Skip to content

Commit 01eb304

Browse files
authored
Dropped support for LibreSSL 2.7, 2.8, and 2.9.0 (2.9.1+ are still supported) (pyca#5231)
1 parent b87a238 commit 01eb304

8 files changed

Lines changed: 3 additions & 72 deletions

File tree

.travis.yml

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -43,10 +43,6 @@ matrix:
4343
env: TOXENV=py38 OPENSSL=1.1.1g
4444
- python: 3.8
4545
env: TOXENV=py38 OPENSSL=1.1.1g OPENSSL_CONFIG_FLAGS="no-engine no-rc2"
46-
- python: 3.8
47-
env: TOXENV=py38 LIBRESSL=2.7.5
48-
- python: 3.8
49-
env: TOXENV=py38 LIBRESSL=2.8.3
5046
- python: 3.8
5147
env: TOXENV=py38 LIBRESSL=2.9.2
5248
- python: 3.8

CHANGELOG.rst

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,8 @@ Changelog
1212
:class:`~cryptography.x509.Extension` instance to
1313
:meth:`~cryptography.x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier`,
1414
as per our deprecation policy.
15+
* **BACKWARDS INCOMPATIBLE:** Support for LibreSSL 2.7.x, 2.8.x, and 2.9.0 has
16+
been removed (2.9.1+ is still supported).
1517

1618
.. _v2-9-2:
1719

src/_cffi_src/openssl/cryptography.py

Lines changed: 0 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -33,16 +33,6 @@
3333
#include <Winsock2.h>
3434
#endif
3535
36-
#if CRYPTOGRAPHY_IS_LIBRESSL
37-
#define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER \
38-
(LIBRESSL_VERSION_NUMBER >= 0x2080000f)
39-
#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER \
40-
(LIBRESSL_VERSION_NUMBER >= 0x2090100f)
41-
#else
42-
#define CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER (0)
43-
#define CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER (0)
44-
#endif
45-
4636
#define CRYPTOGRAPHY_OPENSSL_102L_OR_GREATER \
4737
(OPENSSL_VERSION_NUMBER >= 0x100020cf && !CRYPTOGRAPHY_IS_LIBRESSL)
4838
#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
@@ -72,8 +62,6 @@
7262
static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
7363
7464
static const int CRYPTOGRAPHY_IS_LIBRESSL;
75-
76-
static const int CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER;
7765
"""
7866

7967
FUNCTIONS = """

src/_cffi_src/openssl/ssl.py

Lines changed: 0 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,6 @@
2626
static const long Cryptography_HAS_SSL_CTX_SET_CLIENT_CERT_ENGINE;
2727
static const long Cryptography_HAS_SSL_CTX_CLEAR_OPTIONS;
2828
static const long Cryptography_HAS_DTLS;
29-
static const long Cryptography_HAS_GENERIC_DTLS_METHOD;
3029
static const long Cryptography_HAS_SIGALGS;
3130
static const long Cryptography_HAS_PSK;
3231
static const long Cryptography_HAS_CIPHER_DETAILS;
@@ -710,15 +709,6 @@
710709
static const long TLS_ST_OK = 0;
711710
#endif
712711
713-
/* LibreSSL 2.9.1 added only the DTLS_*_method functions */
714-
#if CRYPTOGRAPHY_IS_LIBRESSL && !CRYPTOGRAPHY_LIBRESSL_291_OR_GREATER
715-
static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 0;
716-
const SSL_METHOD *(*DTLS_method)(void) = NULL;
717-
const SSL_METHOD *(*DTLS_server_method)(void) = NULL;
718-
const SSL_METHOD *(*DTLS_client_method)(void) = NULL;
719-
#else
720-
static const long Cryptography_HAS_GENERIC_DTLS_METHOD = 1;
721-
#endif
722712
#if CRYPTOGRAPHY_IS_LIBRESSL
723713
static const long SSL_OP_NO_DTLSv1 = 0;
724714
static const long SSL_OP_NO_DTLSv1_2 = 0;

src/cryptography/hazmat/bindings/openssl/_conditional.py

Lines changed: 0 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -102,18 +102,6 @@ def cryptography_has_scrypt():
102102
]
103103

104104

105-
def cryptography_has_generic_dtls_method():
106-
return [
107-
"DTLS_method",
108-
"DTLS_server_method",
109-
"DTLS_client_method",
110-
"SSL_OP_NO_DTLSv1",
111-
"SSL_OP_NO_DTLSv1_2",
112-
"DTLS_set_link_mtu",
113-
"DTLS_get_link_min_mtu",
114-
]
115-
116-
117105
def cryptography_has_evp_pkey_dhx():
118106
return [
119107
"EVP_PKEY_DHX",
@@ -336,9 +324,6 @@ def cryptography_has_verified_chain():
336324
"Cryptography_HAS_TLS_ST": cryptography_has_tls_st,
337325
"Cryptography_HAS_LOCKING_CALLBACKS": cryptography_has_locking_callbacks,
338326
"Cryptography_HAS_SCRYPT": cryptography_has_scrypt,
339-
"Cryptography_HAS_GENERIC_DTLS_METHOD": (
340-
cryptography_has_generic_dtls_method
341-
),
342327
"Cryptography_HAS_EVP_PKEY_DHX": cryptography_has_evp_pkey_dhx,
343328
"Cryptography_HAS_MEM_FUNCTIONS": cryptography_has_mem_functions,
344329
"Cryptography_HAS_SCT": cryptography_has_sct,

src/cryptography/hazmat/primitives/ciphers/aead.py

Lines changed: 0 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -80,12 +80,6 @@ def __init__(self, key, tag_length=16):
8080

8181
self._tag_length = tag_length
8282

83-
if not backend.aead_cipher_supported(self):
84-
raise exceptions.UnsupportedAlgorithm(
85-
"AESCCM is not supported by this version of OpenSSL",
86-
exceptions._Reasons.UNSUPPORTED_CIPHER
87-
)
88-
8983
@classmethod
9084
def generate_key(cls, bit_length):
9185
if not isinstance(bit_length, int):

tests/hazmat/primitives/test_aead.py

Lines changed: 0 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -183,20 +183,6 @@ def test_buffer_protocol(self, backend):
183183
assert computed_pt2 == pt
184184

185185

186-
@pytest.mark.skipif(
187-
_aead_supported(AESCCM),
188-
reason="Requires OpenSSL without AES-CCM support"
189-
)
190-
@pytest.mark.requires_backend_interface(interface=CipherBackend)
191-
def test_aesccm_unsupported_on_older_openssl(backend):
192-
with raises_unsupported_algorithm(_Reasons.UNSUPPORTED_CIPHER):
193-
AESCCM(AESCCM.generate_key(128))
194-
195-
196-
@pytest.mark.skipif(
197-
not _aead_supported(AESCCM),
198-
reason="Does not support AESCCM"
199-
)
200186
@pytest.mark.requires_backend_interface(interface=CipherBackend)
201187
class TestAESCCM(object):
202188
def test_data_too_large(self):

tests/wycheproof/test_rsa.py

Lines changed: 1 addition & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@ def should_verify(backend, wycheproof):
3838
if (
3939
(
4040
backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER or
41-
backend._lib.CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER
41+
backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
4242
) and wycheproof.has_flag("MissingNull")
4343
):
4444
return False
@@ -48,16 +48,6 @@ def should_verify(backend, wycheproof):
4848

4949

5050
@pytest.mark.requires_backend_interface(interface=RSABackend)
51-
@pytest.mark.supported(
52-
only_if=lambda backend: (
53-
not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL or
54-
backend._lib.CRYPTOGRAPHY_LIBRESSL_28_OR_GREATER
55-
),
56-
skip_message=(
57-
"Many of these tests fail on OpenSSL < 1.0.2 and since upstream isn't"
58-
" maintaining it, they'll never be fixed."
59-
),
60-
)
6151
@pytest.mark.wycheproof_tests(
6252
"rsa_signature_test.json",
6353
"rsa_signature_2048_sha224_test.json",

0 commit comments

Comments
 (0)