Use a series of constants for OpenSSL version checks (#3037)
* Use a series of constants for OpenSSL version checks.
N.B. I removed several qualifiers that were being used to express beta vs. release in OpenSSL version numbers. Reviewers please look closely!
* Convert some python as well, also add the file
* flake8
* Simplify code, remove functionality that can be expressed more simply
* clean up the tests as well
* more constants
* wrap long lines
* reflect feedback
* unused
* add this back?
diff --git a/src/_cffi_src/build_openssl.py b/src/_cffi_src/build_openssl.py
index 14ba5b3..3dcece5 100644
--- a/src/_cffi_src/build_openssl.py
+++ b/src/_cffi_src/build_openssl.py
@@ -37,25 +37,13 @@
return ["ssl", "crypto"]
-_PRE_INCLUDE = """
-#include <openssl/opensslv.h>
-/*
- LibreSSL removed e_os2.h from the public headers so we'll only include it
- if we're using vanilla OpenSSL.
-*/
-#if !defined(LIBRESSL_VERSION_NUMBER)
-#include <openssl/e_os2.h>
-#endif
-#if defined(_WIN32)
-#include <windows.h>
-#endif
-"""
-
-
ffi = build_ffi_for_binding(
module_name="_openssl",
module_prefix="_cffi_src.openssl.",
modules=[
+ # This goes first so we can define some cryptography-wide symbols.
+ "cryptography",
+
"aes",
"asn1",
"bignum",
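Review bot: The position of `"cryptography"` in `modules` is now load-bearing, and the one-line comment undersells that. The `CRYPTOGRAPHY_OPENSSL_*` macros are defined only by that module's INCLUDES, while cmac.py already tests `CRYPTOGRAPHY_OPENSSL_101_OR_GREATER` inside its own INCLUDES. The C preprocessor evaluates an undefined identifier in `#if` as 0, so if the entry is ever moved or dropped, the version checks would silently take the other branch instead of failing the build (assuming, as the `verify_source` join in utils.py suggests, that sources are concatenated in list order). I would spell this out, e.g. `# Must stay first: later modules test CRYPTOGRAPHY_OPENSSL_* in #if, and an undefined macro there silently evaluates to 0.`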
@@ -88,7 +76,6 @@
"pkcs7",
"callbacks",
],
- pre_include=_PRE_INCLUDE,
libraries=_get_openssl_libraries(sys.platform),
extra_link_args=extra_link_args(compiler_type()),
)
diff --git a/src/_cffi_src/openssl/aes.py b/src/_cffi_src/openssl/aes.py
index 0841ea7..c54b636 100644
--- a/src/_cffi_src/openssl/aes.py
+++ b/src/_cffi_src/openssl/aes.py
@@ -38,7 +38,7 @@
CUSTOMIZATIONS = """
static const long Cryptography_HAS_AES_WRAP = 1;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !defined(LIBRESSL_VERSION_NUMBER)
static const int Cryptography_HAS_AES_CTR128_ENCRYPT = 0;
void (*AES_ctr128_encrypt)(const unsigned char *, unsigned char *,
size_t, const AES_KEY *,
diff --git a/src/_cffi_src/openssl/cmac.py b/src/_cffi_src/openssl/cmac.py
index f4a3686..24aa4b3 100644
--- a/src/_cffi_src/openssl/cmac.py
+++ b/src/_cffi_src/openssl/cmac.py
@@ -5,7 +5,7 @@
from __future__ import absolute_import, division, print_function
INCLUDES = """
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+#if CRYPTOGRAPHY_OPENSSL_101_OR_GREATER
#include <openssl/cmac.h>
#endif
"""
@@ -28,8 +28,9 @@
"""
CUSTOMIZATIONS = """
-#if OPENSSL_VERSION_NUMBER < 0x10001000L
-
+#if CRYPTOGRAPHY_OPENSSL_101_OR_GREATER
+static const long Cryptography_HAS_CMAC = 1;
+#else
static const long Cryptography_HAS_CMAC = 0;
typedef void CMAC_CTX;
CMAC_CTX *(*CMAC_CTX_new)(void) = NULL;
@@ -39,7 +40,5 @@
int (*CMAC_Final)(CMAC_CTX *, unsigned char *, size_t *) = NULL;
int (*CMAC_CTX_copy)(CMAC_CTX *, const CMAC_CTX *) = NULL;
void (*CMAC_CTX_free)(CMAC_CTX *) = NULL;
-#else
-static const long Cryptography_HAS_CMAC = 1;
#endif
"""
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
new file mode 100644
index 0000000..c3b0a1d
--- /dev/null
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -0,0 +1,54 @@
+# This file is dual licensed under the terms of the Apache License, Version
+# 2.0, and the BSD License. See the LICENSE file in the root of this repository
+# for complete details.
+
+from __future__ import absolute_import, division, print_function
+
+INCLUDES = """
+#include <openssl/opensslv.h>
+/*
+ LibreSSL removed e_os2.h from the public headers so we'll only include it
+ if we're using vanilla OpenSSL.
+*/
+#if !defined(LIBRESSL_VERSION_NUMBER)
+#include <openssl/e_os2.h>
+#endif
+#if defined(_WIN32)
+#include <windows.h>
+#endif
+
+#define CRYPTOGRAPHY_OPENSSL_101_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x10001000)
+#define CRYPTOGRAPHY_OPENSSL_102_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x10002000)
+#define CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x10002002)
+#define CRYPTOGRAPHY_OPENSSL_110_OR_GREATER \
+ (OPENSSL_VERSION_NUMBER >= 0x10100000)
+
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_101 \
+ (OPENSSL_VERSION_NUMBER < 0x10001000)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \
+ (OPENSSL_VERSION_NUMBER < 0x10002000)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102BETA3 \
+ (OPENSSL_VERSION_NUMBER < 0x10002003)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 \
+ (OPENSSL_VERSION_NUMBER < 0x10100000)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 \
+ (OPENSSL_VERSION_NUMBER < 0x10100005)
+"""
+
+TYPES = """
+static const int CRYPTOGRAPHY_OPENSSL_101_OR_GREATER;
+
+static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_101;
+"""
+
+FUNCTIONS = """
+"""
+
+MACROS = """
+"""
+
+CUSTOMIZATIONS = """
+"""
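Review bot: Nothing in these definitions says how they behave on LibreSSL, and the call sites depend on it. LibreSSL's opensslv.h reports a fixed `OPENSSL_VERSION_NUMBER` of 0x20000000, so every `*_OR_GREATER` macro is true and every `LESS_THAN_*` macro is false there. The rest of this commit pairs the 1.0.2/1.1.0 checks with `defined(LIBRESSL_VERSION_NUMBER)`, but a future check written without that pairing would select the OpenSSL 1.1.0 code path on LibreSSL. A comment above the `#define` block would help, e.g. `/* OPENSSL_VERSION_NUMBER is 0xMNNFFPPS; LibreSSL reports 0x20000000, so combine these with a LIBRESSL_VERSION_NUMBER test. */`. The same comment could record that `101`, `102` and `110` use a zero status nibble and therefore include the dev and beta builds of those releases.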
diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py
index ab0f396..488b05b 100644
--- a/src/_cffi_src/openssl/dh.py
+++ b/src/_cffi_src/openssl/dh.py
@@ -41,7 +41,7 @@
CUSTOMIZATIONS = """
/* These functions were added in OpenSSL 1.1.0-pre5 (beta2) */
-#if OPENSSL_VERSION_NUMBER < 0x10100005 || defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 || defined(LIBRESSL_VERSION_NUMBER)
void DH_get0_pqg(const DH *dh,
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
{
diff --git a/src/_cffi_src/openssl/dsa.py b/src/_cffi_src/openssl/dsa.py
index c9f3377..5970e2f 100644
--- a/src/_cffi_src/openssl/dsa.py
+++ b/src/_cffi_src/openssl/dsa.py
@@ -38,7 +38,7 @@
CUSTOMIZATIONS = """
/* These functions were added in OpenSSL 1.1.0-pre5 (beta2) */
-#if OPENSSL_VERSION_NUMBER < 0x10100005 || defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 || defined(LIBRESSL_VERSION_NUMBER)
void DSA_get0_pqg(const DSA *d,
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
{
diff --git a/src/_cffi_src/openssl/ec.py b/src/_cffi_src/openssl/ec.py
index 9160309..0853a72 100644
--- a/src/_cffi_src/openssl/ec.py
+++ b/src/_cffi_src/openssl/ec.py
@@ -331,7 +331,7 @@
static const long Cryptography_HAS_EC = 1;
#endif
-#if defined(OPENSSL_NO_EC) || OPENSSL_VERSION_NUMBER < 0x1000100f
+#if defined(OPENSSL_NO_EC) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_101
static const long Cryptography_HAS_EC_1_0_1 = 0;
int (*EC_KEY_get_flags)(const EC_KEY *) = NULL;
@@ -371,7 +371,7 @@
static const long Cryptography_HAS_EC2M = 1;
#endif
-#if defined(OPENSSL_NO_EC) || OPENSSL_VERSION_NUMBER < 0x1000200f || \
+#if defined(OPENSSL_NO_EC) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 || \
defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20020002L
static const long Cryptography_HAS_EC_1_0_2 = 0;
const char *(*EC_curve_nid2nist)(int) = NULL;
diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py
index a768e42..20e115b 100644
--- a/src/_cffi_src/openssl/evp.py
+++ b/src/_cffi_src/openssl/evp.py
@@ -187,14 +187,14 @@
}
EVP_MD_CTX *Cryptography_EVP_MD_CTX_new(void) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || defined(LIBRESSL_VERSION_NUMBER)
return EVP_MD_CTX_create();
#else
return EVP_MD_CTX_new();
#endif
}
void Cryptography_EVP_MD_CTX_free(EVP_MD_CTX *ctx) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || defined(LIBRESSL_VERSION_NUMBER)
EVP_MD_CTX_destroy(ctx);
#else
EVP_MD_CTX_free(ctx);
diff --git a/src/_cffi_src/openssl/hmac.py b/src/_cffi_src/openssl/hmac.py
index 8b85304..daedd32 100644
--- a/src/_cffi_src/openssl/hmac.py
+++ b/src/_cffi_src/openssl/hmac.py
@@ -27,7 +27,7 @@
CUSTOMIZATIONS = """
HMAC_CTX *Cryptography_HMAC_CTX_new(void) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !defined(LIBRESSL_VERSION_NUMBER)
return HMAC_CTX_new();
#else
/* This uses OPENSSL_zalloc in 1.1.0, which is malloc + memset */
@@ -39,7 +39,7 @@
void Cryptography_HMAC_CTX_free(HMAC_CTX *ctx) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !defined(LIBRESSL_VERSION_NUMBER)
return HMAC_CTX_free(ctx);
#else
if (ctx != NULL) {
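Review bot: `return HMAC_CTX_free(ctx);` returns an expression from `Cryptography_HMAC_CTX_free`, which is declared `void`; ISO C does not allow a `return` with an expression in a void function, and stricter compilers warn on it. Since the line sits directly under the rewritten `#if`, it could be changed to `HMAC_CTX_free(ctx);` in the same pass. The function body continues past the end of the hunk.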
diff --git a/src/_cffi_src/openssl/rand.py b/src/_cffi_src/openssl/rand.py
index 73226ee..f4a143e 100644
--- a/src/_cffi_src/openssl/rand.py
+++ b/src/_cffi_src/openssl/rand.py
@@ -33,7 +33,7 @@
"""
CUSTOMIZATIONS = """
-#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if defined(LIBRESSL_VERSION_NUMBER) || CRYPTOGRAPHY_OPENSSL_110_OR_GREATER
static const long Cryptography_HAS_EGD = 0;
int (*RAND_egd)(const char *) = NULL;
int (*RAND_egd_bytes)(const char *, int) = NULL;
diff --git a/src/_cffi_src/openssl/rsa.py b/src/_cffi_src/openssl/rsa.py
index 45e5379..e920cf2 100644
--- a/src/_cffi_src/openssl/rsa.py
+++ b/src/_cffi_src/openssl/rsa.py
@@ -73,7 +73,7 @@
CUSTOMIZATIONS = """
static const long Cryptography_HAS_PSS_PADDING = 1;
-#if OPENSSL_VERSION_NUMBER >= 0x1000100f
+#if CRYPTOGRAPHY_OPENSSL_101_OR_GREATER
static const long Cryptography_HAS_MGF1_MD = 1;
#else
static const long Cryptography_HAS_MGF1_MD = 0;
@@ -87,7 +87,7 @@
#endif
/* These functions were added in OpenSSL 1.1.0-pre5 (beta2) */
-#if OPENSSL_VERSION_NUMBER < 0x10100005 || defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110PRE5 || defined(LIBRESSL_VERSION_NUMBER)
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
{
/* If the fields n and e in r are NULL, the corresponding input
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 922c909..0b81f15 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -451,7 +451,7 @@
CUSTOMIZATIONS = """
/* Added in 1.0.1 but we need it in all versions now due to the great
opaquing. */
-#if OPENSSL_VERSION_NUMBER < 0x1000100fL
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_101
/* from ssl.h */
#define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312
#define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
@@ -470,17 +470,19 @@
return 1;
}
#endif
+
/* Added in 1.0.2 but we need it in all versions now due to the great
opaquing. */
-#if OPENSSL_VERSION_NUMBER < 0x10002001L || defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 || defined(LIBRESSL_VERSION_NUMBER)
/* from ssl/ssl_lib.c */
const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) {
return ctx->method;
}
#endif
+
/* Added in 1.1.0 in the great opaquing, but we need to define it for older
OpenSSLs. Such is our burden. */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || defined(LIBRESSL_VERSION_NUMBER)
/* from ssl/ssl_lib.c */
size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen)
{
@@ -619,7 +621,7 @@
* addition to a definition check. NPN was added in 1.0.1: for any version
* before that, there is no compatibility.
*/
-#if defined(OPENSSL_NO_NEXTPROTONEG) || OPENSSL_VERSION_NUMBER < 0x1000100fL
+#if defined(OPENSSL_NO_NEXTPROTONEG) || CRYPTOGRAPHY_OPENSSL_LESS_THAN_101
static const long Cryptography_HAS_NEXTPROTONEG = 0;
void (*SSL_CTX_set_next_protos_advertised_cb)(SSL_CTX *,
int (*)(SSL *,
@@ -646,7 +648,7 @@
#endif
/* ALPN was added in OpenSSL 1.0.2. */
-#if OPENSSL_VERSION_NUMBER < 0x10002001L && !defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 && !defined(LIBRESSL_VERSION_NUMBER)
int (*SSL_CTX_set_alpn_protos)(SSL_CTX *,
const unsigned char *,
unsigned) = NULL;
@@ -668,7 +670,7 @@
#endif
/* SSL_CTX_set_cert_cb was added in OpenSSL 1.0.2. */
-#if OPENSSL_VERSION_NUMBER < 0x10002001L || defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 || defined(LIBRESSL_VERSION_NUMBER)
void (*SSL_CTX_set_cert_cb)(SSL_CTX *, int (*)(SSL *, void *), void *) = NULL;
void (*SSL_set_cert_cb)(SSL *, int (*)(SSL *, void *), void *) = NULL;
static const long Cryptography_HAS_SET_CERT_CB = 0;
@@ -697,7 +699,7 @@
/* in OpenSSL 1.1.0 the SSL_ST values were renamed to TLS_ST and several were
removed */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || defined(LIBRESSL_VERSION_NUMBER)
static const long Cryptography_HAS_SSL_ST = 1;
#else
static const long Cryptography_HAS_SSL_ST = 0;
@@ -706,7 +708,7 @@
static const long SSL_ST_INIT = 0;
static const long SSL_ST_RENEGOTIATE = 0;
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && !defined(LIBRESSL_VERSION_NUMBER)
static const long Cryptography_HAS_TLS_ST = 1;
#else
static const long Cryptography_HAS_TLS_ST = 0;
diff --git a/src/_cffi_src/openssl/x509.py b/src/_cffi_src/openssl/x509.py
index 8ab950f..673250b 100644
--- a/src/_cffi_src/openssl/x509.py
+++ b/src/_cffi_src/openssl/x509.py
@@ -350,7 +350,7 @@
CUSTOMIZATIONS = """
/* Added in 1.0.2 beta but we need it in all versions now due to the great
opaquing. */
-#if OPENSSL_VERSION_NUMBER < 0x10002001L || defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 || defined(LIBRESSL_VERSION_NUMBER)
/* from x509/x_x509.c version 1.0.2 */
void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
const X509 *x)
@@ -367,9 +367,10 @@
}
#endif
-/* Added in 1.0.2 but we need it in all versions now due to the great
+
+/* Added in 1.0.2beta3 but we need it in all versions now due to the great
opaquing. */
-#if OPENSSL_VERSION_NUMBER < 0x10002003L || defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_102BETA3 || defined(LIBRESSL_VERSION_NUMBER)
/* from x509/x_x509.c */
int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
{
@@ -405,7 +406,7 @@
/* Added in 1.1.0 but we need it in all versions now due to the great
opaquing. */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 || defined(LIBRESSL_VERSION_NUMBER)
X509_ALGOR *X509_get0_tbs_sigalg(X509 *x)
{
diff --git a/src/_cffi_src/openssl/x509_vfy.py b/src/_cffi_src/openssl/x509_vfy.py
index 4e389b3..7821d19 100644
--- a/src/_cffi_src/openssl/x509_vfy.py
+++ b/src/_cffi_src/openssl/x509_vfy.py
@@ -195,8 +195,9 @@
"""
CUSTOMIZATIONS = """
-/* OpenSSL 1.0.2+ verification error codes */
-#if OPENSSL_VERSION_NUMBER >= 0x10002002L && !defined(LIBRESSL_VERSION_NUMBER)
+/* OpenSSL 1.0.2beta2+ verification error codes */
+#if CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER && \
+ !defined(LIBRESSL_VERSION_NUMBER)
static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 1;
#else
static const long Cryptography_HAS_102_VERIFICATION_ERROR_CODES = 0;
@@ -211,8 +212,9 @@
static const long X509_V_ERR_IP_ADDRESS_MISMATCH = 0;
#endif
-/* OpenSSL 1.0.2+ verification parameters */
-#if OPENSSL_VERSION_NUMBER >= 0x10002002L && !defined(LIBRESSL_VERSION_NUMBER)
+/* OpenSSL 1.0.2beta2+ verification parameters */
+#if CRYPTOGRAPHY_OPENSSL_102BETA2_OR_GREATER && \
+ !defined(LIBRESSL_VERSION_NUMBER)
static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 1;
#else
static const long Cryptography_HAS_102_VERIFICATION_PARAMS = 0;
diff --git a/src/_cffi_src/utils.py b/src/_cffi_src/utils.py
index bdce2f3..00c8bad 100644
--- a/src/_cffi_src/utils.py
+++ b/src/_cffi_src/utils.py
@@ -11,9 +11,8 @@
from cffi import FFI
-def build_ffi_for_binding(module_name, module_prefix, modules, pre_include="",
- post_include="", libraries=[], extra_compile_args=[],
- extra_link_args=[]):
+def build_ffi_for_binding(module_name, module_prefix, modules, libraries=[],
+ extra_compile_args=[], extra_link_args=[]):
"""
Modules listed in ``modules`` should have the following attributes:
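Review bot: The rewritten signature keeps the mutable defaults `libraries=[]`, `extra_compile_args=[]` and `extra_link_args=[]`, which are shared between calls. The body lies mostly outside the hunk, so whether any of the lists is mutated is not visible, but `libraries=None, extra_compile_args=None, extra_link_args=None` with `libraries = libraries or []` inside would remove the risk. Dropping `pre_include` and `post_include` also moves `libraries` into the fourth positional slot, so any caller that passed a pre-include string positionally would now hand it over as the library list; the caller in build_openssl.py uses keywords and is unaffected.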
@@ -49,9 +48,7 @@
# int foo(int);
# int foo(short);
verify_source = "\n".join(
- [pre_include] +
includes +
- [post_include] +
functions +
customizations
)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 948584f..3449e21 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -699,7 +699,7 @@
if not isinstance(algorithm, hashes.HashAlgorithm):
raise TypeError('Algorithm must be a registered hash algorithm.')
- if self._lib.OPENSSL_VERSION_NUMBER <= 0x10001000:
+ if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
if isinstance(private_key, _DSAPrivateKey):
raise NotImplementedError(
"Certificate signing requests aren't implemented for DSA"
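Review bot: The comparison here is not equivalent to the one it replaces. The old line was `OPENSSL_VERSION_NUMBER <= 0x10001000`, while `CRYPTOGRAPHY_OPENSSL_LESS_THAN_101` is defined as `< 0x10001000`, so a library reporting exactly 0x10001000 (a 1.0.1 development build) no longer raises NotImplementedError for DSA keys here and goes on to the signing code. The same substitution is made in the certificate-signing and CRL-signing hunks below. If that is intended, a short comment such as `# 1.0.1-dev (0x10001000) counts as 1.0.1 here` would record it. The enclosing method starts and ends outside the hunk.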
@@ -777,7 +777,7 @@
if not isinstance(algorithm, hashes.HashAlgorithm):
raise TypeError('Algorithm must be a registered hash algorithm.')
- if self._lib.OPENSSL_VERSION_NUMBER <= 0x10001000:
+ if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
if isinstance(private_key, _DSAPrivateKey):
raise NotImplementedError(
"Certificate signatures aren't implemented for DSA"
@@ -869,7 +869,7 @@
if not isinstance(algorithm, hashes.HashAlgorithm):
raise TypeError('Algorithm must be a registered hash algorithm.')
- if self._lib.OPENSSL_VERSION_NUMBER <= 0x10001000:
+ if self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
if isinstance(private_key, _DSAPrivateKey):
raise NotImplementedError(
"CRL signatures aren't implemented for DSA"
diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py
index 2d3bf24..38f1134 100644
--- a/tests/hazmat/backends/test_openssl.py
+++ b/tests/hazmat/backends/test_openssl.py
@@ -320,7 +320,7 @@
key_size=256)
@pytest.mark.skipif(
- backend._lib.OPENSSL_VERSION_NUMBER >= 0x1000100f,
+ backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
reason="Requires an older OpenSSL. Must be < 1.0.1"
)
def test_non_sha1_pss_mgf1_hash_algorithm_on_old_openssl(self):
@@ -495,7 +495,7 @@
@pytest.mark.skipif(
- backend._lib.OPENSSL_VERSION_NUMBER <= 0x10001000,
+ backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101,
reason="Requires an OpenSSL version >= 1.0.1"
)
class TestOpenSSLCMAC(object):
@@ -506,7 +506,7 @@
class TestOpenSSLCreateX509CSR(object):
@pytest.mark.skipif(
- backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000,
+ backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
reason="Requires an older OpenSSL. Must be < 1.0.1"
)
def test_unsupported_dsa_keys(self):
@@ -516,7 +516,7 @@
backend.create_x509_csr(object(), private_key, hashes.SHA1())
@pytest.mark.skipif(
- backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000,
+ backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
reason="Requires an older OpenSSL. Must be < 1.0.1"
)
def test_unsupported_ec_keys(self):
@@ -537,7 +537,7 @@
)
@pytest.mark.skipif(
- backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000,
+ backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
reason="Requires an older OpenSSL. Must be < 1.0.1"
)
def test_sign_with_dsa_private_key_is_unsupported(self):
@@ -561,7 +561,7 @@
builder.sign(private_key, hashes.SHA512(), backend)
@pytest.mark.skipif(
- backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000,
+ backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
reason="Requires an older OpenSSL. Must be < 1.0.1"
)
def test_sign_with_ec_private_key_is_unsupported(self):
@@ -594,7 +594,7 @@
backend.create_x509_crl(object(), private_key, hashes.SHA256())
@pytest.mark.skipif(
- backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000,
+ backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
reason="Requires an older OpenSSL. Must be < 1.0.1"
)
def test_sign_with_dsa_private_key_is_unsupported(self):
@@ -612,7 +612,7 @@
builder.sign(private_key, hashes.SHA1(), backend)
@pytest.mark.skipif(
- backend._lib.OPENSSL_VERSION_NUMBER >= 0x10001000,
+ backend._lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER,
reason="Requires an older OpenSSL. Must be < 1.0.1"
)
def test_sign_with_ec_private_key_is_unsupported(self):
diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py
index 41c653b..f41bcf3 100644
--- a/tests/hazmat/bindings/test_openssl.py
+++ b/tests/hazmat/bindings/test_openssl.py
@@ -138,7 +138,7 @@
def test_conditional_removal(self):
b = Binding()
- if b.lib.OPENSSL_VERSION_NUMBER >= 0x10001000:
+ if b.lib.CRYPTOGRAPHY_OPENSSL_101_OR_GREATER:
assert b.lib.CMAC_Init
else:
with pytest.raises(AttributeError):
diff --git a/tests/test_x509.py b/tests/test_x509.py
index ebe6dc5..40efb6d 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1935,7 +1935,7 @@
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_dsa_private_key(self, backend):
- if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
+ if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
issuer_private_key = DSA_KEY_2048.private_key(backend)
@@ -1983,7 +1983,7 @@
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_build_cert_with_ec_private_key(self, backend):
- if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
+ if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
_skip_curve_unsupported(backend, ec.SECP256R1())
@@ -2537,7 +2537,7 @@
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
def test_build_ca_request_with_ec(self, backend):
- if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
+ if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
_skip_curve_unsupported(backend, ec.SECP256R1())
@@ -2567,7 +2567,7 @@
@pytest.mark.requires_backend_interface(interface=DSABackend)
def test_build_ca_request_with_dsa(self, backend):
- if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
+ if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
private_key = DSA_KEY_2048.private_key(backend)
diff --git a/tests/test_x509_crlbuilder.py b/tests/test_x509_crlbuilder.py
index 32a0748..96311ee 100644
--- a/tests/test_x509_crlbuilder.py
+++ b/tests/test_x509_crlbuilder.py
@@ -309,7 +309,7 @@
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_sign_dsa_key(self, backend):
- if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
+ if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
private_key = DSA_KEY_2048.private_key(backend)
invalidity_date = x509.InvalidityDate(
@@ -355,7 +355,7 @@
@pytest.mark.requires_backend_interface(interface=EllipticCurveBackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)
def test_sign_ec_key_unsupported(self, backend):
- if backend._lib.OPENSSL_VERSION_NUMBER < 0x10001000:
+ if backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_101:
pytest.skip("Requires a newer OpenSSL. Must be >= 1.0.1")
_skip_curve_unsupported(backend, ec.SECP256R1())
private_key = ec.generate_private_key(ec.SECP256R1(), backend)