From 1cc4a6e786b97d3cfa2899d4ddb3a3fabc2abd12 Mon Sep 17 00:00:00 2001
From: Charlie Li
Date: Wed, 2 Mar 2022 06:48:49 -0500
Subject: [PATCH] Support LibreSSL 3.5.0 (#6919)

* Add LibreSSL 3.5.0 to CI
* Add LibreSSL 3.5.0 guard
* Expose FIPS functions in LibreSSL 3.5.0+
* Expose DH API in LibreSSL 3.5.0+
* Expose SSL_get0_verified_chain and SSL_CTX_{set,get}_keylog_callback in LibreSSL 3.5.0+
* Fix SSL_CTX_{set,get}_keylog_callback guard
* Add missing CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 symbol
* Fix SSL_CTX_{set,get}_keylog_callback guard again
* Condense LibreSSL 3.5.0 defines
* Kick CircleCI
---
 .github/workflows/ci.yml | 1 +
 src/_cffi_src/openssl/cryptography.py | 4 ++++
 src/_cffi_src/openssl/dh.py | 2 +-
 src/_cffi_src/openssl/fips.py | 2 +-
 src/_cffi_src/openssl/ssl.py | 5 +++--
 5 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4e520c21b..49f0913f1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -39,6 +39,7 @@ jobs:
 - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.2.7"}}
 - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.3.5"}}
 - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.4.2"}}
+ - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.5.0"}}
 - {VERSION: "3.10", TOXENV: "py310"}
 - {VERSION: "3.11-dev", TOXENV: "py311"}
 - {VERSION: "3.10", TOXENV: "py310-randomorder"}
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index 96608945c..1ad7fb616 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -45,11 +45,14 @@ INCLUDES = """
 (LIBRESSL_VERSION_NUMBER < 0x3030200f)
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 \
 (LIBRESSL_VERSION_NUMBER < 0x3040000f)
+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 \
+ (LIBRESSL_VERSION_NUMBER < 0x3050000f)
 #else
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_322 (0)
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0)
+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 (0)
 #endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000
@@ -84,6 +87,7 @@ static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
 static const int CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE;
 static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340;
+static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350;
 static const int CRYPTOGRAPHY_IS_LIBRESSL;
 static const int CRYPTOGRAPHY_IS_BORINGSSL;
diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py
index b369bf9ff..c378ad1b4 100644
--- a/src/_cffi_src/openssl/dh.py
+++ b/src/_cffi_src/openssl/dh.py
@@ -36,7 +36,7 @@ int Cryptography_i2d_DHxparams_bio(BIO *, DH *);
 """
 CUSTOMIZATIONS = """
-#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350
 #ifndef DH_CHECK_Q_NOT_PRIME
 #define DH_CHECK_Q_NOT_PRIME 0x10
 #endif
diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py
index 23c10af92..dd81d06cf 100644
--- a/src/_cffi_src/openssl/fips.py
+++ b/src/_cffi_src/openssl/fips.py
@@ -17,7 +17,7 @@ int FIPS_mode(void);
 """
 CUSTOMIZATIONS = """
-#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
 static const long Cryptography_HAS_FIPS = 0;
 int (*FIPS_mode_set)(int) = NULL;
 int (*FIPS_mode)(void) = NULL;
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 38d72b9ce..ef4bce1c7 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
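Review bot: The added `CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350` define carries no comment, and because the `#else` branch pins it to `(0)` for every non-LibreSSL build, a consumer's `#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350` means "this is LibreSSL and it is older than 3.5.0", not merely "older than 3.5.0"; the dh.py, fips.py and ssl.py guards in this patch all depend on that asymmetry. A one-line comment above the new define, e.g. `/* 0 on non-LibreSSL builds: LESS_THAN_* means "is LibreSSL and older than" */`, would spare the next reader from re-deriving it. The second hunk's `static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350;` mirrors the existing `_340` declaration (presumably so the flag is readable from the Python side) and is consistent with its neighbours. The `#if` block whose `#else` branch is shown here opens outside the hunk.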
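Review bot: The narrowed guard `#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350` in dh.py gives no hint why 3.5.0 is the cut-off, and the rest of the `#if` block (and its `#else`, if any) runs past the end of the hunk, so a reader of dh.py alone cannot tell which LibreSSL release made the fallback definitions unnecessary. The commit message records that LibreSSL 3.5.0 exposes the DH API; carrying that into the source with a comment on the guard, e.g. `/* LibreSSL < 3.5.0 only: 3.5.0 exposes the DH API these fallbacks stand in for */`, would keep the rationale next to the code. The `#ifndef DH_CHECK_Q_NOT_PRIME` fallback stays self-guarding, so the change is harmless for any LibreSSL that already defines the constant.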
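Review bot: Flipping the fips.py guard to `CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350` means a LibreSSL 3.5.0+ build no longer takes the `Cryptography_HAS_FIPS = 0` path with NULL `FIPS_mode`/`FIPS_mode_set` stubs and instead falls into the `#else` branch outside the hunk, where `Cryptography_HAS_FIPS` is presumably 1 and the real symbols are bound. As far as I know LibreSSL ships no FIPS 140-validated module, so a non-zero `HAS_FIPS` on that platform only says the symbols link, not that a validated mode can be enabled; any Python-side logic that treats `HAS_FIPS` as "FIPS mode is available" should keep relying on the runtime result of `FIPS_mode()` rather than the build-time flag. A comment on the new guard, e.g. `/* LibreSSL >= 3.5.0 exports FIPS_mode/FIPS_mode_set; HAS_FIPS=1 there only means the symbols exist, not that a validated module is present */`, would make that distinction explicit.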
@@ -529,14 +529,15 @@ static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;
 int (*SSL_CTX_set_client_cert_engine)(SSL_CTX *, ENGINE *) = NULL;
 #endif
-#if CRYPTOGRAPHY_IS_LIBRESSL || CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 || CRYPTOGRAPHY_IS_BORINGSSL
 static const long Cryptography_HAS_VERIFIED_CHAIN = 0;
 Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL;
 #else
 static const long Cryptography_HAS_VERIFIED_CHAIN = 1;
 #endif
-#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 || \
+ (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 && !CRYPTOGRAPHY_IS_LIBRESSL)
 static const long Cryptography_HAS_KEYLOG = 0;
 void (*SSL_CTX_set_keylog_callback)(SSL_CTX *, void (*) (const SSL *, const char *)