| Commit message (Collapse) | Author | Age | Files | Lines |
| |
OpenBSD 7.1 is no longer supported so neither is LibreSSL 3.5.x
| |
This removes the OS random engine, which contained the only CPython PSF
licensed code in the repository. Accordingly, that license has now been
removed.
| |
* LibreSSL 3.7 adds support for Ed25519
This brings support for the raw public key API.
* Use feature variable to enable Ed25519
Ed25519 support is available since OpenSSL 1.1.1b and LibreSSL 3.7.0.
| |
This is the version of LibreSSL in OpenBSD 7.1, which is the oldest currently supported.
| |
related: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/base/win/wincrypt_shim.h
this only affects boring on windows as of this commit
| |
This policy is to support things that are in supported versions of OpenBSD. The current oldest supported OpenBSD is 7.0, which included LibreSSL 3.4
| |
OpenBSD 7.0 ships 3.4, and Alpine 3.14 ships 3.3.6
| |
There's still a few TODOs for cleanup.
Refs #7109
| |
* RSA PSS openssl constant
* load PSS keys (OpenSSL only) but strip the constraints
* empty commit for CI, sigh
* review feedback
* nit
| |
* Add LibreSSL 3.5.0 to CI
* Add LibreSSL 3.5.0 guard
* Expose FIPS functions in LibreSSL 3.5.0+
* Expose DH API in LibreSSL 3.5.0+
* Expose SSL_get0_verified_chain and SSL_CTX_{set,get}_keylog_callback in LibreSSL 3.5.0+
* Fix SSL_CTX_{set,get}_keylog_callback guard
* Add missing CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 symbol
* Fix SSL_CTX_{set,get}_keylog_callback guard again
* Condense LibreSSL 3.5.0 defines
* Kick CircleCI
| |
* Drop support for older LibreSSL
3.1 covers the oldest version used by versions of Alpine and OpenBSD that are supported by their upstreams.
* Remove tests that are now unused
* Update CHANGELOG.rst
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
Co-authored-by: Paul Kehrer <paul.l.kehrer@gmail.com>
| |
* Add LibreSSL 3.4.0 to CI
* Add a LibreSSL 3.4.0 guard
Since LibreSSL 3.4.0 makes most of the TLSv1.3 API available, redefine CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 to LibreSSL versions below 3.4.0.
* DTLS_get_data_mtu does not exist in LibreSSL
* Only EVP_Digest{Sign,Verify} exist in LibreSSL 3.4.0+
* SSL_CTX_{set,get}_keylog_callback does not exist in LibreSSL
* Do not pollute CRYPTOGRAPHY_OPENSSL_LESS_THAN_111 with LibreSSL
While LibreSSL 3.4.0 supports more of TLSv1.3 API, the guard redefinition caused the X448 tests to run when not intended.
| |
Issue an #error directive if it is
Signed-off-by: Baofeng Wang <baofeng.wang67@gmail.com>
Co-authored-by: Baofeng Wang <baofeng.wang67@gmail.com>
| |
* Added handling for OpenSSL "xts duplicated keys" error.
Closes #5998
This error value was added pre-OpenSSL 1.1.1d here:
https://github.com/openssl/openssl/commit/2a5f63c9a61be7582620c4b5da202bb3fd7e4138
and refined to only cover encryption shortly after:
https://github.com/openssl/openssl/commit/58ae5a47da1e4843b0cd1846eb297b341d0e7201
* test_aes: Remove unnecessary assignment
* xts: Update duplicated keys check for OpenSSL 3 providers
Also, change the exception message slightly:
- Now matches the tense used by openssl
- Turns out decryption *is* checked for duplicate keys by
OpenSSL 3 when in FIPS mode
| |
* 3.0.0 support
* almost...there...
* make mypy happy
| |
* LibreSSL 3.3.2 supports SSL_OP_NO_DTLS*
While here, bump CI
* Fix preprocessor guards for LibreSSL's SSL_OP_NO_DTLS*
DTLS_set_link_mtu and DTLS_get_link_min_mtu are not part of 3.3.2
* Switch to LESS_THAN context for LibreSSL 3.3.2
While here, fix indents
* Remove extra C variable declaration
The variable is not actually used from Python
| |
* Don't build our custom osrandom engine on libressl
As far as I can tell it's never used on LibreSSL -- their `RAND_bytes` function unconditionally calls `arc4random_buf`
* Update cryptography.py
| |
* handle unnamed-but-really-named curves in 1.0.2u
* handle openssl 1.0.2 not supporting better install commands on make
* do what openssl didn't feel was necessary in 1.0.2t/u
I didn't bind the named curve constant, fight me.
| |
* disable the osrandom engine on 1.1.1d+
* skip (and run) some tests on 1.1.1d+
* simplify our conditionals
* Update src/_cffi_src/openssl/src/osrandom_engine.c
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
* words
* more words
* language
* get coverage more cleverly
* a word
* Update .github/workflows/ci.yml
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
| |
supported) (#5231)
| |
* Fixed #5050 -- dropped support for an old LibreSSL release
* Changelog
| |
* Use generic DTLS functions added in LibreSSL 2.9.1
While here, bump travis.
* Remove LibreSSL 2.9.0 from travis now that 2.9.1 exists.
Requested by: @reaperhulk
| |
* ed25519 support
* review feedback
| |
* Run wycheproof RSA tests on LibreSSL>=2.8
* Define it this way
* These are errors on libressl
| |
* add ed25519 bindings
* var name
| |
* add many OCSP bindings
Much of OCSP was opaqued in 1.1.0 so this also adds a bunch of getters
for older OpenSSL. However, 1.1.0 itself made it impossible to access
certain fields in the opaque struct, so we're forced to de-opaque them
for 1.1.0 through 1.1.0i as well as 1.1.1-pre1 through 1.1.1-pre9. There
is a patch (openssl/openssl#7082) that fixes this and should be in
1.1.0j and 1.1.1-pre10 (or 1.1.1 final, whichever they choose to issue)
* backslashes are sometimes useful
* comments
| |
* set an OPENSSL_API_COMPAT level
this helps prevent adding deprecated functions and will let us see what
we need to/can prune in the distant future when we support only 1.1.0+
* raise the api compat to 1.0.1 (which doesn't matter but is less confusing)
| |
* libre 2.7.3 compatibility
* add a changelog
* actually build against 2.7.3
| |
* Remove defines for openssl 1.1.0 pre
* Update bio.py
* Update dh.py
* Update dsa.py
* Update rsa.py
* Update x509_vfy.py
* Compress branches
| |
So here we need to make sure we don't simply include windows but only the parts that we want
| |
There's no sense in which we actually support them
| |
* No more FUNCS/MACROS distinction
* change the docs to not talk about MACROS since they're gone
* remove out of date comment
| |
* jurisdictionCountryName also must be PrintableString
* flake8 + citation
* Write a test, which fails. If my analysis is correct, this is blocked on:
https://github.com/openssl/openssl/pull/3284
* This is only true on 1.1.0
* clearly express the version requirement
|