Run tests/wycheproof/ on BoringSSL (#6583)

3 files changed, 15 insertions, 3 deletions

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ba7b7170e..5126f2ea1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,7 +42,7 @@ jobs:
           - {VERSION: "3.9", TOXENV: "py39", OPENSSL: {TYPE: "libressl", VERSION: "3.4.1"}}
           - {VERSION: "3.10", TOXENV: "py310"}
           # Latest commit on the main-with-bazel branch, as of November 8, 2021
-          - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--ignore=tests/hazmat/backends/ --ignore=tests/hazmat/bindings/ --ignore=tests/hazmat/primitives/ --ignore=tests/wycheproof/ --ignore=tests/x509/", OPENSSL: {TYPE: "boringssl", VERSION: "4fb158925f7753d80fb858cb0239dff893ef9f15"}}
+          - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--ignore=tests/hazmat/backends/ --ignore=tests/hazmat/bindings/ --ignore=tests/hazmat/primitives/ --ignore=tests/x509/", OPENSSL: {TYPE: "boringssl", VERSION: "4fb158925f7753d80fb858cb0239dff893ef9f15"}}
         RUST:
           - stable
     name: "${{ matrix.PYTHON.TOXENV }} ${{ matrix.PYTHON.OPENSSL.TYPE }} ${{ matrix.PYTHON.OPENSSL.VERSION }} ${{ matrix.PYTHON.TOXARGS }} ${{ matrix.PYTHON.OPENSSL.CONFIG_FLAGS }}"
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 4e1a549c9..fd5ad291d 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -1825,7 +1825,10 @@ class Backend(BackendInterface):
     def x448_supported(self):
         if self._fips_enabled:
             return False
-        return not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+        return (
+            not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+            and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL
+        )
 
     def ed25519_supported(self):
         if self._fips_enabled:
@@ -1867,7 +1870,10 @@ class Backend(BackendInterface):
     def ed448_supported(self):
         if self._fips_enabled:
             return False
-        return not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B
+        return (
+            not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B
+            and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL
+        )
 
     def ed448_load_public_bytes(self, data):
         utils._check_bytes("data", data)
diff --git a/src/cryptography/hazmat/primitives/ciphers/aead.py b/src/cryptography/hazmat/primitives/ciphers/aead.py
index d47bb445c..842839042 100644
--- a/src/cryptography/hazmat/primitives/ciphers/aead.py
+++ b/src/cryptography/hazmat/primitives/ciphers/aead.py
@@ -91,6 +91,12 @@ class AESCCM(object):
 
         self._tag_length = tag_length
 
+        if not backend.aead_cipher_supported(self):
+            raise exceptions.UnsupportedAlgorithm(
+                "AESCCM is not supported by this version of OpenSSL",
+                exceptions._Reasons.UNSUPPORTED_CIPHER,
+            )
+
     @classmethod
     def generate_key(cls, bit_length: int) -> bytes:
         if not isinstance(bit_length, int):