Backport LibreSSL 3.8.2 support for a 41.0.7 release (#9931)

* Backport LibreSSL 3.8.2 support for a 41.0.7 release

* ci fixes

* LibreSSL 3.8.1 and later is OPENSSL_NO_ENGINE (#9456)

Unfortunately, some projects are not prepared to build without
ENGINE symbols, so just like BoringSSL we needed to keep some stubs.

* Don't build dh code on BoringSSL (#9103)

It doesn't support DH via EVP

* Update ci.yml (#9527)

---------

Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>

.github/workflows/ci.yml

@@ -40,11 +40,11 @@ jobs:
           - {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}}
           - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}}
           - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}}
-          - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}}
+          - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
           - {VERSION: "3.11", NOXSESSION: "tests-randomorder"}
           - {VERSION: "3.12-dev", NOXSESSION: "tests"}
-          # Latest commit on the BoringSSL master branch, as of May 27, 2023.
-          - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b0a026f8541c551854efd617021bb276f1fe5c23"}}
+          # Latest commit on the BoringSSL master branch, as of Nov 24, 2023.
+          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b3d1666b989c39c6e2f78d9c37de79b308c57a92"}}
           # Latest commit on the OpenSSL master branch, as of May 30, 2023.
           - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "36424806d699233b9a90a3a97fff3011828e2548"}}
           # Builds with various Rust versions. Includes MSRV and potential

CHANGELOG.rst

@@ -1,6 +1,13 @@
 Changelog
 =========
 
+.. _v41-0-7:
+
+41.0.7 - 2023-11-27
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed compilation when using LibreSSL 3.8.2.
+
 .. _v41-0-6:
 
 41.0.6 - 2023-11-27

pyproject.toml

@@ -11,7 +11,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "cryptography"
-version = "41.0.6"
+version = "41.0.7"
 authors = [
     {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"}
 ]

src/_cffi_src/openssl/engine.py

@@ -42,18 +42,20 @@ static const long Cryptography_HAS_ENGINE = 0;
 typedef void UI_METHOD;
 #endif
 
-/* Despite being OPENSSL_NO_ENGINE, BoringSSL defines these symbols. */
-#if !CRYPTOGRAPHY_IS_BORINGSSL
+/* Despite being OPENSSL_NO_ENGINE, BoringSSL/LibreSSL define these symbols. */
+#if !CRYPTOGRAPHY_IS_BORINGSSL && !CRYPTOGRAPHY_IS_LIBRESSL
 int (*ENGINE_free)(ENGINE *) = NULL;
 void (*ENGINE_load_builtin_engines)(void) = NULL;
 #endif
 
-ENGINE *(*ENGINE_by_id)(const char *) = NULL;
-int (*ENGINE_init)(ENGINE *) = NULL;
-int (*ENGINE_finish)(ENGINE *) = NULL;
 ENGINE *(*ENGINE_get_default_RAND)(void) = NULL;
 int (*ENGINE_set_default_RAND)(ENGINE *) = NULL;
 void (*ENGINE_unregister_RAND)(ENGINE *) = NULL;
+
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+ENGINE *(*ENGINE_by_id)(const char *) = NULL;
+int (*ENGINE_init)(ENGINE *) = NULL;
+int (*ENGINE_finish)(ENGINE *) = NULL;
 int (*ENGINE_ctrl_cmd)(ENGINE *, const char *, long, void *,
                        void (*)(void), int) = NULL;
 
@@ -66,6 +68,7 @@ EVP_PKEY *(*ENGINE_load_private_key)(ENGINE *, const char *, UI_METHOD *,
                                      void *) = NULL;
 EVP_PKEY *(*ENGINE_load_public_key)(ENGINE *, const char *,
                                     UI_METHOD *, void *) = NULL;
+#endif
 
 #else
 static const long Cryptography_HAS_ENGINE = 1;

src/cryptography/__about__.py

@@ -10,7 +10,7 @@ __all__ = [
     "__copyright__",
 ]
 
-__version__ = "41.0.6"
+__version__ = "41.0.7"
 
 
 __author__ = "The Python Cryptographic Authority and individual contributors"

src/rust/Cargo.lock

@@ -52,6 +52,12 @@ version = "1.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 
+[[package]]
+name = "bitflags"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "327762f6e5a765692301e5bb513e0d9fef63be86bbc14528052b1cd3e6f03e07"
+
 [[package]]
 name = "cc"
 version = "1.0.79"
@@ -162,11 +168,11 @@ checksum = "9670a07f94779e00908f3e686eab508878ebb390ba6e604d3a284c00e8d0487b"
 
 [[package]]
 name = "openssl"
-version = "0.10.54"
+version = "0.10.60"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "69b3f656a17a6cbc115b5c7a40c616947d213ba182135b014d6051b73ab6f019"
+checksum = "79a4c6c3a2b158f7f8f2a2fc5a969fa3a068df6fc9dbb4a43845436e3af7c800"
 dependencies = [
- "bitflags",
+ "bitflags 2.4.1",
  "cfg-if",
  "foreign-types",
  "libc",
@@ -188,9 +194,9 @@ dependencies = [
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.88"
+version = "0.9.96"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2ce0f250f34a308dcfdbb351f511359857d4ed2134ba715a4eadd46e1ffd617"
+checksum = "3812c071ba60da8b5677cc12bcb1d42989a65553772897a7e0355545a819838f"
 dependencies = [
  "cc",
  "libc",
@@ -367,7 +373,7 @@ version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fb5a58c1855b4b6819d59012155603f0b22ad30cad752600aadfcb695265519a"
 dependencies = [
- "bitflags",
+ "bitflags 1.3.2",
 ]
 
 [[package]]

src/rust/src/backend/dh.rs

@@ -105,6 +105,7 @@ fn dh_parameters_from_numbers(
     Ok(openssl::dh::Dh::from_pqg(p, q, g)?)
 }
 
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 #[pyo3::prelude::pyfunction]
 fn from_private_numbers(
     py: pyo3::Python<'_>,
@@ -131,6 +132,7 @@ fn from_private_numbers(
     Ok(DHPrivateKey { pkey })
 }
 
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 #[pyo3::prelude::pyfunction]
 fn from_public_numbers(
     py: pyo3::Python<'_>,
@@ -226,6 +228,7 @@ impl DHPrivateKey {
         )?)
     }
 
+    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
     fn public_key(&self) -> CryptographyResult<DHPublicKey> {
         let orig_dh = self.pkey.dh().unwrap();
         let dh = clone_dh(&orig_dh)?;
@@ -353,6 +356,7 @@ impl DHPublicKey {
 
 #[pyo3::prelude::pymethods]
 impl DHParameters {
+    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
     fn generate_private_key(&self) -> CryptographyResult<DHPrivateKey> {
         let dh = clone_dh(&self.dh)?.generate_key()?;
         Ok(DHPrivateKey {
@@ -424,7 +428,9 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu
     m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?;
     m.add_function(pyo3::wrap_pyfunction!(from_der_parameters, m)?)?;
     m.add_function(pyo3::wrap_pyfunction!(from_pem_parameters, m)?)?;
+    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
     m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?;
+    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
     m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?;
     m.add_function(pyo3::wrap_pyfunction!(from_parameter_numbers, m)?)?;
 

src/rust/src/backend/ed25519.rs

@@ -121,7 +121,8 @@ impl Ed25519PrivateKey {
 impl Ed25519PublicKey {
     fn verify(&self, signature: &[u8], data: &[u8]) -> CryptographyResult<()> {
         let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)?
-            .verify_oneshot(signature, data)?;
+            .verify_oneshot(signature, data)
+            .unwrap_or(false);
 
         if !valid {
             return Err(CryptographyError::from(

vectors/cryptography_vectors/__about__.py

@@ -6,4 +6,4 @@ __all__ = [
     "__version__",
 ]
 
-__version__ = "41.0.6"
+__version__ = "41.0.7"

vectors/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "cryptography_vectors"
-version = "41.0.6"
+version = "41.0.7"
 authors = [
     {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"}
 ]