diff options
| author | Alex Gaynor <alex.gaynor@gmail.com> | 2016-12-13 21:05:35 -0500 |
|---|---|---|
| committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2016-12-13 20:05:35 -0600 |
| commit | 0e8cdf1023f6e2045de444b1c7e09f40cccf019e (patch) | |
| tree | eb6241baa5c66447c988a5c45fed7f0cb77b8022 | |
| parent | 874445aea9e2d07a94444855ccfeaa3082de26a9 (diff) | |
| download | cryptography-0e8cdf1023f6e2045de444b1c7e09f40cccf019e.tar.gz cryptography-0e8cdf1023f6e2045de444b1c7e09f40cccf019e.tar.bz2 cryptography-0e8cdf1023f6e2045de444b1c7e09f40cccf019e.zip | |
Drop 1.0.0 (#3312)
* delete the 1.0.0 support
* drop the version check
* drop the AES-CTR stuff
* Update the example
* openssl truncates for us now
* delete unused test
* unused imports
* Remove a bunch of conditional bindings for NPN
* no more 1.0.0 builders
* libressl fix
* update the docs
* remove dead branches
* oops
* this is a word, damnit
* spelling
* try removing this
* this test is not needed
* unused import
24 files changed, 49 insertions, 574 deletions
diff --git a/.travis.yml b/.travis.yml index d4c39b67..0cd74610 100644 --- a/.travis.yml +++ b/.travis.yml @@ -26,10 +26,6 @@ matrix: - python: pypy env: TOXENV=pypy PYPY_VERSION=5.4.1 - python: 2.7 - env: TOXENV=py27 OPENSSL=1.0.0t - - python: 3.5 - env: TOXENV=py35 OPENSSL=1.0.0t - - python: 2.7 env: TOXENV=py27 OPENSSL=1.1.0c - python: 3.5 env: TOXENV=py35 OPENSSL=1.1.0c diff --git a/docs/development/c-bindings.rst b/docs/development/c-bindings.rst index cbd8fab0..d76154d5 100644 --- a/docs/development/c-bindings.rst +++ b/docs/development/c-bindings.rst @@ -183,9 +183,9 @@ Caveats Sometimes, a set of loosely related features are added in the same version, and it's impractical to create ``#ifdef`` statements for each one. In that case, it may make sense to either check for a particular -version. For example, to check for OpenSSL 1.0.0 or newer:: +version. For example, to check for OpenSSL 1.1.0 or newer:: - #if OPENSSL_VERSION_NUMBER >= 0x10000000L + #if OPENSSL_VERSION_NUMBER >= 0x10100000L Sometimes, the version of a library on a particular platform will have features that you thought it wouldn't, based on its version. diff --git a/docs/faq.rst b/docs/faq.rst index 76117a91..bbcf302e 100644 --- a/docs/faq.rst +++ b/docs/faq.rst @@ -40,27 +40,14 @@ If you have no other libraries using OpenSSL in your process, or they do not appear to be at fault, it's possible that this is a bug in ``cryptography``. Please file an `issue`_ with instructions on how to reproduce it. -Importing cryptography causes a ``RuntimeError`` about OpenSSL 1.0.0 --------------------------------------------------------------------- - -The OpenSSL project has dropped support for the 1.0.0 release series. Since it -is no longer receiving security patches from upstream, ``cryptography`` is also -dropping support for it. To fix this issue you should upgrade to a newer -version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer -operating system. - -For the 1.7 release, you can set the ``CRYPTOGRAPHY_ALLOW_OPENSSL_100`` -environment variable. Please note that this is *temporary* and will be removed -in ``cryptography`` 1.8. - -Installing cryptography with OpenSSL 0.9.8 fails ------------------------------------------------- - -The OpenSSL project has dropped support for the 0.9.8 release series. Since it -is no longer receiving security patches from upstream, ``cryptography`` is also -dropping support for it. To fix this issue you should upgrade to a newer -version of OpenSSL (1.0.1 or later). This may require you to upgrade to a newer -operating system. +Installing cryptography with OpenSSL 0.9.8 or 1.0.0 fails +--------------------------------------------------------- + +The OpenSSL project has dropped support for the 0.9.8 and 1.0.0 release series. +Since they are no longer receiving security patches from upstream, +``cryptography`` is also dropping support for them. To fix this issue you +should upgrade to a newer version of OpenSSL (1.0.1 or later). This may require +you to upgrade to a newer operating system. .. _`NaCl`: https://nacl.cr.yp.to/ .. _`PyNaCl`: https://pynacl.readthedocs.io diff --git a/docs/hazmat/backends/openssl.rst b/docs/hazmat/backends/openssl.rst index f97ec571..e293c064 100644 --- a/docs/hazmat/backends/openssl.rst +++ b/docs/hazmat/backends/openssl.rst @@ -3,7 +3,7 @@ OpenSSL backend =============== -The `OpenSSL`_ C library. Cryptography supports OpenSSL version ``1.0.0`` and +The `OpenSSL`_ C library. Cryptography supports OpenSSL version 1.0.1 and greater. .. data:: cryptography.hazmat.backends.openssl.backend diff --git a/docs/hazmat/bindings/openssl.rst b/docs/hazmat/bindings/openssl.rst index 482cfaf8..ac65aa97 100644 --- a/docs/hazmat/bindings/openssl.rst +++ b/docs/hazmat/bindings/openssl.rst @@ -6,7 +6,7 @@ OpenSSL binding .. currentmodule:: cryptography.hazmat.bindings.openssl.binding These are `CFFI`_ bindings to the `OpenSSL`_ C library. Cryptography supports -OpenSSL version ``1.0.0`` and greater. +OpenSSL version 1.0.1 and greater. .. class:: cryptography.hazmat.bindings.openssl.binding.Binding() diff --git a/docs/installation.rst b/docs/installation.rst index 9ad9a3cc..31116ff7 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -28,7 +28,6 @@ Currently we test ``cryptography`` on Python 2.6, 2.7, 3.3, 3.4, 3.5, and PyPy We test compiling with ``clang`` as well as ``gcc`` and use the following OpenSSL releases: -* ``OpenSSL 1.0.0-fips`` (``RHEL/CentOS 6.4``) * ``OpenSSL 1.0.1`` * ``OpenSSL 1.0.1e-fips`` (``RHEL/CentOS 7``) * ``OpenSSL 1.0.1j-freebsd`` @@ -36,10 +35,6 @@ OpenSSL releases: * ``OpenSSL 1.0.2-latest`` * ``OpenSSL 1.1.0`` -.. warning:: - Cryptography 1.7 has dropped support for OpenSSL 1.0.0, see the - :doc:`FAQ </faq>` for more details - Building cryptography on Windows -------------------------------- diff --git a/src/_cffi_src/openssl/aes.py b/src/_cffi_src/openssl/aes.py index c54b636a..d035fa8e 100644 --- a/src/_cffi_src/openssl/aes.py +++ b/src/_cffi_src/openssl/aes.py @@ -10,7 +10,6 @@ INCLUDES = """ TYPES = """ static const int Cryptography_HAS_AES_WRAP; -static const int Cryptography_HAS_AES_CTR128_ENCRYPT; struct aes_key_st { ...; @@ -29,22 +28,8 @@ int AES_unwrap_key(AES_KEY *, const unsigned char *, unsigned char *, """ MACROS = """ -/* The ctr128_encrypt function is only useful in 1.0.0. We can use EVP for - this in 1.0.1+. */ -void AES_ctr128_encrypt(const unsigned char *, unsigned char *, - size_t, const AES_KEY *, unsigned char[], - unsigned char[], unsigned int *); """ CUSTOMIZATIONS = """ static const long Cryptography_HAS_AES_WRAP = 1; -#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !defined(LIBRESSL_VERSION_NUMBER) -static const int Cryptography_HAS_AES_CTR128_ENCRYPT = 0; -void (*AES_ctr128_encrypt)(const unsigned char *, unsigned char *, - size_t, const AES_KEY *, - unsigned char[], unsigned char[], - unsigned int *) = NULL; -#else -static const int Cryptography_HAS_AES_CTR128_ENCRYPT = 1; -#endif """ diff --git a/src/_cffi_src/openssl/cmac.py b/src/_cffi_src/openssl/cmac.py index 67abc858..09987455 100644 --- a/src/_cffi_src/openssl/cmac.py +++ b/src/_cffi_src/openssl/cmac.py @@ -5,7 +5,7 @@ from __future__ import absolute_import, division, print_function INCLUDES = """ -#if !defined(OPENSSL_NO_CMAC) && CRYPTOGRAPHY_OPENSSL_101_OR_GREATER +#if !defined(OPENSSL_NO_CMAC) #include <openssl/cmac.h> #endif """ @@ -28,7 +28,7 @@ void CMAC_CTX_free(CMAC_CTX *); """ CUSTOMIZATIONS = """ -#if !defined(OPENSSL_NO_CMAC) && CRYPTOGRAPHY_OPENSSL_101_OR_GREATER +#if !defined(OPENSSL_NO_CMAC) static const long Cryptography_HAS_CMAC = 1; #else static const long Cryptography_HAS_CMAC = 0; diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index 373f830e..1ce9d0f4 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -17,8 +17,6 @@ INCLUDES = """ #include <windows.h> #endif -#define CRYPTOGRAPHY_OPENSSL_101_OR_GREATER \ - (OPENSSL_VERSION_NUMBER >= 0x10001000) #define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \ (OPENSSL_VERSION_NUMBER >= 0x10002000) #define CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER \ @@ -26,8 +24,6 @@ INCLUDES = """ #define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \ (OPENSSL_VERSION_NUMBER >= 0x10100000) -#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_101 \ - (OPENSSL_VERSION_NUMBER < 0x10001000) #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \ (OPENSSL_VERSION_NUMBER < 0x10002000) #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102BETA3 \ @@ -51,12 +47,8 @@ INCLUDES = """ """ TYPES = """ -static const int CRYPTOGRAPHY_OPENSSL_101_OR_GREATER; - static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER; -static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_101; - static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_102I; static const int CRYPTOGRAPHY_IS_LIBRESSL; diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py index 0853a723..d1745054 100644 --- a/src/_cffi_src/openssl/ec.py +++ b/src/_cffi_src/openssl/ec.py @@ -14,7 +14,6 @@ INCLUDES = """ TYPES = """ static const int Cryptography_HAS_EC; -static const int Cryptography_HAS_EC_1_0_1; static const int Cryptography_HAS_EC2M; static const int Cryptography_HAS_EC_1_0_2; @@ -327,13 +326,6 @@ const EC_METHOD *(*EC_GFp_nist_method)() = NULL; int (*EC_METHOD_get_field_type)(const EC_METHOD *) = NULL; -#else -static const long Cryptography_HAS_EC = 1; -#endif - -#if defined(OPENSSL_NO_EC) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_101 -static const long Cryptography_HAS_EC_1_0_1 = 0; - int (*EC_KEY_get_flags)(const EC_KEY *) = NULL; void (*EC_KEY_set_flags)(EC_KEY *, int) = NULL; void (*EC_KEY_clear_flags)(EC_KEY *, int) = NULL; @@ -341,10 +333,9 @@ void (*EC_KEY_clear_flags)(EC_KEY *, int) = NULL; int (*EC_KEY_set_public_key_affine_coordinates)( EC_KEY *, BIGNUM *, BIGNUM *) = NULL; #else -static const long Cryptography_HAS_EC_1_0_1 = 1; +static const long Cryptography_HAS_EC = 1; #endif - #if defined(OPENSSL_NO_EC) || defined(OPENSSL_NO_EC2M) static const long Cryptography_HAS_EC2M = 0; diff --git a/src/_cffi_src/openssl/rsa.py b/src/_cffi_src/openssl/rsa.py index e920cf2d..e9074905 100644 --- a/src/_cffi_src/openssl/rsa.py +++ b/src/_cffi_src/openssl/rsa.py @@ -20,7 +20,6 @@ static const int RSA_PKCS1_PSS_PADDING; static const int RSA_F4; static const int Cryptography_HAS_PSS_PADDING; -static const int Cryptography_HAS_MGF1_MD; static const int Cryptography_HAS_RSA_OAEP_MD; """ @@ -73,12 +72,6 @@ int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *, EVP_MD *); CUSTOMIZATIONS = """ static const long Cryptography_HAS_PSS_PADDING = 1; -#if CRYPTOGRAPHY_OPENSSL_101_OR_GREATER -static const long Cryptography_HAS_MGF1_MD = 1; -#else -static const long Cryptography_HAS_MGF1_MD = 0; -int (*EVP_PKEY_CTX_set_rsa_mgf1_md)(EVP_PKEY_CTX *, EVP_MD *) = NULL; -#endif #if defined(EVP_PKEY_CTX_set_rsa_oaep_md) static const long Cryptography_HAS_RSA_OAEP_MD = 1; #else diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py index 28c14ca9..12af346c 100644 --- a/src/_cffi_src/openssl/ssl.py +++ b/src/_cffi_src/openssl/ssl.py @@ -25,7 +25,6 @@ static const long Cryptography_HAS_TLSEXT_STATUS_REQ_TYPE; static const long Cryptography_HAS_GET_SERVER_TMP_KEY; static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE; static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS; -static const long Cryptography_HAS_NPN_NEGOTIATED; /* Internally invented symbol to tell us if SNI is supported */ static const long Cryptography_HAS_TLSEXT_HOSTNAME; @@ -44,7 +43,6 @@ static const long Cryptography_HAS_SSL_OP_MSIE_SSLV2_RSA_PADDING; static const long Cryptography_HAS_SSL_SET_SSL_CTX; static const long Cryptography_HAS_SSL_OP_NO_TICKET; static const long Cryptography_HAS_NETBSD_D1_METH; -static const long Cryptography_HAS_NEXTPROTONEG; static const long Cryptography_HAS_ALPN; static const long Cryptography_HAS_SET_CERT_CB; @@ -363,9 +361,6 @@ long SSL_CTX_set_tlsext_status_arg(SSL_CTX *, void *); long SSL_session_reused(SSL *); -/* NPN APIs were introduced in OpenSSL 1.0.1. To continue to support earlier - * versions some special handling of these is necessary. - */ void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *, int (*)(SSL *, const unsigned char **, @@ -414,7 +409,7 @@ void SSL_set_cert_cb(SSL *, int (*)(SSL *, void *), void *); /* Added in 1.0.2 */ const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *); -/* Added in 1.0.1 */ + int SSL_SESSION_set1_id_context(SSL_SESSION *, const unsigned char *, unsigned int); /* Added in 1.1.0 for the great opaquing of structs */ @@ -438,28 +433,6 @@ long SSL_CTX_sess_cache_full(SSL_CTX *); """ CUSTOMIZATIONS = """ -/* Added in 1.0.1 but we need it in all versions now due to the great - opaquing. */ -#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_101 -/* from ssl.h */ -#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312 -#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273 -/* from ssl/ssl_sess.c */ -int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, - unsigned int sid_ctx_len) -{ - if (sid_ctx_len > SSL_MAX_SID_CTX_LENGTH) { - SSLerr(SSL_F_SSL_SESSION_SET1_ID_CONTEXT, - SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG); - return 0; - } - s->sid_ctx_length = sid_ctx_len; - memcpy(s->sid_ctx, sid_ctx, sid_ctx_len); - - return 1; -} -#endif - /* Added in 1.0.2 but we need it in all versions now due to the great opaquing. */ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 || defined(LIBRESSL_VERSION_NUMBER) @@ -605,37 +578,6 @@ static const long Cryptography_HAS_NETBSD_D1_METH = 1; static const long Cryptography_HAS_NETBSD_D1_METH = 1; #endif -/* Because OPENSSL defines macros that claim lack of support for things, rather - * than macros that claim support for things, we need to do a version check in - * addition to a definition check. NPN was added in 1.0.1: for any version - * before that, there is no compatibility. - */ -#if defined(OPENSSL_NO_NEXTPROTONEG) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_101 -static const long Cryptography_HAS_NEXTPROTONEG = 0; -void (*SSL_CTX_set_next_protos_advertised_cb)(SSL_CTX *, - int (*)(SSL *, - const unsigned char **, - unsigned int *, - void *), - void *) = NULL; -void (*SSL_CTX_set_next_proto_select_cb)(SSL_CTX *, - int (*)(SSL *, - unsigned char **, - unsigned char *, - const unsigned char *, - unsigned int, - void *), - void *) = NULL; -int (*SSL_select_next_proto)(unsigned char **, unsigned char *, - const unsigned char *, unsigned int, - const unsigned char *, unsigned int) = NULL; -void (*SSL_get0_next_proto_negotiated)(const SSL *, - const unsigned char **, - unsigned *) = NULL; -#else -static const long Cryptography_HAS_NEXTPROTONEG = 1; -#endif - /* ALPN was added in OpenSSL 1.0.2. */ #if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !defined(LIBRESSL_VERSION_NUMBER) int (*SSL_CTX_set_alpn_protos)(SSL_CTX *, @@ -707,13 +649,4 @@ static const long Cryptography_HAS_TLS_ST = 0; static const long TLS_ST_BEFORE = 0; static const long TLS_ST_OK = 0; #endif - -/* This define is available in 1.0.1+ so we can remove this when we drop - support for 1.0.0 */ -#ifdef OPENSSL_NPN_NEGOTIATED -static const long Cryptography_HAS_NPN_NEGOTIATED = 1; -#else -static const long OPENSSL_NPN_NEGOTIATED = -1; -static const long Cryptography_HAS_NPN_NEGOTIATED = 0; -#endif """ diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 71063c19..d2a9e6c9 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -21,9 +21,7 @@ from cryptography.hazmat.backends.interfaces import ( EllipticCurveBackend, HMACBackend, HashBackend, PBKDF2HMACBackend, PEMSerializationBackend, RSABackend, ScryptBackend, X509Backend ) -from cryptography.hazmat.backends.openssl.ciphers import ( - _AESCTRCipherContext, _CipherContext -) +from cryptography.hazmat.backends.openssl.ciphers import _CipherContext from cryptography.hazmat.backends.openssl.cmac import _CMACContext from cryptography.hazmat.backends.openssl.dh import ( _DHParameters, _DHPrivateKey, _DHPublicKey @@ -233,12 +231,7 @@ class Backend(object): return _HashContext(self, algorithm) def cipher_supported(self, cipher, mode): - if self._evp_cipher_supported(cipher, mode): - return True - elif isinstance(mode, CTR) and isinstance(cipher, AES): - return True - else: - return False + return self._evp_cipher_supported(cipher, mode) def _evp_cipher_supported(self, cipher, mode): try: @@ -307,22 +300,10 @@ class Backend(object): ) def create_symmetric_encryption_ctx(self, cipher, mode): - if (isinstance(mode, CTR) and isinstance(cipher, AES) and - not self._evp_cipher_supported(cipher, mode)): - # This is needed to provide support for AES CTR mode in OpenSSL - # 1.0.0. It can be removed when we drop 1.0.0 support (RHEL 6.4). - return _AESCTRCipherContext(self, cipher, mode) - else: - return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT) + return _CipherContext(self, cipher, mode, _CipherContext._ENCRYPT) def create_symmetric_decryption_ctx(self, cipher, mode): - if (isinstance(mode, CTR) and isinstance(cipher, AES) and - not self._evp_cipher_supported(cipher, mode)): - # This is needed to provide support for AES CTR mode in OpenSSL - # 1.0.0. It can be removed when we drop 1.0.0 support (RHEL 6.4). - return _AESCTRCipherContext(self, cipher, mode) - else: - return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT) + return _CipherContext(self, cipher, mode, _CipherContext._DECRYPT) def pbkdf2_hmac_supported(self, algorithm): return self.hmac_supported(algorithm) @@ -606,10 +587,7 @@ class Backend(object): return isinstance(algorithm, hashes.SHA1) def _pss_mgf1_hash_supported(self, algorithm): - if self._lib.Cryptography_HAS_MGF1_MD: - return self.hash_supported(algorithm) - else: - return isinstance(algorithm, hashes.SHA1) + return self.hash_supported(algorithm) def rsa_padding_supported(self, padding): if isinstance(padding, PKCS1v15): @@ -737,18 +715,6 @@ class Backend(object): if not isinstance(algorithm, hashes.HashAlgorithm): raise TypeError('Algorithm must be a registered hash algorithm.') - if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - if isinstance(private_key, _DSAPrivateKey): - raise NotImplementedError( - "Certificate signing requests aren't implemented for DSA" - " keys on OpenSSL versions less than 1.0.1." - ) - if isinstance(private_key, _EllipticCurvePrivateKey): - raise NotImplementedError( - "Certificate signing requests aren't implemented for EC" - " keys on OpenSSL versions less than 1.0.1." - ) - # Resolve the signature algorithm. evp_md = self._lib.EVP_get_digestbyname( algorithm.name.encode('ascii') @@ -815,18 +781,6 @@ class Backend(object): if not isinstance(algorithm, hashes.HashAlgorithm): raise TypeError('Algorithm must be a registered hash algorithm.') - if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - if isinstance(private_key, _DSAPrivateKey): - raise NotImplementedError( - "Certificate signatures aren't implemented for DSA" - " keys on OpenSSL versions less than 1.0.1." - ) - if isinstance(private_key, _EllipticCurvePrivateKey): - raise NotImplementedError( - "Certificate signatures aren't implemented for EC" - " keys on OpenSSL versions less than 1.0.1." - ) - # Resolve the signature algorithm. evp_md = self._lib.EVP_get_digestbyname( algorithm.name.encode('ascii') @@ -920,18 +874,6 @@ class Backend(object): if not isinstance(algorithm, hashes.HashAlgorithm): raise TypeError('Algorithm must be a registered hash algorithm.') - if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - if isinstance(private_key, _DSAPrivateKey): - raise NotImplementedError( - "CRL signatures aren't implemented for DSA" - " keys on OpenSSL versions less than 1.0.1." - ) - if isinstance(private_key, _EllipticCurvePrivateKey): - raise NotImplementedError( - "CRL signatures aren't implemented for EC" - " keys on OpenSSL versions less than 1.0.1." - ) - evp_md = self._lib.EVP_get_digestbyname( algorithm.name.encode('ascii') ) diff --git a/src/cryptography/hazmat/backends/openssl/ciphers.py b/src/cryptography/hazmat/backends/openssl/ciphers.py index bd5dfb31..898b3497 100644 --- a/src/cryptography/hazmat/backends/openssl/ciphers.py +++ b/src/cryptography/hazmat/backends/openssl/ciphers.py @@ -167,38 +167,3 @@ class _CipherContext(object): self._backend.openssl_assert(res != 0) tag = utils.read_only_property("_tag") - - -@utils.register_interface(ciphers.CipherContext) -class _AESCTRCipherContext(object): - """ - This is needed to provide support for AES CTR mode in OpenSSL 1.0.0. It can - be removed when we drop 1.0.0 support (RHEL 6.4 is the only thing that - ships it). - """ - def __init__(self, backend, cipher, mode): - self._backend = backend - - self._key = self._backend._ffi.new("AES_KEY *") - res = self._backend._lib.AES_set_encrypt_key( - cipher.key, len(cipher.key) * 8, self._key - ) - self._backend.openssl_assert(res == 0) - self._ecount = self._backend._ffi.new("unsigned char[]", 16) - self._nonce = self._backend._ffi.new("unsigned char[16]", mode.nonce) - self._num = self._backend._ffi.new("unsigned int *", 0) - - def update(self, data): - buf = self._backend._ffi.new("unsigned char[]", len(data)) - self._backend._lib.AES_ctr128_encrypt( - data, buf, len(data), self._key, self._nonce, - self._ecount, self._num - ) - return self._backend._ffi.buffer(buf)[:] - - def finalize(self): - self._key = None - self._ecount = None - self._nonce = None - self._num = None - return b"" diff --git a/src/cryptography/hazmat/backends/openssl/dsa.py b/src/cryptography/hazmat/backends/openssl/dsa.py index e82c043d..e2ed3dfd 100644 --- a/src/cryptography/hazmat/backends/openssl/dsa.py +++ b/src/cryptography/hazmat/backends/openssl/dsa.py @@ -7,7 +7,7 @@ from __future__ import absolute_import, division, print_function from cryptography import utils from cryptography.exceptions import InvalidSignature from cryptography.hazmat.backends.openssl.utils import ( - _calculate_digest_and_algorithm, _truncate_digest + _calculate_digest_and_algorithm ) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( @@ -15,24 +15,6 @@ from cryptography.hazmat.primitives.asymmetric import ( ) -def _truncate_digest_for_dsa(dsa_cdata, digest, backend): - """ - This function truncates digests that are longer than a given DS - key's length so they can be signed. OpenSSL does this for us in - 1.0.0c+, leaving us with three releases (1.0.0, 1.0.0a, and 1.0.0b) where - this is a problem. - """ - - q = backend._ffi.new("BIGNUM **") - backend._lib.DSA_get0_pqg( - dsa_cdata, backend._ffi.NULL, q, backend._ffi.NULL - ) - backend.openssl_assert(q[0] != backend._ffi.NULL) - - order_bits = backend._lib.BN_num_bits(q[0]) - return _truncate_digest(digest, order_bits) - - def _dsa_sig_sign(backend, private_key, data): sig_buf_len = backend._lib.DSA_size(private_key._dsa_cdata) sig_buf = backend._ffi.new("unsigned char[]", sig_buf_len) @@ -77,9 +59,6 @@ class _DSAVerificationContext(object): def verify(self): data_to_verify = self._hash_ctx.finalize() - data_to_verify = _truncate_digest_for_dsa( - self._public_key._dsa_cdata, data_to_verify, self._backend - ) _dsa_sig_verify( self._backend, self._public_key, self._signature, data_to_verify ) @@ -98,9 +77,6 @@ class _DSASignatureContext(object): def finalize(self): data_to_sign = self._hash_ctx.finalize() - data_to_sign = _truncate_digest_for_dsa( - self._private_key._dsa_cdata, data_to_sign, self._backend - ) return _dsa_sig_sign(self._backend, self._private_key, data_to_sign) @@ -212,7 +188,6 @@ class _DSAPrivateKey(object): data, algorithm = _calculate_digest_and_algorithm( self._backend, data, algorithm ) - data = _truncate_digest_for_dsa(self._dsa_cdata, data, self._backend) return _dsa_sig_sign(self._backend, self, data) @@ -286,5 +261,4 @@ class _DSAPublicKey(object): data, algorithm = _calculate_digest_and_algorithm( self._backend, data, algorithm ) - data = _truncate_digest_for_dsa(self._dsa_cdata, data, self._backend) return _dsa_sig_verify(self._backend, self, signature, data) diff --git a/src/cryptography/hazmat/backends/openssl/ec.py b/src/cryptography/hazmat/backends/openssl/ec.py index 5969f2a3..f2b52492 100644 --- a/src/cryptography/hazmat/backends/openssl/ec.py +++ b/src/cryptography/hazmat/backends/openssl/ec.py @@ -9,7 +9,7 @@ from cryptography.exceptions import ( InvalidSignature, UnsupportedAlgorithm, _Reasons ) from cryptography.hazmat.backends.openssl.utils import ( - _calculate_digest_and_algorithm, _truncate_digest + _calculate_digest_and_algorithm ) from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( @@ -17,31 +17,6 @@ from cryptography.hazmat.primitives.asymmetric import ( ) -def _truncate_digest_for_ecdsa(ec_key_cdata, digest, backend): - """ - This function truncates digests that are longer than a given elliptic - curve key's length so they can be signed. Since elliptic curve keys are - much shorter than RSA keys many digests (e.g. SHA-512) may require - truncation. - """ - - _lib = backend._lib - _ffi = backend._ffi - - group = _lib.EC_KEY_get0_group(ec_key_cdata) - - with backend._tmp_bn_ctx() as bn_ctx: - order = _lib.BN_CTX_get(bn_ctx) - backend.openssl_assert(order != _ffi.NULL) - - res = _lib.EC_GROUP_get_order(group, order, bn_ctx) - backend.openssl_assert(res == 1) - - order_bits = _lib.BN_num_bits(order) - - return _truncate_digest(digest, order_bits) - - def _check_signature_algorithm(signature_algorithm): if not isinstance(signature_algorithm, ec.ECDSA): raise UnsupportedAlgorithm( @@ -127,9 +102,6 @@ class _ECDSASignatureContext(object): def finalize(self): digest = self._digest.finalize() - digest = _truncate_digest_for_ecdsa( - self._private_key._ec_key, digest, self._backend - ) return _ecdsa_sig_sign(self._backend, self._private_key, digest) @@ -146,9 +118,6 @@ class _ECDSAVerificationContext(object): def verify(self): digest = self._digest.finalize() - digest = _truncate_digest_for_ecdsa( - self._public_key._ec_key, digest, self._backend - ) return _ecdsa_sig_verify( self._backend, self._public_key, self._signature, digest ) @@ -247,9 +216,6 @@ class _EllipticCurvePrivateKey(object): data, algorithm = _calculate_digest_and_algorithm( self._backend, data, signature_algorithm._algorithm ) - data = _truncate_digest_for_ecdsa( - self._ec_key, data, self._backend - ) return _ecdsa_sig_sign(self._backend, self, data) @@ -317,7 +283,4 @@ class _EllipticCurvePublicKey(object): data, algorithm = _calculate_digest_and_algorithm( self._backend, data, signature_algorithm._algorithm ) - data = _truncate_digest_for_ecdsa( - self._ec_key, data, self._backend - ) return _ecdsa_sig_verify(self._backend, self, signature, data) diff --git a/src/cryptography/hazmat/backends/openssl/rsa.py b/src/cryptography/hazmat/backends/openssl/rsa.py index 8996d884..0a375721 100644 --- a/src/cryptography/hazmat/backends/openssl/rsa.py +++ b/src/cryptography/hazmat/backends/openssl/rsa.py @@ -164,13 +164,6 @@ def _rsa_sig_determine_padding(backend, key, padding, algorithm): raise ValueError("Digest too large for key size. Use a larger " "key or different digest.") - if not backend._pss_mgf1_hash_supported(padding._mgf._algorithm): - raise UnsupportedAlgorithm( - "When OpenSSL is older than 1.0.1 then only SHA1 is " - "supported with MGF1.", - _Reasons.UNSUPPORTED_HASH - ) - padding_enum = backend._lib.RSA_PKCS1_PSS_PADDING else: raise UnsupportedAlgorithm( @@ -212,17 +205,15 @@ def _rsa_sig_sign(backend, padding, padding_enum, algorithm, private_key, ) backend.openssl_assert(res > 0) - if backend._lib.Cryptography_HAS_MGF1_MD: - # MGF1 MD is configurable in OpenSSL 1.0.1+ - mgf1_md = backend._lib.EVP_get_digestbyname( - padding._mgf._algorithm.name.encode("ascii")) - backend.openssl_assert( - mgf1_md != backend._ffi.NULL - ) - res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( - pkey_ctx, mgf1_md - ) - backend.openssl_assert(res > 0) + mgf1_md = backend._lib.EVP_get_digestbyname( + padding._mgf._algorithm.name.encode("ascii")) + backend.openssl_assert( + mgf1_md != backend._ffi.NULL + ) + res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( + pkey_ctx, mgf1_md + ) + backend.openssl_assert(res > 0) buflen = backend._ffi.new("size_t *") res = backend._lib.EVP_PKEY_sign( @@ -284,17 +275,15 @@ def _rsa_sig_verify(backend, padding, padding_enum, algorithm, public_key, ) ) backend.openssl_assert(res > 0) - if backend._lib.Cryptography_HAS_MGF1_MD: - # MGF1 MD is configurable in OpenSSL 1.0.1+ - mgf1_md = backend._lib.EVP_get_digestbyname( - padding._mgf._algorithm.name.encode("ascii")) - backend.openssl_assert( - mgf1_md != backend._ffi.NULL - ) - res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( - pkey_ctx, mgf1_md - ) - backend.openssl_assert(res > 0) + mgf1_md = backend._lib.EVP_get_digestbyname( + padding._mgf._algorithm.name.encode("ascii")) + backend.openssl_assert( + mgf1_md != backend._ffi.NULL + ) + res = backend._lib.EVP_PKEY_CTX_set_rsa_mgf1_md( + pkey_ctx, mgf1_md + ) + backend.openssl_assert(res > 0) res = backend._lib.EVP_PKEY_verify( pkey_ctx, diff --git a/src/cryptography/hazmat/backends/openssl/utils.py b/src/cryptography/hazmat/backends/openssl/utils.py index c88e3189..e8b4a307 100644 --- a/src/cryptography/hazmat/backends/openssl/utils.py +++ b/src/cryptography/hazmat/backends/openssl/utils.py @@ -4,31 +4,10 @@ from __future__ import absolute_import, division, print_function -import six - from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives.asymmetric.utils import Prehashed -def _truncate_digest(digest, order_bits): - digest_len = len(digest) - - if 8 * digest_len > order_bits: - digest_len = (order_bits + 7) // 8 - digest = digest[:digest_len] - - if 8 * digest_len > order_bits: - rshift = 8 - (order_bits & 0x7) - assert 0 < rshift < 8 - - mask = 0xFF >> rshift << rshift - - # Set the bottom rshift bits to 0 - digest = digest[:-1] + six.int2byte(six.indexbytes(digest, -1) & mask) - - return digest - - def _calculate_digest_and_algorithm(backend, data, algorithm): if not isinstance(algorithm, Prehashed): hash_ctx = hashes.Hash(algorithm, backend) diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py index d1cebd8e..46c32d14 100644 --- a/src/cryptography/hazmat/bindings/openssl/_conditional.py +++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py @@ -133,9 +133,6 @@ CONDITIONAL_NAMES = { "POINT_CONVERSION_COMPRESSED", "POINT_CONVERSION_UNCOMPRESSED", "POINT_CONVERSION_HYBRID", - ], - - "Cryptography_HAS_EC_1_0_1": [ "EC_KEY_get_flags", "EC_KEY_set_flags", "EC_KEY_clear_flags", @@ -195,9 +192,6 @@ CONDITIONAL_NAMES = { "RAND_egd_bytes", "RAND_query_egd_bytes", ], - "Cryptography_HAS_MGF1_MD": [ - "EVP_PKEY_CTX_set_rsa_mgf1_md", - ], "Cryptography_HAS_RSA_OAEP_MD": [ "EVP_PKEY_CTX_set_rsa_oaep_md", ], @@ -241,13 +235,6 @@ CONDITIONAL_NAMES = { "DTLSv1_method", ], - "Cryptography_HAS_NEXTPROTONEG": [ - "SSL_CTX_set_next_protos_advertised_cb", - "SSL_CTX_set_next_proto_select_cb", - "SSL_select_next_proto", - "SSL_get0_next_proto_negotiated", - ], - "Cryptography_HAS_ALPN": [ "SSL_CTX_set_alpn_protos", "SSL_set_alpn_protos", @@ -296,9 +283,6 @@ CONDITIONAL_NAMES = { "SSL_CTX_set_cert_cb", "SSL_set_cert_cb", ], - "Cryptography_HAS_AES_CTR128_ENCRYPT": [ - "AES_ctr128_encrypt", - ], "Cryptography_HAS_SSL_ST": [ "SSL_ST_BEFORE", "SSL_ST_OK", @@ -319,7 +303,4 @@ CONDITIONAL_NAMES = { "Cryptography_HAS_SCRYPT": [ "EVP_PBE_scrypt", ], - "Cryptography_HAS_NPN_NEGOTIATED": [ - "OPENSSL_NPN_NEGOTIATED", - ], } diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 39750abc..b6617543 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -5,10 +5,8 @@ from __future__ import absolute_import, division, print_function import collections -import os import threading import types -import warnings from cryptography.exceptions import InternalError from cryptography.hazmat.bindings._openssl import ffi, lib @@ -148,28 +146,9 @@ class Binding(object): _openssl_assert(cls.lib, res == 1) -def _verify_openssl_version(version): - if version < 0x10001000: - if os.environ.get("CRYPTOGRAPHY_ALLOW_OPENSSL_100"): - warnings.warn( - "OpenSSL version 1.0.0 is no longer supported by the OpenSSL " - "project, please upgrade. The next version of cryptography " - "will completely remove support for it.", - DeprecationWarning - ) - else: - raise RuntimeError( - "You are linking against OpenSSL 1.0.0, which is no longer " - "support by the OpenSSL project. You need to upgrade to a " - "newer version of OpenSSL." - ) - - # OpenSSL is not thread safe until the locks are initialized. We call this # method in module scope so that it executes with the import lock. On # Pythons < 3.4 this import lock is a global lock, which can prevent a race # condition registering the OpenSSL locks. On Python 3.4+ the import lock # is per module so this approach will not work. Binding.init_static_locks() - -_verify_openssl_version(Binding.lib.SSLeay()) diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 47c46065..6d6f3452 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -4,7 +4,6 @@ from __future__ import absolute_import, division, print_function -import datetime import itertools import os import subprocess @@ -26,11 +25,9 @@ from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import dsa, ec, padding from cryptography.hazmat.primitives.ciphers import Cipher from cryptography.hazmat.primitives.ciphers.algorithms import AES -from cryptography.hazmat.primitives.ciphers.modes import CBC, CTR +from cryptography.hazmat.primitives.ciphers.modes import CBC -from ..primitives.fixtures_dsa import DSA_KEY_2048 from ..primitives.fixtures_rsa import RSA_KEY_2048, RSA_KEY_512 -from ..primitives.test_ec import _skip_curve_unsupported from ...doubles import ( DummyAsymmetricPadding, DummyCipherAlgorithm, DummyHashAlgorithm, DummyMode ) @@ -77,11 +74,6 @@ class TestOpenSSL(object): def test_supports_cipher(self): assert backend.cipher_supported(None, None) is False - def test_aes_ctr_always_available(self): - # AES CTR should always be available, even in 1.0.0. - assert backend.cipher_supported(AES(b"\x00" * 16), - CTR(b"\x00" * 16)) is True - def test_register_duplicate_cipher_adapter(self): with pytest.raises(ValueError): backend.register_cipher_adapter(AES, CBC, None) @@ -325,35 +317,6 @@ class TestOpenSSLRSA(object): backend.generate_rsa_private_key(public_exponent=65537, key_size=256) - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_non_sha1_pss_mgf1_hash_algorithm_on_old_openssl(self): - private_key = RSA_KEY_512.private_key(backend) - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): - private_key.signer( - padding.PSS( - mgf=padding.MGF1( - algorithm=hashes.SHA256(), - ), - salt_length=padding.PSS.MAX_LENGTH - ), - hashes.SHA1() - ) - public_key = private_key.public_key() - with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_HASH): - public_key.verifier( - b"sig", - padding.PSS( - mgf=padding.MGF1( - algorithm=hashes.SHA256(), - ), - salt_length=padding.PSS.MAX_LENGTH - ), - hashes.SHA1() - ) - def test_rsa_padding_unsupported_pss_mgf1_hash(self): assert backend.rsa_padding_supported( padding.PSS(mgf=padding.MGF1(DummyHashAlgorithm()), salt_length=0) @@ -500,39 +463,12 @@ class TestOpenSSLRSA(object): ) -@pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101, - reason="Requires an OpenSSL version >= 1.0.1" -) class TestOpenSSLCMAC(object): def test_unsupported_cipher(self): with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER): backend.create_cmac_ctx(DummyCipherAlgorithm()) -class TestOpenSSLCreateX509CSR(object): - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_unsupported_dsa_keys(self): - private_key = DSA_KEY_2048.private_key(backend) - - with pytest.raises(NotImplementedError): - backend.create_x509_csr(object(), private_key, hashes.SHA1()) - - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_unsupported_ec_keys(self): - _skip_curve_unsupported(backend, ec.SECP256R1()) - private_key = ec.generate_private_key(ec.SECP256R1(), backend) - - with pytest.raises(NotImplementedError): - backend.create_x509_csr(object(), private_key, hashes.SHA1()) - - class TestOpenSSLSignX509Certificate(object): def test_requires_certificate_builder(self): private_key = RSA_KEY_2048.private_key(backend) @@ -542,55 +478,6 @@ class TestOpenSSLSignX509Certificate(object): object(), private_key, DummyHashAlgorithm() ) - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_sign_with_dsa_private_key_is_unsupported(self): - private_key = DSA_KEY_2048.private_key(backend) - builder = x509.CertificateBuilder() - builder = builder.subject_name( - x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')]) - ).serial_number( - 1 - ).public_key( - private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2032, 1, 1, 12, 1) - ) - - with pytest.raises(NotImplementedError): - builder.sign(private_key, hashes.SHA512(), backend) - - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_sign_with_ec_private_key_is_unsupported(self): - _skip_curve_unsupported(backend, ec.SECP256R1()) - private_key = ec.generate_private_key(ec.SECP256R1(), backend) - builder = x509.CertificateBuilder() - builder = builder.subject_name( - x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')]) - ).issuer_name( - x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')]) - ).serial_number( - 1 - ).public_key( - private_key.public_key() - ).not_valid_before( - datetime.datetime(2002, 1, 1, 12, 1) - ).not_valid_after( - datetime.datetime(2032, 1, 1, 12, 1) - ) - - with pytest.raises(NotImplementedError): - builder.sign(private_key, hashes.SHA512(), backend) - class TestOpenSSLSignX509CertificateRevocationList(object): def test_invalid_builder(self): @@ -599,43 +486,6 @@ class TestOpenSSLSignX509CertificateRevocationList(object): with pytest.raises(TypeError): backend.create_x509_crl(object(), private_key, hashes.SHA256()) - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_sign_with_dsa_private_key_is_unsupported(self): - private_key = DSA_KEY_2048.private_key(backend) - builder = x509.CertificateRevocationListBuilder() - builder = builder.issuer_name( - x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')]) - ).last_update( - datetime.datetime(2002, 1, 1, 12, 1) - ).next_update( - datetime.datetime(2032, 1, 1, 12, 1) - ) - - with pytest.raises(NotImplementedError): - builder.sign(private_key, hashes.SHA1(), backend) - - @pytest.mark.skipif( - backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER, - reason="Requires an older OpenSSL. Must be < 1.0.1" - ) - def test_sign_with_ec_private_key_is_unsupported(self): - _skip_curve_unsupported(backend, ec.SECP256R1()) - private_key = ec.generate_private_key(ec.SECP256R1(), backend) - builder = x509.CertificateRevocationListBuilder() - builder = builder.issuer_name( - x509.Name([x509.NameAttribute(x509.NameOID.COUNTRY_NAME, u'US')]) - ).last_update( - datetime.datetime(2002, 1, 1, 12, 1) - ).next_update( - datetime.datetime(2032, 1, 1, 12, 1) - ) - - with pytest.raises(NotImplementedError): - builder.sign(private_key, hashes.SHA512(), backend) - class TestOpenSSLCreateRevokedCertificate(object): def test_invalid_builder(self): diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index 3e01717c..85b51725 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -8,7 +8,7 @@ import pytest from cryptography.exceptions import InternalError from cryptography.hazmat.bindings.openssl.binding import ( - Binding, _OpenSSLErrorWithText, _openssl_assert, _verify_openssl_version + Binding, _OpenSSLErrorWithText, _openssl_assert ) @@ -79,11 +79,14 @@ class TestOpenSSL(object): def test_conditional_removal(self): b = Binding() - if b.lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER: - assert b.lib.CMAC_Init + if ( + b.lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and + not b.lib.CRYPTOGRAPHY_IS_LIBRESSL + ): + assert b.lib.TLS_ST_OK else: with pytest.raises(AttributeError): - b.lib.CMAC_Init + b.lib.TLS_ST_OK def test_openssl_assert_error_on_stack(self): b = Binding() @@ -107,9 +110,3 @@ class TestOpenSSL(object): b'ex:data not multiple of block length' ) )] - - def test_verify_openssl_version(self, monkeypatch): - monkeypatch.delenv("CRYPTOGRAPHY_ALLOW_OPENSSL_100", raising=False) - with pytest.raises(RuntimeError): - # OpenSSL 1.0.0 - _verify_openssl_version(0x100000F) diff --git a/tests/test_x509.py b/tests/test_x509.py index 966cba6f..1ecf6b6a 100644 --- a/tests/test_x509.py +++ b/tests/test_x509.py @@ -2082,9 +2082,6 @@ class TestCertificateBuilder(object): @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_build_cert_with_dsa_private_key(self, backend): - if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") - issuer_private_key = DSA_KEY_2048.private_key(backend) subject_private_key = DSA_KEY_2048.private_key(backend) @@ -2130,9 +2127,6 @@ class TestCertificateBuilder(object): @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_build_cert_with_ec_private_key(self, backend): - if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") - _skip_curve_unsupported(backend, ec.SECP256R1()) issuer_private_key = ec.generate_private_key(ec.SECP256R1(), backend) subject_private_key = ec.generate_private_key(ec.SECP256R1(), backend) @@ -2734,9 +2728,6 @@ class TestCertificateSigningRequestBuilder(object): @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) def test_build_ca_request_with_ec(self, backend): - if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") - _skip_curve_unsupported(backend, ec.SECP256R1()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) @@ -2764,9 +2755,6 @@ class TestCertificateSigningRequestBuilder(object): @pytest.mark.requires_backend_interface(interface=DSABackend) def test_build_ca_request_with_dsa(self, backend): - if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") - private_key = DSA_KEY_2048.private_key(backend) request = x509.CertificateSigningRequestBuilder().subject_name( diff --git a/tests/test_x509_crlbuilder.py b/tests/test_x509_crlbuilder.py index 0d29a3ea..f0306ef0 100644 --- a/tests/test_x509_crlbuilder.py +++ b/tests/test_x509_crlbuilder.py @@ -347,8 +347,6 @@ class TestCertificateRevocationListBuilder(object): @pytest.mark.requires_backend_interface(interface=DSABackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_sign_dsa_key(self, backend): - if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") private_key = DSA_KEY_2048.private_key(backend) invalidity_date = x509.InvalidityDate( datetime.datetime(2002, 1, 1, 0, 0) @@ -393,8 +391,6 @@ class TestCertificateRevocationListBuilder(object): @pytest.mark.requires_backend_interface(interface=EllipticCurveBackend) @pytest.mark.requires_backend_interface(interface=X509Backend) def test_sign_ec_key_unsupported(self, backend): - if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101: - pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1") _skip_curve_unsupported(backend, ec.SECP256R1()) private_key = ec.generate_private_key(ec.SECP256R1(), backend) invalidity_date = x509.InvalidityDate( |