38.0.2 release (#7691)

* upgrade openssl in CI and patch around 3.0.6 bug * changelog and version bump for 38.0.2
pyca · Oct 11, 2022 · 277ee0d · 277ee0d
1 parent ce119b8
commit 277ee0d
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 15 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -28,16 +28,16 @@ jobs:
         PYTHON:
           - {VERSION: "3.10", TOXENV: "flake"}
           - {VERSION: "3.10", TOXENV: "rust"}
-          - {VERSION: "3.10", TOXENV: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.0.5"}}
+          - {VERSION: "3.10", TOXENV: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.0.6"}}
           - {VERSION: "pypy-3.7", TOXENV: "pypy3-nocoverage"}
           - {VERSION: "pypy-3.8", TOXENV: "pypy3-nocoverage"}
           - {VERSION: "pypy-3.9", TOXENV: "pypy3-nocoverage"}
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q"}}
-          - {VERSION: "3.10", TOXENV: "py310-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "3.0.5"}}
-          - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.0.5"}}
+          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1r"}}
+          - {VERSION: "3.10", TOXENV: "py310-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1r"}}
+          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1r", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
+          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "3.0.6"}}
+          - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.0.6"}}
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}}
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "libressl", VERSION: "3.2.7"}}
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "libressl", VERSION: "3.3.6"}}

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -1,6 +1,13 @@
 Changelog
 =========
 
+.. _v38-0-2:
+
+38.0.2 - 2022-10-11
+~~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6.
+
 .. _v38-0-1:
 
 38.0.1 - 2022-09-07

diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py
@@ -9,7 +9,7 @@
     "__copyright__",
 ]
 
-__version__ = "38.0.1"
+__version__ = "38.0.2"
 
 __author__ = "The Python Cryptographic Authority and individual contributors"
 __copyright__ = "Copyright 2013-2022 {}".format(__author__)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -2190,14 +2190,11 @@ def load_pkcs12(
             res = self._lib.PKCS12_parse(
                 p12, password_buf, evp_pkey_ptr, x509_ptr, sk_x509_ptr
             )
-
-        # Workaround for
-        # https://github.com/libressl-portable/portable/issues/659
-        if self._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340:
-            self._consume_errors()
-
+        # OpenSSL 3.0.6 leaves errors on the stack even in success, so
+        # we consume all errors unconditionally.
+        # https://github.com/openssl/openssl/issues/19389
+        self._consume_errors()
         if res == 0:
-            self._consume_errors()
             raise ValueError("Invalid password or PKCS12 data")
 
         cert = None

diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py
@@ -6,4 +6,4 @@
     "__version__",
 ]
 
-__version__ = "38.0.1"
+__version__ = "38.0.2"