-rw-r--r-- | CHANGELOG.rst | 4 | ||||
-rw-r--r-- | cryptography/hazmat/bindings/openssl/binding.py | 16 | ||||
-rw-r--r-- | docs/installation.rst | 31 | ||||
-rw-r--r-- | docs/security.rst | 10 | ||||
-rw-r--r-- | tasks.py | 1 | ||||
-rw-r--r-- | tests/hazmat/bindings/test_openssl.py | 14 |
6 files changed, 68 insertions, 8 deletions
diff --git a/CHANGELOG.rst b/CHANGELOG.rst index a49f3f46..b7506b29 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -11,6 +11,10 @@ Changelog truncation of tags by default. Previous versions of ``cryptography`` allowed tags to be truncated by default, applications wishing to preserve this behavior (not recommended) can pass the ``min_tag_length`` argument. +* Windows builds now statically link OpenSSL by default. When installing a + wheel on Windows you no longer need to install OpenSSL separately. Windows + users can switch between static and dynamic linking with an environment + variable. See :doc:`/installation` for more details. * Added :class:`~cryptography.hazmat.primitives.kdf.hkdf.HKDFExpand`. * Added :class:`~cryptography.hazmat.primitives.ciphers.modes.CFB8` support for :class:`~cryptography.hazmat.primitives.ciphers.algorithms.AES` and diff --git a/cryptography/hazmat/bindings/openssl/binding.py b/cryptography/hazmat/bindings/openssl/binding.py index 554c3c3e..4cd1b89b 100644 --- a/cryptography/hazmat/bindings/openssl/binding.py +++ b/cryptography/hazmat/bindings/openssl/binding.py @@ -13,6 +13,7 @@ from __future__ import absolute_import, division, print_function +import os import sys import threading @@ -97,7 +98,8 @@ class Binding(object): if sys.platform != "win32": libraries = ["crypto", "ssl"] else: # pragma: no cover - libraries = ["libeay32", "ssleay32", "advapi32"] + link_type = os.environ.get("PYCA_WINDOWS_LINK_TYPE", "static") + libraries = _get_windows_libraries(link_type) cls.ffi, cls.lib = build_ffi( module_prefix=cls._module_prefix, 
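Review bot: The `os.environ.get("PYCA_WINDOWS_LINK_TYPE", "static")` lookup in the second binding.py hunk has no comment, although it decides how OpenSSL reaches the process. With `static` the OpenSSL code is built into the extension, so an OpenSSL fix only arrives with a new release of this package (the docs/security.rst change in this commit says as much). With `dynamic` the libeay32/ssleay32 DLLs are resolved by the Windows loader at run time, so the version and origin of the library depend on the host. I would state that above the lookup, for example `# Build-time switch: "static" bundles OpenSSL, "dynamic" uses the DLLs found at load time.` The enclosing method starts and ends outside the hunk.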
@@ -154,3 +156,15 @@ class Binding(object):
 mode, n, file, line
 )
 )
+
+
+def _get_windows_libraries(link_type):
+ if link_type == "dynamic":
+ return ["libeay32", "ssleay32", "advapi32"]
+ elif link_type == "static" or link_type == "":
+ return ["libeay32mt", "ssleay32mt", "advapi32",
+ "crypt32", "gdi32", "user32", "ws2_32"]
+ else:
+ raise ValueError(
+ "PYCA_WINDOWS_LINK_TYPE must be 'static' or 'dynamic'"
+ )
diff --git a/docs/installation.rst b/docs/installation.rst
index 8fbbcb30..339d8b76 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
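Review bot: The `ValueError` raised at the end of `_get_windows_libraries` does not say which value was rejected, and the comparison is exact, so a value that differs only in case or carries stray whitespace fails with a message that reads as if the documented value had been set. Rejecting unknown values is the right default for a switch that selects the crypto library, so I would keep the strict match and only echo the input: `"PYCA_WINDOWS_LINK_TYPE must be 'static' or 'dynamic', got {0!r}".format(link_type)`. The function also has no docstring; one sentence saying that it maps the link type to the library names handed to `build_ffi`, treats an empty string as `static`, and raises `ValueError` for anything else would be enough.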
@@ -35,16 +35,35 @@ OpenSSL releases: On Windows ---------- -If you're on Windows you'll need to make sure you have OpenSSL installed. -There are `pre-compiled binaries`_ available. If your installation is in -an unusual location set the ``LIB`` and ``INCLUDE`` environment variables -to include the corresponding locations. For example: +The wheel package on Windows is a statically linked build (as of 0.5) so all +dependencies are included. Just run + +.. code-block:: console + + $ pip install cryptography + +If you prefer to compile it yourself you'll need to have OpenSSL installed. +There are `pre-compiled binaries`_ available. If your installation is in an +unusual location set the ``LIB`` and ``INCLUDE`` environment variables to +include the corresponding locations.For example: + +.. code-block:: console + + C:\> \path\to\vcvarsall.bat x86_amd64 + C:\> set LIB=C:\OpenSSL\lib\VC\static;C:\OpenSSL\lib;%LIB% + C:\> set INCLUDE=C:\OpenSSL\include;%INCLUDE% + C:\> pip install cryptography + +You can also choose to build statically or dynamically using the +``PYCA_WINDOWS_LINK_TYPE`` variable. Allowed values are ``static`` (default) +and ``dynamic``. .. code-block:: console C:\> \path\to\vcvarsall.bat x86_amd64 - C:\> set LIB=C:\OpenSSL-1.0.1g-64bit\lib;%LIB% - C:\> set INCLUDE=C:\OpenSSL-1.0.1g-64bit\include;%INCLUDE% + C:\> set LIB=C:\OpenSSL\lib\VC\static;C:\OpenSSL\lib;%LIB% + C:\> set INCLUDE=C:\OpenSSL\include;%INCLUDE% + C:\> set PYCA_WINDOWS_LINK_TYPE=dynamic C:\> pip install cryptography Building cryptography on Linux diff --git a/docs/security.rst b/docs/security.rst index 3d44cd3d..3bb10fa4 100644 --- a/docs/security.rst +++ b/docs/security.rst 
@@ -27,6 +27,16 @@ Supported Versions At any given time, we will provide security support for the `master`_ branch as well as the 2 most recent releases. +New releases for OpenSSL updates +-------------------------------- + +As of version 0.5, ``cryptography`` statically links OpenSSL on Windows to ease +installation. Due to this, ``cryptography`` will release a new version whenever +OpenSSL has a security or bug fix release to avoid shipping insecure software. + +Like all our other releases, this will be announced on the mailing list and we +strongly recommend that you upgrade as soon as possible. + Disclosure Process ------------------ @@ -10,6 +10,7 @@ # implied. # See the License for the specific language governing permissions and # limitations under the License. + from __future__ import absolute_import, division, print_function import getpass diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index 58d7602b..d22c4fd2 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -15,7 +15,9 @@ from __future__ import absolute_import, division, print_function import pytest -from cryptography.hazmat.bindings.openssl.binding import Binding +from cryptography.hazmat.bindings.openssl.binding import ( + Binding, _get_windows_libraries +) class TestOpenSSL(object): @@ -137,3 +139,13 @@ class TestOpenSSL(object): resp = b.lib.SSL_set_mode(ssl, b.lib.SSL_OP_ALL) assert resp == b.lib.SSL_OP_ALL assert b.lib.SSL_OP_ALL == b.lib.SSL_get_mode(ssl) + + def test_windows_static_dynamic_libraries(self): + assert "ssleay32mt" in _get_windows_libraries("static") + + assert "ssleay32mt" in _get_windows_libraries("") + + assert "ssleay32" in _get_windows_libraries("dynamic") + + with pytest.raises(ValueError): + _get_windows_libraries("notvalid") |
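Review bot: The assertions in `test_windows_static_dynamic_libraries` check one library name per mode, so a result that mixed the static and dynamic names would still pass. Since the environment lookup in binding.py sits under `# pragma: no cover`, this helper test is the only check on which OpenSSL libraries get linked. I would pin the separation as well, for example `assert "ssleay32mt" not in _get_windows_libraries("dynamic")` and `assert "ssleay32" not in _get_windows_libraries("static")`. The `TestOpenSSL` class starts outside the hunk.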