Move a few more constants fully to Rust (#10428)

src/_cffi_src/openssl/cryptography.py

@@ -53,11 +53,6 @@
 """
 
 TYPES = """
-static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
-static const int CRYPTOGRAPHY_OPENSSL_320_OR_GREATER;
-
-static const int CRYPTOGRAPHY_IS_LIBRESSL;
-static const int CRYPTOGRAPHY_IS_BORINGSSL;
 """
 
 FUNCTIONS = """

src/cryptography/hazmat/bindings/openssl/binding.py

@@ -67,7 +67,7 @@ def __init__(self) -> None:
     def _enable_fips(self) -> None:
         # This function enables FIPS mode for OpenSSL 3.0.0 on installs that
         # have the FIPS provider installed properly.
-        _openssl_assert(self.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)
+        _openssl_assert(openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER)
         self.lib._fips_provider = self.lib.OSSL_PROVIDER_load(
             self.ffi.NULL, b"fips"
         )

tests/hazmat/backends/test_openssl.py

@@ -59,13 +59,13 @@ def test_openssl_version_text(self):
         # Verify the correspondence between these two. And do it in a way that
         # ensures coverage.
         if version.startswith("LibreSSL"):
-            assert backend._lib.CRYPTOGRAPHY_IS_LIBRESSL
-        if backend._lib.CRYPTOGRAPHY_IS_LIBRESSL:
+            assert rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL
+        if rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL:
             assert version.startswith("LibreSSL")
 
         if version.startswith("BoringSSL"):
-            assert backend._lib.CRYPTOGRAPHY_IS_BORINGSSL
-        if backend._lib.CRYPTOGRAPHY_IS_BORINGSSL:
+            assert rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
+        if rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL:
             assert version.startswith("BoringSSL")
 
     def test_openssl_version_number(self):

tests/hazmat/bindings/test_openssl.py

@@ -24,7 +24,7 @@ def test_ssl_ctx_options(self):
         # Test that we're properly handling 32-bit unsigned on all platforms.
         b = Binding()
         # SSL_OP_ALL is 0 on BoringSSL
-        if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL:
+        if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL:
             assert b.lib.SSL_OP_ALL > 0
         ctx = b.lib.SSL_CTX_new(b.lib.TLS_method())
         assert ctx != b.ffi.NULL
@@ -39,7 +39,7 @@ def test_ssl_options(self):
         # Test that we're properly handling 32-bit unsigned on all platforms.
         b = Binding()
         # SSL_OP_ALL is 0 on BoringSSL
-        if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL:
+        if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL:
             assert b.lib.SSL_OP_ALL > 0
         ctx = b.lib.SSL_CTX_new(b.lib.TLS_method())
         assert ctx != b.ffi.NULL
@@ -55,7 +55,7 @@ def test_ssl_options(self):
     def test_conditional_removal(self):
         b = Binding()
 
-        if not b.lib.CRYPTOGRAPHY_IS_LIBRESSL:
+        if not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL:
             assert b.lib.TLS_ST_OK
         else:
             with pytest.raises(AttributeError):
@@ -76,7 +76,7 @@ def test_openssl_assert_error_on_stack(self):
         error = exc_info.value.err_code[0]
         assert error.lib == b.lib.ERR_LIB_EVP
         assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH
-        if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL:
+        if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL:
             assert b"data not multiple of block length" in error.reason_text
 
     def test_version_mismatch(self):
@@ -103,5 +103,5 @@ def test_rust_internal_error(self):
         error = exc_info.value.err_code[0]
         assert error.lib == b.lib.ERR_LIB_EVP
         assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH
-        if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL:
+        if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL:
             assert b"data not multiple of block length" in error.reason_text

tests/hazmat/primitives/test_aes.py

@@ -8,6 +8,7 @@
 
 import pytest
 
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
 from cryptography.hazmat.primitives.ciphers import algorithms, base, modes
 
 from ...doubles import DummyMode
@@ -61,7 +62,7 @@ def test_xts_too_short(self, backend):
             enc.update(b"0" * 15)
 
     @pytest.mark.supported(
-        only_if=lambda backend: (not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL),
+        only_if=lambda backend: not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL,
         skip_message="duplicate key encryption error added in OpenSSL 1.1.1d",
     )
     def test_xts_no_duplicate_keys_encryption(self, backend):

tests/hazmat/primitives/test_dh.py

@@ -11,6 +11,7 @@
 
 import pytest
 
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import dh
 
@@ -379,7 +380,7 @@ def test_bad_exchange(self, backend, vector):
     @pytest.mark.skip_fips(reason="key_size too small for FIPS")
     @pytest.mark.supported(
         only_if=lambda backend: (
-            not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+            not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
         ),
         skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+",
     )

tests/hazmat/primitives/test_ec.py

@@ -13,6 +13,7 @@
 import pytest
 
 from cryptography import exceptions, utils, x509
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import ec
 from cryptography.hazmat.primitives.asymmetric.utils import (
@@ -133,7 +134,7 @@ def test_derive_point_at_infinity(backend):
     # BoringSSL rejects infinity points before it ever gets to us, so it
     # uses a more generic error message.
     match = (
-        "infinity" if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL else "Invalid"
+        "infinity" if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL else "Invalid"
     )
     with pytest.raises(ValueError, match=match):
         ec.derive_private_key(q, ec.SECP256R1())
@@ -423,7 +424,7 @@ def test_load_invalid_ec_key_from_pem(self, backend):
         # uses a more generic error message.
         match = (
             r"infinity|invalid form"
-            if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL
+            if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL
             else None
         )
         with pytest.raises(ValueError, match=match):

tests/hazmat/primitives/test_pkcs12.py

@@ -10,6 +10,7 @@
 
 from cryptography import x509
 from cryptography.exceptions import UnsupportedAlgorithm
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
 from cryptography.hazmat.decrepit.ciphers.algorithms import RC2
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import (
@@ -558,7 +559,7 @@ def test_key_serialization_encryption(
     ):
         if (
             enc_alg is PBES.PBESv2SHA256AndAES256CBC
-        ) and not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
+        ) and not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
             pytest.skip("PBESv2 is not supported on OpenSSL < 3.0")
 
         if (
@@ -615,7 +616,7 @@ def test_key_serialization_encryption(
 
     @pytest.mark.supported(
         only_if=lambda backend: (
-            not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
+            not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER
         ),
         skip_message="Requires OpenSSL < 3.0.0 (or Libre/Boring)",
     )

tests/hazmat/primitives/test_pkcs7.py

@@ -11,6 +11,7 @@
 
 from cryptography import x509
 from cryptography.exceptions import _Reasons
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa
 from cryptography.hazmat.primitives.serialization import pkcs7
@@ -148,7 +149,7 @@ def _pkcs7_verify(encoding, sig, msg, certs, options, backend):
     backend.openssl_assert(res == 1)
     # OpenSSL 3.0 leaves a random bio error on the stack:
     # https://github.com/openssl/openssl/issues/16681
-    if backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
+    if rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER:
         backend._consume_errors()
 
 

tests/hazmat/primitives/test_rsa.py

@@ -15,6 +15,7 @@
     UnsupportedAlgorithm,
     _Reasons,
 )
+from cryptography.hazmat.bindings._rust import openssl as rust_openssl
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import padding, rsa
 from cryptography.hazmat.primitives.asymmetric import utils as asym_utils
@@ -251,7 +252,7 @@ def test_load_pss_vect_example_keys(self, pkcs1_example):
         assert public_num.e == public_num2.e
 
     @pytest.mark.supported(
-        only_if=lambda backend: not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL,
+        only_if=lambda backend: not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL,
         skip_message="Does not support RSA PSS loading",
     )
     @pytest.mark.parametrize(
@@ -302,7 +303,7 @@ def test_load_pss_pub_keys_strips_constraints(self, backend):
             )
 
     @pytest.mark.supported(
-        only_if=lambda backend: backend._lib.CRYPTOGRAPHY_IS_BORINGSSL,
+        only_if=lambda backend: rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL,
         skip_message="Test requires a backend without RSA-PSS key support",
     )
     def test_load_pss_unsupported(self, backend):