support only 1.1.1e+

pyca · Apr 26, 2022 · c3454ad · c3454ad
1 parent cabb360
commit c3454ad
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 14 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -31,15 +31,6 @@ jobs:
           - {VERSION: "pypy-3.8", TOXENV: "pypy3-nocoverage", COVERAGE: "false"}
           - {VERSION: "pypy-3.9", TOXENV: "pypy3-nocoverage", COVERAGE: "false"}
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1e"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1f"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1g"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1h"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1i"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1j"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1k"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1l"}}
-          - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1m"}}
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1n"}}
           - {VERSION: "3.10", TOXENV: "py310-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1n"}}
           - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1n", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct"}}

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -74,7 +74,7 @@ Changelog
   :func:`~cryptography.hazmat.primitives.serialization.load_pem_private_key`
   and
   :func:`~cryptography.hazmat.primitives.serialization.load_der_private_key`.
-  This functionality is limited to OpenSSL 1.1.1+ and loads the key as a
+  This functionality is limited to OpenSSL 1.1.1e+ and loads the key as a
   normal RSA private key, discarding the PSS constraint information.
 
 .. _v36-0-2:

diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
@@ -70,6 +70,8 @@
     (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \
     (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E \
+    (OPENSSL_VERSION_NUMBER < 0x10101050 || CRYPTOGRAPHY_IS_LIBRESSL)
 #if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \
     !defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING)
 #define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1
@@ -79,11 +81,12 @@
 """
 
 TYPES = """
-static const int CRYPTOGRAPHY_OPENSSL_111D_OR_GREATER;
+static const int CRYPTOGRAPHY_OPENSSL_111E_OR_GREATER;
 static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
 
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111;
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
+static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E;
 static const int CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE;
 
 static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340;

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -648,7 +648,7 @@ def _evp_pkey_to_private_key(self, evp_pkey) -> PRIVATE_KEY_TYPES:
             key_type == self._lib.EVP_PKEY_RSA_PSS
             and not self._lib.CRYPTOGRAPHY_IS_LIBRESSL
             and not self._lib.CRYPTOGRAPHY_IS_BORINGSSL
-            and not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+            and not self._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E
         ):
             # At the moment the way we handle RSA PSS keys is to strip the
             # PSS constraints from them and treat them as normal RSA keys

diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
@@ -261,7 +261,7 @@ def test_load_pss_vect_example_keys(self, pkcs1_example):
         only_if=lambda backend: (
             not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
             and not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL
-            and not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+            and not backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E
         ),
         skip_message="Does not support RSA PSS loading",
     )
@@ -297,7 +297,7 @@ def test_load_pss_keys_strips_constraints(self, path, backend):
         only_if=lambda backend: (
             backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
             or backend._lib.CRYPTOGRAPHY_IS_BORINGSSL
-            or backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111
+            or backend._lib.CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E
         ),
         skip_message="Test requires a backend without RSA-PSS key support",
     )