Skip to content

Commit

Permalink
Prepare backports for 42.0.6 release (#10929)
Browse files Browse the repository at this point in the history
* Upgrade openssl package for libressl 3.9.1 support

* Ensure a good error message when cffi module fails to import

* CHANGELOG

* Bump version for 42.0.6 release

* It's not FIPS anymore

* Resolve new clippy warnings (#10755)

The fixes themselves are of marginal value 🙃

* fix warning from latest nightly rust (#10486)

* fix warning from latest nightly rust

* Update lib.rs
  • Loading branch information
alex authored May 4, 2024
1 parent 33833f0 commit cfad004
Show file tree
Hide file tree
Showing 12 changed files with 49 additions and 30 deletions.
1 change: 1 addition & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@ jobs:
- {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}}
- {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}}
- {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}}
- {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}}
- {VERSION: "3.12", NOXSESSION: "tests-randomorder"}
# Latest commit on the BoringSSL master branch, as of Jan 23, 2024.
- {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a4c3f8de4406c2382e43e88a638882fb1a32da32"}}
Expand Down
7 changes: 7 additions & 0 deletions CHANGELOG.rst
Original file line number Diff line number Diff line change
@@ -1,6 +1,13 @@
Changelog
=========

.. _v42-0-6:

42.0.6 - 2024-05-04
~~~~~~~~~~~~~~~~~~~

* Fixed compilation when using LibreSSL 3.9.1.

.. _v42-0-5:

42.0.5 - 2024-02-23
Expand Down
2 changes: 1 addition & 1 deletion pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ build-backend = "setuptools.build_meta"

[project]
name = "cryptography"
version = "42.0.5"
version = "42.0.6"
authors = [
{name = "The Python Cryptographic Authority and individual contributors", email = "[email protected]"}
]
Expand Down
2 changes: 1 addition & 1 deletion src/cryptography/__about__.py
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
"__copyright__",
]

__version__ = "42.0.5"
__version__ = "42.0.6"


__author__ = "The Python Cryptographic Authority and individual contributors"
Expand Down
12 changes: 2 additions & 10 deletions src/cryptography/hazmat/backends/openssl/backend.py
Original file line number Diff line number Diff line change
Expand Up @@ -535,20 +535,12 @@ def dh_x942_serialization_supported(self) -> bool:
return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1

def x25519_supported(self) -> bool:
# Beginning with OpenSSL 3.2.0, X25519 is considered FIPS.
if (
self._fips_enabled
and not self._lib.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER
):
if self._fips_enabled:
return False
return True

def x448_supported(self) -> bool:
# Beginning with OpenSSL 3.2.0, X448 is considered FIPS.
if (
self._fips_enabled
and not self._lib.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER
):
if self._fips_enabled:
return False
return (
not self._lib.CRYPTOGRAPHY_IS_LIBRESSL
Expand Down
8 changes: 4 additions & 4 deletions src/rust/Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion src/rust/cryptography-cffi/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ pub fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::types::PyMod
// SAFETY: `PyInit__openssl` returns an owned reference.
let openssl_mod = unsafe {
let ptr = PyInit__openssl();
pyo3::types::PyModule::from_owned_ptr(py, ptr)
pyo3::types::PyModule::from_owned_ptr_or_err(py, ptr)?
};

Ok(openssl_mod)
Expand Down
1 change: 1 addition & 0 deletions src/rust/src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
// for complete details.

#![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)]
#![allow(unknown_lints, non_local_definitions)]

use crate::error::CryptographyResult;
#[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)]
Expand Down
17 changes: 12 additions & 5 deletions src/rust/src/x509/crl.rs
Original file line number Diff line number Diff line change
Expand Up @@ -455,11 +455,18 @@ fn try_map_arc_data_mut_crl_iterator<E>(
) -> Result<crl::RevokedCertificate<'this>, E>,
) -> Result<OwnedRevokedCertificate, E> {
OwnedRevokedCertificate::try_new(Arc::clone(it.borrow_owner()), |inner_it| {
// SAFETY: This is safe because `Arc::clone` ensures the data is
// alive, but Rust doesn't understand the lifetime relationship it
// produces. Open-coded implementation of the API discussed in
// https://github.com/joshua-maros/ouroboros/issues/38
it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) }))
it.with_dependent_mut(|_, value| {
// SAFETY: This is safe because `Arc::clone` ensures the data is
// alive, but Rust doesn't understand the lifetime relationship it
// produces. Open-coded implementation of the API discussed in
// https://github.com/joshua-maros/ouroboros/issues/38
f(inner_it, unsafe {
std::mem::transmute::<
&mut Option<asn1::SequenceOf<'_, crl::RevokedCertificate<'_>>>,
&mut Option<asn1::SequenceOf<'_, crl::RevokedCertificate<'_>>>,
>(value)
})
})
})
}

Expand Down
23 changes: 17 additions & 6 deletions src/rust/src/x509/ocsp_resp.rs
Original file line number Diff line number Diff line change
Expand Up @@ -418,7 +418,11 @@ fn map_arc_data_ocsp_response(
// alive, but Rust doesn't understand the lifetime relationship it
// produces. Open-coded implementation of the API discussed in
// https://github.com/joshua-maros/ouroboros/issues/38
f(inner_it.as_bytes(py), unsafe { std::mem::transmute(value) })
f(inner_it.as_bytes(py), unsafe {
std::mem::transmute::<&ocsp_resp::OCSPResponse<'_>, &ocsp_resp::OCSPResponse<'_>>(
value,
)
})
})
})
}
Expand All @@ -430,11 +434,18 @@ fn try_map_arc_data_mut_ocsp_response_iterator<E>(
) -> Result<ocsp_resp::SingleResponse<'this>, E>,
) -> Result<OwnedSingleResponse, E> {
OwnedSingleResponse::try_new(Arc::clone(it.borrow_owner()), |inner_it| {
// SAFETY: This is safe because `Arc::clone` ensures the data is
// alive, but Rust doesn't understand the lifetime relationship it
// produces. Open-coded implementation of the API discussed in
// https://github.com/joshua-maros/ouroboros/issues/38
it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) }))
it.with_dependent_mut(|_, value| {
// SAFETY: This is safe because `Arc::clone` ensures the data is
// alive, but Rust doesn't understand the lifetime relationship it
// produces. Open-coded implementation of the API discussed in
// https://github.com/joshua-maros/ouroboros/issues/38
f(inner_it, unsafe {
std::mem::transmute::<
&mut asn1::SequenceOf<'_, ocsp_resp::SingleResponse<'_>>,
&mut asn1::SequenceOf<'_, ocsp_resp::SingleResponse<'_>>,
>(value)
})
})
})
}

Expand Down
2 changes: 1 addition & 1 deletion vectors/cryptography_vectors/__about__.py
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,4 @@
"__version__",
]

__version__ = "42.0.5"
__version__ = "42.0.6"
2 changes: 1 addition & 1 deletion vectors/pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi"

[project]
name = "cryptography_vectors"
version = "42.0.5"
version = "42.0.6"
authors = [
{name = "The Python Cryptographic Authority and individual contributors", email = "[email protected]"}
]
Expand Down

0 comments on commit cfad004

Please sign in to comment.