From 124a0134fdb7decb0136b4b6f7892b87b919e74e Mon Sep 17 00:00:00 2001 From: Alex Gaynor Date: Tue, 27 Oct 2020 00:15:17 -0400 Subject: Drop CI for OpenSSL 1.0.2 (#953) * Drop CI for OpenSSL 1.0.2 * Delete code for coverage reasons * Bump minimum cryptography version --- .travis.yml | 10 +--------- .travis/install_urllib3.sh | 8 -------- CHANGELOG.rst | 3 ++- setup.py | 2 +- src/OpenSSL/SSL.py | 45 ++++++--------------------------------------- src/OpenSSL/crypto.py | 12 ++---------- tests/test_ssl.py | 13 ++----------- tox.ini | 17 +---------------- 8 files changed, 15 insertions(+), 95 deletions(-) delete mode 100755 .travis/install_urllib3.sh diff --git a/.travis.yml b/.travis.yml index d6d566c..911ccef 100644 --- a/.travis.yml +++ b/.travis.yml @@ -16,10 +16,6 @@ jobs: os: osx osx_image: xcode11.6 env: TOXENV=py27 - - python: "2.7" - env: TOXENV=py27 - # we should still test against OpenSSL 1.0.2. Xenial gives us that for now. - dist: xenial - python: "3.5" env: TOXENV=py35 - python: "3.6" @@ -71,13 +67,9 @@ jobs: - python: "3.7" env: TOXENV=py37-randomorder - # Make sure we don't break Twisted or urllib3 + # Make sure we don't break Twisted - python: "3.7" env: TOXENV=py37-twistedMaster - - python: "3.5" - env: TOXENV=py35-urllib3Master - # Somehow urllib3 has trouble with newer distributions - dist: xenial # Meta diff --git a/.travis/install_urllib3.sh b/.travis/install_urllib3.sh deleted file mode 100755 index 1324ded..0000000 --- a/.travis/install_urllib3.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -set -e -set -x - -git clone --depth 1 https://github.com/shazow/urllib3.git -pip install -r ./urllib3/dev-requirements.txt -pip install ./urllib3[socks] diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5df0a05..9f58d78 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -11,10 +11,11 @@ The third digit is only for regressions. Backward-incompatible changes: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +- The minimum ``cryptography`` version is now 3.2. - Remove deprecated ``OpenSSL.tsafe`` module. - Removed deprecated ``OpenSSL.SSL.Context.set_npn_advertise_callback``, ``OpenSSL.SSL.Context.set_npn_select_callback``, and ``OpenSSL.SSL.Connection.get_next_proto_negotiated``. - Drop support for Python 3.4 -- Drop support for OpenSSL 1.0.1 +- Drop support for OpenSSL 1.0.1 and 1.0.2 Deprecations: ^^^^^^^^^^^^^ diff --git a/setup.py b/setup.py index 6f3afd7..08769d2 100755 --- a/setup.py +++ b/setup.py @@ -94,7 +94,7 @@ if __name__ == "__main__": package_dir={"": "src"}, install_requires=[ # Fix cryptographyMinimum in tox.ini when changing this! - "cryptography>=2.8", + "cryptography>=3.2", "six>=1.5.2", ], extras_require={ diff --git a/src/OpenSSL/SSL.py b/src/OpenSSL/SSL.py index bbb721c..9b9f638 100644 --- a/src/OpenSSL/SSL.py +++ b/src/OpenSSL/SSL.py @@ -28,7 +28,6 @@ from OpenSSL.crypto import ( X509Name, X509, X509Store, - X509StoreContext, ) __all__ = [ @@ -147,10 +146,7 @@ OP_NO_SSLv3 = _lib.SSL_OP_NO_SSLv3 OP_NO_TLSv1 = _lib.SSL_OP_NO_TLSv1 OP_NO_TLSv1_1 = _lib.SSL_OP_NO_TLSv1_1 OP_NO_TLSv1_2 = _lib.SSL_OP_NO_TLSv1_2 -try: - OP_NO_TLSv1_3 = _lib.SSL_OP_NO_TLSv1_3 -except AttributeError: - pass +OP_NO_TLSv1_3 = _lib.SSL_OP_NO_TLSv1_3 MODE_RELEASE_BUFFERS = _lib.SSL_MODE_RELEASE_BUFFERS @@ -202,14 +198,6 @@ SESS_CACHE_NO_INTERNAL = _lib.SSL_SESS_CACHE_NO_INTERNAL SSL_ST_CONNECT = _lib.SSL_ST_CONNECT SSL_ST_ACCEPT = _lib.SSL_ST_ACCEPT SSL_ST_MASK = _lib.SSL_ST_MASK -if _lib.Cryptography_HAS_SSL_ST: - SSL_ST_INIT = _lib.SSL_ST_INIT - SSL_ST_BEFORE = _lib.SSL_ST_BEFORE - SSL_ST_OK = _lib.SSL_ST_OK - SSL_ST_RENEGOTIATE = _lib.SSL_ST_RENEGOTIATE - __all__.extend( - ["SSL_ST_INIT", "SSL_ST_BEFORE", "SSL_ST_OK", "SSL_ST_RENEGOTIATE"] - ) SSL_CB_LOOP = _lib.SSL_CB_LOOP SSL_CB_EXIT = _lib.SSL_CB_EXIT 
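Review bot: The `SSL_ST_INIT`, `SSL_ST_BEFORE`, `SSL_ST_OK` and `SSL_ST_RENEGOTIATE` names removed in the `@@ -202,14 +198,6 @@` hunk of src/OpenSSL/SSL.py were part of the public surface (the removed block appended them to `__all__`), yet the CHANGELOG hunk in this same commit records only the OpenSSL 1.0.2 drop and the cryptography bump. Add a bullet under "Backward-incompatible changes" along the lines of `- Removed the SSL_ST_INIT, SSL_ST_BEFORE, SSL_ST_OK and SSL_ST_RENEGOTIATE constants.`; the removed `Cryptography_HAS_SSL_ST` guard and the deleted test comment ("SSL_ST_INIT is a way to check for 1.1.0") suggest they only existed on pre-1.1.0 builds, but that is worth confirming against the binding before wording the entry. The tests/test_ssl.py hunk deletes the only visible use of `SSL_ST_INIT`; if that module still imports the name from `OpenSSL.SSL`, collection now fails on the missing import, which this diff does not show either way.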
@@ -972,11 +960,7 @@ class Context(object): """ buf = _text_to_bytes_and_warn("buf", buf) _openssl_assert( - _lib.SSL_CTX_set_session_id_context( - self._context, - buf, - len(buf), - ) + _lib.SSL_CTX_set_session_id_context(self._context, buf, len(buf)) == 1 ) @@ -2175,29 +2159,12 @@ class Connection(object): .. versionadded:: 20.0 """ - if hasattr(_lib, "SSL_get0_verified_chain"): - # OpenSSL 1.1+ - cert_stack = _lib.SSL_get0_verified_chain(self._ssl) - if cert_stack == _ffi.NULL: - return None - - return self._cert_stack_to_list(cert_stack) - - pycert = self.get_peer_certificate() - if pycert is None: - return None - - # Should never be NULL because the peer presented a certificate. - cert_stack = _lib.SSL_get_peer_cert_chain(self._ssl) - _openssl_assert(cert_stack != _ffi.NULL) - - pystore = self._context.get_cert_store() - if pystore is None: + # OpenSSL 1.1+ + cert_stack = _lib.SSL_get0_verified_chain(self._ssl) + if cert_stack == _ffi.NULL: return None - pystorectx = X509StoreContext(pystore, pycert) - pystorectx._chain = cert_stack - return pystorectx.get_verified_chain() + return self._cert_stack_to_list(cert_stack) def want_read(self): """ diff --git a/src/OpenSSL/crypto.py b/src/OpenSSL/crypto.py index 11be813..84f92b1 100644 --- a/src/OpenSSL/crypto.py +++ b/src/OpenSSL/crypto.py @@ -1603,16 +1603,8 @@ class X509Store(object): if not isinstance(cert, X509): raise TypeError() - # As of OpenSSL 1.1.0i adding the same cert to the store more than - # once doesn't cause an error. Accordingly, this code now silences - # the error for OpenSSL < 1.1.0i as well. - if _lib.X509_STORE_add_cert(self._store, cert._x509) == 0: - code = _lib.ERR_peek_error() - err_reason = _lib.ERR_GET_REASON(code) - _openssl_assert( - err_reason == _lib.X509_R_CERT_ALREADY_IN_HASH_TABLE - ) - _lib.ERR_clear_error() + res = _lib.X509_STORE_add_cert(self._store, cert._x509) + _openssl_assert(res == 1) def add_crl(self, crl): """ 
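Review bot: In the `@@ -2175,29 +2159,12 @@` hunk of src/OpenSSL/SSL.py the surviving `# OpenSSL 1.1+` comment was a label telling the two version branches apart; with the 1.0.2 fallback gone it explains nothing, and what a reader now needs is the meaning of a NULL result from `SSL_get0_verified_chain`. Replace it with something like `# NULL: OpenSSL holds no verified chain for this connection (e.g. the` / `# handshake has not completed or the peer presented no certificate).`, checking the exact conditions against the SSL_get0_verified_chain documentation for the bound OpenSSL. The docstring of get_verified_chain, which begins outside this hunk, should also state that a non-None return is not by itself proof of validity: OpenSSL documents that when peer verification did not succeed the returned chain may be incomplete or invalid, so callers must still rely on the verification mode and callback configured on the Context rather than on the chain being non-empty. get_verified_chain's signature and docstring start before the hunk.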
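Review bot: The new `_openssl_assert(res == 1)` in the src/OpenSSL/crypto.py hunk drops the tolerance for `X509_R_CERT_ALREADY_IN_HASH_TABLE`, but the removed comment ties that tolerance to OpenSSL 1.1.0i, whereas this commit only drops 1.0.2; if the `cryptography>=3.2` floor set in setup.py still permits binding an OpenSSL 1.1.0 build older than 1.1.0i, adding the same certificate twice now fails where it previously succeeded silently. If such builds are out of scope, record that next to the check, e.g. `# OpenSSL >= 1.1.0i treats re-adding a certificate as success, so a 0 here is a real error.`; otherwise keep the `ERR_GET_REASON` comparison. Either way the docstring of add_cert, which starts outside this hunk, should say whether duplicate adds are still accepted, since code that builds a store from overlapping bundles depends on that. add_cert's signature and docstring begin before the hunk.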
diff --git a/tests/test_ssl.py b/tests/test_ssl.py index e405b1a..aed2367 100644 --- a/tests/test_ssl.py +++ b/tests/test_ssl.py @@ -2621,17 +2621,8 @@ class TestConnection(object): with a context using a different SSL method than the `Connection` is using, a `OpenSSL.SSL.Error` is raised. """ - # Make this work on both OpenSSL 1.0.0, which doesn't support TLSv1.2 - # and also on OpenSSL 1.1.0 which doesn't support SSLv3. (SSL_ST_INIT - # is a way to check for 1.1.0) - if SSL_ST_INIT is None: - v1 = TLSv1_2_METHOD - v2 = TLSv1_METHOD - elif hasattr(_lib, "SSLv3_method"): - v1 = TLSv1_METHOD - v2 = SSLv3_METHOD - else: - pytest.skip("Test requires either OpenSSL 1.1.0 or SSLv3") + v1 = TLSv1_2_METHOD + v2 = TLSv1_METHOD key = load_privatekey(FILETYPE_PEM, server_key_pem) cert = load_certificate(FILETYPE_PEM, server_cert_pem) diff --git a/tox.ini b/tox.ini index 4217abb..a338c94 100644 --- a/tox.ini +++ b/tox.ini @@ -10,7 +10,7 @@ extras = deps = coverage>=4.2 cryptographyMaster: git+https://github.com/pyca/cryptography.git - cryptographyMinimum: cryptography==2.8 + cryptographyMinimum: cryptography==3.2 randomorder: pytest-randomly setenv = # Do not allow the executing environment to pollute the test environment @@ -32,21 +32,6 @@ commands = python -c "import cryptography; print(cryptography.__version__)" python -m twisted.trial --reporter=text twisted -[testenv:py35-urllib3Master] -basepython=python3.5 -deps = - pyasn1 - ndg-httpsclient -passenv = ARCHFLAGS CFLAGS LC_ALL LDFLAGS PATH LD_LIBRARY_PATH TERM TRAVIS_INFRA -whitelist_externals = - rm -commands = - python -c "import OpenSSL.SSL; print(OpenSSL.SSL.SSLeay_version(OpenSSL.SSL.SSLEAY_VERSION))" - python -c "import cryptography; print(cryptography.__version__)" - {toxinidir}/.travis/install_urllib3.sh - pytest urllib3/test - rm -rf ./urllib3 - [testenv:flake8] basepython = python3 deps = -- cgit v1.2.1