authorAlex Gaynor <alex.gaynor@gmail.com>2022-11-06 15:58:59 -0500
committerGitHub <noreply@github.com>2022-11-07 04:58:59 +0800
commit9a30cf5ad1acfe8e54d8efd3d0d3ea1d29ae64db (patch)
treed2234613bcd8c3ae8272df1c168a09a1c5ff7df5 /src/_cffi_src
parentae38e5f1e1d06613acc47a2f259a1419ff1b5316 (diff)
downloadcryptography-9a30cf5ad1acfe8e54d8efd3d0d3ea1d29ae64db.tar.gz
Update minimum LibreSSL to 3.5 (#7780)
This is the version of LibreSSL shipped in OpenBSD 7.1, the oldest OpenBSD release currently supported.
Diffstat (limited to 'src/_cffi_src')
-rw-r--r--src/_cffi_src/openssl/cryptography.py5
-rw-r--r--src/_cffi_src/openssl/dh.py114
-rw-r--r--src/_cffi_src/openssl/evp.py11
-rw-r--r--src/_cffi_src/openssl/fips.py2
-rw-r--r--src/_cffi_src/openssl/ssl.py14
5 files changed, 3 insertions, 143 deletions
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index 6223ed5fb..f53ee72ac 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -40,13 +40,10 @@ INCLUDES = """
#endif
#if CRYPTOGRAPHY_IS_LIBRESSL
-#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 \
- (LIBRESSL_VERSION_NUMBER < 0x3050000f)
#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_360 \
(LIBRESSL_VERSION_NUMBER < 0x3060000f)
#else
-#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 (0)
#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_360 (0)
#endif
@@ -81,8 +78,6 @@ static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E;
static const int CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE;
-static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350;
-
static const int CRYPTOGRAPHY_IS_LIBRESSL;
static const int CRYPTOGRAPHY_IS_BORINGSSL;
"""
diff --git a/src/_cffi_src/openssl/dh.py b/src/_cffi_src/openssl/dh.py
index cbf2e9a0a..44b3d817a 100644
--- a/src/_cffi_src/openssl/dh.py
+++ b/src/_cffi_src/openssl/dh.py
@@ -26,7 +26,7 @@ int DH_set0_pqg(DH *, BIGNUM *, BIGNUM *, BIGNUM *);
void DH_get0_key(const DH *, const BIGNUM **, const BIGNUM **);
int DH_set0_key(DH *, BIGNUM *, BIGNUM *);
-int Cryptography_DH_check(const DH *, int *);
+int DH_check(const DH *, int *);
int DH_generate_parameters_ex(DH *, int, int, BN_GENCB *);
DH *d2i_DHparams_bio(BIO *, DH **);
int i2d_DHparams_bio(BIO *, DH *);
@@ -35,118 +35,6 @@ int i2d_DHxparams_bio(BIO *, DH *);
"""
CUSTOMIZATIONS = """
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350
-#ifndef DH_CHECK_Q_NOT_PRIME
-#define DH_CHECK_Q_NOT_PRIME 0x10
-#endif
-
-#ifndef DH_CHECK_INVALID_Q_VALUE
-#define DH_CHECK_INVALID_Q_VALUE 0x20
-#endif
-
-#ifndef DH_CHECK_INVALID_J_VALUE
-#define DH_CHECK_INVALID_J_VALUE 0x40
-#endif
-
-/* DH_check implementation taken from OpenSSL 1.1.0pre6 */
-
-/*-
- * Check that p is a safe prime and
- * if g is 2, 3 or 5, check that it is a suitable generator
- * where
- * for 2, p mod 24 == 11
- * for 3, p mod 12 == 5
- * for 5, p mod 10 == 3 or 7
- * should hold.
- */
-
-int Cryptography_DH_check(const DH *dh, int *ret)
-{
- int ok = 0, r;
- BN_CTX *ctx = NULL;
- BN_ULONG l;
- BIGNUM *t1 = NULL, *t2 = NULL;
-
- *ret = 0;
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
- BN_CTX_start(ctx);
- t1 = BN_CTX_get(ctx);
- if (t1 == NULL)
- goto err;
- t2 = BN_CTX_get(ctx);
- if (t2 == NULL)
- goto err;
-
- if (dh->q) {
- if (BN_cmp(dh->g, BN_value_one()) <= 0)
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- else if (BN_cmp(dh->g, dh->p) >= 0)
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- else {
- /* Check g^q == 1 mod p */
- if (!BN_mod_exp(t1, dh->g, dh->q, dh->p, ctx))
- goto err;
- if (!BN_is_one(t1))
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- }
- r = BN_is_prime_ex(dh->q, BN_prime_checks, ctx, NULL);
- if (r < 0)
- goto err;
- if (!r)
- *ret |= DH_CHECK_Q_NOT_PRIME;
- /* Check p == 1 mod q i.e. q divides p - 1 */
- if (!BN_div(t1, t2, dh->p, dh->q, ctx))
- goto err;
- if (!BN_is_one(t2))
- *ret |= DH_CHECK_INVALID_Q_VALUE;
- if (dh->j && BN_cmp(dh->j, t1))
- *ret |= DH_CHECK_INVALID_J_VALUE;
-
- } else if (BN_is_word(dh->g, DH_GENERATOR_2)) {
- l = BN_mod_word(dh->p, 24);
- if (l == (BN_ULONG)-1)
- goto err;
- if (l != 11)
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- } else if (BN_is_word(dh->g, DH_GENERATOR_5)) {
- l = BN_mod_word(dh->p, 10);
- if (l == (BN_ULONG)-1)
- goto err;
- if ((l != 3) && (l != 7))
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- } else
- *ret |= DH_UNABLE_TO_CHECK_GENERATOR;
-
- r = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL);
- if (r < 0)
- goto err;
- if (!r)
- *ret |= DH_CHECK_P_NOT_PRIME;
- else if (!dh->q) {
- if (!BN_rshift1(t1, dh->p))
- goto err;
- r = BN_is_prime_ex(t1, BN_prime_checks, ctx, NULL);
- if (r < 0)
- goto err;
- if (!r)
- *ret |= DH_CHECK_P_NOT_SAFE_PRIME;
- }
- ok = 1;
- err:
- if (ctx != NULL) {
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- }
- return (ok);
-}
-#else
-int Cryptography_DH_check(const DH *dh, int *ret) {
- return DH_check(dh, ret);
-}
-#endif
-
#if !(defined(EVP_PKEY_DHX) && EVP_PKEY_DHX != -1)
DH *(*d2i_DHxparams_bio)(BIO *bp, DH **x) = NULL;
int (*i2d_DHxparams_bio)(BIO *bp, DH *x) = NULL;
diff --git a/src/_cffi_src/openssl/evp.py b/src/_cffi_src/openssl/evp.py
index ca25c35c8..7a3ae2744 100644
--- a/src/_cffi_src/openssl/evp.py
+++ b/src/_cffi_src/openssl/evp.py
@@ -215,17 +215,6 @@ static const long Cryptography_HAS_RAW_KEY = 1;
static const long Cryptography_HAS_EVP_DIGESTFINAL_XOF = 1;
#endif
-/* These defines are needed for CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 */
-#if !defined(EVP_CTRL_AEAD_SET_IVLEN)
-# define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
-#endif
-#if !defined(EVP_CTRL_AEAD_GET_TAG)
-# define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
-#endif
-#if !defined(EVP_CTRL_AEAD_SET_TAG)
-# define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
-#endif
-
/* This is tied to X25519 support so we reuse the Cryptography_HAS_X25519
conditional to remove it. OpenSSL 1.1.0 didn't have this define, but
1.1.1 will when it is released. We can remove this in the distant
diff --git a/src/_cffi_src/openssl/fips.py b/src/_cffi_src/openssl/fips.py
index dd81d06cf..9fb1e7aed 100644
--- a/src/_cffi_src/openssl/fips.py
+++ b/src/_cffi_src/openssl/fips.py
@@ -17,7 +17,7 @@ int FIPS_mode(void);
"""
CUSTOMIZATIONS = """
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 || CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+#if CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
static const long Cryptography_HAS_FIPS = 0;
int (*FIPS_mode_set)(int) = NULL;
int (*FIPS_mode)(void) = NULL;
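Review bot: Dropping the LibreSSL clause from the `#if` at the top of this hunk sends every LibreSSL >= 3.5 build (and BoringSSL, as before) into the `#else` branch, which lies outside the hunk and presumably sets `Cryptography_HAS_FIPS = 1` and keeps the real `FIPS_mode`/`FIPS_mode_set` declarations. On LibreSSL those symbols, where present, are to my knowledge stub implementations that never enable a FIPS mode — worth confirming against the 3.5 headers — so the flag now means "the symbols link", not "FIPS mode can be turned on", and Python-side code that reads it the second way would behave differently on LibreSSL than on OpenSSL 1.1.x. A comment on the condition would prevent that misreading: `/* OpenSSL 3 removed FIPS_mode()/FIPS_mode_set() in favour of providers. Every other supported backend (OpenSSL 1.1.x, LibreSSL >= 3.5, BoringSSL) links the symbols, but they may be stubs that simply report FIPS mode as off. */`. The enclosing `#if/#else/#endif` ends outside the hunk.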
diff --git a/src/_cffi_src/openssl/ssl.py b/src/_cffi_src/openssl/ssl.py
index 5a386773e..0a6a124e1 100644
--- a/src/_cffi_src/openssl/ssl.py
+++ b/src/_cffi_src/openssl/ssl.py
@@ -523,26 +523,14 @@ static const long Cryptography_HAS_TLSEXT_HOSTNAME = 1;
int (*SSL_CTX_set_client_cert_engine)(SSL_CTX *, ENGINE *) = NULL;
#endif
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 || CRYPTOGRAPHY_IS_BORINGSSL
+#if CRYPTOGRAPHY_IS_BORINGSSL
static const long Cryptography_HAS_VERIFIED_CHAIN = 0;
Cryptography_STACK_OF_X509 *(*SSL_get0_verified_chain)(const SSL *) = NULL;
#else
static const long Cryptography_HAS_VERIFIED_CHAIN = 1;
#endif
-#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350
-static const long Cryptography_HAS_KEYLOG = 0;
-void (*SSL_CTX_set_keylog_callback)(SSL_CTX *,
- void (*) (const SSL *, const char *)
- ) = NULL;
-void (*(*SSL_CTX_get_keylog_callback)(SSL_CTX *))(
- const SSL *,
- const char *
- ) = NULL;
-#else
static const long Cryptography_HAS_KEYLOG = 1;
-#endif
-
static const long Cryptography_HAS_SECURE_RENEGOTIATION = 1;
#ifdef OPENSSL_NO_SSL3_METHOD
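Review bot: `Cryptography_HAS_KEYLOG = 1` is now an unconditional constant with no `#if` around it, so the feature flag no longer conveys anything and any Python-side `if lib.Cryptography_HAS_KEYLOG` guard (not visible here, so hedged) is dead code; either retire the flag in a follow-up or say why it stays, e.g. `/* Keylog callbacks exist on every supported backend; flag retained only for the binding's feature table. */`. The remaining `#if CRYPTOGRAPHY_IS_BORINGSSL` branch for `SSL_get0_verified_chain` also deserves a one-line reason, since the distinction is security-relevant: the verified chain is what the library actually validated, whereas whatever the Python side falls back to for BoringSSL (presumably the peer-sent chain) is unvalidated input — `/* BoringSSL has no SSL_get0_verified_chain; callers must not treat the peer-sent chain as a verified one. */`. Whether LibreSSL 3.5 exports `SSL_get0_verified_chain` and `SSL_CTX_get_keylog_callback` is the premise of this change and should be confirmed against its headers rather than assumed.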