Move to a libressl policy (#7605)

This policy is to support things that are in supported versions of openbsd. the current oldest supported openbsd is 7.0, which included libressl 3.4

.github/workflows/ci.yml

@@ -37,7 +37,6 @@ jobs:
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "3.0.5"}}
           - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.0.5"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "libressl", VERSION: "3.3.6"}}
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "libressl", VERSION: "3.4.3"}}
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "libressl", VERSION: "3.5.3"}}
           - {VERSION: "3.11-dev", TOXENV: "py311"}

CHANGELOG.rst

@@ -10,8 +10,10 @@ Changelog
 
 * **BACKWARDS INCOMPATIBLE:** Support for OpenSSL 1.1.0 has been removed.
   Users on older version of OpenSSL will need to upgrade.
-* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL 3.1.x, 3.2.x,
-  3.3.0, and 3.3.1. The new minimum LibreSSL version is 3.3.2+.
+* **BACKWARDS INCOMPATIBLE:** Dropped support for LibreSSL < 3.4. The new
+  minimum LibreSSL version is 3.4.0. Going forward our policy is to support
+  versions of LibreSSL that are available in versions of OpenBSD that are
+  still receiving security support.
 * **BACKWARDS INCOMPATIBLE:** Removed the ``encode_point`` and
   ``from_encoded_point`` methods on
   :class:`~cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers`,

docs/installation.rst

@@ -34,8 +34,9 @@ OpenSSL releases:
 * ``OpenSSL 1.1.1-latest``
 * ``OpenSSL 3.0-latest``
 
-In addition we test against several versions of LibreSSL and the latest commit
-in BoringSSL.
+In addition we test against versions of LibreSSL that are available in
+versions of OpenBSD that are receiving security support at the time of a given
+``cryptography`` release, and the latest commit in BoringSSL.
 
 
 Building cryptography on Windows

src/_cffi_src/openssl/cryptography.py

@@ -32,13 +32,10 @@
 #endif
 
 #if CRYPTOGRAPHY_IS_LIBRESSL
-#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 \
-    (LIBRESSL_VERSION_NUMBER < 0x3040000f)
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 \
     (LIBRESSL_VERSION_NUMBER < 0x3050000f)
 
 #else
-#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0)
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 (0)
 #endif
 
@@ -73,7 +70,6 @@
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E;
 static const int CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE;
 
-static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340;
 static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350;
 
 static const int CRYPTOGRAPHY_IS_LIBRESSL;

src/_cffi_src/openssl/evp.py

@@ -34,7 +34,6 @@
 static const int Cryptography_HAS_SCRYPT;
 static const int Cryptography_HAS_EVP_PKEY_DHX;
 static const int Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint;
-static const int Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY;
 static const long Cryptography_HAS_RAW_KEY;
 static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF;
 static const long Cryptography_HAS_300_FIPS;
@@ -203,16 +202,6 @@
                                       size_t) = NULL;
 #endif
 
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340
-static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
-int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *,
-                      const unsigned char *tbs, size_t) = NULL;
-int (*EVP_DigestVerify)(EVP_MD_CTX *, const unsigned char *, size_t,
-                        const unsigned char *, size_t) = NULL;
-#else
-static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
-#endif
-
 #if CRYPTOGRAPHY_IS_LIBRESSL
 static const long Cryptography_HAS_RAW_KEY = 0;
 static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;

src/_cffi_src/openssl/ssl.py

@@ -15,7 +15,6 @@
 static const long Cryptography_HAS_SSL3_METHOD;
 static const long Cryptography_HAS_TLSv1_1;
 static const long Cryptography_HAS_TLSv1_2;
-static const long Cryptography_HAS_TLSv1_3;
 static const long Cryptography_HAS_TLSv1_3_FUNCTIONS;
 static const long Cryptography_HAS_SECURE_RENEGOTIATION;
 static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS;
@@ -741,15 +740,7 @@
 SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL;
 #endif
 
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340
-static const long Cryptography_HAS_TLSv1_3 = 0;
-static const long TLS1_3_VERSION = 0;
-static const long SSL_OP_NO_TLSv1_3 = 0;
-#else
-static const long Cryptography_HAS_TLSv1_3 = 1;
-#endif
-
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_BORINGSSL
 static const long Cryptography_HAS_TLSv1_3_FUNCTIONS = 0;
 
 static const long SSL_VERIFY_POST_HANDSHAKE = 0;
@@ -802,7 +793,7 @@
                                               size_t *,
                                               SSL_SESSION **
                                           )) = NULL;
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_BORINGSSL
 const SSL_CIPHER *(*SSL_CIPHER_find)(SSL *, const unsigned char *) = NULL;
 #endif
 int (*SSL_SESSION_set1_master_key)(SSL_SESSION *, const unsigned char *,

src/cryptography/hazmat/backends/openssl/backend.py

@@ -2173,11 +2173,6 @@ def load_pkcs12(
                 p12, password_buf, evp_pkey_ptr, x509_ptr, sk_x509_ptr
             )
 
-        # Workaround for
-        # https://github.com/libressl-portable/portable/issues/659
-        if self._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340:
-            self._consume_errors()
-
         if res == 0:
             self._consume_errors()
             raise ValueError("Invalid password or PKCS12 data")

src/cryptography/hazmat/bindings/openssl/_conditional.py

@@ -88,13 +88,6 @@ def cryptography_has_poly1305() -> typing.List[str]:
     ]
 
 
-def cryptography_has_oneshot_evp_digest_sign_verify() -> typing.List[str]:
-    return [
-        "EVP_DigestSign",
-        "EVP_DigestVerify",
-    ]
-
-
 def cryptography_has_evp_digestfinal_xof() -> typing.List[str]:
     return [
         "EVP_DigestFinalXOF",
@@ -155,13 +148,6 @@ def cryptography_has_openssl_cleanup() -> typing.List[str]:
     ]
 
 
-def cryptography_has_tlsv13() -> typing.List[str]:
-    return [
-        "TLS1_3_VERSION",
-        "SSL_OP_NO_TLSv1_3",
-    ]
-
-
 def cryptography_has_tlsv13_functions() -> typing.List[str]:
     return [
         "SSL_VERIFY_POST_HANDSHAKE",
@@ -328,9 +314,6 @@ def cryptography_has_ssl_op_ignore_unexpected_eof() -> typing.List[str]:
     "Cryptography_HAS_ED448": cryptography_has_ed448,
     "Cryptography_HAS_ED25519": cryptography_has_ed25519,
     "Cryptography_HAS_POLY1305": cryptography_has_poly1305,
-    "Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY": (
-        cryptography_has_oneshot_evp_digest_sign_verify
-    ),
     "Cryptography_HAS_EVP_PKEY_get_set_tls_encodedpoint": (
         cryptography_has_evp_pkey_get_set_tls_encodedpoint
     ),
@@ -340,7 +323,6 @@ def cryptography_has_ssl_op_ignore_unexpected_eof() -> typing.List[str]:
     "Cryptography_HAS_PSK_TLSv1_3": cryptography_has_psk_tlsv13,
     "Cryptography_HAS_CUSTOM_EXT": cryptography_has_custom_ext,
     "Cryptography_HAS_OPENSSL_CLEANUP": cryptography_has_openssl_cleanup,
-    "Cryptography_HAS_TLSv1_3": cryptography_has_tlsv13,
     "Cryptography_HAS_TLSv1_3_FUNCTIONS": cryptography_has_tlsv13_functions,
     "Cryptography_HAS_KEYLOG": cryptography_has_keylog,
     "Cryptography_HAS_RAW_KEY": cryptography_has_raw_key,