OpenSSL 1.1.0 support (#2826)
* make pre5 work
* add a blank line to make the diff happier
* 1.1.0-pre6 working
* support the changes since 1.1.0-pre6
* fixes
* add 1.1.0 to travis
* expose the symbol
* better testing for numericstring
* handle libre...
* actually use the 1.1.0 we compile
* cache the ossl-110 dir on travis
* add some newlines
* changelog entry for 1.1.0 support
* note that we test on 1.1.0
* proper skip on this test
* reorder
diff --git a/.travis.yml b/.travis.yml
index 74e8b26..1b33c6f 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -6,6 +6,7 @@
directories:
- $HOME/.cache/pip
- $HOME/ossl-100t
+ - $HOME/ossl-110
matrix:
include:
@@ -30,6 +31,10 @@
- python: 3.5
env: TOXENV=py35 OPENSSL=1.0.0
- python: 2.7
+ env: TOXENV=py27 OPENSSL=1.1.0
+ - python: 3.5
+ env: TOXENV=py35 OPENSSL=1.1.0
+ - python: 2.7
env: TOXENV=docs
addons:
apt:
diff --git a/.travis/install.sh b/.travis/install.sh
index b8ff31a..5c09b25 100755
--- a/.travis/install.sh
+++ b/.travis/install.sh
@@ -63,6 +63,10 @@
OPENSSL_VERSION_NUMBER="1.0.0t"
OPENSSL_DIR="ossl-100t"
fi
+ if [[ "${OPENSSL}" == "1.1.0" ]]; then
+ OPENSSL_VERSION_NUMBER="1.1.0"
+ OPENSSL_DIR="ossl-110"
+ fi
# download, compile, and install if it's not already present via travis
# cache
if [ -n "$OPENSSL_DIR" ]; then
@@ -72,7 +76,8 @@
cd openssl-$OPENSSL_VERSION_NUMBER
./config shared no-asm no-ssl2 -fPIC --prefix="$HOME/$OPENSSL_DIR"
# modify the shlib version to a unique one to make sure the dynamic
- # linker doesn't load the system one.
+ # linker doesn't load the system one. This isn't required for 1.1.0 at the
+ # moment since our Travis builders have a diff shlib version, but it doesn't hurt
sed -i "s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=100/" Makefile
sed -i "s/^SHLIB_MINOR=.*/SHLIB_MINOR=0.0/" Makefile
sed -i "s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=100.0.0/" Makefile
diff --git a/.travis/run.sh b/.travis/run.sh
index 5c8b53f..22beba0 100755
--- a/.travis/run.sh
+++ b/.travis/run.sh
@@ -29,6 +29,9 @@
if [[ "${OPENSSL}" == "1.0.0" ]]; then
OPENSSL_DIR="ossl-100t"
fi
+ if [[ "${OPENSSL}" == "1.1.0" ]]; then
+ OPENSSL_DIR="ossl-110"
+ fi
if [ -n "$OPENSSL_DIR" ]; then
export PATH="$HOME/$OPENSSL_DIR/bin:$PATH"
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index fad6454..f874073 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -24,6 +24,7 @@
:class:`~cryptography.x509.CertificateRevocationListBuilder`, and
:class:`~cryptography.x509.RevokedCertificateBuilder` now accept timezone
aware ``datetime`` objects as method arguments
+* ``cryptography`` now supports OpenSSL 1.1.0 as a compilation target.
1.4 - 2016-06-04
diff --git a/docs/installation.rst b/docs/installation.rst
index 2e1b3ae..3d10c36 100644
--- a/docs/installation.rst
+++ b/docs/installation.rst
@@ -34,6 +34,7 @@
* ``OpenSSL 1.0.1j-freebsd``
* ``OpenSSL 1.0.1f``
* ``OpenSSL 1.0.2-latest``
+* ``OpenSSL 1.1.0``
.. warning::
OpenSSL 1.0.0 is no longer supported by the OpenSSL project. Cryptography
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index c3b0a1d..6982401 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -36,12 +36,22 @@
(OPENSSL_VERSION_NUMBER < 0x10100000)
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 \
(OPENSSL_VERSION_NUMBER < 0x10100005)
+
+#if defined(LIBRESSL_VERSION_NUMBER)
+#define CRYPTOGRAPHY_IS_LIBRESSL 1
+#else
+#define CRYPTOGRAPHY_IS_LIBRESSL 0
+#endif
"""
TYPES = """
static const int CRYPTOGRAPHY_OPENSSL_101_OR_GREATER;
+static const int CRYPTOGRAPHY_OPENSSL_110_OR_GREATER;
+
static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_101;
+
+static const int CRYPTOGRAPHY_IS_LIBRESSL;
"""
FUNCTIONS = """
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 3449e21..a1de1a8 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1475,7 +1475,9 @@
check_y = self._lib.BN_CTX_get(bn_ctx)
res = set_func(group, point, bn_x, bn_y, bn_ctx)
- self.openssl_assert(res == 1)
+ if res != 1:
+ self._consume_errors()
+ raise ValueError("EC point not on curve")
res = get_func(group, point, check_x, check_y, bn_ctx)
self.openssl_assert(res == 1)
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 38f1134..4ec8d84 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -728,10 +728,18 @@
x509.load_der_x509_certificate,
backend
)
- with pytest.raises(ValueError) as exc:
- cert.subject
+ if (
+ not backend._lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER or
+ backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
+ ):
+ with pytest.raises(ValueError) as exc:
+ cert.subject
- # We assert on the message in this case because if the certificate
- # fails to load it will also raise a ValueError and this test could
- # erroneously pass.
- assert str(exc.value) == "Unsupported ASN1 string type. Type: 18"
+ # We assert on the message in this case because if the certificate
+ # fails to load it will also raise a ValueError and this test could
+ # erroneously pass.
+ assert str(exc.value) == "Unsupported ASN1 string type. Type: 18"
+ else:
+ assert cert.subject.get_attributes_for_oid(
+ x509.ObjectIdentifier("1.2.643.3.131.1.1")
+ )[0].value == "007710474375"
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index f41bcf3..1c395c2 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -21,6 +21,12 @@
def test_crypto_lock_init(self):
b = Binding()
+ if (
+ b.lib.CRYPTOGRAPHY_OPENSSL_110_OR_GREATER and
+ not b.lib.CRYPTOGRAPHY_IS_LIBRESSL
+ ):
+ pytest.skip("Requires an older OpenSSL. Must be < 1.1.0")
+
b.init_static_locks()
lock_cb = b.lib.CRYPTO_get_locking_callback()
assert lock_cb != b.ffi.NULL