OpenSSL 1.1.0 support (#2826)

* make pre5 work * add a blank line to make the diff happier * 1.1.0-pre6 working * support the changes since 1.1.0-pre6 * fixes * add 1.1.0 to travis * expose the symbol * better testing for numericstring * handle libre... * actually use the 1.1.0 we compile * cache the ossl-110 dir on travis * add some newlines * changelog entry for 1.1.0 support * note that we test on 1.1.0 * proper skip on this test * reorder
2026-05-14 20:37:55 +00:00 · 2016-08-26 21:48:24 +08:00 · 2016-08-26 21:48:24 +08:00 · 07ea3cd3ea
commit 07ea3cd3ea
parent 9736716017
9 changed files with 49 additions and 8 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -6,6 +6,7 @@ cache:
    directories:
        - $HOME/.cache/pip
        - $HOME/ossl-100t
+        - $HOME/ossl-110

 matrix:
    include:
@ -29,6 +30,10 @@ matrix:
          env: TOXENV=py27 OPENSSL=1.0.0
        - python: 3.5
          env: TOXENV=py35 OPENSSL=1.0.0
+        - python: 2.7
+          env: TOXENV=py27 OPENSSL=1.1.0
+        - python: 3.5
+          env: TOXENV=py35 OPENSSL=1.1.0
        - python: 2.7
          env: TOXENV=docs
          addons:
--- a/.travis/install.sh
+++ b/.travis/install.sh
@ -63,6 +63,10 @@ else
        OPENSSL_VERSION_NUMBER="1.0.0t"
        OPENSSL_DIR="ossl-100t"
    fi
+    if [[ "${OPENSSL}" == "1.1.0" ]]; then
+        OPENSSL_VERSION_NUMBER="1.1.0"
+        OPENSSL_DIR="ossl-110"
+    fi
    # download, compile, and install if it's not already present via travis
    # cache
    if [ -n "$OPENSSL_DIR" ]; then
@ -72,7 +76,8 @@ else
            cd openssl-$OPENSSL_VERSION_NUMBER
            ./config shared no-asm no-ssl2 -fPIC --prefix="$HOME/$OPENSSL_DIR"
            # modify the shlib version to a unique one to make sure the dynamic
-            # linker doesn't load the system one.
+            # linker doesn't load the system one. This isn't required for 1.1.0 at the
+            # moment since our Travis builders have a diff shlib version, but it doesn't hurt
            sed -i "s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=100/" Makefile
            sed -i "s/^SHLIB_MINOR=.*/SHLIB_MINOR=0.0/" Makefile
            sed -i "s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=100.0.0/" Makefile
--- a/.travis/run.sh
+++ b/.travis/run.sh
@ -29,6 +29,9 @@ else
    if [[ "${OPENSSL}" == "1.0.0" ]]; then
        OPENSSL_DIR="ossl-100t"
    fi
+    if [[ "${OPENSSL}" == "1.1.0" ]]; then
+        OPENSSL_DIR="ossl-110"
+    fi

    if [ -n "$OPENSSL_DIR" ]; then
        export PATH="$HOME/$OPENSSL_DIR/bin:$PATH"
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@ -24,6 +24,7 @@ Changelog
  :class:`~cryptography.x509.CertificateRevocationListBuilder`, and
  :class:`~cryptography.x509.RevokedCertificateBuilder` now accept timezone
  aware ``datetime`` objects as method arguments
+* ``cryptography`` now supports OpenSSL 1.1.0 as a compilation target.


 1.4 - 2016-06-04
--- a/docs/installation.rst
+++ b/docs/installation.rst
@ -34,6 +34,7 @@ OpenSSL releases:
 * ``OpenSSL 1.0.1j-freebsd``
 * ``OpenSSL 1.0.1f``
 * ``OpenSSL 1.0.2-latest``
+* ``OpenSSL 1.1.0``

 .. warning::
    OpenSSL 1.0.0 is no longer supported by the OpenSSL project. Cryptography
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@ -36,12 +36,22 @@ INCLUDES = """
    (OPENSSL_VERSION_NUMBER < 0x10100000)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 \
    (OPENSSL_VERSION_NUMBER < 0x10100005)
+
+#if defined(LIBRESSL_VERSION_NUMBER)
+#define CRYPTOGRAPHY_IS_LIBRESSL 1
+#else
+#define CRYPTOGRAPHY_IS_LIBRESSL 0
+#endif
 """

 TYPES = """
 static const int CRYPTOGRAPHY_OPENSSL_101_OR_GREATER;

+static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
+
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_101;
+
+static const int CRYPTOGRAPHY_IS_LIBRESSL;
 """

 FUNCTIONS = """
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@ -1475,7 +1475,9 @@ class Backend(object):
            check_y = self._lib.BN_CTX_get(bn_ctx)

            res = set_func(group, point, bn_x, bn_y, bn_ctx)
-            self.openssl_assert(res == 1)
+            if res != 1:
+                self._consume_errors()
+                raise ValueError("EC point not on curve")

            res = get_func(group, point, check_x, check_y, bn_ctx)
            self.openssl_assert(res == 1)
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@ -728,10 +728,18 @@ class TestGOSTCertificate(object):
            x509.load_der_x509_certificate,
            backend
        )
-        with pytest.raises(ValueError) as exc:
-            cert.subject
+        if (
+            not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER or
+            backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
+        ):
+            with pytest.raises(ValueError) as exc:
+                cert.subject

-        # We assert on the message in this case because if the certificate
-        # fails to load it will also raise a ValueError and this test could
-        # erroneously pass.
-        assert str(exc.value) == "Unsupported ASN1 string type. Type: 18"
+            # We assert on the message in this case because if the certificate
+            # fails to load it will also raise a ValueError and this test could
+            # erroneously pass.
+            assert str(exc.value) == "Unsupported ASN1 string type. Type: 18"
+        else:
+            assert cert.subject.get_attributes_for_oid(
+                x509.ObjectIdentifier("1.2.643.3.131.1.1")
+            )[0].value == "007710474375"
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@ -21,6 +21,12 @@ class TestOpenSSL(object):

    def test_crypto_lock_init(self):
        b = Binding()
+        if (
+            b.lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and
+            not b.lib.CRYPTOGRAPHY_IS_LIBRESSL
+        ):
+            pytest.skip("Requires an older OpenSSL. Must be < 1.1.0")
+
        b.init_static_locks()
        lock_cb = b.lib.CRYPTO_get_locking_callback()
        assert lock_cb != b.ffi.NULL