Backport LibreSSL 3.8.2 support for a 41.0.7 release (#9931)
* Backport LibreSSL 3.8.2 support for a 41.0.7 release

* ci fixes

* LibreSSL 3.8.1 and later is OPENSSL_NO_ENGINE (#9456)

Unfortunately, some projects are not prepared to build without
ENGINE symbols, so just like BoringSSL we needed to keep some stubs.

* Don't build dh code on BoringSSL (#9103)

It doesn't support DH via EVP

* Update ci.yml (#9527)

---------

Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
alex and botovq authored Nov 28, 2023
1 parent f09c261 commit 4054596
Showing 10 changed files with 42 additions and 19 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -40,11 +40,11 @@ jobs:
- {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}}
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}}
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}}
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}}
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
- {VERSION: "3.11", NOXSESSION: "tests-randomorder"}
- {VERSION: "3.12-dev", NOXSESSION: "tests"}
# Latest commit on the BoringSSL master branch, as of May 27, 2023.
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b0a026f8541c551854efd617021bb276f1fe5c23"}}
# Latest commit on the BoringSSL master branch, as of Nov 24, 2023.
- {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b3d1666b989c39c6e2f78d9c37de79b308c57a92"}}
# Latest commit on the OpenSSL master branch, as of May 30, 2023.
- {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "36424806d699233b9a90a3a97fff3011828e2548"}}
# Builds with various Rust versions. Includes MSRV and potential
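--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,6 +1,13 @@
 Changelog
 =========
 
+.. _v41-0-7:
+
+41.0.7 - 2023-11-27
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed compilation when using LibreSSL 3.8.2.
+
 .. _v41-0-6:
 
 41.0.6 - 2023-11-27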
2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -11,7 +11,7 @@ build-backend = "setuptools.build_meta"

[project]
name = "cryptography"
version = "41.0.6"
version = "41.0.7"
authors = [
{name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"}
]
13 changes: 8 additions & 5 deletions src/_cffi_src/openssl/engine.py
Expand Up @@ -42,18 +42,20 @@
typedef void UI_METHOD;
#endif
/* Despite being OPENSSL_NO_ENGINE, BoringSSL defines these symbols. */
#if !CRYPTOGRAPHY_IS_BORINGSSL
/* Despite being OPENSSL_NO_ENGINE, BoringSSL/LibreSSL define these symbols. */
#if !CRYPTOGRAPHY_IS_BORINGSSL && !CRYPTOGRAPHY_IS_LIBRESSL
int (*ENGINE_free)(ENGINE *) = NULL;
void (*ENGINE_load_builtin_engines)(void) = NULL;
#endif
ENGINE *(*ENGINE_by_id)(const char *) = NULL;
int (*ENGINE_init)(ENGINE *) = NULL;
int (*ENGINE_finish)(ENGINE *) = NULL;
ENGINE *(*ENGINE_get_default_RAND)(void) = NULL;
int (*ENGINE_set_default_RAND)(ENGINE *) = NULL;
void (*ENGINE_unregister_RAND)(ENGINE *) = NULL;
#if !CRYPTOGRAPHY_IS_LIBRESSL
ENGINE *(*ENGINE_by_id)(const char *) = NULL;
int (*ENGINE_init)(ENGINE *) = NULL;
int (*ENGINE_finish)(ENGINE *) = NULL;
int (*ENGINE_ctrl_cmd)(ENGINE *, const char *, long, void *,
void (*)(void), int) = NULL;
Expand All @@ -66,6 +68,7 @@
void *) = NULL;
EVP_PKEY *(*ENGINE_load_public_key)(ENGINE *, const char *,
UI_METHOD *, void *) = NULL;
#endif
#else
static const long Cryptography_HAS_ENGINE = 1;
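Review bot: The new inner `#if !CRYPTOGRAPHY_IS_LIBRESSL` block is closed by a bare `#endif` that sits directly before the outer `#else`, so the nesting is easy to misread and easy to break in a later edit; `#endif /* !CRYPTOGRAPHY_IS_LIBRESSL */` would make it unambiguous. The updated comment only covers `ENGINE_free` and `ENGINE_load_builtin_engines`, and the second guard has no comment at all; something like `/* LibreSSL keeps stubs for these ENGINE_* symbols, so no NULL placeholders are defined for them. */` would record the reason (this reading is inferred from the commit description and should be confirmed against the LibreSSL headers). Since these names would then bind to stub functions rather than NULL pointers on LibreSSL, callers presumably need to keep gating on `Cryptography_HAS_ENGINE` rather than on a NULL check; the value of that flag in this branch lies outside the visible lines.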
2 changes: 1 addition & 1 deletion src/cryptography/__about__.py
Expand Up @@ -10,7 +10,7 @@
"__copyright__",
]

__version__ = "41.0.6"
__version__ = "41.0.7"


__author__ = "The Python Cryptographic Authority and individual contributors"
18 changes: 12 additions & 6 deletions src/rust/Cargo.lock


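--- a/src/rust/src/backend/dh.rs
+++ b/src/rust/src/backend/dh.rs
@@ -105,6 +105,7 @@ fn dh_parameters_from_numbers(
 Ok(openssl::dh::Dh::from_pqg(p, q, g)?)
 }
 
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 #[pyo3::prelude::pyfunction]
 fn from_private_numbers(
 py: pyo3::Python<'_>,
@@ -131,6 +132,7 @@ fn from_private_numbers(
 Ok(DHPrivateKey { pkey })
 }
 
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 #[pyo3::prelude::pyfunction]
 fn from_public_numbers(
 py: pyo3::Python<'_>,
@@ -226,6 +228,7 @@ impl DHPrivateKey {
 )?)
 }
 
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 fn public_key(&self) -> CryptographyResult<DHPublicKey> {
 let orig_dh = self.pkey.dh().unwrap();
 let dh = clone_dh(&orig_dh)?;
@@ -353,6 +356,7 @@ impl DHPublicKey {
 
 #[pyo3::prelude::pymethods]
 impl DHParameters {
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 fn generate_private_key(&self) -> CryptographyResult<DHPrivateKey> {
 let dh = clone_dh(&self.dh)?.generate_key()?;
 Ok(DHPrivateKey {
@@ -424,7 +428,9 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu
 m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?;
 m.add_function(pyo3::wrap_pyfunction!(from_der_parameters, m)?)?;
 m.add_function(pyo3::wrap_pyfunction!(from_pem_parameters, m)?)?;
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?;
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?;
 m.add_function(pyo3::wrap_pyfunction!(from_parameter_numbers, m)?)?;
 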
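Review bot: None of the six added `#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]` attributes says why the item is compiled out, and the gating is partial: `from_private_numbers`, `from_public_numbers`, `DHPrivateKey::public_key` and `DHParameters::generate_private_key` disappear on BoringSSL while the remaining functions are still registered in `create_module`. A one-line comment at the first attribute, e.g. `// BoringSSL does not support DH via EVP; key construction and generation are compiled out.`, would carry the reason from the commit description into the code. On a BoringSSL build, Python callers would presumably see an `AttributeError` on the missing names rather than an unsupported-algorithm error, so it is worth confirming that the Python layer checks DH support before reaching them; that layer is not part of this diff. All five hunks cut through their enclosing functions or impl blocks.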
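--- a/src/rust/src/backend/ed25519.rs
+++ b/src/rust/src/backend/ed25519.rs
@@ -121,7 +121,8 @@ impl Ed25519PrivateKey {
 impl Ed25519PublicKey {
 fn verify(&self, signature: &[u8], data: &[u8]) -> CryptographyResult<()> {
 let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)?
-.verify_oneshot(signature, data)?;
+.verify_oneshot(signature, data)
+.unwrap_or(false);
 
 if !valid {
 return Err(CryptographyError::from(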
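Review bot: `.unwrap_or(false)` on the result of `verify_oneshot` folds every backend error into an invalid-signature outcome, and nothing in the hunk says why. This fails closed, which is the safe direction for a verifier, but an unrelated library failure now reaches the caller as a bad signature and can no longer be told apart from one. A comment above the call would record the intent, e.g. `// Some backends return an error instead of Ok(false) for a bad signature; treat both as verification failure.` (the LibreSSL 3.8.2 behaviour behind this is inferred from the commit title, not visible here). If other signature types in the crate still use `?` after `verify_oneshot`, they may need the same treatment; `verify` continues past the end of the hunk.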
2 changes: 1 addition & 1 deletion vectors/cryptography_vectors/__about__.py
Expand Up @@ -6,4 +6,4 @@
"__version__",
]

__version__ = "41.0.6"
__version__ = "41.0.7"
2 changes: 1 addition & 1 deletion vectors/pyproject.toml
Expand Up @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"

[project]
name = "cryptography_vectors"
version = "41.0.6"
version = "41.0.7"
authors = [
{name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"}
]
