author | Christian Heimes <christian@python.org> | 2021-04-17 09:36:35 (GMT) |
committer | GitHub <noreply@github.com> | 2021-04-17 09:36:35 (GMT) |
commit | 39258d3595300bc7b952854c915f63ae2d4b9c3e (patch) | |
tree | c15a6172739d53516aa45042f22658e0af6ff992 /Modules/_hashopenssl.c | |
parent | b467d9a24011992242c95d9157d3455f8a84466b (diff) | |
bpo-43669: PEP 644: Require OpenSSL 1.1.1 or newer (GH-23014)
- Remove HAVE_X509_VERIFY_PARAM_SET1_HOST check
- Update hashopenssl to require OpenSSL 1.1.1
- multissltests only OpenSSL > 1.1.0
- ALPN is always supported
- SNI is always supported
- Remove deprecated NPN code; the Python wrappers are now no-ops.
- ECDH is always supported
- Remove OPENSSL_VERSION_1_1 macro
- Remove locking callbacks
- Drop PY_OPENSSL_1_1_API macro
- Drop HAVE_SSL_CTX_CLEAR_OPTIONS macro
- SSL_CTRL_GET_MAX_PROTO_VERSION is always defined now
- security level is always available now
- get_num_tickets is available with TLS 1.3
- X509_V_ERR MISMATCH is always available now
- Always set SSL_MODE_RELEASE_BUFFERS
- X509_V_FLAG_TRUSTED_FIRST is always available
- get_ciphers is always supported
- SSL_CTX_set_keylog_callback is always available
- Update Modules/Setup with static link example
- Mention PEP in whatsnew
- Drop 1.0.2 and 1.1.0 from GHA tests
Diffstat (limited to 'Modules/_hashopenssl.c')
-rw-r--r-- | Modules/_hashopenssl.c | 66 |
1 files changed, 3 insertions, 63 deletions
diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
index 272df35..870ee89 100644
--- a/Modules/_hashopenssl.c
+++ b/Modules/_hashopenssl.c
@@ -38,51 +38,12 @@
 # error "OPENSSL_THREADS is not defined, Python requires thread-safe OpenSSL"
 #endif
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
-/* OpenSSL < 1.1.0 */
-#define EVP_MD_CTX_new EVP_MD_CTX_create
-#define EVP_MD_CTX_free EVP_MD_CTX_destroy
-
-HMAC_CTX *
-HMAC_CTX_new(void)
-{
- HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
- if (ctx != NULL) {
- memset(ctx, 0, sizeof(HMAC_CTX));
- HMAC_CTX_init(ctx);
- }
- return ctx;
-}
-
-void
-HMAC_CTX_free(HMAC_CTX *ctx)
-{
- if (ctx != NULL) {
- HMAC_CTX_cleanup(ctx);
- OPENSSL_free(ctx);
- }
-}
-
-const EVP_MD *
-HMAC_CTX_get_md(const HMAC_CTX *ctx)
-{
- return ctx->md;
-}
-#endif
-
 #define MUNCH_SIZE INT_MAX
 
-#ifdef NID_sha3_224
+#define PY_OPENSSL_HAS_SCRYPT 1
 #define PY_OPENSSL_HAS_SHA3 1
-#endif
-
-#if defined(EVP_MD_FLAG_XOF) && defined(NID_shake128)
 #define PY_OPENSSL_HAS_SHAKE 1
-#endif
-
-#if defined(NID_blake2b512) && !defined(OPENSSL_NO_BLAKE2)
 #define PY_OPENSSL_HAS_BLAKE2 1
-#endif
 
 static PyModuleDef _hashlibmodule;
 
@@ -1252,8 +1213,7 @@ pbkdf2_hmac_impl(PyObject *module, const char *hash_name,
 return key_obj;
 }
 
-#if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_SCRYPT) && !defined(LIBRESSL_VERSION_NUMBER)
-#define PY_SCRYPT 1
+#ifdef PY_OPENSSL_HAS_SCRYPT
 
 /* XXX: Parameters salt, n, r and p should be required keyword-only parameters.
 They are optional in the Argument Clinic declaration only due to a
@@ -1376,7 +1336,7 @@ _hashlib_scrypt_impl(PyObject *module, Py_buffer *password, Py_buffer *salt,
 }
 return key_obj;
 }
-#endif
+#endif /* PY_OPENSSL_HAS_SCRYPT */
 
 /* Fast HMAC for hmac.digest() */
 
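Review bot: The new `#define PY_OPENSSL_HAS_SCRYPT 1` and the now-unconditional `PY_OPENSSL_HAS_BLAKE2` in the first hunk drop the `!defined(OPENSSL_NO_SCRYPT)` and `!defined(OPENSSL_NO_BLAKE2)` tests that the removed guards carried, so an OpenSSL 1.1.1 built with either algorithm disabled will fail to compile the scrypt or BLAKE2 code instead of omitting it. Requiring 1.1.1 justifies dropping the version test, not the build-option test; keep the latter, e.g. `#ifndef OPENSSL_NO_SCRYPT` / `#define PY_OPENSSL_HAS_SCRYPT 1` / `#endif`, and likewise for BLAKE2. The hunk also shows no minimum-version guard beside the `OPENSSL_THREADS` error; unless one exists outside the hunk, `#if OPENSSL_VERSION_NUMBER < 0x10101000L` / `# error "Python requires OpenSSL 1.1.1 or newer"` / `#endif` would make a too-old build fail up front rather than at the first missing API.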
@@ -1844,12 +1804,6 @@ hashlib_md_meth_names(PyObject *module)
 return 0;
 }
 
-/* LibreSSL doesn't support FIPS:
- https://marc.info/?l=openbsd-misc&m=139819485423701&w=2
-
- Ted Unangst wrote: "I figured I should mention our current libressl policy
- wrt FIPS mode. It's gone and it's not coming back." */
-#ifndef LIBRESSL_VERSION_NUMBER
 /*[clinic input]
 _hashlib.get_fips_mode -> int
 
@@ -1887,7 +1841,6 @@ _hashlib_get_fips_mode_impl(PyObject *module)
 return result;
 #endif
 }
-#endif // !LIBRESSL_VERSION_NUMBER
 
 
 static int
@@ -2068,17 +2021,6 @@ hashlib_free(void *m)
 /* Py_mod_exec functions */
 
 static int
-hashlib_openssl_legacy_init(PyObject *module)
-{
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
- /* Load all digest algorithms and initialize cpuid */
- OPENSSL_add_all_algorithms_noconf();
- ERR_load_crypto_strings();
-#endif
- return 0;
-}
-
-static int
 hashlib_init_evptype(PyObject *module)
 {
 _hashlibstate *state = get_hashlib_state(module);
@@ -2200,8 +2142,6 @@ hashlib_exception(PyObject *module)
 
 
 static PyModuleDef_Slot hashlib_slots[] = {
- /* OpenSSL 1.0.2 and LibreSSL */
- {Py_mod_exec, hashlib_openssl_legacy_init},
 {Py_mod_exec, hashlib_init_evptype},
 {Py_mod_exec, hashlib_init_evpxoftype},
 {Py_mod_exec, hashlib_init_hmactype},
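Review bot: With the outer `#endif // !LIBRESSL_VERSION_NUMBER` removed in the `_hashlib_get_fips_mode_impl` hunk, the remaining bare `#endif` just above the closing brace now closes a conditional whose `#if` lies outside the hunk, with no nearby text to tell a reader which one. Tagging it with its condition, the way the commit itself writes `#endif /* PY_OPENSSL_HAS_SCRYPT */`, would keep the two hunks consistent. The function's body starts outside the hunk, so the exact condition cannot be confirmed from here.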