From aeabfd04669a300ecdabec9310764e5957085383 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sat, 19 Mar 2016 10:59:57 -0400
Subject: Fixed #2836 -- error out on OpenSSL 0.9.8 by default

---
 CHANGELOG.rst | 2 ++
 .../hazmat/bindings/openssl/binding.py | 40 ++++++++++++++--------
 2 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 00ca808b..6b7126c7 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,8 @@ Changelog
 .. note:: This version is not yet released and is under active development.
+* Support for OpenSSL 0.9.8 has been removed. Users on older version of OpenSSL
+  will need to upgrade.
 1.3 - 2016-03-18
 ~~~~~~~~~~~~~~~~
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 5d7466f9..73457092 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -217,6 +217,31 @@ class Binding(object):
 )
 
 
+def _verify_openssl_version(version):
+    if version < 0x10000000:
+        if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_098"):
+            warnings.warn(
+                "OpenSSL version 0.9.8 is no longer supported by the OpenSSL "
+                "project, please upgrade. The next version of cryptography "
+                "will completely remove support for it.",
+                utils.DeprecatedIn12
+            )
+        else:
+            # TODO: what exception type?
+            raise Exception(
+                "You are linking against OpenSSL 0.9.8, which is no longer "
+                "support by the OpenSSL project. You need to upgrade to a "
+                "newer version of OpenSSL."
+            )
+    elif version < 0x10001000:
+        warnings.warn(
+            "OpenSSL versions less than 1.0.1 are no longer supported by the "
+            "OpenSSL project, please upgrade. A future version of "
+            "cryptography will drop support for these versions of OpenSSL.",
+            DeprecationWarning
+        )
+
+
 # OpenSSL is not thread safe until the locks are initialized. We call this
 # method in module scope so that it executes with the import lock. On
 # Pythons < 3.4 this import lock is a global lock, which can prevent a race
@@ -224,17 +249,4 @@ class Binding(object):
 # is per module so this approach will not work.
 Binding.init_static_locks()
 
-if Binding.lib.SSLeay() < 0x10000000:
-    warnings.warn(
-        "OpenSSL version 0.9.8 is no longer supported by the OpenSSL project, "
-        "please upgrade. The next version of cryptography will drop support "
-        "for it.",
-        utils.DeprecatedIn12
-    )
-elif Binding.lib.SSLeay() < 0x10001000:
-    warnings.warn(
-        "OpenSSL versions less than 1.0.1 are no longer supported by the "
-        "OpenSSL project, please upgrade. A future version of cryptography "
-        "will drop support for these versions.",
-        DeprecationWarning
-    )
+_verify_openssl_version(Binding.lib.SSLeay())
-- 
cgit v1.2.3

From 9912033a145c45a75c7fe9d7a27132f33370ee67 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sat, 19 Mar 2016 11:11:27 -0400
Subject: Get CI working again

---
 tox.ini | 2 ++
 1 file changed, 2 insertions(+)

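Review bot: `os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_098")` in `_verify_openssl_version` treats any non-empty value as opt-in, so `CRYPTOGRAPHY_ALLOW_OPENSSL_098=0` or `=false` also re-enables the unsupported 0.9.8 path, the opposite of what an operator writing `0` intends; either compare strictly, `if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_098") == "1":`, or document that mere presence counts. The override is also read only once, when the module-level call at the end of the second hunk runs at import, so setting the variable afterwards in the process has no effect. The new function has no docstring; a short one such as `"""Refuse to import against an end-of-life OpenSSL (pre-1.0.0) unless CRYPTOGRAPHY_ALLOW_OPENSSL_098 is set, and warn on 1.0.0; version is the packed SSLeay() number."""` would explain why this module can raise at import. Note that the `< 0x10000000` branch matches every pre-1.0.0 build, not only the 0.9.8 that both messages name.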
diff --git a/tox.ini b/tox.ini
index 424dc5bb..a700d4dc 100644
--- a/tox.ini
+++ b/tox.ini
@@ -7,6 +7,8 @@ deps =
     .[test]
     ./vectors
 passenv = ARCHFLAGS LDFLAGS CFLAGS INCLUDE LIB LD_LIBRARY_PATH USERNAME
+setenv =
+    CRYPTOGRAPHY_ALLOW_OPENSSL_098=1
 commands =
     pip list
     python -c "from cryptography.hazmat.backends.openssl.backend import backend; print(backend.openssl_version_text())"
-- 
cgit v1.2.3

From 3ee4fc78271a73468ec4d2f7aaf3d712a4828d6d Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sat, 19 Mar 2016 11:17:24 -0400
Subject: test for verify_openssl_version

---
 tests/hazmat/bindings/test_openssl.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 457799d3..6b6b7474 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -8,7 +8,7 @@ import pytest
 
 from cryptography.exceptions import InternalError
 from cryptography.hazmat.bindings.openssl.binding import (
-    Binding, _OpenSSLErrorWithText, _openssl_assert
+    Binding, _OpenSSLErrorWithText, _openssl_assert, _verify_openssl_version
 )
 
 
@@ -175,3 +175,10 @@ class TestOpenSSL(object):
 b'ex:data not multiple of block length'
 )
 )]
+
+    def test_verify_openssl_version(self, monkeypatch):
+        monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_098", raising=False)
+        # TODO: what exception type?
+        with pytest.raises(Exception):
+            # OpenSSL 0.9.8zg
+            _verify_openssl_version(0x9081DF)
-- 
cgit v1.2.3

From 57eec7fda04034b70681adda53b2d564eed33ef7 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sat, 19 Mar 2016 11:58:32 -0400
Subject: Use runtimeerror for this

---
 src/cryptography/hazmat/bindings/openssl/binding.py | 3 +--
 tests/hazmat/bindings/test_openssl.py | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 73457092..0f7a9d95 100644
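Review bot: `test_verify_openssl_version` pins only the fail-closed branch of `_verify_openssl_version`; the override path taken when `CRYPTOGRAPHY_ALLOW_OPENSSL_098` is set, the 1.0.0 deprecation branch, and silent pass-through on 1.0.1+ are all unasserted, so a regression that raised on a supported version, or stopped warning under the override, would go unnoticed. Two further cases are sketched below; if `utils.DeprecatedIn12` is not a `DeprecationWarning` subclass, expect that class instead in the first, and a third test can wrap `_verify_openssl_version(0x1000100F)` in `warnings.catch_warnings(record=True)` with `warnings.simplefilter("always")` and assert the recorded list is empty. `TestOpenSSL` begins outside the hunk.
```python
    def test_verify_openssl_version_allow_098(self, monkeypatch):
        monkeypatch.setenv("CRYPTOGRAPHY_ALLOW_OPENSSL_098", "1")
        with pytest.warns(DeprecationWarning):
            # OpenSSL 0.9.8zg
            _verify_openssl_version(0x9081DF)

    def test_verify_openssl_version_100_warns(self, monkeypatch):
        monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_098", raising=False)
        with pytest.warns(DeprecationWarning):
            # OpenSSL 1.0.0t
            _verify_openssl_version(0x1000014F)
```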
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -227,8 +227,7 @@ def _verify_openssl_version(version):
                 utils.DeprecatedIn12
             )
         else:
-            # TODO: what exception type?
-            raise Exception(
+            raise RuntimeError(
                 "You are linking against OpenSSL 0.9.8, which is no longer "
                 "support by the OpenSSL project. You need to upgrade to a "
                 "newer version of OpenSSL."
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 6b6b7474..34c23ab2 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -178,7 +178,6 @@ class TestOpenSSL(object):
 
     def test_verify_openssl_version(self, monkeypatch):
         monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_098", raising=False)
-        # TODO: what exception type?
-        with pytest.raises(Exception):
+        with pytest.raises(RuntimeError):
             # OpenSSL 0.9.8zg
             _verify_openssl_version(0x9081DF)
-- 
cgit v1.2.3

From 5d38206c787a675304452a007b50d3a6a65edcb8 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sat, 19 Mar 2016 12:02:14 -0400
Subject: Mention CRYPTOGRAPHY_ALLOW_OPENSSL_098 in the FAQ

---
 docs/faq.rst | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/docs/faq.rst b/docs/faq.rst
index 3456ba97..2c17e285 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
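Review bot: The `RuntimeError` message in the context lines under the changed `raise` still reads "no longer support by the OpenSSL project", and it names 0.9.8 although the guard (`version < 0x10000000`, outside this hunk) matches any pre-1.0.0 build; including the detected number makes a bug report actionable. Suggest `raise RuntimeError(` / `"You are linking against OpenSSL %s, which is no longer supported by "` / `"the OpenSSL project. You need to upgrade to a newer version of OpenSSL." % hex(version)`. Because this is raised from the module-level call at import, and the FAQ entry added later in this series tells users to expect a `RuntimeError`, the exception type should now be treated as part of the public contract. `_verify_openssl_version` starts outside the hunk.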
@@ -40,6 +40,19 @@ If you have no other libraries using OpenSSL in your process, or they do not
 appear to be at fault, it's possible that this is a bug in ``cryptography``.
 Please file an `issue`_ with instructions on how to reproduce it.
 
+Importing cryptography causes a ``RuntimeError`` about OpenSSL 0.9.8
+--------------------------------------------------------------------
+
+The OpenSSL project has dropped support for the 0.9.8 release series. Since it
+is no longer receiving security patches from upstream, ``cryptography`` is also
+dropping support for it. To fix this issue you should upgrade to a newer
+version of OpenSSL (1.0.1 or later), this may require you to upgrade to a newer
+operating system.
+
+For the 1.4 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_098``
+environment variable. Please note that this is *temporary* and will be removed
+in ``cryptography`` 1.5.
+
 .. _`NaCl`: https://nacl.cr.yp.to/
 .. _`PyNaCl`: https://pynacl.readthedocs.org
 .. _`WSGIApplicationGroup`: https://modwsgi.readthedocs.org/en/develop/configuration-directives/WSGIApplicationGroup.html
-- 
cgit v1.2.3

From fd36f9df811d8a75121f75131c23c19d53ea02a5 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sat, 19 Mar 2016 12:15:12 -0400
Subject: update installation.rst

---
 docs/installation.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/installation.rst b/docs/installation.rst
index 8c3c436b..38dc4863 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -39,8 +39,8 @@ OpenSSL releases:
 .. warning::
     OpenSSL versions 0.9.8 and 1.0.0 are no longer supported by the OpenSSL
-    project. Support for OpenSSL 0.9.8 will be removed in the next
-    ``cryptography`` release.
+    project. Cryptography 1.4 has dropped support for OpenSSL 0.9.8, see the
+    :doc:`FAQ ` for more details.
 
 On Windows
 ----------
-- 
cgit v1.2.3

From 62f6195896ecb84411313b9b932b21c9aa6381c7 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sat, 19 Mar 2016 17:47:56 -0400
Subject: two seperate sentences

---
 docs/faq.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/faq.rst b/docs/faq.rst
index 2c17e285..f00974b4 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -46,7 +46,7 @@ Importing cryptography causes a ``RuntimeError`` about OpenSSL 0.9.8
 The OpenSSL project has dropped support for the 0.9.8 release series. Since it
 is no longer receiving security patches from upstream, ``cryptography`` is also
 dropping support for it. To fix this issue you should upgrade to a newer
-version of OpenSSL (1.0.1 or later), this may require you to upgrade to a newer
+version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer
 operating system.
 
 For the 1.4 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_098``
-- 
cgit v1.2.3

From bb2b86557ee5c5f8a9916c0a5a0a9dc5f56410d6 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sat, 19 Mar 2016 17:52:06 -0400
Subject: DeprecationWarning

---
 src/cryptography/hazmat/bindings/openssl/binding.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 0f7a9d95..7727ad8d 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -10,7 +10,6 @@ import threading
 import types
 import warnings
 
-from cryptography import utils
 from cryptography.exceptions import InternalError
 from cryptography.hazmat.bindings._openssl import ffi, lib
 from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES
@@ -224,7 +223,7 @@ def _verify_openssl_version(version):
                 "OpenSSL version 0.9.8 is no longer supported by the OpenSSL "
                 "project, please upgrade. The next version of cryptography "
                 "will completely remove support for it.",
-                utils.DeprecatedIn12
+                DeprecationWarning
             )
         else:
             raise RuntimeError(
-- 
cgit v1.2.3
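Review bot: Switching the override warning to a plain `DeprecationWarning` makes the only signal that a process is running on an unpatched OpenSSL 0.9.8 invisible by default: CPython's default filters have ignored `DeprecationWarning` since 2.7/3.2 unless `-W`/`PYTHONWARNINGS` is given (newer interpreters show it only for code in `__main__`), and this one is issued from package code at import. If the intent is that operators who set `CRYPTOGRAPHY_ALLOW_OPENSSL_098` actually see it, use `RuntimeWarning` in place of `DeprecationWarning` on the added line, or state in the FAQ that the warning is suppressed unless warnings are enabled; whether `utils.DeprecatedIn12` already had this property cannot be told from the diff. The first hunk drops `from cryptography import utils`, which is fine only if no other reference to `utils` remains in the module, something this diff does not show. `_verify_openssl_version` starts outside the second hunk.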