drop support for openssl < 1.1.1d

This removes the OS random engine, which contained the only CPython PSF
licensed code in the repository. Accordingly, that license has now been
removed.

.github/workflows/ci.yml

@@ -132,7 +132,6 @@ jobs:
           - {IMAGE: "bullseye", TOXENV: "py39", RUNNER: "ubuntu-latest"}
           - {IMAGE: "bookworm", TOXENV: "py311", RUNNER: "ubuntu-latest"}
           - {IMAGE: "sid", TOXENV: "py311", RUNNER: "ubuntu-latest"}
-          - {IMAGE: "ubuntu-bionic", TOXENV: "py36", RUNNER: "ubuntu-latest"}
           - {IMAGE: "ubuntu-focal", TOXENV: "py38", RUNNER: "ubuntu-latest"}
           - {IMAGE: "ubuntu-jammy", TOXENV: "py310", RUNNER: "ubuntu-latest"}
           - {IMAGE: "ubuntu-rolling", TOXENV: "py310", RUNNER: "ubuntu-latest"}
@@ -178,7 +177,6 @@ jobs:
         run: mkdir -p "${HOME}/.cache/pip"
       - run: |
           echo "OPENSSL_FORCE_FIPS_MODE=1" >> $GITHUB_ENV
-          echo "CFLAGS=-DUSE_OSRANDOM_RNG_FOR_TESTING" >> $GITHUB_ENV
         if: matrix.IMAGE.FIPS
       - run: /venv/bin/python -m pip install -c ci-constraints-requirements.txt 'tox>3' coverage
       - run: '/venv/bin/tox -vvv --notest'
@@ -351,7 +349,7 @@ jobs:
           - {OS: [self-hosted, macos, ARM64, tart], ARCH: 'arm64'}
         PYTHON:
           - {VERSION: "3.6", TOXENV: "py36-nocoverage", EXTRA_CFLAGS: ""}
-          - {VERSION: "3.11", TOXENV: "py311", EXTRA_CFLAGS: "-DUSE_OSRANDOM_RNG_FOR_TESTING"}
+          - {VERSION: "3.11", TOXENV: "py311", EXTRA_CFLAGS: ""}
         exclude:
           # We only test latest Python on arm64. The py36 won't work since there's no universal2 binary
           - PYTHON: {VERSION: "3.6", TOXENV: "py36-nocoverage", EXTRA_CFLAGS: ""}
@@ -416,7 +414,7 @@ jobs:
           - {ARCH: 'x64', WINDOWS: 'win64'}
         PYTHON:
           - {VERSION: "3.6", TOXENV: "py36-nocoverage", CL_FLAGS: ""}
-          - {VERSION: "3.11", TOXENV: "py311", CL_FLAGS: "/D USE_OSRANDOM_RNG_FOR_TESTING"}
+          - {VERSION: "3.11", TOXENV: "py311", CL_FLAGS: ""}
         JOB_NUMBER: [0, 1]
     name: "${{ matrix.PYTHON.TOXENV }} on ${{ matrix.WINDOWS.WINDOWS }} (part ${{ matrix.JOB_NUMBER }})"
     timeout-minutes: 15

LICENSE

@@ -1,6 +1,3 @@
 This software is made available under the terms of *either* of the licenses
 found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made
 under the terms of *both* these licenses.
-
-The code used in the OS random engine is derived from CPython, and is licensed
-under the terms of the PSF License Agreement.

MANIFEST.in

@@ -3,7 +3,6 @@ include CONTRIBUTING.rst
 include LICENSE
 include LICENSE.APACHE
 include LICENSE.BSD
-include LICENSE.PSF
 include README.rst
 include tox.ini
 

docs/openssl.rst

@@ -29,21 +29,6 @@ control.
             typically shown in hexadecimal (e.g. ``0x1010003f``). This is
             not necessarily the same version as it was compiled against.
 
-    .. method:: activate_osrandom_engine()
-
-        Activates the OS random engine. This will effectively disable OpenSSL's
-        default CSPRNG.
-
-    .. method:: osrandom_engine_implementation()
-
-        .. versionadded:: 1.7
-
-        Returns the implementation of OS random engine.
-
-    .. method:: activate_builtin_random()
-
-        This will activate the default OpenSSL CSPRNG.
-
 .. _legacy-provider:
 
 Legacy provider in OpenSSL 3.x

setup.cfg

@@ -4,7 +4,7 @@ version = attr: cryptography.__version__
 description = cryptography is a package which provides cryptographic recipes and primitives to Python developers.
 long_description = file: README.rst
 long_description_content_type = text/x-rst
-license = (Apache-2.0 OR BSD-3-Clause) AND PSF-2.0
+license = Apache-2.0 OR BSD-3-Clause
 url = https://github.com/pyca/cryptography
 author = The Python Cryptographic Authority and individual contributors
 author_email = cryptography-dev@python.org

src/_cffi_src/build_openssl.py

@@ -94,7 +94,6 @@ def _extra_compile_args(platform):
         "nid",
         "objects",
         "opensslv",
-        "osrandom_engine",
         "pem",
         "pkcs12",
         "rand",

src/_cffi_src/openssl/cryptography.py

@@ -50,40 +50,30 @@
 #define CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370 (0)
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10101000
-    #error "pyca/cryptography MUST be linked with Openssl 1.1.1 or later"
+#if OPENSSL_VERSION_NUMBER < 0x10101040
+    #error "pyca/cryptography MUST be linked with Openssl 1.1.1d or later"
 #endif
 
 #define CRYPTOGRAPHY_OPENSSL_111D_OR_GREATER \
     (OPENSSL_VERSION_NUMBER >= 0x10101040 && !CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_300_OR_GREATER \
     (OPENSSL_VERSION_NUMBER >= 0x30000000 && !CRYPTOGRAPHY_IS_LIBRESSL)
 
-#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B \
-    (OPENSSL_VERSION_NUMBER < 0x10101020 || CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D \
     (OPENSSL_VERSION_NUMBER < 0x10101040 || CRYPTOGRAPHY_IS_LIBRESSL)
 #define CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E \
     (OPENSSL_VERSION_NUMBER < 0x10101050 || CRYPTOGRAPHY_IS_LIBRESSL)
-#if (CRYPTOGRAPHY_OPENSSL_LESS_THAN_111D && !CRYPTOGRAPHY_IS_LIBRESSL && \
-    !defined(OPENSSL_NO_ENGINE)) || defined(USE_OSRANDOM_RNG_FOR_TESTING)
-#define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 1
-#else
-#define CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE 0
-#endif
-/* Ed25519 support is available from OpenSSL 1.1.1b and LibreSSL 3.7.0. */
+/* Ed25519 support is in all supported OpenSSLs as well as LibreSSL 3.7.0. */
 #define CRYPTOGRAPHY_HAS_WORKING_ED25519 \
-    (!CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B || \
+    (CRYPTOGRAPHY_OPENSSL_111D_OR_GREATER || \
     (CRYPTOGRAPHY_IS_LIBRESSL && !CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370))
 """
 
 TYPES = """
 static const int CRYPTOGRAPHY_OPENSSL_111D_OR_GREATER;
 static const int CRYPTOGRAPHY_OPENSSL_300_OR_GREATER;
 
-static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111B;
 static const int CRYPTOGRAPHY_OPENSSL_LESS_THAN_111E;
-static const int CRYPTOGRAPHY_NEEDS_OSRANDOM_ENGINE;
 static const int CRYPTOGRAPHY_HAS_WORKING_ED25519;
 
 static const int CRYPTOGRAPHY_LIBRESSL_LESS_THAN_370;