_has_102_verification_params -    ), +    "Cryptography_HAS_102_VERIFICATION": cryptography_has_102_verification,      "Cryptography_HAS_110_VERIFICATION_PARAMS": (          cryptography_has_110_verification_params      ), -    "Cryptography_HAS_X509_V_FLAG_TRUSTED_FIRST": ( -        cryptography_has_x509_v_flag_trusted_first -    ), -    "Cryptography_HAS_X509_V_FLAG_PARTIAL_CHAIN": ( -        cryptography_has_x509_v_flag_partial_chain -    ),      "Cryptography_HAS_SET_CERT_CB": cryptography_has_set_cert_cb,      "Cryptography_HAS_SSL_ST": cryptography_has_ssl_st,      "Cryptography_HAS_TLS_ST": cryptography_has_tls_st, diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 1e0f34c9..4e23cd53 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py 
@@ -5,10 +5,8 @@  from __future__ import absolute_import, division, print_function  import collections -import os  import threading  import types -import warnings  import cryptography  from cryptography import utils @@ -152,26 +150,6 @@ class Binding(object):              _openssl_assert(cls.lib, res == 1) -def _verify_openssl_version(lib): -    if ( -        lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 and -        not lib.CRYPTOGRAPHY_IS_LIBRESSL -    ): -        if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_101"): -            warnings.warn( -                "OpenSSL version 1.0.1 is no longer supported by the OpenSSL " -                "project, please upgrade. The next version of cryptography " -                "will completely remove support for it.", -                utils.CryptographyDeprecationWarning -            ) -        else: -            raise RuntimeError( -                "You are linking against OpenSSL 1.0.1, which is no longer " -                "supported by the OpenSSL project. You need to upgrade to a " -                "newer version of OpenSSL." -            ) - -  def _verify_package_version(version):      # Occasionally we run into situations where the version of the Python      # package does not match the version of the shared object that is loaded. @@ -201,5 +179,3 @@ _verify_package_version(cryptography.__version__)  # condition registering the OpenSSL locks. On Python 3.4+ the import lock  # is per module so this approach will not work.  Binding.init_static_locks() - -_verify_openssl_version(Binding.lib) diff --git a/src/cryptography/hazmat/primitives/constant_time.py b/src/cryptography/hazmat/primitives/constant_time.py index 35ceafe0..7f41b9ef 100644 --- a/src/cryptography/hazmat/primitives/constant_time.py +++ b/src/cryptography/hazmat/primitives/constant_time.py 
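Review bot: Removing `_verify_openssl_version` takes away the only visible reader of `os` and `warnings` (both imports are dropped), but the context line `from cryptography import utils` stays; if `utils.CryptographyDeprecationWarning` was its only use in this module, the import is now unused and a linter will flag it. Worth checking the rest of binding.py, which is outside the hunk, before merging. The last hunk leaves `Binding.init_static_locks()` as the module's final statement, which the comment above it still describes correctly.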
@@ -5,31 +5,10 @@  from __future__ import absolute_import, division, print_function  import hmac -import warnings -from cryptography import utils -from cryptography.hazmat.bindings._constant_time import lib +def bytes_eq(a, b): +    if not isinstance(a, bytes) or not isinstance(b, bytes): +        raise TypeError("a and b must be bytes.") -if hasattr(hmac, "compare_digest"): -    def bytes_eq(a, b): -        if not isinstance(a, bytes) or not isinstance(b, bytes): -            raise TypeError("a and b must be bytes.") - -        return hmac.compare_digest(a, b) - -else: -    warnings.warn( -        "Support for your Python version is deprecated. The next version of " -        "cryptography will remove support. Please upgrade to a release " -        "(2.7.7+) that supports hmac.compare_digest as soon as possible.", -        utils.PersistentlyDeprecated2018, -    ) - -    def bytes_eq(a, b): -        if not isinstance(a, bytes) or not isinstance(b, bytes): -            raise TypeError("a and b must be bytes.") - -        return lib.Cryptography_constant_time_bytes_eq( -            a, len(a), b, len(b) -        ) == 1 +    return hmac.compare_digest(a, b) diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py index e895aa05..698b492d 100644 --- a/src/cryptography/utils.py +++ b/src/cryptography/utils.py @@ -21,7 +21,6 @@ class CryptographyDeprecationWarning(UserWarning):  # ubiquity of their use. They should not be removed until we agree on when that  # cycle ends.  PersistentlyDeprecated2017 = CryptographyDeprecationWarning -PersistentlyDeprecated2018 = CryptographyDeprecationWarning  PersistentlyDeprecated2019 = CryptographyDeprecationWarning  DeprecatedIn27 = CryptographyDeprecationWarning | 
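Review bot: The unconditional `bytes_eq` has no docstring, and the behaviour it inherits from `hmac.compare_digest` is worth stating: the comparison is constant-time with respect to the contents of `a` and `b`, but the standard library documents that a length difference between them can still be observable through timing, so callers comparing secrets should use operands of equal length (fixed-size digests or MACs). Suggest a docstring such as `"""Compare two byte strings in constant time with respect to their contents. Raises TypeError if either operand is not bytes; the comparison does not hide a difference in lengths."""`. After this hunk `hmac` is the module's only import besides `__future__`.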
