From 83446ec373f9ae11a13404260ca2053308872a71 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Tue, 6 Sep 2022 22:11:13 -0400
Subject: [PATCH] Drop OpenSSL 1.1.0

There's still a few TODOs for cleanup.

Refs #7109
---
 .github/workflows/ci.yml | 1 -
 CHANGELOG.rst | 2 ++
 docs/faq.rst | 16 +++++------
 docs/installation.rst | 5 ----
 src/_cffi_src/openssl/cryptography.py | 7 ++---
 src/_cffi_src/openssl/evp.py | 5 ++--
 src/_cffi_src/openssl/ssl.py | 27 ++++--------------
 .../hazmat/backends/openssl/backend.py | 2 +-
 .../hazmat/bindings/openssl/_conditional.py | 10 -------
 .../hazmat/bindings/openssl/binding.py | 18 -------------
 10 files changed, 20 insertions(+), 73 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 58893772c9a7..c178435a6fa6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,7 +32,6 @@ jobs:
 - {VERSION: "pypy-3.7", TOXENV: "pypy3-nocoverage"}
 - {VERSION: "pypy-3.8", TOXENV: "pypy3-nocoverage"}
 - {VERSION: "pypy-3.9", TOXENV: "pypy3-nocoverage"}
- - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
 - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q"}}
 - {VERSION: "3.10", TOXENV: "py310-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q"}}
 - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index bfca9438cd50..9c5bc83538bc 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -8,6 +8,8 @@ Changelog
 .. note::
 This version is not yet released and is under active development.
+* Support for OpenSSL 1.1.0 has been removed. Users on older version of
+ OpenSSL will need to upgrade.
 .. _v38-0-0:
diff --git a/docs/faq.rst b/docs/faq.rst
index f9f35c149dd3..640ec9e3aeb5 100644
--- a/docs/faq.rst
+++ b/docs/faq.rst
@@ -111,14 +111,14 @@ earlier the default compiler is extremely old. Use ``pkg_add`` to install a newer ``gcc`` and then install ``cryptography`` using ``CC=/path/to/newer/gcc pip install cryptography``.
-Installing cryptography with OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.0.2 fails
----------------------------------------------------------------------
-
-The OpenSSL project has dropped support for the 0.9.8, 1.0.0, 1.0.1, and 1.0.2
-release series. Since they are no longer receiving security patches from
-upstream, ``cryptography`` is also dropping support for them. To fix this issue
-you should upgrade to a newer version of OpenSSL (1.1.0 or later). This may
-require you to upgrade to a newer operating system.
+Installing cryptography with OpenSSL 0.9.8, 1.0.0, 1.0.1, 1.0.2, 1.1.0 fails
+----------------------------------------------------------------------------
+
+The OpenSSL project has dropped support for the 0.9.8, 1.0.0, 1.0.1, 1.0.2,
+and 1.1.0 release series. Since they are no longer receiving security patches
+from upstream, ``cryptography`` is also dropping support for them. To fix this
+issue you should upgrade to a newer version of OpenSSL (1.1.1 or later). This
+may require you to upgrade to a newer operating system.
 Installing ``cryptography`` fails with ``error: Can not find Rust compiler``
 ----------------------------------------------------------------------------
diff --git a/docs/installation.rst b/docs/installation.rst
index 361ed5a07d15..44dc9519bf12 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -31,17 +31,12 @@ operating systems. We test compiling with ``clang`` as well as ``gcc`` and use the following OpenSSL releases:
-* ``OpenSSL 1.1.0-latest``
 * ``OpenSSL 1.1.1-latest``
 * ``OpenSSL 3.0-latest``
 In addition we test against several versions of LibreSSL and the latest commit in BoringSSL.
-.. warning::
-
- Cryptography 37.0.0 has deprecated support for OpenSSL 1.1.0.
-
 Building cryptography on Windows
 --------------------------------
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index f92dd2a0a2d9..b5d4eb3cbd2f 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -55,8 +55,8 @@
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 (0)
 #endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- #error "pyca/cryptography MUST be linked with Openssl 1.1.0 or later"
+#if OPENSSL_VERSION_NUMBER < 0x10101000
+ #error "pyca/cryptography MUST be linked with Openssl 1.1.1 or later"
 #endif
 #define CRYPTOGRAPHY_OPENSSL_111D_OR_GREATER \
@@ -64,8 +64,6 @@
 #define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \
 (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL)
-#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 \
- (OPENSSL_VERSION_NUMBER < 0x10101000 || CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \
 (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \
@@ -84,7 +82,6 @@ static const int CRYPTOGRAPHY_OPENSSL_111D_OR_GREATER;
 static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
-static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111;
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E;
 static const int CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE;
diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py
index f4d9fb953cd5..91f61a77e2e9 100644
--- a/src/_cffi_src/openssl/evp.py
+++ b/src/_cffi_src/openssl/evp.py
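Review bot: The new floor `#if OPENSSL_VERSION_NUMBER < 0x10101000` is a bare version comparison, whereas the neighbouring gates that care about the fork spell it out (`CRYPTOGRAPHY_OPENSSL_300_OR_GREATER` and `CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B` both test `CRYPTOGRAPHY_IS_LIBRESSL`), and nothing in this file says whether LibreSSL or BoringSSL builds are expected to clear the guard on their own version numbers. A one-line comment above the `#if` would make that assumption reviewable, e.g. `/* Version floor for upstream OpenSSL; LibreSSL/BoringSSL are assumed to report a number above it and are gated via CRYPTOGRAPHY_IS_* below -- confirm for both forks */`. While the `#error` string is being edited, `Openssl` could become `OpenSSL` to match the spelling used in the CHANGELOG entry.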
@@ -203,8 +203,7 @@ size_t) = NULL;
 #endif
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
- (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340
 static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 0;
 int (*EVP_DigestSign)(EVP_MD_CTX *, unsigned char *, size_t *, const unsigned char *tbs, size_t) = NULL;
@@ -214,7 +213,7 @@ static const long Cryptography_HAS_ONESHOT_EVP_DIGEST_SIGN_VERIFY = 1;
 #endif
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+#if CRYPTOGRAPHY_IS_LIBRESSL
 static const long Cryptography_HAS_RAW_KEY = 0;
 static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 0;
 int (*EVP_DigestFinalXOF)(EVP_MD_CTX *, unsigned char *, size_t) = NULL;
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 61f83ef8ad99..cd1a789521c3 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -25,7 +25,6 @@ static const long Cryptography_HAS_PSK_TLSv1_3;
 static const long Cryptography_HAS_VERIFIED_CHAIN;
 static const long Cryptography_HAS_KEYLOG;
-static const long Cryptography_HAS_GET_PROTO_VERSION;
 static const long Cryptography_HAS_TLSEXT_HOSTNAME;
 static const long Cryptography_HAS_SSL_COOKIE;
@@ -566,8 +565,7 @@ static const long Cryptography_HAS_VERIFIED_CHAIN = 1;
 #endif
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 || \
- (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350
 static const long Cryptography_HAS_KEYLOG = 0;
 void (*SSL_CTX_set_keylog_callback)(SSL_CTX *, void (*) (const SSL *, const char *)
@@ -653,7 +651,7 @@ long (*DTLS_get_link_min_mtu)(SSL *) = NULL;
 #endif
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 || CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL
 static const long Cryptography_HAS_DTLS_GET_DATA_MTU = 0;
 size_t (*DTLS_get_data_mtu)(SSL *) = NULL;
 #else
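Review bot: `#if CRYPTOGRAPHY_IS_LIBRESSL` turns the raw-key/XOF gate from a version test into a blanket "never on LibreSSL", while the sibling gate in the preceding hunk keeps a versioned macro (`CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340`). Should a later LibreSSL release add `EVP_PKEY_new_raw_private_key` or `EVP_DigestFinalXOF`, this line would keep them disabled with no signal, so the choice deserves a comment on the new `#if`, e.g. `/* no LibreSSL release exposes the raw-key or DigestFinalXOF APIs yet; move to a LIBRESSL_LESS_THAN_* macro when one does */`. The matching `#else` branch that sets the two flags to 1 lies outside the hunk.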
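Review bot: `#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL` on the DTLS_get_data_mtu gate now means "any non-upstream build" rather than a version, and the same two-term disjunction is spelled out again for the PSK gate further down this file; each repetition is a place to forget a fork when the next one is added. If no such helper exists yet, one definition beside the other `CRYPTOGRAPHY_*` macros, e.g. `#define CRYPTOGRAPHY_IS_FORK (CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL)`, would let these read `#if CRYPTOGRAPHY_IS_FORK` and keep the fork list in one place. The `#else` of this block is in the hunk but its closing `#endif` is not.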
@@ -747,8 +745,7 @@ SRTP_PROTECTION_PROFILE * (*SSL_get_selected_srtp_profile)(SSL *) = NULL;
 #endif
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
- (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340
 static const long Cryptography_HAS_TLSv1_3 = 0;
 static const long TLS1_3_VERSION = 0;
 static const long SSL_OP_NO_TLSv1_3 = 0;
@@ -756,9 +753,7 @@ static const long Cryptography_HAS_TLSv1_3 = 1;
 #endif
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || \
- (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL) || \
- CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 || CRYPTOGRAPHY_IS_BORINGSSL
 static const long Cryptography_HAS_TLSv1_3_FUNCTIONS = 0;
 static const long SSL_VERIFY_POST_HANDSHAKE = 0;
@@ -774,17 +769,6 @@ static const long Cryptography_HAS_TLSv1_3_FUNCTIONS = 1;
 #endif
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL
-static const long Cryptography_HAS_GET_PROTO_VERSION = 0;
-
-long (*SSL_CTX_get_min_proto_version)(SSL_CTX *) = NULL;
-long (*SSL_CTX_get_max_proto_version)(SSL_CTX *) = NULL;
-long (*SSL_get_min_proto_version)(SSL *) = NULL;
-long (*SSL_get_max_proto_version)(SSL *) = NULL;
-#else
-static const long Cryptography_HAS_GET_PROTO_VERSION = 1;
-#endif
-
 #if CRYPTOGRAPHY_IS_BORINGSSL
 static const long Cryptography_HAS_SSL_COOKIE = 0;
@@ -805,8 +789,7 @@
 #else
 static const long Cryptography_HAS_SSL_COOKIE = 1;
 #endif
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 || \
- CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL
 static const long Cryptography_HAS_PSK_TLSv1_3 = 0;
 void (*SSL_CTX_set_psk_find_session_callback)(SSL_CTX *, int (*)(
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 7cc7f97bb52b..e1bcb398b8c0 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
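Review bot: The new `#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL` disables `Cryptography_HAS_PSK_TLSv1_3` for every LibreSSL release, while the gate for `Cryptography_HAS_TLSv1_3_FUNCTIONS` two hunks up only excludes LibreSSL before 3.4, so a LibreSSL 3.4+ build ends up with TLS 1.3 functions but no TLS 1.3 PSK and nothing records why. If that is intentional (presumably LibreSSL lacks `SSL_CTX_set_psk_find_session_callback`), a comment on the `#if` would save the next reader a trip to the headers, e.g. `/* TLS 1.3 PSK session callbacks are upstream-only; LibreSSL's TLS 1.3 has no find_session/use_session hooks -- verify against current LibreSSL */`. The callback prototype that follows continues past the hunk.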
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1980,7 +1980,7 @@ def x448_supported(self) -> bool:
 if self._fips_enabled:
 return False
 return (
- not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+ not self._lib.CRYPTOGRAPHY_IS_LIBRESSL
 and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL
 )
diff --git a/src/cryptography/hazmat/bindings/openssl/_conditional.py b/src/cryptography/hazmat/bindings/openssl/_conditional.py
index 10f307af7960..24a8871f0c1c 100644
--- a/src/cryptography/hazmat/bindings/openssl/_conditional.py
+++ b/src/cryptography/hazmat/bindings/openssl/_conditional.py
@@ -230,15 +230,6 @@ def cryptography_has_srtp() -> typing.List[str]:
 ]
-def cryptography_has_get_proto_version() -> typing.List[str]:
- return [
- "SSL_CTX_get_min_proto_version",
- "SSL_CTX_get_max_proto_version",
- "SSL_get_min_proto_version",
- "SSL_get_max_proto_version",
- ]
-
-
 def cryptography_has_providers() -> typing.List[str]:
 return [
 "OSSL_PROVIDER_load",
@@ -366,7 +357,6 @@ def cryptography_has_ssl_op_ignore_unexpected_eof() -> typing.List[str]:
 "Cryptography_HAS_ENGINE": cryptography_has_engine,
 "Cryptography_HAS_VERIFIED_CHAIN": cryptography_has_verified_chain,
 "Cryptography_HAS_SRTP": cryptography_has_srtp,
- "Cryptography_HAS_GET_PROTO_VERSION": cryptography_has_get_proto_version,
 "Cryptography_HAS_PROVIDERS": cryptography_has_providers,
 "Cryptography_HAS_OP_NO_RENEGOTIATION": (
 cryptography_has_op_no_renegotiation
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index 2b4c574b4c34..9949ce33ac23 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
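Review bot: `x448_supported` now answers purely from fork identity (`not CRYPTOGRAPHY_IS_LIBRESSL and not CRYPTOGRAPHY_IS_BORINGSSL`) plus the FIPS flag, but the method carries no docstring saying so and nothing in the hunk states why the two forks are excluded. A short docstring under the `def` (which appears only in the hunk header) would fix that: `"""X448 is offered only on upstream OpenSSL (now >= 1.1.1) outside FIPS mode; LibreSSL and BoringSSL builds return False."""`. The same LibreSSL condition now also drives `Cryptography_HAS_RAW_KEY` in evp.py, so a `# keep in sync with Cryptography_HAS_RAW_KEY in _cffi_src/openssl/evp.py` note on the `return (` line would help keep the two from drifting.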
@@ -6,10 +6,8 @@ import threading
 import types
 import typing
-import warnings
 import cryptography
-from cryptography import utils
 from cryptography.exceptions import InternalError
 from cryptography.hazmat.bindings._openssl import ffi, lib
 from cryptography.hazmat.bindings.openssl._conditional import CONDITIONAL_NAMES
@@ -188,20 +186,6 @@ def init_static_locks(cls):
 cls._ensure_ffi_initialized()
-def _verify_openssl_version(lib):
- if (
- lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
- and not lib.CRYPTOGRAPHY_IS_LIBRESSL
- and not lib.CRYPTOGRAPHY_IS_BORINGSSL
- ):
- warnings.warn(
- "OpenSSL version 1.1.0 is no longer supported by the OpenSSL "
- "project, please upgrade. The next release of cryptography will "
- "drop support for OpenSSL 1.1.0.",
- utils.DeprecatedIn37,
- )
-
-
 def _verify_package_version(version):
 # Occasionally we run into situations where the version of the Python
 # package does not match the version of the shared object that is loaded.
@@ -226,5 +210,3 @@ def _verify_package_version(version):
 _verify_package_version(cryptography.__version__)
 Binding.init_static_locks()
-
-_verify_openssl_version(Binding.lib)