diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0a0c645b151f..691ba1b0593f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -157,9 +157,6 @@ jobs: fail-fast: false matrix: IMAGE: - - {IMAGE: "rhel8", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - - {IMAGE: "rhel8-fips", NOXSESSION: "tests", RUNNER: "ubuntu-latest", FIPS: true} - - {IMAGE: "bullseye", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "bookworm", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "trixie", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} - {IMAGE: "sid", NOXSESSION: "tests", RUNNER: "ubuntu-latest"} diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 37e63a646601..229a4ce1dadb 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -9,6 +9,9 @@ Changelog .. note:: This version is not yet released and is under active development. * **BACKWARDS INCOMPATIBLE:** Support for Python 3.7 has been removed. +* **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.x has been removed. + OpenSSL 3.0.0 or later is now required. LibreSSL, BoringSSL, and AWS-LC + continue to be supported. * Removed the deprecated ``get_attribute_for_oid`` method on :class:`~cryptography.x509.CertificateSigningRequest`. Users should use :meth:`~cryptography.x509.Attributes.get_attribute_for_oid` instead. diff --git a/docs/development/c-bindings.rst b/docs/development/c-bindings.rst index e53e0bae7f65..d6e9a06b0ed8 100644 --- a/docs/development/c-bindings.rst +++ b/docs/development/c-bindings.rst @@ -189,9 +189,9 @@ Caveats Sometimes, a set of loosely related features are added in the same version, and it's impractical to create ``#ifdef`` statements for each one. In that case, it may make sense to either check for a particular -version. For example, to check for OpenSSL 1.1.1 or newer:: +version. For example, to check for OpenSSL 3.2.0 or newer:: - #if CRYPTOGRAPHY_OPENSSL_111_OR_GREATER + #if CRYPTOGRAPHY_OPENSSL_320_OR_GREATER Sometimes, the version of a library on a particular platform will have features that you thought it wouldn't, based on its version. diff --git a/docs/faq.rst b/docs/faq.rst index f66cfba867d0..532c5915b26b 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -107,14 +107,14 @@ If you have no other libraries using OpenSSL in your process, or they do not appear to be at fault, it's possible that this is a bug in ``cryptography``. Please file an `issue`_ with instructions on how to reproduce it. -Installing cryptography with OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.0.2, 1.1.0 fails ----------------------------------------------------------------------------- +Installing cryptography with OpenSSL older than 3.0.0 fails +------------------------------------------------------------ The OpenSSL project has dropped support for the 0.9.8, 1.0.0, 1.0.1, 1.0.2, -and 1.1.0 release series. Since they are no longer receiving security patches +1.1.0, and 1.1.1 release series. Since they are no longer receiving security patches from upstream, ``cryptography`` is also dropping support for them. To fix this -issue you should upgrade to a newer version of OpenSSL (1.1.1 or later). This -may require you to upgrade to a newer operating system. +issue you should upgrade to OpenSSL 3.0.0 or later. This may require you to +upgrade to a newer operating system. Installing ``cryptography`` fails with ``error: Can not find Rust compiler`` ---------------------------------------------------------------------------- diff --git a/docs/installation.rst b/docs/installation.rst index e33cc67e1c96..4cb314eef594 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -24,15 +24,13 @@ Supported platforms Currently we test ``cryptography`` on Python 3.8+ and PyPy3 7.3.11+ on these operating systems. -* x86-64 RHEL 8.x * x86-64 CentOS Stream 9, 10 * x86-64 Fedora (latest) * x86-64 macOS 13 Ventura * ARM64 macOS 14 Sonoma * x86-64 Ubuntu 22.04, 24.04, and rolling * ARM64, ARMv7l, and ``ppc64le`` Ubuntu rolling -* x86-64 Debian Bullseye (11.x), Bookworm (12.x), Trixie (13.x), and - Sid (unstable) +* x86-64 Debian Bookworm (12.x), Trixie (13.x), and Sid (unstable) * x86-64 and ARM64 Alpine (latest) * 32-bit and 64-bit Python on 64-bit Windows Server 2022 @@ -206,7 +204,7 @@ available from your system package manager. Then, paste the following into a shell script. You'll need to populate the ``OPENSSL_VERSION`` variable. To do that, visit `openssl.org`_ and find the latest non-FIPS release version number, then set the string appropriately. For -example, for OpenSSL 1.1.1k, use ``OPENSSL_VERSION="1.1.1k"``. +example, for OpenSSL 3.0.9, use ``OPENSSL_VERSION="3.0.9"``. When this shell script is complete, you'll find a collection of wheel files in a directory called ``wheelhouse``. These wheels can be installed by a diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index ada4a883b66d..a4d013fc42de 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -5,9 +5,9 @@ from __future__ import annotations INCLUDES = r""" -/* define our OpenSSL API compatibility level to 1.1.0. Any symbols older than +/* define our OpenSSL API compatibility level to 3.0.0. Any symbols older than that will raise an error during compilation. */ -#define OPENSSL_API_COMPAT 0x10100000L +#define OPENSSL_API_COMPAT 0x30000000L #if defined(_WIN32) #ifndef WIN32_LEAN_AND_MEAN @@ -49,8 +49,11 @@ #endif -#if OPENSSL_VERSION_NUMBER < 0x10101050 - #error "pyca/cryptography MUST be linked with Openssl 1.1.1e or later" +#if !CRYPTOGRAPHY_IS_LIBRESSL && !CRYPTOGRAPHY_IS_BORINGSSL && \ + !CRYPTOGRAPHY_IS_AWSLC + #if OPENSSL_VERSION_NUMBER < 0x30000000 + #error "pyca/cryptography MUST be linked with OpenSSL 3.0.0 or later" + #endif #endif """ diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index a72db401efd5..6481d07fdb4d 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -476,8 +476,8 @@ static const long Cryptography_HAS_GET_EXTMS_SUPPORT = 1; #endif -/* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were - removed */ +/* The SSL_ST values were renamed to TLS_ST in OpenSSL and several were + removed, but are still available in LibreSSL, BoringSSL, and AWS-LC */ #if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL \ || CRYPTOGRAPHY_IS_AWSLC static const long Cryptography_HAS_SSL_ST = 1; diff --git a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi index 5fb3cb2403c0..74024d501454 100644 --- a/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi +++ b/src/cryptography/hazmat/bindings/_rust/openssl/__init__.pyi @@ -48,7 +48,6 @@ __all__ = [ CRYPTOGRAPHY_IS_LIBRESSL: bool CRYPTOGRAPHY_IS_BORINGSSL: bool CRYPTOGRAPHY_IS_AWSLC: bool -CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: bool CRYPTOGRAPHY_OPENSSL_309_OR_GREATER: bool CRYPTOGRAPHY_OPENSSL_320_OR_GREATER: bool CRYPTOGRAPHY_OPENSSL_330_OR_GREATER: bool diff --git a/src/rust/Cargo.toml b/src/rust/Cargo.toml index c18583075509..20e4d62a28ea 100644 --- a/src/rust/Cargo.toml +++ b/src/rust/Cargo.toml @@ -38,4 +38,4 @@ name = "cryptography_rust" crate-type = ["cdylib"] [lints.rust] -unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_330_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_IS_AWSLC)', 'cfg(CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4", "OPENSSL_NO_RC4"))'] } +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_330_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_350_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_IS_AWSLC)', 'cfg(CRYPTOGRAPHY_BUILD_OPENSSL_NO_LEGACY)', 'cfg(CRYPTOGRAPHY_OSSLCONF, values("OPENSSL_NO_IDEA", "OPENSSL_NO_CAST", "OPENSSL_NO_BF", "OPENSSL_NO_CAMELLIA", "OPENSSL_NO_SEED", "OPENSSL_NO_SM4", "OPENSSL_NO_RC4"))'] } diff --git a/src/rust/build.rs b/src/rust/build.rs index c8c4be98d720..3c7ba043b1c5 100644 --- a/src/rust/build.rs +++ b/src/rust/build.rs @@ -11,9 +11,6 @@ fn main() { if let Ok(version) = env::var("DEP_OPENSSL_VERSION_NUMBER") { let version = u64::from_str_radix(&version, 16).unwrap(); - if version >= 0x3_00_00_00_0 { - println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_300_OR_GREATER"); - } if version >= 0x3_00_09_00_0 { println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_309_OR_GREATER"); } diff --git a/src/rust/cryptography-openssl/Cargo.toml b/src/rust/cryptography-openssl/Cargo.toml index 5c7cd79d32eb..3c85ccc48c47 100644 --- a/src/rust/cryptography-openssl/Cargo.toml +++ b/src/rust/cryptography-openssl/Cargo.toml @@ -15,4 +15,4 @@ foreign-types = "0.3" foreign-types-shared = "0.1" [lints.rust] -unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)', 'cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_IS_AWSLC)'] } +unexpected_cfgs = { level = "warn", check-cfg = ['cfg(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER)', 'cfg(CRYPTOGRAPHY_IS_LIBRESSL)', 'cfg(CRYPTOGRAPHY_IS_BORINGSSL)', 'cfg(CRYPTOGRAPHY_IS_AWSLC)'] } diff --git a/src/rust/cryptography-openssl/build.rs b/src/rust/cryptography-openssl/build.rs index 9cad2b41e810..a62fc7ff68b4 100644 --- a/src/rust/cryptography-openssl/build.rs +++ b/src/rust/cryptography-openssl/build.rs @@ -9,9 +9,6 @@ fn main() { if let Ok(version) = env::var("DEP_OPENSSL_VERSION_NUMBER") { let version = u64::from_str_radix(&version, 16).unwrap(); - if version >= 0x3_00_00_00_0 { - println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_300_OR_GREATER"); - } if version >= 0x3_02_00_00_0 { println!("cargo:rustc-cfg=CRYPTOGRAPHY_OPENSSL_320_OR_GREATER"); } diff --git a/src/rust/cryptography-openssl/src/fips.rs b/src/rust/cryptography-openssl/src/fips.rs index 83ab169c1952..e66cd4b88c2a 100644 --- a/src/rust/cryptography-openssl/src/fips.rs +++ b/src/rust/cryptography-openssl/src/fips.rs @@ -2,14 +2,11 @@ // 2.0, and the BSD License. See the LICENSE file in the root of this repository // for complete details. -#[cfg(all( - CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, - not(any( - CRYPTOGRAPHY_IS_LIBRESSL, - CRYPTOGRAPHY_IS_BORINGSSL, - CRYPTOGRAPHY_IS_AWSLC - )) -))] +#[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC +)))] use std::ptr; #[cfg(not(any( @@ -19,25 +16,34 @@ use std::ptr; )))] use openssl_sys as ffi; -#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC +)))] use crate::{cvt, OpenSSLResult}; pub fn is_enabled() -> bool { cfg_if::cfg_if! { if #[cfg(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL))] { false - } else if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { + } else if #[cfg(CRYPTOGRAPHY_IS_AWSLC)] { + openssl::fips::enabled() + } else { + // OpenSSL case // SAFETY: No pre-conditions unsafe { ffi::EVP_default_properties_is_fips_enabled(ptr::null_mut()) == 1 } - } else { - openssl::fips::enabled() } } } -#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC +)))] pub fn enable() -> OpenSSLResult<()> { // SAFETY: No pre-conditions unsafe { diff --git a/src/rust/src/backend/aead.rs b/src/rust/src/backend/aead.rs index 929bdd07f3c0..1fb2c4e239a1 100644 --- a/src/rust/src/backend/aead.rs +++ b/src/rust/src/backend/aead.rs @@ -446,21 +446,12 @@ impl EvpAead { struct ChaCha20Poly1305 { #[cfg(any(CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC))] ctx: EvpAead, - #[cfg(any( - CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, - CRYPTOGRAPHY_IS_LIBRESSL, - not(any( - CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, - CRYPTOGRAPHY_IS_BORINGSSL, - CRYPTOGRAPHY_IS_AWSLC - )) - ))] + #[cfg(any(CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, CRYPTOGRAPHY_IS_LIBRESSL))] ctx: EvpCipherAead, #[cfg(not(any( CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC, - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), CRYPTOGRAPHY_OPENSSL_320_OR_GREATER )))] ctx: LazyEvpCipherAead, @@ -496,8 +487,7 @@ impl ChaCha20Poly1305 { }) } else if #[cfg(any( CRYPTOGRAPHY_IS_LIBRESSL, - CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + CRYPTOGRAPHY_OPENSSL_320_OR_GREATER ))] { Ok(ChaCha20Poly1305 { ctx: EvpCipherAead::new( @@ -581,8 +571,7 @@ struct AesGcm { CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL, - CRYPTOGRAPHY_IS_AWSLC, - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + CRYPTOGRAPHY_IS_AWSLC ))] ctx: EvpCipherAead, @@ -590,8 +579,7 @@ struct AesGcm { CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL, - CRYPTOGRAPHY_IS_AWSLC, - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + CRYPTOGRAPHY_IS_AWSLC )))] ctx: LazyEvpCipherAead, } @@ -619,8 +607,7 @@ impl AesGcm { CRYPTOGRAPHY_OPENSSL_320_OR_GREATER, CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_LIBRESSL, - CRYPTOGRAPHY_IS_AWSLC, - not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER), + CRYPTOGRAPHY_IS_AWSLC ))] { Ok(AesGcm { ctx: EvpCipherAead::new(cipher, key_buf.as_bytes(), 16, false)?, @@ -858,7 +845,7 @@ impl AesSiv { }; cfg_if::cfg_if! { - if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { + if #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))] { if cryptography_openssl::fips::is_enabled() { return Err(CryptographyError::from( exceptions::UnsupportedAlgorithm::new_err(( diff --git a/src/rust/src/backend/cipher_registry.rs b/src/rust/src/backend/cipher_registry.rs index 92b9c600aea1..8ddfa9c6e12d 100644 --- a/src/rust/src/backend/cipher_registry.rs +++ b/src/rust/src/backend/cipher_registry.rs @@ -258,7 +258,11 @@ fn get_cipher_registry( m.add(&sm4, &ofb, Some(128), Cipher::sm4_ofb())?; m.add(&sm4, &ecb, Some(128), Cipher::sm4_ecb())?; - #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] + #[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC + )))] if let Ok(c) = Cipher::fetch(None, "sm4-gcm", None) { m.add(&sm4, &gcm, Some(128), c)?; } @@ -270,8 +274,11 @@ fn get_cipher_registry( // Don't register legacy ciphers if they're unavailable. In theory // this shouldn't be necessary but OpenSSL 3 will return an EVP_CIPHER // even when the cipher is unavailable. - if cfg!(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)) - || types::LEGACY_PROVIDER_LOADED.get(py)?.is_truthy()? + if cfg!(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC + )) || types::LEGACY_PROVIDER_LOADED.get(py)?.is_truthy()? { #[cfg(not(CRYPTOGRAPHY_OSSLCONF = "OPENSSL_NO_BF"))] { diff --git a/src/rust/src/backend/ec.rs b/src/rust/src/backend/ec.rs index ff51a3f85c8c..129b7662dc23 100644 --- a/src/rust/src/backend/ec.rs +++ b/src/rust/src/backend/ec.rs @@ -233,12 +233,20 @@ impl ECPrivateKey { // If `set_peer_ex` is available, we don't validate the key. This is // because we already validated it sufficiently when we created the // ECPublicKey object. - #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] + #[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC + )))] deriver .set_peer_ex(&peer_public_key.pkey, false) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; - #[cfg(not(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER))] + #[cfg(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC + ))] deriver .set_peer(&peer_public_key.pkey) .map_err(|_| pyo3::exceptions::PyValueError::new_err("Error computing shared key."))?; diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index c9c9685c6574..708adc4794c4 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -5,15 +5,31 @@ #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] #![allow(unknown_lints, non_local_definitions, clippy::result_large_err)] -#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC +)))] use std::env; -#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC +)))] use openssl::provider; -#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC +)))] use pyo3::PyTypeInfo; -#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC +)))] use crate::error::CryptographyResult; mod asn1; mod backend; @@ -29,7 +45,11 @@ pub(crate) mod types; pub(crate) mod utils; mod x509; -#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC +)))] #[pyo3::pyclass(module = "cryptography.hazmat.bindings._rust")] struct LoadedProviders { legacy: Option, @@ -53,7 +73,11 @@ fn is_fips_enabled() -> bool { cryptography_openssl::fips::is_enabled() } -#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] +#[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC +)))] fn _initialize_providers(py: pyo3::Python<'_>) -> CryptographyResult { // As of OpenSSL 3.0.0 we must register a legacy cipher provider // to get RC2 (needed for junk asymmetric private key @@ -86,7 +110,11 @@ fn _initialize_providers(py: pyo3::Python<'_>) -> CryptographyResult CryptographyResult<()> { providers.fips = Some(provider::Provider::load(None, "fips")?); @@ -157,7 +185,11 @@ mod _rust { mod openssl { use pyo3::prelude::PyModuleMethods; - #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] + #[cfg(not(any( + CRYPTOGRAPHY_IS_LIBRESSL, + CRYPTOGRAPHY_IS_BORINGSSL, + CRYPTOGRAPHY_IS_AWSLC + )))] #[pymodule_export] use super::super::enable_fips; #[pymodule_export] @@ -207,8 +239,6 @@ mod _rust { #[pymodule_export] use crate::error::{capture_error_stack, raise_openssl_error, OpenSSLError}; - #[pymodule_export] - const CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: bool = cfg!(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER); #[pymodule_export] const CRYPTOGRAPHY_OPENSSL_309_OR_GREATER: bool = cfg!(CRYPTOGRAPHY_OPENSSL_309_OR_GREATER); #[pymodule_export] @@ -228,7 +258,7 @@ mod _rust { #[pymodule_init] fn init(openssl_mod: &pyo3::Bound<'_, pyo3::types::PyModule>) -> pyo3::PyResult<()> { cfg_if::cfg_if! { - if #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] { + if #[cfg(not(any(CRYPTOGRAPHY_IS_LIBRESSL, CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC)))] { let providers = super::super::_initialize_providers(openssl_mod.py())?; if providers.legacy.is_some() { openssl_mod.add("_legacy_provider_loaded", true)?; @@ -237,7 +267,7 @@ mod _rust { } openssl_mod.add("_providers", providers)?; } else { - // default value for non-openssl 3+ + // default value for non-OpenSSL implementations openssl_mod.add("_legacy_provider_loaded", false)?; } } diff --git a/src/rust/src/pkcs12.rs b/src/rust/src/pkcs12.rs index 8e3a47124016..18de32a491c6 100644 --- a/src/rust/src/pkcs12.rs +++ b/src/rust/src/pkcs12.rs @@ -739,9 +739,7 @@ fn load_key_and_certificates<'p>( let additional_certs = pyo3::types::PyList::empty(py); if let Some(ossl_certs) = p12.ca { cfg_if::cfg_if! { - if #[cfg(any( - CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC - ))] { + if #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] { let it = ossl_certs.iter(); } else { let it = ossl_certs.iter().rev(); @@ -793,9 +791,7 @@ fn load_pkcs12<'p>( let additional_certs = pyo3::types::PyList::empty(py); if let Some(ossl_certs) = p12.ca { cfg_if::cfg_if! { - if #[cfg(any( - CRYPTOGRAPHY_OPENSSL_300_OR_GREATER, CRYPTOGRAPHY_IS_BORINGSSL, CRYPTOGRAPHY_IS_AWSLC - ))] { + if #[cfg(not(CRYPTOGRAPHY_IS_LIBRESSL))] { let it = ossl_certs.iter(); } else { let it = ossl_certs.iter().rev(); diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index a09f77863532..befe16bf97aa 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -11,7 +11,6 @@ import pytest -from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import dh @@ -385,23 +384,6 @@ def test_bad_exchange(self, backend, vector): with pytest.raises(ValueError): key2.exchange(pub_key1) - @pytest.mark.skip_fips(reason="key_size too small for FIPS") - @pytest.mark.supported( - only_if=lambda backend: ( - not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER - ), - skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+", - ) - def test_load_256bit_key_from_pkcs8(self, backend): - data = load_vectors_from_file( - os.path.join("asymmetric", "DH", "dh_key_256.pem"), - lambda pemfile: pemfile.read(), - mode="rb", - ) - key = serialization.load_pem_private_key(data, None, backend) - assert isinstance(key, dh.DHPrivateKey) - assert key.key_size == 256 - @pytest.mark.parametrize( "vector", load_vectors_from_file( diff --git a/tests/wycheproof/test_ecdsa.py b/tests/wycheproof/test_ecdsa.py index c0e9b6a44a71..1b9510d0bef9 100644 --- a/tests/wycheproof/test_ecdsa.py +++ b/tests/wycheproof/test_ecdsa.py @@ -67,10 +67,7 @@ def test_ecdsa_signature(backend, wycheproof): ), ) assert isinstance(key, ec.EllipticCurvePublicKey) - except (UnsupportedAlgorithm, ValueError): - # In some OpenSSL 1.1.1 versions (RHEL and Fedora), some keys fail to - # load with ValueError, instead of Unsupported Algorithm. We can - # remove handling for that exception when we drop support. + except UnsupportedAlgorithm: pytest.skip( "unable to load key (curve {})".format( wycheproof.testgroup["key"]["curve"] diff --git a/tests/wycheproof/test_rsa.py b/tests/wycheproof/test_rsa.py index 7084171bfacf..20976181330e 100644 --- a/tests/wycheproof/test_rsa.py +++ b/tests/wycheproof/test_rsa.py @@ -18,8 +18,7 @@ "SHA-256": hashes.SHA256(), "SHA-384": hashes.SHA384(), "SHA-512": hashes.SHA512(), - # Not supported by OpenSSL<3 for RSA signing. - # Enable these when we require CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + # Not supported on BoringSSL. "SHA-512/224": None, "SHA-512/256": None, "SHA3-224": hashes.SHA3_224(),