backport #7833 (#7853)

* Update invalid EC key test for compatibility with upcoming OpenSSL changes (#7833) One of the tests checking behavior with invalid EC keys hardcoded the error reason. This commit replaces the string matching with a regex to match both the current string and a new reason, introduced by upcoming OpenSSL changes [0], which would otherwise trigger a false positive failure. [0]: openssl/openssl#19681 * fix CI * fixes #7653 -- handle OPENSSL_cleanup existing on LibreSSL 3.6.0 (#7654) * kill CI cache * endless CI fixing Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Co-authored-by: Alex Gaynor <alex.gaynor@gmail.com>
pyca · Nov 27, 2022 · 61e9d6a · 61e9d6a
1 parent 7d9c6c3
commit 61e9d6a
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 10 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,7 +21,7 @@ env:
 
 jobs:
   linux:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     strategy:
       fail-fast: false
       matrix:
@@ -70,7 +70,7 @@ jobs:
             ~/.cargo/registry/src/
             ~/.cargo/git/db/
             src/rust/target/
-          key: ${{ runner.os }}-${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-cargo-3-${{ hashFiles('**/Cargo.lock') }}
+          key: ${{ runner.os }}-${{ matrix.PYTHON.VERSION }}-${{ steps.setup-python.outputs.python-version }}-cargo-4-${{ hashFiles('**/Cargo.lock') }}
 
       - uses: actions/checkout@v3.0.2
         timeout-minutes: 3
@@ -99,7 +99,7 @@ jobs:
           path: ${{ github.workspace }}/osslcache
           # When altering the openssl build process you may need to increment the value on the end of this cache key
           # so that you can prevent it from fetching the cache and skipping the build step.
-          key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.CONFIG_HASH }}-2
+          key: ${{ matrix.PYTHON.OPENSSL.TYPE }}-${{ matrix.PYTHON.OPENSSL.VERSION }}-${{ env.CONFIG_HASH }}-3
         if: matrix.PYTHON.OPENSSL
       - name: Build custom OpenSSL/LibreSSL
         run: .github/workflows/build_openssl.sh
@@ -140,7 +140,7 @@ jobs:
           - {IMAGE: "ubuntu-focal", TOXENV: "py38"}
           - {IMAGE: "ubuntu-jammy", TOXENV: "py310"}
           - {IMAGE: "ubuntu-rolling", TOXENV: "py310"}
-          - {IMAGE: "fedora", TOXENV: "py310"}
+          - {IMAGE: "fedora", TOXENV: "py311"}
           - {IMAGE: "alpine", TOXENV: "py310"}
     name: "${{ matrix.IMAGE.TOXENV }} on ${{ matrix.IMAGE.IMAGE }}"
     timeout-minutes: 15
@@ -502,7 +502,7 @@ jobs:
           import pkg_resources
           import shutil
           import urllib.request
-          
+
           d = pkg_resources.get_distribution("cryptography")
           with urllib.request.urlopen("https://pypi.org/pypi/cryptography/json") as r:
               latest_version = json.load(r)["info"]["version"]

diff --git a/src/_cffi_src/openssl/crypto.py b/src/_cffi_src/openssl/crypto.py
@@ -75,7 +75,7 @@
 # define OPENSSL_DIR             SSLEAY_DIR
 #endif
 
-#if CRYPTOGRAPHY_IS_LIBRESSL
+#if CRYPTOGRAPHY_LIBRESSL_LESS_THAN_360
 static const long Cryptography_HAS_OPENSSL_CLEANUP = 0;
 void (*OPENSSL_cleanup)(void) = NULL;
 #else

diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
@@ -47,12 +47,15 @@
     (LIBRESSL_VERSION_NUMBER < 0x3040000f)
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 \
     (LIBRESSL_VERSION_NUMBER < 0x3050000f)
+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_360 \
+    (LIBRESSL_VERSION_NUMBER < 0x3060000f)
 
 #else
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_322 (0)
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_332 (0)
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_340 (0)
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_350 (0)
+#define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_360 (0)
 #endif
 
 #if OPENSSL_VERSION_NUMBER < 0x10100000

diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py
@@ -174,7 +174,9 @@ class _FragList:
 
     flist: typing.List[bytes]
 
-    def __init__(self, init: typing.List[bytes] = None) -> None:
+    def __init__(
+        self, init: typing.Optional[typing.List[bytes]] = None
+    ) -> None:
         self.flist = []
         if init:
             self.flist.extend(init)

diff --git a/tests/hazmat/primitives/test_ec.py b/tests/hazmat/primitives/test_ec.py
@@ -479,7 +479,9 @@ def test_load_invalid_ec_key_from_pem(self, backend):
         # BoringSSL rejects infinity points before it ever gets to us, so it
         # uses a more generic error message.
         match = (
-            "infinity" if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL else None
+            r"infinity|invalid form"
+            if not backend._lib.CRYPTOGRAPHY_IS_BORINGSSL
+            else None
         )
         with pytest.raises(ValueError, match=match):
             serialization.load_pem_public_key(

diff --git a/tests/test_interfaces.py b/tests/test_interfaces.py
@@ -58,15 +58,15 @@ def property(self):
     def test_signature_mismatch(self):
         class SimpleInterface(metaclass=abc.ABCMeta):
             @abc.abstractmethod
-            def method(self, other: object) -> int:
+            def method(self, other: object):
                 """Method with signature"""
 
         class ClassWithoutSignature:
             def method(self, other):
                 """Method without signature"""
 
         class ClassWithSignature:
-            def method(self, other: object) -> int:
+            def method(self, other: object):
                 """Method with signature"""
 
         verify_interface(SimpleInterface, ClassWithoutSignature)