diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d08dc9700fcc..29484ad90249 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,16 +28,16 @@ jobs:
 PYTHON:
 - {VERSION: "3.10", TOXENV: "flake"}
 - {VERSION: "3.10", TOXENV: "rust"}
- - {VERSION: "3.10", TOXENV: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.0.5"}}
+ - {VERSION: "3.10", TOXENV: "docs", OPENSSL: {TYPE: "openssl", VERSION: "3.0.6"}}
 - {VERSION: "pypy-3.7", TOXENV: "pypy3-nocoverage"}
 - {VERSION: "pypy-3.8", TOXENV: "pypy3-nocoverage"}
 - {VERSION: "pypy-3.9", TOXENV: "pypy3-nocoverage"}
 - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.0l"}}
- - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q"}}
- - {VERSION: "3.10", TOXENV: "py310-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q"}}
- - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1q", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
- - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "3.0.5"}}
- - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.0.5"}}
+ - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1r"}}
+ - {VERSION: "3.10", TOXENV: "py310-ssh", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1r"}}
+ - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "1.1.1r", CONFIG_FLAGS: "no-engine no-rc2 no-srtp no-ct no-psk"}}
+ - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "openssl", VERSION: "3.0.6"}}
+ - {VERSION: "3.10", TOXENV: "py310", TOXARGS: "--enable-fips=1", OPENSSL: {TYPE: "openssl", CONFIG_FLAGS: "enable-fips", VERSION: "3.0.6"}}
 - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "libressl", VERSION: "3.1.5"}}
 - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "libressl", VERSION: "3.2.7"}}
 - {VERSION: "3.10", TOXENV: "py310", OPENSSL: {TYPE: "libressl", VERSION: "3.3.6"}}
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 55cce2e1b0b9..7606ce745a95 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,9 +1,16 @@
 Changelog
 =========

+.. _v38-0-2:
+
+38.0.2 - 2022-10-11
+~~~~~~~~~~~~~~~~~~~
+
+* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.0.6.
+
 .. _v38-0-1:

-38.0.0 - 2022-09-07
+38.0.1 - 2022-09-07
 ~~~~~~~~~~~~~~~~~~~

 * Fixed parsing TLVs in ASN.1 with length greater than 65535 bytes (typically
diff --git a/src/cryptography/__about__.py b/src/cryptography/__about__.py
index 96d8768c172b..1fe833a9c583 100644
--- a/src/cryptography/__about__.py
+++ b/src/cryptography/__about__.py
@@ -9,7 +9,7 @@
 "__copyright__",
 ]

-__version__ = "38.0.1"
+__version__ = "38.0.2"

 __author__ = "The Python Cryptographic Authority and individual contributors"
 __copyright__ = "Copyright 2013-2022 {}".format(__author__)
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 7cc7f97bb52b..f8776b732229 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -2190,14 +2190,11 @@ def load_pkcs12(
 res = self._lib.PKCS12_parse(
 p12, password_buf, evp_pkey_ptr, x509_ptr, sk_x509_ptr
 )
-
- # Workaround for
- # https://github.com/libressl-portable/portable/issues/659
- if self._lib.CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340:
- self._consume_errors()
-
+ # OpenSSL 3.0.6 leaves errors on the stack even in success, so
+ # we consume all errors unconditionally.
+ # https://github.com/openssl/openssl/issues/19389
+ self._consume_errors()
 if res == 0:
- self._consume_errors()
 raise ValueError("Invalid password or PKCS12 data")

 cert = None
diff --git a/vectors/cryptography_vectors/__about__.py b/vectors/cryptography_vectors/__about__.py
index 9fac894249f9..b95c0084f254 100644
--- a/vectors/cryptography_vectors/__about__.py
+++ b/vectors/cryptography_vectors/__about__.py
@@ -6,4 +6,4 @@
 "__version__",
 ]

-__version__ = "38.0.1"
+__version__ = "38.0.2"
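Review bot: In the `load_pkcs12` hunk of `src/cryptography/hazmat/backends/openssl/backend.py`, the new comment gives only the OpenSSL 3.0.6 reason, yet the now-unconditional `self._consume_errors()` is also the only thing still covering the LibreSSL < 3.4.0 case whose guard and issue link were removed. Someone who later narrows the call to an OpenSSL version check would silently bring back the stale error-queue problem on those LibreSSL builds, so I would keep that reason in the comment, e.g. `# Also needed for LibreSSL < 3.4.0 (libressl-portable/portable#659); do not gate this on the OpenSSL version.` The queue is now drained before `res` is checked, so nothing from a failed parse is left for diagnostics; that looks intended, since the `ValueError` message is generic, but it deserves a word in the comment. No test change appears in this diff for the success-with-leftover-errors path, and the body of `load_pkcs12` continues outside the hunk.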