diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8a58cdb1d3af..a83fda34adfd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,6 +42,7 @@ jobs: - {VERSION: "3.12", NOXSESSION: "tests", NOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.2.1"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.7.3"}} - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.8.2"}} + - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "libressl", VERSION: "3.9.1"}} - {VERSION: "3.12", NOXSESSION: "tests-randomorder"} # Latest commit on the BoringSSL master branch, as of Jan 23, 2024. - {VERSION: "3.12", NOXSESSION: "tests", OPENSSL: {TYPE: "boringssl", VERSION: "a4c3f8de4406c2382e43e88a638882fb1a32da32"}} diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5ca890c1753c..ed2e24c35ee2 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,6 +1,13 @@ Changelog ========= +.. _v42-0-6: + +42.0.6 - 2024-05-04 +~~~~~~~~~~~~~~~~~~~ + +* Fixed compilation when using LibreSSL 3.9.1. + .. _v42-0-5: 42.0.5 - 2024-02-23 diff --git a/pyproject.toml b/pyproject.toml index 33ad685e116f..a227517e89e4 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -12,7 +12,7 @@ build-backend = "setuptools.build_meta" [project] name = "cryptography" -version = "42.0.5" +version = "42.0.6" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ] diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py index b933afb35fd6..41874f587083 100644 --- a/src/cryptography/__about__.py +++ b/src/cryptography/__about__.py @@ -10,7 +10,7 @@ "__copyright__", ] -__version__ = "42.0.5" +__version__ = "42.0.6" __author__ = "The Python Cryptographic Authority and individual contributors" 
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py index 66053af7f937..d83b89c68a0d 100644 --- a/src/cryptography/hazmat/backends/openssl/backend.py +++ b/src/cryptography/hazmat/backends/openssl/backend.py @@ -535,20 +535,12 @@ def dh_x942_serialization_supported(self) -> bool: return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1 def x25519_supported(self) -> bool: - # Beginning with OpenSSL 3.2.0, X25519 is considered FIPS. - if ( - self._fips_enabled - and not self._lib.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER - ): + if self._fips_enabled: return False return True def x448_supported(self) -> bool: - # Beginning with OpenSSL 3.2.0, X448 is considered FIPS. - if ( - self._fips_enabled - and not self._lib.CRYPTOGRAPHY_OPENSSL_320_OR_GREATER - ): + if self._fips_enabled: return False return ( not self._lib.CRYPTOGRAPHY_IS_LIBRESSL diff --git a/src/rust/Cargo.lock b/src/rust/Cargo.lock index 030e38d092ad..c60002f4aac7 100644 --- a/src/rust/Cargo.lock +++ b/src/rust/Cargo.lock @@ -189,9 +189,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "openssl" -version = "0.10.63" +version = "0.10.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "15c9d69dd87a29568d4d017cfe8ec518706046a05184e5aea92d0af890b803c8" +checksum = "95a0481286a310808298130d22dd1fef0fa571e05a8f44ec801801e84b216b1f" dependencies = [ "bitflags 2.4.2", "cfg-if", @@ -215,9 +215,9 @@ dependencies = [ [[package]] name = "openssl-sys" -version = "0.9.99" +version = "0.9.102" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22e1bf214306098e4832460f797824c05d25aacdf896f64a985fb0fd992454ae" +checksum = "c597637d56fbc83893a35eb0dd04b2b8e7a50c91e64e9493e398b5df4fb45fa2" dependencies = [ "cc", "libc", diff --git a/src/rust/cryptography-cffi/src/lib.rs b/src/rust/cryptography-cffi/src/lib.rs index 110341a1901e..83a8b143841f 100644 
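Review bot: The rewritten `x25519_supported` and `x448_supported` return False whenever `self._fips_enabled` is set, and the comment that explained the FIPS gating was removed together with the version check, so the new side does not say why. A short comment above each check, for example `# X25519 is reported as unavailable in FIPS mode on every OpenSSL version.` (wording for the author to confirm), would record the decision. The CHANGELOG entry in this diff mentions only the LibreSSL 3.9.1 build fix, so users of FIPS builds on OpenSSL 3.2 or later apparently get no notice that these algorithms are reported unsupported again. The CI matrix in this diff has an `enable-fips` job on OpenSSL 3.2.1 that exercises this path. As a style point, `x25519_supported` can be reduced to `return not self._fips_enabled`.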
--- a/src/rust/cryptography-cffi/src/lib.rs +++ b/src/rust/cryptography-cffi/src/lib.rs @@ -27,7 +27,7 @@ pub fn create_module(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::types::PyMod // SAFETY: `PyInit__openssl` returns an owned reference. let openssl_mod = unsafe { let ptr = PyInit__openssl(); - pyo3::types::PyModule::from_owned_ptr(py, ptr) + pyo3::types::PyModule::from_owned_ptr_or_err(py, ptr)? }; Ok(openssl_mod) diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs index 9308e0c81c17..b407d3232e45 100644 --- a/src/rust/src/lib.rs +++ b/src/rust/src/lib.rs @@ -3,6 +3,7 @@ // for complete details. #![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)] +#![allow(unknown_lints, non_local_definitions)] use crate::error::CryptographyResult; #[cfg(CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)] diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs index f4d6feebc820..35f5002efc41 100644 --- a/src/rust/src/x509/crl.rs +++ b/src/rust/src/x509/crl.rs @@ -455,11 +455,18 @@ fn try_map_arc_data_mut_crl_iterator( ) -> Result, E>, ) -> Result { OwnedRevokedCertificate::try_new(Arc::clone(it.borrow_owner()), |inner_it| { - // SAFETY: This is safe because `Arc::clone` ensures the data is - // alive, but Rust doesn't understand the lifetime relationship it - // produces. Open-coded implementation of the API discussed in - // https://github.com/joshua-maros/ouroboros/issues/38 - it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) })) + it.with_dependent_mut(|_, value| { + // SAFETY: This is safe because `Arc::clone` ensures the data is + // alive, but Rust doesn't understand the lifetime relationship it + // produces. Open-coded implementation of the API discussed in + // https://github.com/joshua-maros/ouroboros/issues/38 + f(inner_it, unsafe { + std::mem::transmute::< + &mut Option>>, + &mut Option>>, + >(value) + }) + }) }) } 
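Review bot: The `// SAFETY:` comment above the `unsafe` block in `create_module` still says only that `PyInit__openssl` returns an owned reference, while the new `from_owned_ptr_or_err(py, ptr)?` is there because the pointer can be null. I would extend it to something like `// SAFETY: PyInit__openssl returns an owned reference, or null with a Python exception set (CPython init convention); null is converted to a PyErr below.` so the stated invariant matches the code. The body of `create_module` starts outside this hunk.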
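Review bot: The new crate-level `#![allow(unknown_lints, non_local_definitions)]` in `src/rust/src/lib.rs` has no comment saying why it is needed or when it can be removed. Allowing `unknown_lints` for the whole crate can also hide a misspelled lint name, which matters here because the line above relies on `#![deny(rust_2018_idioms, clippy::undocumented_unsafe_blocks)]` to police `unsafe` blocks. A comment such as `// non_local_definitions is unknown to older toolchains, hence unknown_lints; drop both once the triggering code is fixed.` would help; the reason is inferred and needs confirming by the author.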
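Review bot: The turbofish added to `std::mem::transmute` in `try_map_arc_data_mut_crl_iterator` names the same type on both sides with elided `'_` lifetimes, so it pins the shape of the value but still does not say which lifetime is being extended. The `// SAFETY:` comment, now moved inside the closure, would be stronger if it stated the invariant directly, e.g. `// SAFETY: only the lifetime changes; the data is owned by the Arc cloned into the new OwnedRevokedCertificate, which keeps it alive.` The same applies to the two `transmute` calls in `src/rust/src/x509/ocsp_resp.rs` (`map_arc_data_ocsp_response` and `try_map_arc_data_mut_ocsp_response_iterator`). Some generic parameters in this hunk appear to have been lost in rendering, so the exact types could not be checked from here.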
diff --git a/src/rust/src/x509/ocsp_resp.rs b/src/rust/src/x509/ocsp_resp.rs index e5f8b479576a..0e7fc54807c9 100644 --- a/src/rust/src/x509/ocsp_resp.rs +++ b/src/rust/src/x509/ocsp_resp.rs @@ -418,7 +418,11 @@ fn map_arc_data_ocsp_response( // alive, but Rust doesn't understand the lifetime relationship it // produces. Open-coded implementation of the API discussed in // https://github.com/joshua-maros/ouroboros/issues/38 - f(inner_it.as_bytes(py), unsafe { std::mem::transmute(value) }) + f(inner_it.as_bytes(py), unsafe { + std::mem::transmute::<&ocsp_resp::OCSPResponse<'_>, &ocsp_resp::OCSPResponse<'_>>( + value, + ) + }) }) }) } @@ -430,11 +434,18 @@ fn try_map_arc_data_mut_ocsp_response_iterator( ) -> Result, E>, ) -> Result { OwnedSingleResponse::try_new(Arc::clone(it.borrow_owner()), |inner_it| { - // SAFETY: This is safe because `Arc::clone` ensures the data is - // alive, but Rust doesn't understand the lifetime relationship it - // produces. Open-coded implementation of the API discussed in - // https://github.com/joshua-maros/ouroboros/issues/38 - it.with_dependent_mut(|_, value| f(inner_it, unsafe { std::mem::transmute(value) })) + it.with_dependent_mut(|_, value| { + // SAFETY: This is safe because `Arc::clone` ensures the data is + // alive, but Rust doesn't understand the lifetime relationship it + // produces. Open-coded implementation of the API discussed in + // https://github.com/joshua-maros/ouroboros/issues/38 + f(inner_it, unsafe { + std::mem::transmute::< + &mut asn1::SequenceOf<'_, ocsp_resp::SingleResponse<'_>>, + &mut asn1::SequenceOf<'_, ocsp_resp::SingleResponse<'_>>, + >(value) + }) + }) }) } diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py index 0e2885894f4b..ce12e36f724a 100644 --- a/vectors/cryptography_vectors/__about__.py +++ b/vectors/cryptography_vectors/__about__.py @@ -6,4 +6,4 @@ "__version__", ] -__version__ = "42.0.5" +__version__ = "42.0.6" 
diff --git a/vectors/pyproject.toml b/vectors/pyproject.toml index 1ec385878c74..9f10e207d1dc 100644 --- a/vectors/pyproject.toml +++ b/vectors/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "flit_core.buildapi" [project] name = "cryptography_vectors" -version = "42.0.5" +version = "42.0.6" authors = [ {name = "The Python Cryptographic Authority and individual contributors", email = "cryptography-dev@python.org"} ]