Backport LibreSSL 3.8.2 support for a 41.0.7 release (#9931)

alex · botovq · web-flow · commit 4054596afc6f · 2023-11-27T18:26:51.000-06:00
* Backport LibreSSL 3.8.2 support for a 41.0.7 release * ci fixes * LibreSSL 3.8.1 and later is OPENSSL_NO_ENGINE (#9456) Unfortunately, some projects are not prepared to build without ENGINE symbols, so just like BoringSSL we needed to keep some stubs. * Don't build dh code on BoringSSL (#9103) It doesn't support DH via EVP * Update ci.yml (#9527) --------- Co-authored-by: Theo Buehler <botovq@users.noreply.github.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -40,11 +40,11 @@ jobs:
           - {VERSION: "3.11", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.1.3"}}
           - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.6.3"}}
           - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}}
-          - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.0"}}
+          - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
           - {VERSION: "3.11", NOXSESSION: "tests-randomorder"}
           - {VERSION: "3.12-dev", NOXSESSION: "tests"}
-          # Latest commit on the BoringSSL master branch, as of May 27, 2023.
-          - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b0a026f8541c551854efd617021bb276f1fe5c23"}}
+          # Latest commit on the BoringSSL master branch, as of Nov 24, 2023.
+          - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "b3d1666b989c39c6e2f78d9c37de79b308c57a92"}}
           # Latest commit on the OpenSSL master branch, as of May 30, 2023.
           - {VERSION: "3.11", NOXSESSION: "tests", OPENSSL: {TYPE: "openssl", VERSION: "36424806d699233b9a90a3a97fff3011828e2548"}}
           # Builds with various Rust versions. Includes MSRV and potential
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,13 @@
 Changelog
 =========
 
+.. _v41-0-7:
+
+41.0.7 - 2023-11-27
+~~~~~~~~~~~~~~~~~~~
+
+* Fixed compilation when using LibreSSL 3.8.2.
+
 .. _v41-0-6:
 
 41.0.6 - 2023-11-27
diff --git a/pyproject.toml b/pyproject.toml
@@ -11,7 +11,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "cryptography"
-version = "41.0.6"
+version = "41.0.7"
 authors = [
     {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"}
 ]
diff --git a/src/_cffi_src/openssl/engine.py b/src/_cffi_src/openssl/engine.py
@@ -42,18 +42,20 @@
 typedef void UI_METHOD;
 #endif
 
-/* Despite being OPENSSL_NO_ENGINE, BoringSSL defines these symbols. */
-#if !CRYPTOGRAPHY_IS_BORINGSSL
+/* Despite being OPENSSL_NO_ENGINE, BoringSSL/LibreSSL define these symbols. */
+#if !CRYPTOGRAPHY_IS_BORINGSSL && !CRYPTOGRAPHY_IS_LIBRESSL
 int (*ENGINE_free)(ENGINE *) = NULL;
 void (*ENGINE_load_builtin_engines)(void) = NULL;
 #endif
 
-ENGINE *(*ENGINE_by_id)(const char *) = NULL;
-int (*ENGINE_init)(ENGINE *) = NULL;
-int (*ENGINE_finish)(ENGINE *) = NULL;
 ENGINE *(*ENGINE_get_default_RAND)(void) = NULL;
 int (*ENGINE_set_default_RAND)(ENGINE *) = NULL;
 void (*ENGINE_unregister_RAND)(ENGINE *) = NULL;
+
+#if !CRYPTOGRAPHY_IS_LIBRESSL
+ENGINE *(*ENGINE_by_id)(const char *) = NULL;
+int (*ENGINE_init)(ENGINE *) = NULL;
+int (*ENGINE_finish)(ENGINE *) = NULL;
 int (*ENGINE_ctrl_cmd)(ENGINE *, const char *, long, void *,
                        void (*)(void), int) = NULL;
 
@@ -66,6 +68,7 @@
                                      void *) = NULL;
 EVP_PKEY *(*ENGINE_load_public_key)(ENGINE *, const char *,
                                     UI_METHOD *, void *) = NULL;
+#endif
 
 #else
 static const long Cryptography_HAS_ENGINE = 1;
diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py
@@ -10,7 +10,7 @@
     "__copyright__",
 ]
 
-__version__ = "41.0.6"
+__version__ = "41.0.7"
 
 
 __author__ = "The Python Cryptographic Authority and individual contributors"
diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock
diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs
@@ -105,6 +105,7 @@ fn dh_parameters_from_numbers(
     Ok(openssl::dh::Dh::from_pqg(p, q, g)?)
 }
 
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 #[pyo3::prelude::pyfunction]
 fn from_private_numbers(
     py: pyo3::Python<'_>,
@@ -131,6 +132,7 @@ fn from_private_numbers(
     Ok(DHPrivateKey { pkey })
 }
 
+#[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
 #[pyo3::prelude::pyfunction]
 fn from_public_numbers(
     py: pyo3::Python<'_>,
@@ -226,6 +228,7 @@ impl DHPrivateKey {
         )?)
     }
 
+    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
     fn public_key(&self) -> CryptographyResult<DHPublicKey> {
         let orig_dh = self.pkey.dh().unwrap();
         let dh = clone_dh(&orig_dh)?;
@@ -353,6 +356,7 @@ impl DHPublicKey {
 
 #[pyo3::prelude::pymethods]
 impl DHParameters {
+    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
     fn generate_private_key(&self) -> CryptographyResult<DHPrivateKey> {
         let dh = clone_dh(&self.dh)?.generate_key()?;
         Ok(DHPrivateKey {
@@ -424,7 +428,9 @@ pub(crate) fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelu
     m.add_function(pyo3::wrap_pyfunction!(public_key_from_ptr, m)?)?;
     m.add_function(pyo3::wrap_pyfunction!(from_der_parameters, m)?)?;
     m.add_function(pyo3::wrap_pyfunction!(from_pem_parameters, m)?)?;
+    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
     m.add_function(pyo3::wrap_pyfunction!(from_private_numbers, m)?)?;
+    #[cfg(not(CRYPTOGRAPHY_IS_BORINGSSL))]
     m.add_function(pyo3::wrap_pyfunction!(from_public_numbers, m)?)?;
     m.add_function(pyo3::wrap_pyfunction!(from_parameter_numbers, m)?)?;
 
diff --git a/src/rust/src/backend/ed25519.rs b/src/rust/src/backend/ed25519.rs
@@ -121,7 +121,8 @@ impl Ed25519PrivateKey {
 impl Ed25519PublicKey {
     fn verify(&self, signature: &[u8], data: &[u8]) -> CryptographyResult<()> {
         let valid = openssl::sign::Verifier::new_without_digest(&self.pkey)?
-            .verify_oneshot(signature, data)?;
+            .verify_oneshot(signature, data)
+            .unwrap_or(false);
 
         if !valid {
             return Err(CryptographyError::from(
diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py
@@ -6,4 +6,4 @@
     "__version__",
 ]
 
-__version__ = "41.0.6"
+__version__ = "41.0.7"
diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "cryptography_vectors"
-version = "41.0.6"
+version = "41.0.7"
 authors = [
     {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"}
 ]

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ build-backend = "setuptools.build_meta"`
`11`	`11`
`12`	`12`	`[project]`
`13`	`13`	`name = "cryptography"`
`14`		`-version = "41.0.6"`
	`14`	`+version = "41.0.7"`
`15`	`15`	`authors = [`
`16`	`16`	`{name = "The Python Cryptographic Authority and individual contributors", email = "[email protected]"}`
`17`	`17`	`]`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`"__copyright__",`
`11`	`11`	`]`
`12`	`12`
`13`		`-__version__ = "41.0.6"`
	`13`	`+__version__ = "41.0.7"`
`14`	`14`
`15`	`15`
`16`	`16`	`__author__ = "The Python Cryptographic Authority and individual contributors"`
Original file line number	Diff line number	Diff line change
`@@ -6,4 +6,4 @@`
`6`	`6`	`"__version__",`
`7`	`7`	`]`
`8`	`8`
`9`		`-__version__ = "41.0.6"`
	`9`	`+__version__ = "41.0.7"`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"`
`4`	`4`
`5`	`5`	`[project]`
`6`	`6`	`name = "cryptography_vectors"`
`7`		`-version = "41.0.6"`
	`7`	`+version = "41.0.7"`
`8`	`8`	`authors = [`
`9`	`9`	`{name = "The Python Cryptographic Authority and individual contributors", email = "[email protected]"}`
`10`	`10`	`]`