diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py index 9d09471967a2..11afbdc182f0 100644 --- a/src/_cffi_src/openssl/cryptography.py +++ b/src/_cffi_src/openssl/cryptography.py @@ -53,11 +53,6 @@ """ TYPES = """ -static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER; -static const int CRYPTOGRAPHY_OPENSSL_320_OR_GREATER; - -static const int CRYPTOGRAPHY_IS_LIBRESSL; -static const int CRYPTOGRAPHY_IS_BORINGSSL; """ FUNCTIONS = """ diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py index 9f268b89aebc..e8577763c57e 100644 --- a/src/cryptography/hazmat/bindings/openssl/binding.py +++ b/src/cryptography/hazmat/bindings/openssl/binding.py @@ -67,7 +67,7 @@ def __init__(self) -> None: def _enable_fips(self) -> None: # This function enables FIPS mode for OpenSSL 3.0.0 on installs that # have the FIPS provider installed properly. - _openssl_assert(self.lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER) + _openssl_assert(openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER) self.lib._fips_provider = self.lib.OSSL_PROVIDER_load( self.ffi.NULL, b"fips" ) diff --git a/tests/hazmat/backends/test_openssl.py b/tests/hazmat/backends/test_openssl.py index 6115e48f9cc3..7cf98afe91d0 100644 --- a/tests/hazmat/backends/test_openssl.py +++ b/tests/hazmat/backends/test_openssl.py @@ -59,13 +59,13 @@ def test_openssl_version_text(self): # Verify the correspondence between these two. And do it in a way that # ensures coverage. if version.startswith("LibreSSL"): - assert backend._lib.CRYPTOGRAPHY_IS_LIBRESSL - if backend._lib.CRYPTOGRAPHY_IS_LIBRESSL: + assert rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL + if rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL: assert version.startswith("LibreSSL") if version.startswith("BoringSSL"): - assert backend._lib.CRYPTOGRAPHY_IS_BORINGSSL - if backend._lib.CRYPTOGRAPHY_IS_BORINGSSL: + assert rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL + if rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert version.startswith("BoringSSL") def test_openssl_version_number(self): diff --git a/tests/hazmat/bindings/test_openssl.py b/tests/hazmat/bindings/test_openssl.py index ef45b304b4ef..db6410d5d1e5 100644 --- a/tests/hazmat/bindings/test_openssl.py +++ b/tests/hazmat/bindings/test_openssl.py @@ -24,7 +24,7 @@ def test_ssl_ctx_options(self): # Test that we're properly handling 32-bit unsigned on all platforms. b = Binding() # SSL_OP_ALL is 0 on BoringSSL - if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL: + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert b.lib.SSL_OP_ALL > 0 ctx = b.lib.SSL_CTX_new(b.lib.TLS_method()) assert ctx != b.ffi.NULL @@ -39,7 +39,7 @@ def test_ssl_options(self): # Test that we're properly handling 32-bit unsigned on all platforms. b = Binding() # SSL_OP_ALL is 0 on BoringSSL - if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL: + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert b.lib.SSL_OP_ALL > 0 ctx = b.lib.SSL_CTX_new(b.lib.TLS_method()) assert ctx != b.ffi.NULL @@ -55,7 +55,7 @@ def test_ssl_options(self): def test_conditional_removal(self): b = Binding() - if not b.lib.CRYPTOGRAPHY_IS_LIBRESSL: + if not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL: assert b.lib.TLS_ST_OK else: with pytest.raises(AttributeError): @@ -76,7 +76,7 @@ def test_openssl_assert_error_on_stack(self): error = exc_info.value.err_code[0] assert error.lib == b.lib.ERR_LIB_EVP assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH - if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL: + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert b"data not multiple of block length" in error.reason_text def test_version_mismatch(self): @@ -103,5 +103,5 @@ def test_rust_internal_error(self): error = exc_info.value.err_code[0] assert error.lib == b.lib.ERR_LIB_EVP assert error.reason == b.lib.EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH - if not b.lib.CRYPTOGRAPHY_IS_BORINGSSL: + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL: assert b"data not multiple of block length" in error.reason_text diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py index 1f3dfd0014b4..7b4b065cb2ce 100644 --- a/tests/hazmat/primitives/test_aes.py +++ b/tests/hazmat/primitives/test_aes.py @@ -8,6 +8,7 @@ import pytest +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives.ciphers import algorithms, base, modes from ...doubles import DummyMode @@ -61,7 +62,7 @@ def test_xts_too_short(self, backend): enc.update(b"0" * 15) @pytest.mark.supported( - only_if=lambda backend: (not backend._lib.CRYPTOGRAPHY_IS_LIBRESSL), + only_if=lambda backend: not rust_openssl.CRYPTOGRAPHY_IS_LIBRESSL, skip_message="duplicate key encryption error added in OpenSSL 1.1.1d", ) def test_xts_no_duplicate_keys_encryption(self, backend): diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py index 4b3b63a96436..d287d29460ae 100644 --- a/tests/hazmat/primitives/test_dh.py +++ b/tests/hazmat/primitives/test_dh.py @@ -11,6 +11,7 @@ import pytest +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import serialization from cryptography.hazmat.primitives.asymmetric import dh @@ -379,7 +380,7 @@ def test_bad_exchange(self, backend, vector): @pytest.mark.skip_fips(reason="key_size too small for FIPS") @pytest.mark.supported( only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ), skip_message="256-bit DH keys are not supported in OpenSSL 3.0.0+", ) diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py index 9a368e67cafa..a558af3b9b70 100644 --- a/tests/hazmat/primitives/test_ec.py +++ b/tests/hazmat/primitives/test_ec.py @@ -13,6 +13,7 @@ import pytest from cryptography import exceptions, utils, x509 +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ec from cryptography.hazmat.primitives.asymmetric.utils import ( @@ -133,7 +134,7 @@ def test_derive_point_at_infinity(backend): # BoringSSL rejects infinity points before it ever gets to us, so it # uses a more generic error message. match = ( - "infinity" if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL else "Invalid" + "infinity" if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL else "Invalid" ) with pytest.raises(ValueError, match=match): ec.derive_private_key(q, ec.SECP256R1()) @@ -423,7 +424,7 @@ def test_load_invalid_ec_key_from_pem(self, backend): # uses a more generic error message. match = ( r"infinity|invalid form" - if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL + if not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL else None ) with pytest.raises(ValueError, match=match): diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py index cb998c4a4bc0..d9f2cdebd5c6 100644 --- a/tests/hazmat/primitives/test_pkcs12.py +++ b/tests/hazmat/primitives/test_pkcs12.py @@ -10,6 +10,7 @@ from cryptography import x509 from cryptography.exceptions import UnsupportedAlgorithm +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.decrepit.ciphers.algorithms import RC2 from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ( @@ -558,7 +559,7 @@ def test_key_serialization_encryption( ): if ( enc_alg is PBES.PBESv2SHA256AndAES256CBC - ) and not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: + ) and not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: pytest.skip("PBESv2 is not supported on OpenSSL < 3.0") if ( @@ -615,7 +616,7 @@ def test_key_serialization_encryption( @pytest.mark.supported( only_if=lambda backend: ( - not backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER + not rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER ), skip_message="Requires OpenSSL < 3.0.0 (or Libre/Boring)", ) diff --git a/tests/hazmat/primitives/test_pkcs7.py b/tests/hazmat/primitives/test_pkcs7.py index 03b04cd389e5..837ad261941c 100644 --- a/tests/hazmat/primitives/test_pkcs7.py +++ b/tests/hazmat/primitives/test_pkcs7.py @@ -11,6 +11,7 @@ from cryptography import x509 from cryptography.exceptions import _Reasons +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import ed25519, padding, rsa from cryptography.hazmat.primitives.serialization import pkcs7 @@ -148,7 +149,7 @@ def _pkcs7_verify(encoding, sig, msg, certs, options, backend): backend.openssl_assert(res == 1) # OpenSSL 3.0 leaves a random bio error on the stack: # https://github.com/openssl/openssl/issues/16681 - if backend._lib.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: + if rust_openssl.CRYPTOGRAPHY_OPENSSL_300_OR_GREATER: backend._consume_errors() diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py index eb74be7c6d4c..3ce55b48c10c 100644 --- a/tests/hazmat/primitives/test_rsa.py +++ b/tests/hazmat/primitives/test_rsa.py @@ -15,6 +15,7 @@ UnsupportedAlgorithm, _Reasons, ) +from cryptography.hazmat.bindings._rust import openssl as rust_openssl from cryptography.hazmat.primitives import hashes, serialization from cryptography.hazmat.primitives.asymmetric import padding, rsa from cryptography.hazmat.primitives.asymmetric import utils as asym_utils @@ -251,7 +252,7 @@ def test_load_pss_vect_example_keys(self, pkcs1_example): assert public_num.e == public_num2.e @pytest.mark.supported( - only_if=lambda backend: not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL, + only_if=lambda backend: not rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL, skip_message="Does not support RSA PSS loading", ) @pytest.mark.parametrize( @@ -302,7 +303,7 @@ def test_load_pss_pub_keys_strips_constraints(self, backend): ) @pytest.mark.supported( - only_if=lambda backend: backend._lib.CRYPTOGRAPHY_IS_BORINGSSL, + only_if=lambda backend: rust_openssl.CRYPTOGRAPHY_IS_BORINGSSL, skip_message="Test requires a backend without RSA-PSS key support", ) def test_load_pss_unsupported(self, backend):